Article 15

Post-Market Monitoring Obligations for Manufacturers

Article 15 establishes that CRA compliance is not a one-time exercise completed at product launch. Manufacturers must actively monitor their products for newly discovered vulnerabilities throughout the product's support period and take prompt corrective action when vulnerabilities are identified. This ongoing monitoring obligation is one of the most operationally demanding requirements of the CRA and requires manufacturers to build continuous security processes into their product management operations.

Effective: September 2026
Applies to: All manufacturers of products with digital elements placed on the EU market

The Continuous Monitoring Obligation

Article 15 requires manufacturers to perform post-market monitoring — an ongoing process of actively surveying for vulnerabilities in their products after they have been placed on the market. This is a fundamental shift from the traditional model of security-at-launch: under the CRA, the obligation to maintain product security continues for the entire support period.

Post-market monitoring must be active, not passive. Manufacturers cannot simply wait for vulnerability reports to arrive through their CVD process. They must proactively monitor public vulnerability databases (such as the NVD, CVE programme, and ENISA's European Vulnerability Database), track security research publications relevant to their product categories, monitor security advisories from component suppliers, and assess whether new vulnerabilities in underlying components affect their products.

The monitoring obligation applies to the entire product, including third-party components and open-source dependencies. A vulnerability disclosed in an open-source library that is embedded in a product triggers a manufacturer's obligation to assess the impact and respond accordingly.

CRA reference: Article 15(1)

Corrective Action Requirements

When post-market monitoring identifies a vulnerability that affects a product, manufacturers must take corrective action without undue delay. The nature of the corrective action depends on the severity and nature of the vulnerability:

Security updates: Where a technical fix is available and practicable, manufacturers must issue a security update and make it available to all affected users free of charge. The update must be delivered within a timeframe commensurate with the severity of the vulnerability.

Workarounds: Where a security update is not immediately available, manufacturers should provide interim mitigations or workarounds to reduce user exposure while the patch is developed.

Product withdrawal: In cases where a vulnerability is so severe that no reasonable mitigation is possible and users are at unacceptable risk, product withdrawal or recall may be required.

User notification: Manufacturers must inform users of vulnerabilities and available remediation through appropriate channels — typically security advisories published on the manufacturer's website and, where practicable, through in-product notification mechanisms.

CRA reference: Article 15(1), Annex I Part II

Software Bill of Materials and Vulnerability Tracking

Effective post-market monitoring is not possible without an accurate Software Bill of Materials (SBOM). An SBOM is a machine-readable inventory of all software components in a product — including open-source libraries, commercial components, firmware modules, and their version numbers. Without an SBOM, manufacturers cannot systematically assess whether a newly disclosed vulnerability in a component affects their products.

Manufacturers should maintain up-to-date SBOMs for all active products and establish automated processes for matching new CVE disclosures against their component inventories. Tools such as Software Composition Analysis (SCA) platforms can automate the vulnerability monitoring process by alerting when a new CVE is published for a component in the product's SBOM.

The SBOM should be updated whenever a software update is released, and component version changes should be tracked. SBOMs should be available to users and regulators on request as part of the technical documentation maintained under Annex VII.

CRA reference: Annex I Part II(1)
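The automated matching step described above, as an added example (not code from this guide or from any SCA product): a small Python routine that loads a constructed CycloneDX-style SBOM, checks each constructed advisory's affected version range against the component inventory, and returns the hits a monitoring process would triage. Component names, versions and advisory identifiers are all made up for the example, and version comparison assumes plain dotted numeric versions.

```python
import json

# Constructed CycloneDX-style SBOM for a fictional firmware image (not a real product).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "openssl", "version": "3.0.12", "purl": "pkg:generic/openssl@3.0.12"},
    {"name": "zlib",    "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"},
    {"name": "busybox", "version": "1.36.1", "purl": "pkg:generic/busybox@1.36.1"}
  ]
}
"""

# Constructed advisory feed. Each record names the affected package and the
# half-open range [introduced, fixed); fixed=None means no fix is published yet.
# Identifiers are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "zlib",    "introduced": "1.2.0",  "fixed": "1.2.12", "severity": "HIGH"},
    {"id": "ADV-EXAMPLE-2", "package": "openssl", "introduced": "3.0.0",  "fixed": "3.0.8",  "severity": "CRITICAL"},
    {"id": "ADV-EXAMPLE-3", "package": "busybox", "introduced": "1.30.0", "fixed": None,     "severity": "MEDIUM"},
]


def parse_version(version):
    # Assumption: dotted numeric versions only. Real tooling needs ecosystem-aware
    # version semantics (semver pre-releases, distro epochs, purl/CPE normalisation).
    return tuple(int(part) for part in version.split("."))


def is_affected(version, introduced, fixed):
    """True if version lies in [introduced, fixed); an unfixed advisory has no upper bound."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def match_advisories(sbom_json, advisories):
    """Return the advisories that apply to components listed in the SBOM."""
    components = {c["name"]: c["version"] for c in json.loads(sbom_json)["components"]}
    hits = []
    for adv in advisories:
        shipped = components.get(adv["package"])
        if shipped is not None and is_affected(shipped, adv["introduced"], adv["fixed"]):
            hits.append({"id": adv["id"], "component": adv["package"], "shipped": shipped,
                         "severity": adv["severity"], "fixed_in": adv["fixed"]})
    return hits


if __name__ == "__main__":
    for hit in match_advisories(SBOM_JSON, ADVISORIES):
        fix = hit["fixed_in"] or "no fix yet (workaround needed)"
        print(f'{hit["id"]}: {hit["component"]} {hit["shipped"]} [{hit["severity"]}] fixed in {fix}')
```

Each hit is the starting point of the corrective-action and documentation steps this article describes: the openssl record does not match because the shipped version is already past the fixed version, while the unfixed busybox record still matches and signals that a workaround, not a patch, is the immediate response.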

Integration with the CVD Process

Post-market monitoring under Article 15 works in parallel with the coordinated vulnerability disclosure (CVD) process under Article 13. Vulnerabilities can be discovered through two pathways: manufacturer-initiated discovery through post-market monitoring, or external discovery by security researchers who report through the CVD process.

Both pathways ultimately lead to the same obligations — triage, remediation, ENISA reporting (where applicable under Article 14), and security advisory publication. Manufacturers should ensure their internal processes integrate both pathways smoothly, so that vulnerabilities discovered by internal monitoring receive the same structured response as externally reported vulnerabilities.

The 24-hour early warning and 72-hour reporting obligations in Article 14 apply equally to vulnerabilities discovered through internal monitoring and those reported externally — the trigger is discovery or awareness, not the source of the information.

CRA reference: Article 15, Article 13, Article 14

Documentation and Audit Trail

Article 15 implicitly requires manufacturers to maintain records of their post-market monitoring activities. In the event of a market surveillance investigation, manufacturers must be able to demonstrate that they have been conducting appropriate monitoring and have responded to identified vulnerabilities in a timely manner. Records should cover at least:

  • Monitoring sources consulted and frequency
  • Vulnerabilities identified through monitoring, with dates and severity assessments
  • Corrective actions taken, including patch release dates and update dissemination records
  • ENISA notifications made under Article 14, with timestamps
  • Security advisories published, with publication dates and content

This documentation forms part of the ongoing technical file that manufacturers must maintain under Annex VII and which must be available to market surveillance authorities on request.

CRA reference: Article 15, Annex VII


Frequently asked

How long must post-market monitoring continue?

Post-market monitoring must continue for the entire support period of the product — at least five years from the date of placing the product on the market, or for the expected lifetime of the product if shorter than five years. When the support period ends, manufacturers must clearly communicate to users that security updates will cease and advise on alternative products or migration paths.

What monitoring sources should manufacturers check regularly?

At minimum, manufacturers should monitor the NIST National Vulnerability Database (NVD), the CVE programme, ENISA's European Vulnerability Database, security advisories from their component suppliers, relevant CERT/CSIRT publications, and security research publications relevant to their product categories. The specific sources should be risk-based and proportionate to the product's threat profile.

Are manufacturers required to notify users of every vulnerability discovered?

Not necessarily of every discovery — but manufacturers must publish security advisories when vulnerabilities are addressed or when workarounds are available. For severe vulnerabilities, prompt notification to users is expected. For lower-severity issues addressed in routine update releases, aggregated release notes may be sufficient. The key requirement is that users have the information they need to assess their exposure and take appropriate action.

What if a component supplier fails to provide a security update for a vulnerable component in my product?

The CRA obligation rests with the manufacturer of the final product, not with component suppliers. If a component supplier cannot or will not provide a fix, manufacturers must consider alternative approaches: replacing the component with a fixed version from an alternative supplier, implementing compensating controls at the product level, issuing a product update that removes the vulnerable component, or withdrawing the product if no adequate mitigation is possible.

Does post-market monitoring apply to products sold before the CRA application date?

Post-market monitoring obligations apply to products placed on the EU market on or after the CRA application date. Products already on the market before that date are generally not subject to CRA post-market monitoring requirements, though manufacturers who continue to supply those products and their updates may face obligations in relation to the continued supply activity.
