Plain-English definitions of every term you need to understand the EU Cyber Resilience Act, coordinate vulnerability disclosure, and meet your September 2026 deadline.
Annex I of the EU Cyber Resilience Act sets out the mandatory cybersecurity requirements that all products with digital elements must meet. It is divided into two parts: Part I covers secure product properties, and Part II covers manufacturer vulnerability handling obligations.
Annex III of the EU Cyber Resilience Act lists product categories classified as 'Important' (Class I or Class II) or 'Critical', which are subject to stricter conformity assessment requirements than the Default class. Most products not listed in Annex III fall into the Default class and can self-certify.
The CE mark is the mandatory conformity marking that manufacturers must affix to products with digital elements before placing them on the EU market under the CRA. It indicates that the product meets the CRA's essential cybersecurity requirements and has passed the applicable conformity assessment procedure.
Conformity assessment is the process by which a manufacturer demonstrates that its product meets the CRA's essential cybersecurity requirements. The process required depends on the product's classification: Default and Class I products can self-assess; Class II and Critical products require third-party assessment by a notified body.
Default Class products are the baseline category under the EU Cyber Resilience Act — products with digital elements that do not fall into the Important Class I or Class II elevated risk classifications. The vast majority of consumer and commercial connected products are Default Class. Manufacturers may self-certify conformity through an internal control procedure.
Economic operators are the legal entities in the supply chain — manufacturers, authorised representatives, importers, and distributors — upon whom the EU Cyber Resilience Act places specific obligations. The manufacturer bears the primary and most extensive obligations, but importers and distributors have supplementary duties that can result in them inheriting manufacturer obligations if the original manufacturer is non-compliant.
An end-of-life (EOL) policy defines the date on which a manufacturer will cease providing security updates, technical support, and vulnerability fixes for a product. Under the EU Cyber Resilience Act, manufacturers must clearly communicate EOL dates and ensure they meet the minimum support period requirements before they can terminate update obligations.
ENISA (the European Union Agency for Cybersecurity) is the EU's dedicated cybersecurity agency, headquartered in Athens with offices in Brussels. Under the CRA, ENISA operates the central EU vulnerability registry, receives Article 14 notifications of actively exploited vulnerabilities, and publishes guidance supporting manufacturer compliance.
The essential cybersecurity requirements are the mandatory security properties and vulnerability handling obligations set out in Annex I of the CRA that all products with digital elements must satisfy before being placed on the EU market. They are the substantive compliance test at the heart of the CRA.
The EU Cyber Resilience Act (Regulation (EU) 2024/2847) is a horizontal EU regulation that establishes mandatory cybersecurity requirements for products with digital elements placed on the EU market. It entered into force on 10 December 2024, with most obligations applying from 11 December 2027.
The EU Declaration of Conformity is a formal document signed by the manufacturer (or authorised representative) declaring that a product meets the essential requirements of all applicable EU regulations, including the CRA. It must be drawn up before the CE mark is affixed and kept available for market surveillance authorities for at least 10 years.
Important Product Class I is the lower tier of the CRA's two-tier classification for products with digital elements that present a significant cybersecurity risk. Class I products face an elevated conformity assessment pathway compared to Default Class products, but less stringent than Class II. Examples include identity management software and general-purpose browsers.
Important Product Class II is the highest risk tier under the EU Cyber Resilience Act's product classification system, covering products with digital elements whose compromise could have severe or widespread impact. Class II products — including industrial control systems, medical devices, and critical infrastructure components — face mandatory third-party conformity assessment.
Manufacturer obligations under the EU Cyber Resilience Act are the comprehensive set of cybersecurity duties that apply to any entity that designs, develops, or produces a product with digital elements for the EU market. These obligations span product design, vulnerability handling, market surveillance cooperation, and post-market security support.
A 'product with digital elements' (PDE) is the CRA's term for any hardware or software product that has the ability to process, store, or transmit data and that connects, directly or indirectly, to another device or network. This definition determines whether the CRA applies to a given product.
Secure by default means that a product ships with security settings pre-configured to the most protective state — disabled features, closed ports, strong authentication — without requiring users to take action to enable security. It is an explicit essential requirement under Annex I of the EU Cyber Resilience Act.
Secure by design means that security is built into a product's architecture and development process from the earliest design stage, rather than added as an afterthought after development is complete. The EU Cyber Resilience Act's essential requirements in Annex I mandate a secure-by-design approach for all products with digital elements.
The support period is the duration for which a manufacturer commits to providing security updates, vulnerability remediations, and related security support for a product. Under the EU Cyber Resilience Act, the support period must be at least five years (or the product's expected lifetime) and must be communicated to users before purchase.
Technical documentation under the CRA is the comprehensive set of records a manufacturer must compile and maintain to demonstrate that a product with digital elements meets the Annex I essential cybersecurity requirements. It must be retained for at least 10 years and made available to market surveillance authorities on request.
A bug bounty programme is a formal scheme in which a manufacturer or organisation offers financial rewards to external security researchers who discover and responsibly disclose security vulnerabilities in their products or systems. Bug bounty programmes are a supplementary CVD mechanism — they add financial incentive to an underlying CVD policy — but are not themselves a substitute for the CRA's mandatory vulnerability disclosure requirements.
CVD is the process by which a security researcher privately reports a vulnerability to the affected vendor, who then develops and releases a fix before the vulnerability is made public. Under the EU Cyber Resilience Act, manufacturers of products with digital elements are legally required to establish a CVD process.
A CSIRT is a team that coordinates responses to cybersecurity incidents, typically operating at a national or sector level. Under the CRA, manufacturers must notify the relevant national CSIRT within 24 hours of discovering an actively exploited vulnerability in their product, alongside simultaneous notification to ENISA.
A CVD policy is a publicly published document that defines how a manufacturer receives, processes, and responds to vulnerability reports. The EU Cyber Resilience Act requires manufacturers to publish a CVD policy as part of their vulnerability handling obligations.
Incident response is the organised process for detecting, containing, investigating, and recovering from cybersecurity incidents — events where a product's security has been or may have been compromised. The EU Cyber Resilience Act requires manufacturers to have incident response capabilities and to notify authorities within strict timeframes when security incidents occur.
A PSIRT is a dedicated organisational function responsible for receiving, investigating, and coordinating responses to security vulnerabilities and incidents in a manufacturer's products. The EU Cyber Resilience Act's vulnerability handling obligations effectively require manufacturers to have PSIRT-equivalent capabilities.
Responsible disclosure is the practice of privately notifying a vendor of a security vulnerability before making it public, giving the vendor time to develop and release a fix. It is an older term that is largely synonymous with coordinated vulnerability disclosure (CVD), which is now the preferred terminology in EU regulatory frameworks.
A security advisory is a public document published by a manufacturer to inform users of a security vulnerability in a product, the severity of the issue, and how to remediate it. Annex I Part II of the CRA requires manufacturers to publish security advisories when releasing vulnerability fixes.
A security researcher is an individual or organisation that investigates security vulnerabilities in products, systems, or software — often independently of the affected manufacturer — and reports findings to enable remediation. The EU Cyber Resilience Act recognises the role of security researchers as essential contributors to the vulnerability discovery ecosystem and requires manufacturers to establish accessible disclosure channels for them.
security.txt is a standardised plain-text file placed at `/.well-known/security.txt` on a web domain that tells security researchers how to report vulnerabilities. Defined in RFC 9116, it is the recommended machine-readable disclosure of a manufacturer's CVD contact and policy.
Vulnerability handling is the complete lifecycle process through which a manufacturer identifies, evaluates, remediates, and discloses security vulnerabilities in its products. Annex I Part II of the CRA makes robust vulnerability handling a mandatory ongoing obligation for all manufacturers of products with digital elements.
The CISA Known Exploited Vulnerabilities (KEV) catalogue is a curated list maintained by the US Cybersecurity and Infrastructure Security Agency that identifies CVEs for which there is credible evidence of active exploitation in the wild. For EU manufacturers, the KEV catalogue is the highest-priority vulnerability intelligence source — any KEV entry affecting a shipped product triggers the CRA's 24-hour ENISA notification obligation.
CSAF is an OASIS open standard for machine-readable security advisory documents, replacing the older CVRF format. ENISA recommends CSAF as the preferred format for security advisories published by manufacturers under the EU Cyber Resilience Act.
CVE is a public catalogue of known cybersecurity vulnerabilities, each assigned a unique identifier (e.g. CVE-2024-12345) maintained by MITRE. Under the CRA, manufacturers are expected to track CVEs affecting their products and report actively exploited vulnerabilities to ENISA.
CVSS is an open framework for communicating the characteristics and severity of software vulnerabilities, producing a numerical score from 0 to 10. Manufacturers use CVSS scores to prioritise remediation and to communicate risk in security advisories required under the CRA.
The Common Vulnerability Scoring System (CVSS) is the industry-standard framework for assessing and communicating the severity of software vulnerabilities using a numerical score from 0 to 10. CVSS scores are referenced throughout the CRA compliance ecosystem — in vulnerability advisories, SBOM tooling, CSAF documents, and PSIRT triage processes — and are the primary language for communicating vulnerability severity under the regulation.
The National Vulnerability Database (NVD) is the US government's comprehensive repository of CVE records enriched with CVSS severity scores, CWE classifications, and CPE product identifiers, maintained by NIST. It is the primary machine-readable vulnerability intelligence source used by SCA tools and vulnerability scanners globally, including by EU manufacturers complying with the CRA.
VEX (Vulnerability Exploitability eXchange) is a machine-readable security advisory format that allows manufacturers to communicate the exploitability status of known CVEs in their products — specifically whether a CVE that appears in a component is actually exploitable in the context of how the component is used. VEX is essential for managing the false-positive burden of SBOM-based vulnerability scanning.
The attack surface of a product is the totality of different points — interfaces, APIs, protocols, hardware ports, and user inputs — through which an attacker could attempt to enter or extract data from a system. Reducing attack surface is a core principle of the CRA's essential cybersecurity requirements.
A cybersecurity risk assessment is a systematic process of identifying, analysing, and evaluating security threats and vulnerabilities that could affect a product or system, then determining appropriate mitigations. The EU Cyber Resilience Act requires manufacturers to conduct and document a cybersecurity risk assessment as a precondition for market placement.
An exploit is code, data, or a sequence of commands that takes advantage of a vulnerability to cause unintended behaviour in software or hardware. Under the EU Cyber Resilience Act, manufacturers must actively track and remediate vulnerabilities before exploits are developed and weaponised.
A firmware update delivers new software to a device's embedded systems — microcontrollers, bootloaders, and operating environments — to fix vulnerabilities, add features, or address hardware behaviour. Over-the-air (OTA) updates deliver firmware remotely. The CRA requires manufacturers to implement and maintain a secure update mechanism throughout a product's support period.
Patch management is the process of identifying, testing, approving, and deploying software updates that fix security vulnerabilities and bugs. The EU Cyber Resilience Act requires manufacturers to provide security patches for their products throughout the defined support period and to deliver them without undue delay.
Penetration testing is a structured, authorised security assessment in which testers simulate real-world attack techniques to identify exploitable vulnerabilities in a product, system, or network before malicious actors discover them. The EU Cyber Resilience Act implicitly requires manufacturers to test their products' security prior to market placement.
A proof-of-concept (PoC) exploit is working code or a detailed technical demonstration that shows a security vulnerability is real and exploitable. The existence of a public PoC significantly increases the urgency of a manufacturer's patch release and may affect CRA notification timelines.
An SBOM is a formal, machine-readable inventory of all software components — including open-source libraries, third-party dependencies, and firmware packages — that make up a product. The EU Cyber Resilience Act requires manufacturers to maintain an SBOM as part of their technical documentation.
Software Composition Analysis (SCA) is the automated process of identifying open-source and third-party components in a codebase and checking them against known vulnerability databases to detect security risks. SCA is the primary technical mechanism for meeting the CRA's requirement that manufacturers identify and manage vulnerabilities in their products' components.
Software supply chain security encompasses the practices and controls that ensure the integrity, authenticity, and security of all software components — open-source libraries, commercial off-the-shelf modules, and development toolchains — that are integrated into a product. The CRA places explicit obligations on manufacturers to manage supply chain security throughout the product lifecycle.
Threat modeling is a structured technique for identifying, prioritising, and mitigating security threats to a system during its design phase by systematically analysing what could go wrong, who might cause it, and what the impact would be. It is the foundational practice that enables manufacturers to meet the CRA's requirement for risk-informed, secure-by-design product development.
Vulnerability scanning is the automated process of probing systems, networks, or applications to identify known security weaknesses by comparing observed configurations and software versions against databases of known vulnerabilities. It provides continuous visibility into a product's security posture and supports the CRA's requirement that manufacturers monitor and address vulnerabilities throughout a product's lifecycle.
A zero-day vulnerability is a security flaw that is unknown to the vendor and for which no patch exists at the time of discovery or exploitation. Zero-day vulnerabilities are particularly significant under the CRA because their active exploitation triggers immediate notification obligations to ENISA within 24 hours.
CVD Portal gives EU manufacturers a complete vulnerability disclosure programme — free forever.
Set up your free portal