CVD & Vulnerability Management

Product Security Incident Response Team (PSIRT)

A PSIRT is a dedicated organisational function responsible for receiving, investigating, and coordinating responses to security vulnerabilities and incidents in a manufacturer's products. The EU Cyber Resilience Act's vulnerability handling obligations effectively require manufacturers to have PSIRT-equivalent capabilities.


What Is a PSIRT?

A Product Security Incident Response Team (PSIRT) is the organisational unit within a manufacturer responsible for the end-to-end vulnerability lifecycle: receiving reports from external researchers and customers, triaging and validating vulnerabilities, coordinating with engineering teams to develop fixes, managing disclosure timelines, and publishing security advisories. The PSIRT is the operational heart of a manufacturer's CVD programme. It is distinct from a CSIRT (Computer Security Incident Response Team), which focuses on internal IT security incidents. FIRST publishes a PSIRT Services Framework that defines the full range of PSIRT capabilities and is widely used as a maturity model.

CRA reference: Article 13(6), Annex I Part II

PSIRT Obligations Under the CRA

While the CRA does not use the term 'PSIRT', Articles 13(6) and 14 require manufacturers to have capabilities that are functionally equivalent:

  • Intake — an accessible channel for vulnerability reports with a published response commitment.
  • Triage — a process for validating reports and assessing severity within defined timeframes.
  • Coordination — the ability to manage multi-party disclosure when vulnerabilities affect more than one vendor.
  • Notification — the capacity to notify ENISA and relevant CSIRTs within 24 hours of an actively exploited vulnerability.
  • Advisory publication — the ability to publish machine-readable security advisories (CSAF format recommended).

Manufacturers that cannot demonstrate these capabilities will fail CRA conformity assessment.

CRA reference: Article 13(6), Article 14, Annex I Part II

Building a PSIRT for CRA Compliance

For small and medium manufacturers, a full dedicated PSIRT team may not be feasible. A minimal CRA-compliant PSIRT capability requires:

  1. A named PSIRT contact — one or more individuals who are responsible for security reports and whose contact details are published.
  2. Documented triage SLAs — written procedures defining who reviews incoming reports, within what timeframe, and how severity is assessed.
  3. An escalation path — a clear route from the PSIRT to engineering leadership and legal, required for high-severity vulnerabilities with disclosure implications.
  4. Advisory tooling — the ability to produce and publish CSAF-format advisories and to request CVE IDs.
  5. A CSIRT liaison — a documented contact at the national CSIRT for the manufacturer's primary EU market.

CRA reference: Article 13(6), Article 14
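As an added illustration (not code from this page or from any product it mentions) of items 2 and 4 above, the Python below tracks the two clocks a minimal PSIRT must meet for a constructed report (the 5-business-day acknowledgement target and the 24-hour Article 14 clock, which starts at awareness of active exploitation rather than at receipt) and builds a skeleton CSAF 2.0 advisory; the publisher name, namespace, product identifier and CVE value are placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

ACK_SLA_BUSINESS_DAYS = 5   # acknowledgement target the page cites from ENISA's CVD guide
ENISA_NOTIFY_HOURS = 24     # Article 14 clock for an actively exploited vulnerability

def add_business_days(start: datetime, days: int) -> datetime:
    """Advance by calendar days, counting only Monday to Friday (public holidays ignored)."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current

@dataclass
class Report:
    report_id: str                                   # constructed intake identifier
    received: datetime                               # when the report hit the intake channel
    exploitation_confirmed: Optional[datetime] = None  # when the PSIRT learned of active exploitation

def deadlines(report: Report) -> dict:
    """Deadlines the PSIRT must track for one report, keyed by obligation."""
    out = {"acknowledge_by": add_business_days(report.received, ACK_SLA_BUSINESS_DAYS)}
    if report.exploitation_confirmed is not None:
        # the 24-hour clock runs from awareness of exploitation, not from report receipt
        out["enisa_notify_by"] = report.exploitation_confirmed + timedelta(hours=ENISA_NOTIFY_HOURS)
    return out

def csaf_advisory(tracking_id: str, title: str, cve: str, product_name: str, release: datetime) -> dict:
    """Skeleton CSAF 2.0 advisory with the required document, product_tree and vulnerabilities parts.
    Publisher values are placeholders; a real advisory carries the manufacturer's own details."""
    product_id, stamp = "CSAFPID-0001", release.isoformat()
    return {
        "document": {
            "category": "csaf_security_advisory",
            "csaf_version": "2.0",
            "publisher": {"category": "vendor", "name": "Example Manufacturer", "namespace": "https://example.invalid"},
            "title": title,
            "tracking": {"id": tracking_id, "status": "final", "version": "1",
                         "initial_release_date": stamp, "current_release_date": stamp,
                         "revision_history": [{"number": "1", "date": stamp, "summary": "Initial release"}]},
        },
        "product_tree": {"full_product_names": [{"name": product_name, "product_id": product_id}]},
        "vulnerabilities": [{"cve": cve, "product_status": {"known_affected": [product_id]}}],
    }

# constructed sample: report received on a Friday, exploitation confirmed the next morning
SAMPLE_REPORT = Report("RPT-0001", datetime(2024, 6, 7, 10, 0, tzinfo=timezone.utc),
                       datetime(2024, 6, 8, 9, 0, tzinfo=timezone.utc))
SAMPLE_ADVISORY = csaf_advisory("EXAMPLE-2024-0001", "Placeholder advisory", "CVE-0000-00000",
                                "Example Gateway 1.0", SAMPLE_REPORT.received)
```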

PSIRT Maturity and Common Gaps

FIRST's PSIRT Services Framework defines five maturity levels. Most CRA-obligated manufacturers starting their compliance journey are at Level 1 (ad hoc) or Level 2 (defined). Common gaps include:

  • No SLA for report acknowledgement — researchers who receive no response within 5 days typically assume the report has been ignored.
  • No separation between IT security and product security — vulnerabilities in a product's firmware require different expertise and disclosure processes than a corporate IT incident.
  • No multi-party coordination experience — vulnerabilities in shared components (e.g. a CVE in an embedded Bluetooth stack) often affect multiple manufacturers; coordinating simultaneous disclosure requires specific skills.
  • Undocumented processes — informal arrangements that work until key personnel leave the organisation.


Frequently asked

Does a small manufacturer need a formal PSIRT team?

A formal team is not required, but the capabilities a PSIRT provides are. A single person can fulfil the PSIRT function if they have the authority, tools, and documented processes to receive reports, triage vulnerabilities, coordinate fixes, notify regulators when required, and publish advisories. What matters to regulators is documented process and demonstrated response capability, not organisational structure.

What is the difference between a PSIRT and a CSIRT?

A PSIRT (Product Security Incident Response Team) handles vulnerabilities in products the organisation manufactures and ships to customers. A CSIRT (Computer Security Incident Response Team) handles security incidents in the organisation's own internal IT infrastructure. A manufacturer subject to the CRA needs PSIRT-equivalent capabilities for its products; national-level CSIRTs are the regulatory bodies the PSIRT must notify under Article 14.

How quickly must a PSIRT acknowledge a vulnerability report under the CRA?

The CRA does not specify a mandatory acknowledgement time, but ENISA's CVD Good Practice Guide recommends acknowledgement within 5 business days. The 24-hour clock for ENISA notification under Article 14 starts when the manufacturer becomes aware of an actively exploited vulnerability — not when it receives a researcher report. Publishing an acknowledgement SLA in your CVD policy sets expectations with researchers and provides evidence of good faith to regulators.
