Vulnerability Handling

Vulnerability handling is the complete lifecycle process through which a manufacturer identifies, evaluates, remediates, and discloses security vulnerabilities in its products. Annex I Part II of the CRA makes robust vulnerability handling a mandatory ongoing obligation for all manufacturers of products with digital elements.


What Is Vulnerability Handling?

Vulnerability handling encompasses the end-to-end set of processes a manufacturer uses to manage security weaknesses in its products from discovery through to user notification and remediation. ISO/IEC 30111 defines vulnerability handling (also called 'vulnerability management') as distinct from vulnerability disclosure — it covers the internal processes, whereas disclosure covers the external communication. Under the CRA, vulnerability handling includes: maintaining an SBOM to know what is in the product; monitoring for new CVEs affecting components; validating and triaging reported vulnerabilities; developing patches; publishing advisories; and reporting to regulators when exploitation is detected.

CRA reference: Annex I Part II, Article 13(6)

CRA Vulnerability Handling Requirements

Annex I Part II lists the vulnerability handling obligations that form part of the essential requirements:

  • Component identification — document all software and hardware components, including third-party and open-source (SBOM).
  • Proactive monitoring — continuously monitor for vulnerabilities in components; assess impact on the product.
  • Timely remediation — develop and release patches without undue delay; do not impose charges for security fixes.
  • CVD policy — publish and maintain an accessible coordinated vulnerability disclosure policy.
  • Advisory publication — inform affected users of vulnerabilities and remediation steps.
  • ENISA notification — notify ENISA and national CSIRTs of actively exploited vulnerabilities within 24 hours.
  • Support period commitment — document and communicate the period during which vulnerabilities will be handled.

CRA reference: Annex I Part II

The Vulnerability Handling Lifecycle

A CRA-compliant vulnerability handling lifecycle follows these stages:

  1. Discovery — vulnerability identified through internal testing, external researcher report, CVE monitoring, or threat intelligence.
  2. Triage — validate the report, assess severity (CVSS score), determine exploitability, and check for active exploitation.
  3. Notification — if actively exploited, notify ENISA/CSIRT within 24 hours. Request CVE ID.
  4. Remediation — develop and test a fix; document the root cause.
  5. Release — publish the patch through the product update mechanism, free of charge.
  6. Advisory — publish a CSAF security advisory with CVE reference, CVSS score, affected versions, and remediation instructions.
  7. Documentation — update technical documentation with the vulnerability record and advisory.

CRA reference: Annex I Part II, Article 14
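As an added illustration of the stage order and the 24-hour clock described above (example code written for this page, not taken from the CRA text or from any compliance tool), the following Python tracks a vulnerability record through the seven stages. The VulnRecord class, its field names and the stage identifiers are this example's own assumptions; the only deadline it models is the 24-hour ENISA/CSIRT early warning the lifecycle mentions, and it lets the notification stage be skipped only when the vulnerability is not actively exploited.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Lifecycle stages in the order the page lists them (identifiers are assumed).
STAGES = ["discovery", "triage", "notification", "remediation",
          "release", "advisory", "documentation"]

# Early-warning window for actively exploited vulnerabilities (Article 14).
ENISA_EARLY_WARNING = timedelta(hours=24)


@dataclass
class VulnRecord:
    """One tracked vulnerability; the field names are this example's own."""
    internal_id: str
    aware_at: datetime            # when the manufacturer became aware (tz-aware)
    actively_exploited: bool = False
    cvss: Optional[float] = None  # set during triage
    stage: str = "discovery"
    history: list = field(default_factory=list)

    def enisa_deadline(self) -> Optional[datetime]:
        """Deadline for the early warning, or None when no exploitation is known."""
        if not self.actively_exploited:
            return None
        return self.aware_at + ENISA_EARLY_WARNING

    def advance(self, to_stage: str, at: datetime) -> None:
        """Move to the next stage. Only 'notification' may be skipped, and only
        when the vulnerability is not actively exploited."""
        cur, nxt = STAGES.index(self.stage), STAGES.index(to_stage)
        skip_ok = (self.stage == "triage" and to_stage == "remediation"
                   and not self.actively_exploited)
        if nxt != cur + 1 and not skip_ok:
            raise ValueError(f"cannot move from {self.stage} to {to_stage}")
        self.history.append((self.stage, to_stage, at))
        self.stage = to_stage

    def notification_pending(self) -> bool:
        """True while an exploited vulnerability has not yet reached 'notification'."""
        return (self.actively_exploited
                and STAGES.index(self.stage) < STAGES.index("notification"))


def overdue_notifications(records, now: datetime) -> list:
    """Ids of exploited vulnerabilities whose 24-hour early warning is late."""
    return [r.internal_id for r in records
            if r.notification_pending() and now > r.enisa_deadline()]


if __name__ == "__main__":
    t0 = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    rec = VulnRecord("VH-2025-001", aware_at=t0, actively_exploited=True)
    rec.advance("triage", t0 + timedelta(hours=2))
    rec.cvss = 8.1                                          # constructed score
    print("early-warning deadline:", rec.enisa_deadline())
    print("overdue at +25h:", overdue_notifications([rec], t0 + timedelta(hours=25)))
```

In practice the `aware_at` timestamp is the one that matters for the clock, so it should be captured when the report is first received, not when triage confirms it.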

Vulnerability Handling for Third-Party Components

A significant CRA compliance challenge is vulnerability handling for third-party and open-source components. Manufacturers are responsible for these components as if they were their own. Required processes include:

  • CVE feed monitoring — subscribe to NVD, vendor security bulletins, and sector-specific ISAC feeds; match new CVEs against the product SBOM.
  • Impact assessment — for each matching CVE, determine if the vulnerable code path is reachable in the product.
  • Upstream patch tracking — monitor upstream projects for security fixes; integrate them into the product's next release cycle.
  • VEX publication — for CVEs where the vulnerability is present in a component but not exploitable in the product's specific configuration, publish a VEX statement (via CSAF) to prevent unnecessary customer alarm.

The SBOM is the foundation that makes all of this tractable.
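To show the SBOM-to-feed matching, the reachability decision and the resulting VEX statement as one concrete flow, here is an added Python example (written for this page, not code from the CRA, NVD or any CSAF tool). The CycloneDX-style SBOM fragment, the feed entries and the placeholder CVE identifiers of the form CVE-0000-0000N are all constructed for the example; the version-range matching and the small CSAF VEX document it emits are this example's own simplification, though the `csaf_vex` category, the `known_affected`/`known_not_affected` product statuses and the justification labels are the ones CSAF 2.0 defines.

```python
import json
import re
from dataclasses import dataclass

# Constructed CycloneDX-style SBOM fragment (not a real product's SBOM).
SBOM_JSON = """
{"bomFormat": "CycloneDX", "specVersion": "1.5",
 "components": [
   {"name": "libfoo", "version": "2.3.1", "purl": "pkg:generic/libfoo@2.3.1"},
   {"name": "libbar", "version": "1.0.4", "purl": "pkg:generic/libbar@1.0.4"},
   {"name": "libbaz", "version": "5.2.0", "purl": "pkg:generic/libbaz@5.2.0"}
 ]}
"""


@dataclass(frozen=True)
class Advisory:
    """One feed entry: affected range is [introduced, fixed)."""
    cve: str
    component: str
    introduced: str
    fixed: str


# Constructed feed entries with placeholder CVE ids (not real vulnerabilities).
FEED = [
    Advisory("CVE-0000-00001", "libfoo", "2.0.0", "2.4.0"),
    Advisory("CVE-0000-00002", "libbar", "1.0.0", "1.0.3"),  # 1.0.4 already fixed
    Advisory("CVE-0000-00003", "libbaz", "5.0.0", "5.3.0"),
]

# CSAF 2.0 justification labels allowed for a known_not_affected status.
NOT_AFFECTED_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}


def parse_version(v: str) -> tuple:
    """Numeric dotted versions only; enough for this constructed data."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def load_components(sbom_json: str) -> list:
    bom = json.loads(sbom_json)
    return [(c["name"], c["version"], c["purl"]) for c in bom["components"]]


def match_feed(components, feed) -> list:
    """Return (cve, purl) pairs where the SBOM version falls in the affected range."""
    hits = []
    for name, version, purl in components:
        v = parse_version(version)
        for adv in feed:
            if adv.component == name and \
                    parse_version(adv.introduced) <= v < parse_version(adv.fixed):
                hits.append((adv.cve, purl))
    return hits


def build_vex(product_id: str, hits, reachability: dict) -> dict:
    """reachability maps a CVE to None (code path reachable -> affected) or to a
    CSAF justification label (not reachable -> not affected)."""
    vulns = []
    for cve, purl in hits:
        justification = reachability.get(cve)
        if justification is None:
            vulns.append({"cve": cve,
                          "product_status": {"known_affected": [product_id]},
                          "notes": [{"category": "description",
                                     "text": f"affected component: {purl}"}]})
        else:
            if justification not in NOT_AFFECTED_JUSTIFICATIONS:
                raise ValueError(f"unknown justification: {justification}")
            vulns.append({"cve": cve,
                          "product_status": {"known_not_affected": [product_id]},
                          "flags": [{"label": justification,
                                     "product_ids": [product_id]}]})
    return {"document": {"category": "csaf_vex", "csaf_version": "2.0"},
            "vulnerabilities": vulns}


if __name__ == "__main__":
    hits = match_feed(load_components(SBOM_JSON), FEED)
    # Constructed reachability result: the libbaz code path is never executed.
    vex = build_vex("PRODUCT-X-1.0", hits,
                    {"CVE-0000-00003": "vulnerable_code_not_in_execute_path"})
    print(json.dumps(vex, indent=2))
```

The point of the `reachability` input is that it must come from an actual analysis of the product build, recorded alongside the VEX statement; an unjustified `known_not_affected` is what the impact-assessment step above is meant to prevent.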

Frequently asked

What is the difference between vulnerability handling and vulnerability disclosure?

Vulnerability handling (ISO/IEC 30111) refers to the internal organisational processes for receiving, investigating, and fixing vulnerabilities. Vulnerability disclosure (ISO/IEC 29147) refers to the process of communicating vulnerability information to affected parties — researchers, users, regulators, and the public. The CRA requires both: the Annex I Part II process requirements govern handling; the CVD policy requirement and Article 14 notification obligations govern disclosure. A mature programme integrates both.

How long must a manufacturer handle vulnerabilities in a product?

The CRA requires vulnerability handling throughout the product's **support period**, which the manufacturer must define and publish. The support period must be proportionate to the expected use life of the product. There is no EU-mandated universal minimum, but for long-life products (industrial equipment, medical devices), regulators expect multi-year commitments. At end-of-life, the manufacturer must notify users in advance and cease collecting unnecessary personal data.

Can we outsource vulnerability handling to a third party?

Manufacturers can engage managed security service providers or specialist firms to assist with elements of vulnerability handling — monitoring, triage, advisory drafting — but regulatory responsibility remains with the manufacturer. The manufacturer must retain oversight, maintain documented processes, and ensure that any third-party arrangement enables it to meet its CRA timelines (including the 24-hour ENISA notification). Outsourcing without governance creates compliance risk, not compliance cover.