News & Updates

Stay informed on Cyber Resilience Act milestones, regulatory guidelines, and platform updates.

CRA Compliance

Pricing the September 2026 Deadline: A PERT Cost Estimate for SME CRA Compliance

For a typical EU SME manufacturer (20-50 FTE, one product line, no existing CVD programme), the expected cost of meeting the CRA Article 14 reporting deadline on 11 September 2026 is approximately €39,700, with a 90% confidence interval of roughly €33,900-€45,500.

Why PERT for compliance work

Point estimates are dishonest for first-time compliance work. PERT (Program Evaluation and Review Technique) forces structured three-point thinking on each task: optimistic (O), most likely (M), pessimistic (P). The expected value is E = (O + 4M + P) / 6, with standard deviation σ = (P - O) / 6. For the programme total, expected values add; under the usual PERT assumption that the packages are independent, variances add too, so the total σ is the square root of the sum of the squared package σs, and a 90% band is roughly E ± 1.645σ. The result is a defensible mean plus a quantified uncertainty band, reproducible by anyone willing to swap in their own numbers.

What the work actually is

The September 2026 deadline doesn't require a full coordinated vulnerability disclosure programme. It does require enough infrastructure to detect, decide, and report under pressure within 24 hours. The minimum viable scope decomposes into twelve work packages, from scoping through to operational reserve for Q4.

  • Scoping and gap assessment (E = €5,850)
  • CVD policy drafting (E = €4,907)
  • Intake mechanism, PSIRT design, detection capability, templates and runbook
  • CSIRT contact registry, training, tabletop exercise
  • Tooling, external legal review, operational reserve
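As an added worked example (not from the original post or its model), here is the three-point calculation carried through for a constructed set of packages in Python. The package names follow the decomposition above; every O/M/P figure is constructed, the first two chosen so that they reproduce the published expected values of €5,850 and €4,907. The 90% band uses the normal approximation (z = 1.645), the aggregate σ assumes the packages are independent, and the maturity-credit helper is a hypothetical way of modelling the "starting maturity" lever discussed below.

```python
"""PERT three-point estimate for a set of CRA work packages.

Added example, not from the original post. Package names follow the article's
decomposition; all O/M/P figures are constructed (the first two reproduce the
article's published expected values of EUR 5,850 and EUR 4,907).
"""
from __future__ import annotations

from dataclasses import dataclass
from math import sqrt

# Two-sided 90% interval under the normal approximation PERT relies on.
Z_90 = 1.645


@dataclass(frozen=True)
class Task:
    name: str
    optimistic: float    # O: everything goes right
    most_likely: float   # M: modal estimate
    pessimistic: float   # P: reasonable worst case

    def __post_init__(self) -> None:
        if not self.optimistic <= self.most_likely <= self.pessimistic:
            raise ValueError(f"{self.name}: need O <= M <= P")

    @property
    def expected(self) -> float:
        """E = (O + 4M + P) / 6"""
        return (self.optimistic + 4 * self.most_likely + self.pessimistic) / 6

    @property
    def sigma(self) -> float:
        """sigma = (P - O) / 6"""
        return (self.pessimistic - self.optimistic) / 6


# Constructed baseline for a 20-50 FTE SME with no existing CVD programme.
BASELINE = [
    Task("Scoping and gap assessment", 4200, 5700, 8100),          # E = 5850
    Task("CVD policy drafting", 3442, 4800, 6800),                 # E = 4907
    Task("Intake mechanism", 1500, 2400, 4500),
    Task("PSIRT design, templates and runbook", 2400, 3600, 6000),
    Task("CSIRT contact registry and training", 900, 1500, 3000),
    Task("Tabletop exercise", 1200, 1800, 3000),
    Task("Tooling (buy, not build)", 3000, 4200, 6600),
    Task("External legal review", 2000, 3500, 7000),
    Task("Operational reserve (Q4)", 3000, 4800, 9000),
]


def estimate(tasks: list[Task], z: float = Z_90) -> dict[str, float]:
    """Programme-level estimate.

    Expected values add. Variances add only if the packages are independent,
    which is the standard PERT simplification; if packages share a risk (one
    contractor delivering three of them), the real sigma is larger than this.
    """
    mean = sum(t.expected for t in tasks)
    sigma = sqrt(sum(t.sigma ** 2 for t in tasks))
    return {"mean": mean, "sigma": sigma, "low": mean - z * sigma, "high": mean + z * sigma}


def uncertainty_drivers(tasks: list[Task]) -> list[tuple[str, float]]:
    """Packages ranked by their share of total variance: what moves the number."""
    total = sum(t.sigma ** 2 for t in tasks)
    return sorted(((t.name, t.sigma ** 2 / total) for t in tasks), key=lambda x: -x[1])


def with_maturity_credit(tasks: list[Task], credits: dict[str, float]) -> list[Task]:
    """Re-estimate after existing capability removes part of a package.

    credits maps package name -> fraction of the O/M/P triple still needed (0..1).
    Scaling all three points preserves O <= M <= P, so validation still holds.
    """
    return [
        Task(t.name, t.optimistic * f, t.most_likely * f, t.pessimistic * f)
        for t in tasks
        for f in (credits.get(t.name, 1.0),)
    ]


if __name__ == "__main__":
    r = estimate(BASELINE)
    print(f"E = EUR {r['mean']:,.0f}  (90% CI EUR {r['low']:,.0f} - {r['high']:,.0f}, "
          f"sigma {r['sigma']:,.0f})")
    for name, share in uncertainty_drivers(BASELINE)[:3]:
        print(f"  {share:5.1%} of variance: {name}")
    # Maturity credit: an existing ISO 27001 programme covers most of the scoping work.
    mature = with_maturity_credit(BASELINE, {"Scoping and gap assessment": 0.4})
    print(f"with credit: E = EUR {estimate(mature)['mean']:,.0f}")
```

The variance ranking is the useful output: it tells you which packages to re-estimate with better information, which is where the pessimistic figure for the operational reserve or the legal review usually dominates. Treat the band as a floor on uncertainty, not a ceiling, whenever packages share a delivery risk.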

What moves the number

Starting maturity is the biggest lever. Existing triage, SOC 2 or ISO 27001 documentation, and a customer support function able to absorb intake can together cut up to €21k from the baseline. The build-versus-buy decision on tooling is the second biggest. Homegrown audit-trail and notification workflows usually fail under regulatory scrutiny, which is the only time they matter.

The proportionality dividend

Article 47 requires market surveillance authorities to take SME status into account; Recital 120 requires it again when calibrating fines; and microenterprises and small enterprises are exempted entirely from fines for the 24-hour early warning failure. The GDPR enforcement pattern (guidance first, fines later for repeat offenders) is the realistic baseline. An SME that has visibly invested €40k in a credible Article 14 process is in a very different enforcement posture than one that has done nothing.

Read the full PERT model and table on our blog.

Technical Deep Dive

Is the 90-Day Disclosure Window Dead? How AI is Rewriting the Rules of CVD

For over a decade, Coordinated Vulnerability Disclosure (CVD) has relied on the 90-day disclosure window. Security researcher Himanshu Anand argues that LLMs have rendered this framework obsolete by compressing both vulnerability discovery and exploit development to near-zero timelines.

The End of the Exclusive Finder Assumption

After reporting a critical bug, Anand was told he was the eleventh person to report the same issue within six weeks. LLM-assisted bug hunting now drives waves of simultaneous discovery, making quiet embargoes impossible to maintain.

30 Minutes from Patch to Exploit

Anand fed React security patch diffs into an LLM and produced a working Denial of Service PoC within 30 minutes. The n-day gap that once gave defenders days or weeks has collapsed.

The Week Linux Caught Fire

Copy Fail (CVE-2026-31431) was found by automated AI scanning in one hour. Iranian nation-state actors leveraged it within days. Dirty Frag (CVE-2026-43284) had its 5-day embargo broken within hours, with in-the-wild exploitation confirmed before any Linux distribution had a working patch.

What Must Change

  • Monthly patch cycles are an attack window. Every critical issue must be a P0.
  • Embargoes are fragile. Vendors must be prepared for zero-day public drops at any moment.
  • Blue teams must integrate LLMs into CI/CD for real-time code review, dependency scanning, and patch regression testing.

Read the full analysis on our blog.

Industry News

ENISA Head of Vulnerability Services: CVD Is Now a Selling Point, Not a Liability

In a Help Net Security interview, Nuno Rodrigues Carvalho, Head of Sector for Incident and Vulnerability Services at ENISA, addressed the recent CVE funding scare, EU regulatory enforcement, and why vulnerability disclosure is becoming a competitive differentiator for manufacturers.

On the CVE Funding Scare: No Single Point of Failure

A stronger model would preserve the integrity of the shared CVE backbone while distributing responsibilities across trusted actors that can contribute capacity, services, and operational support.

Nuno Rodrigues Carvalho, ENISA

Carvalho confirmed that ENISA is scaling its own vulnerability services capacity — not to fragment the ecosystem, but to strengthen Europe's operational contribution and maintain interoperability with the global CVE backbone. From ENISA's perspective, the agency is ready to contribute to the programme while continuing to build European vulnerability services capacity in parallel.

On CRA Enforcement: SRP Pilot and September 2026

The CRA mandates 24-hour early warnings, 72-hour notifications, and follow-up reports via the Single Reporting Platform (SRP) currently in pilot phase at ENISA. These obligations take effect September 2026 — for products already on the market, not only those released after the legislation.

On NIS2: The Obligation Is on CSIRTs, Not Manufacturers

Carvalho clarified a widely held misconception: under NIS2, the coordinated vulnerability disclosure obligation falls on CSIRTs to receive reports — not on organisations to submit them. The Cyber Resilience Act is the instrument that creates mandatory disclosure obligations for manufacturers.

On Vulnerability Disclosure as a Competitive Advantage

Organisations increasingly recognise that software development nowadays requires an active, positive response to vulnerability reports, which strengthens security and is becoming a strong selling point when handled properly.

Nuno Rodrigues Carvalho, ENISA

CVD Portal provides Article 13 and 14 compliance infrastructure — free to get started.

CRA Compliance

Five Months to September: What CRA Article 14 Compliance Actually Requires

11 September 2026 is when Article 14 reporting obligations become enforceable - for products already on the market. Full CRA conformity isn't until December 2027. The September deadline is the operational one.

What Must Be Operational by September 2026

  • Article 13 VDP - publicly accessible vulnerability disclosure channel
  • Triage process - ability to determine active exploitation within hours
  • 24-hour early warning to the coordinating national CSIRT and ENISA, submitted via the Single Reporting Platform
  • 72-hour vulnerability notification with the technical detail and any mitigation taken
  • Final report no later than 14 days after a corrective or mitigating measure is available (one month after the notification for severe incidents), including the disclosure strategy
  • Full audit trail of all vulnerability handling activity

The SME Gap

Most SMEs selling hardware or software into the EU market have none of this infrastructure. Building it in-house - VDP, structured intake, triage workflow, authority reporting, audit trail - requires months of engineering. For organisations starting from zero today, five months is tight.

The clock does not wait for infrastructure to be built.

CVD Portal provides Article 13 and 14 compliance infrastructure free to get started - branded VDP, CVSS triage, ENISA-aligned reporting, full audit trail.

Read the full breakdown
CRA Compliance

Exploitable vs. Exploited: The Legal Distinction That Defines Your CRA Compliance

Two terms. One letter of difference. Entirely different legal consequences under the Cyber Resilience Act.

The Three-Tier Obligation Framework

  • Tier 1: Assess the risk of every vulnerability - no exceptions at the outset
  • Tier 2: Track known, exploitable vulnerabilities to closure before placing a product on the market
  • Tier 3: Report actively exploited vulnerabilities within 24 hours of awareness

The Critical Distinction

An exploitable vulnerability could theoretically be weaponised - but hasn't been yet. An actively exploited vulnerability is one where an attacker has already succeeded. The first blocks market release. The second triggers mandatory reporting to ENISA and national CSIRTs within 24 hours.

What About Proof-of-Concept Exploit Code?

A published PoC proves exploitation is feasible but doesn't confirm an active campaign. The European Commission has not yet issued definitive guidance on this. Until it does, manufacturers should treat PoC publication as an escalation signal.

September 2026: Already Applies to Products on Market

The reporting obligation takes effect on 11 September 2026 - before full product compliance is required - and covers products already on the market. Once you become aware that any product you manufacture is being actively exploited, the 24-hour clock starts.
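An added example, not from the article or from any product, of how the three tiers and the clocks they start can be encoded so that triage does not depend on someone remembering the rules under pressure. The record fields, product names and sample records are constructed; the deadlines follow the timeline described on this page (24 hours and 72 hours from awareness, final report no later than 14 days after a corrective or mitigating measure is available). Timestamps are required to be timezone-aware because a 24-hour clock is wall-clock time, not a business day.

```python
"""Exploitable vs exploited: classify a vulnerability record and compute the
Article 14 clocks it starts.

Added example; the record fields, sample data and product names are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

# Reporting timeline, measured from the moment the manufacturer becomes aware.
EARLY_WARNING = timedelta(hours=24)
NOTIFICATION = timedelta(hours=72)
FINAL_REPORT_AFTER_FIX = timedelta(days=14)  # counted from fix availability, not awareness


class Tier(Enum):
    ASSESS = 1       # every vulnerability: risk-assess, no exceptions
    EXPLOITABLE = 2  # known exploitable: track to closure before placing on the market
    EXPLOITED = 3    # actively exploited: the reporting clocks are running


@dataclass(frozen=True)
class VulnRecord:
    ident: str
    product: str
    aware_at: datetime                   # when the manufacturer became aware
    exploitation_evidence: bool = False  # telemetry, IR findings, or an "exploited" flag from a feed
    public_poc: bool = False             # PoC published, no evidence of a campaign
    exploitable: bool = False            # reachable and weaponisable in the shipped configuration
    fix_available_at: Optional[datetime] = None

    def __post_init__(self) -> None:
        # Naive timestamps hide the timezone and quietly move a 24-hour deadline by hours.
        for ts in (self.aware_at, self.fix_available_at):
            if ts is not None and ts.tzinfo is None:
                raise ValueError(f"{self.ident}: timestamps must be timezone-aware")


def classify(v: VulnRecord) -> Tier:
    """Evidence of exploitation outranks everything; a PoC alone is exploitable, not exploited."""
    if v.exploitation_evidence:
        return Tier.EXPLOITED
    if v.exploitable or v.public_poc:
        return Tier.EXPLOITABLE
    return Tier.ASSESS


def escalation_signal(v: VulnRecord) -> bool:
    """A published PoC does not start the clock, but it is the point at which the
    team should go looking for exploitation evidence rather than wait for it."""
    return v.public_poc and not v.exploitation_evidence


def reporting_deadlines(v: VulnRecord) -> dict[str, datetime]:
    """Only Tier 3 records carry Article 14 deadlines."""
    if classify(v) is not Tier.EXPLOITED:
        return {}
    due = {
        "early_warning": v.aware_at + EARLY_WARNING,
        "vulnerability_notification": v.aware_at + NOTIFICATION,
    }
    if v.fix_available_at is not None:
        due["final_report"] = v.fix_available_at + FINAL_REPORT_AFTER_FIX
    return due


def overdue(v: VulnRecord, now: datetime, submitted: frozenset[str] = frozenset()) -> list[str]:
    """Deadlines that have passed without the corresponding submission."""
    return [name for name, due in reporting_deadlines(v).items()
            if name not in submitted and now > due]


# Constructed sample records; product names are invented.
T0 = datetime(2026, 9, 14, 9, 30, tzinfo=timezone.utc)
SAMPLE = [
    VulnRecord("VR-0001", "GatewayOS 4.2", T0, exploitation_evidence=True),
    VulnRecord("VR-0002", "GatewayOS 4.2", T0, public_poc=True),
    VulnRecord("VR-0003", "FleetAgent 1.9", T0),
]

if __name__ == "__main__":
    now = T0 + timedelta(hours=25)
    for v in SAMPLE:
        late = overdue(v, now)
        print(v.ident, classify(v).name,
              "ESCALATE" if escalation_signal(v) else "-",
              {k: t.isoformat() for k, t in reporting_deadlines(v).items()},
              "OVERDUE: " + ", ".join(late) if late else "")
```

The point of the `overdue` check is that the early warning is owed whether or not a fix exists; only the final report waits for a corrective measure. Feed it from whatever holds the awareness timestamp (ticket creation, intake acknowledgement) and run it on a schedule, so a missed 24-hour window is something the team finds out about at hour 20, not from the CSIRT.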

Read the full breakdown of the three-tier framework, EUVD monitoring, and reporting timelines.

Industry News

CRA Now Driving 2026 Security Spend: What SMEs Need to Know

The EU Cyber Resilience Act is becoming a primary driver of security investment decisions across Europe.

Board-Level Focus on CRA Compliance

According to Red Hat's 2026 State of Cloud-Native Security Report, 64% of organizations expect the CRA to be a primary influence on their 2026 security investments.

SME Readiness Gaps Widening

At the CRA Europe 2026 conference held in Bucharest, Romania, discussions highlighted a widening gap between regulatory requirements and operational readiness - particularly for small and medium-sized enterprises.

  • Translating requirements into day-to-day workflows
  • Resourcing consistent execution across engineering and governance
  • SBOM generation and maintenance
  • End-of-life product security obligations
  • Incident reporting structures

As reported by Cyprus Mail from the conference:

For many smaller businesses, the challenge lies not in understanding the regulation, but in having the governance structures and engineering capacity to consistently deliver on it.

Columbia Group at CRA Europe 2026

Two Areas to Watch: EOL Devices and Open Source

End-of-Life Devices

Cisco's policy analysis highlights that neither the CRA nor NIS2 directly addresses how to manage devices once their lifecycle expires. With 40% of the top targeted vulnerabilities in 2025 impacting end-of-life devices - often unpatchable - this gap poses significant risks. Cisco advocates for explicit European-level guidance on managing obsolete devices.

Open Source Liability

The CRA deliberately keeps free and open-source software that is not supplied in the course of a commercial activity outside its manufacturer obligations, to avoid chilling effects on the ecosystem. That exclusion does not travel with the code. A manufacturer who commercialises a product built on open-source components bears the full obligation for it: generating and maintaining the SBOM, tracking vulnerabilities in those components, and being transparent about the security practices around them.

How CVD Portal Can Help

CVD Portal helps SME manufacturers meet CRA Article 13 requirements with a free vulnerability disclosure portal that includes:

  • Branded security contact at yourcompany.cvdportal.com
  • Automated 48-hour acknowledgment tracking
  • Full audit trail for compliance documentation
  • ENISA-aligned reporting when needed

Get started free - no credit card required.


Preparing for the Cyber Resilience Act: Mandatory Vulnerability Reporting Commences in September 2026

As the European Union continues to strengthen its digital market, stakeholders are reminded that the first critical compliance milestone of the Cyber Resilience Act (CRA) is approaching. Effective 11 September 2026, manufacturers of products with digital elements (PDEs) will be legally obligated to report actively exploited vulnerabilities, and severe incidents having an impact on the security of their products, to ENISA and to the national Computer Security Incident Response Team (CSIRT) designated as coordinator.

To ensure a high level of cybersecurity across the Union, manufacturers must establish robust internal mechanisms to detect, assess, and report these vulnerabilities within the stringent regulatory timeframes. Industry actors are encouraged to utilize this transitional period to align their operational capabilities with the forthcoming legal obligations.

European Commission Issues Draft Guidance on CRA Implementation for Products with Digital Elements

In support of the implementation of the Cyber Resilience Act (Regulation (EU) 2024/2847), the European Commission has published draft guidelines clarifying the categorisation and compliance expectations for products with digital elements (PDEs).

This documentation provides essential operational clarity on vulnerability handling requirements, risk assessment methodologies, and the delineation of product classes. The Commission has opened a public consultation period, inviting feedback from manufacturers, cybersecurity researchers, and standardisation bodies until 31 March 2026. Stakeholders are highly encouraged to participate to ensure the guidelines remain practical and effective.

ENISA Initiates Pilot Testing Phase for the Single Reporting Platform (SRP)

The European Union Agency for Cybersecurity (ENISA) announces the commencement of the pilot testing phase for the Single Reporting Platform (SRP). Mandated by the CRA, the SRP will serve as the centralized infrastructure for manufacturers to submit early warnings and incident notifications regarding actively exploited vulnerabilities and severe security incidents.

The testing phase aims to evaluate the platform's scalability, security, and interoperability with national CSIRT networks. ENISA invites selected manufacturers and vulnerability disclosure platforms to participate in the pilot, ensuring the SRP is fully optimized and operational prior to the enforcement of reporting obligations in September 2026.

Coordinated Vulnerability Disclosure (CVD) Transitions from Best Practice to Legal Obligation Under the CRA

Under Article 13 of the Cyber Resilience Act, read together with the vulnerability handling requirements in Annex I, Part II, the implementation of a Coordinated Vulnerability Disclosure (CVD) policy is no longer an optional best practice but a legal requirement for all manufacturers of PDEs.

To foster a collaborative security ecosystem, manufacturers must provide a publicly accessible, secure, and clear channel, such as a dedicated CVD portal, allowing independent security researchers to report potential vulnerabilities. Organisations must systematically process these reports, coordinate mitigation strategies, and ensure timely remediation. The formalisation of CVD represents a cornerstone of the Union's proactive approach to cyber resilience.

Clarifying the Role of Open Source Stewards within the CRA Framework

The European Commission, in consultation with cybersecurity authorities, has released updated clarifications regarding the regulatory treatment of free and open-source software (FOSS) under the CRA.

The framework explicitly differentiates between commercial manufacturers and "Open Source Stewards", the non-profit foundations or other legal persons providing sustained support for open-source projects intended for commercial use. To avoid stifling digital innovation while ensuring ecosystem security, Open Source Stewards are subject to a tailored, light-touch regime: they must put in place a cybersecurity policy for the projects they support, cooperate with market surveillance authorities, and report actively exploited vulnerabilities they become aware of to the extent they are involved in the development of the product concerned, without bearing the conformity assessment burden placed on commercial manufacturers.

Enhancing Incident Response: Navigating the 24- and 72-Hour Notification Thresholds

As part of the CRA's incident reporting framework, manufacturers must adapt their security operations to meet strict notification timelines. Upon becoming aware of an actively exploited vulnerability in one of their products, or of a severe incident having an impact on the security of the product, they are legally bound to submit an "early warning" within 24 hours.

A vulnerability notification (or incident notification) detailing the technical scope and any mitigation measures taken or proposed must follow within 72 hours of awareness, and a final report is due no later than 14 days after a corrective or mitigating measure is available (one month after the notification, in the case of incidents). ENISA strongly advises organisations to integrate these timeframes into their incident response playbooks and automate their triaging processes to ensure seamless compliance and minimise the window of exposure for European consumers.

Advancing Presumption of Conformity: Update on Harmonised Standards by CEN and CENELEC

The European standardisation organisations, CEN and CENELEC, report significant progress in drafting the harmonised standards requested by the European Commission for the Cyber Resilience Act.

These standards will provide the technical specifications necessary for manufacturers to meet the essential cybersecurity requirements outlined in the legislation. Adherence to these harmonised standards will grant manufacturers a "presumption of conformity," streamlining the process of obtaining the CE mark. ENISA continues to support CEN and CENELEC in ensuring these standards reflect state-of-the-art security practices, particularly in cryptography, software updates, and vulnerability management.

Operational Readiness for Notified Bodies Commences June 2026

Effective 11 June 2026, the legal framework governing "Notified Bodies" under the CRA will officially commence. These independent, third-party conformity assessment bodies will play a vital role in auditing and certifying "important" and "critical" products with digital elements before they enter the EU market, wherever the CRA requires third-party assessment rather than manufacturer self-assessment.

Given the anticipated high volume of certification requests, ENISA urges Member States to expedite the accreditation of national Notified Bodies. Manufacturers of highly critical products are advised to begin their conformity assessment preparations immediately to avoid supply chain bottlenecks during the transition period leading up to full CRA applicability in December 2027.

Assessing the Impact of CRA Reporting Obligations on Legacy Products

Manufacturers are reminded that the CRA's vulnerability reporting obligations, taking effect in September 2026, apply to all products with digital elements currently active on the Union market, not merely new products introduced after the legislation's entry into force.

If a vulnerability is actively exploited in a legacy product that remains in its support lifecycle after the September 2026 deadline, the manufacturer is legally required to report it via the Single Reporting Platform. ENISA recommends that organizations conduct comprehensive audits of their active product portfolios and update their end-of-life (EOL) and vulnerability disclosure policies accordingly.

Fostering a Unified Cybersecurity Ecosystem: Integrating the EUVD and the CRA Single Reporting Platform

In alignment with the NIS2 Directive and the Cyber Resilience Act, ENISA is currently advancing the integration of the European Vulnerability Database (EUVD) with the newly established CRA Single Reporting Platform (SRP).

This strategic integration will eliminate fragmented reporting silos, allowing vulnerability intelligence to flow securely between manufacturers, national CSIRTs, and European regulatory bodies. By creating a unified ecosystem for vulnerability disclosure and threat intelligence, the Union aims to drastically reduce response times to critical zero-day vulnerabilities and enhance the collective situational awareness of the European digital single market.