CRA Compliance

Five Cyber Agencies Publish Joint CVD Guidance, and It Reads Like a CRA Checklist

On 15 July 2026, CISA, the NSA, Japan's JPCERT/CC, the Netherlands' NCSC-NL, and the UK's NCSC published Establishing a Coordinated Vulnerability Disclosure Program to Work With Security Researchers, a joint guide marked TLP:CLEAR.

Why it matters for EU manufacturers

The guide states that the EU Cyber Resilience Act requires all suppliers operating in the European Union to maintain vulnerability disclosure policies. Its recommendations, a published policy with safe harbor wording, a security.txt file, anonymous reporting, defined acknowledgment windows, CVE assignment, and machine-readable CSAF advisories, map closely onto Article 13(8) and Annex I Part II of the CRA.

Researcher recognition

Among the recommendations is one most manufacturers overlook. An ideal vulnerability publication should include recognition of the researcher, if the researcher grants permission. CRA Portal shipped structured researcher acknowledgments this week, with an explicit consent flag, on the public advisory page and in the CSAF export.

Read the full mapping of the guide to CRA obligations.

Read More