Coordinated Vulnerability Disclosure (CVD) Transitions from Best Practice to Legal Obligation Under the CRA

Under Article 10 of the Cyber Resilience Act, the implementation of a Coordinated Vulnerability Disclosure (CVD) policy is no longer an optional best practice but a strict legal requirement for all manufacturers of products with digital elements (PDEs).

To foster a collaborative security ecosystem, manufacturers must provide a publicly accessible, secure, and clear channel, such as dedicated CVD portals, allowing independent security researchers to report potential vulnerabilities. Organizations must systematically process these reports, coordinate mitigation strategies, and ensure timely remediation. The formalization of CVD represents a cornerstone of the Union’s proactive approach to cyber resilience.