Pricing

Free for Article 14 reporting. Upgrade for full CRA CVD compliance.

Deadline 1: Free Tier

September 11, 2026

Article 14 reporting obligations take effect. Manufacturers must report actively exploited vulnerabilities and severe security incidents to ENISA within 24h / 72h / 14 days.

Applies to all products on the market, including legacy
Deadline 2: Pro Tier

December 11, 2027

Full CRA CVD compliance. All 26 vulnerability handling articles enforced: SBOM, security testing, remediation tracking, advisories, post-release monitoring.

Applies to all new products placed on the EU market

Free

Sept 2026
€0/ forever

Free forever — covers CRA Article 14 reporting requirements mandatory from September 2026

Art. 14 Reporting
  • Public vulnerability submission portal
  • Submission tracking with unique IDs
  • 48h acknowledgment SLA tracking
  • CVD policy (auto-published)
  • Art. 14 notification workflow (24h / 72h / 14d)
  • Actively exploited vulnerability flagging
  • Severe security incident tracking
  • Report type classification (vulnerability / incident / both)
  • PGP encrypted communication
  • Compliance audit trail
  • 1 team member

Includes 14-day Pro trial

Full CRA CVD Compliance

Pro

€99/month

Full CRA CVD compliance — all 26 vulnerability handling articles

Everything in Free, plus
  • SBOM registry (SPDX / CycloneDX)
  • Hardware component registry
  • CVSS 3.1 / 4.0 severity scoring
  • Remediation decision & timeline tracking
  • CSAF 2.0 machine-readable advisory export
  • NVD / EUVD threat intelligence feeds
  • Monitoring source configuration
  • Security test & review scheduling
  • CRA-CVD obligation matrix (26 articles, 80 artifacts)
  • 8 auto-drafted policy documents
  • Compliance analytics dashboard
  • Coordinator assignment workflow
  • Post-release action tracking
  • Up to 10 team members
  • API access
  • Priority support

14-day free trial · No credit card required

Enterprise

€499/month

Automated compliance at scale with dedicated support

Everything in Pro, plus
  • Trust portal: cvd.yourdomain.com
  • Automated SBOM ↔ CVE supply chain alerts
  • ENISA SRP integration (automated Art. 14 submission)
  • EUDI Wallet identity verification (eIDAS 2.0)
  • CVE ID assistance
  • SSO / SAML integration
  • Unlimited team members
  • Custom branding & whitelabel
  • Audit-ready compliance reports
  • Dedicated account manager
  • 99.9% uptime SLA

Features evolve with EU regulatory requirements (CRA, NIS2, eIDAS 2.0). Feature availability may change as legislation is clarified or updated by the European Commission.

What Becomes Mandatory on September 11, 2026

Article 14, CRA Regulation (EU) 2024/2847: mandatory vulnerability & incident reporting via ENISA's Single Reporting Platform. Applies to all products on the market, including legacy.

Actively Exploited Vulnerabilities
Art. 14(2)
24 hours
Early warning
Awareness of active exploitation
FREE
72 hours
Full notification
Exploit details + corrective measures
FREE
14 days
Final report
After corrective measure available
FREE
Severe Security Incidents
Art. 14(4)
24 hours
Early warning
Awareness of severe incident
FREE
72 hours
Incident notification
Incident details + impact assessment
FREE
1 month
Final report
After incident notification
FREE
Triggers mandatory reporting
  • !Reliable evidence of malicious exploitation in the wild
  • !Severe incident impacting security of a product with digital elements
  • !Zero-day vulnerabilities under active attack
Does not trigger mandatory reporting
  • Good-faith security research with no evidence of malicious exploitation
  • Vulnerabilities discovered but not yet exploited
  • Voluntary reports under Article 15 (still recommended)

Feature Comparison

Free covers the September 2026 deadline. Pro covers the full CRA CVD requirements by December 2027.

CapabilityFreeProEnterprise
Article 14: Sept 2026
Public submission portal with tracking IDs
48h acknowledgment SLA tracking
CVD policy (auto-published)
Art. 14 notification timeline (24h / 72h / 14d)
Actively exploited vulnerability flagging
Severe security incident tracking
Report type classification
PGP encrypted communication
Compliance audit trail
Full CRA CVD: Dec 2027
SBOM registry (SPDX / CycloneDX)
Hardware component registry
CVSS 3.1 / 4.0 severity scoring
Remediation decision & timeline tracking
CSAF 2.0 advisory export
NVD / EUVD threat intelligence feeds
Monitoring source configuration
Security test & review scheduling
CRA-CVD obligation matrix (26 articles)
8 auto-drafted policy documents
Compliance analytics dashboard
Coordinator assignment workflow
Post-release action tracking
Enterprise Scale
API access
Custom branding & whitelabel
ENISA SRP automated submission
EUDI Wallet identity verification (eIDAS 2.0)
CVE ID assistance
SSO / SAML integration
Audit-ready compliance reports
Dedicated account manager
Team members110Unlimited

Frequently Asked Questions

What exactly must I comply with by September 11, 2026?

Article 14 of the CRA mandates that manufacturers report actively exploited vulnerabilities and severe security incidents via ENISA's Single Reporting Platform. You must submit an early warning within 24 hours, a full notification within 72 hours, and a final report within 14 days (vulnerabilities) or 1 month (incidents). This applies to all products on the market, including legacy products still within their support lifecycle. The Free tier covers everything you need.

Why is the Free tier enough for September 2026?

The September 2026 deadline only enforces Article 14 reporting obligations, not the full CVD requirements. You need a way to receive vulnerability reports, track actively exploited vulnerabilities, and meet the 24h/72h/14d notification timelines. The Free tier provides exactly this: a public submission portal, Art. 14 notification workflow, SLA tracking, secure communication, and an audit trail that proves you met every deadline.

When do I need the Pro tier?

The full CRA CVD requirements take effect on December 11, 2027. By that date, you'll need complete vulnerability handling: SBOM management, security testing, remediation tracking, CSAF advisories, and documented compliance across all 26 articles. We recommend upgrading to Pro 6-12 months before the deadline to build your compliance posture incrementally.

Does Article 14 apply to products already on the market?

Yes. Reporting obligations apply to all products with digital elements falling within the CRA scope, including products placed on the market before December 11, 2027. If your product is still on the market and within its support lifecycle, you must report actively exploited vulnerabilities from September 11, 2026.

What payment methods do you accept?

We accept all major credit cards. Enterprise customers can pay by invoice. You can upgrade, downgrade, or cancel at any time.