Pricing
Free to receive and track vulnerability reports. Article 14 filing and full CRA CVD compliance on Pro.
September 11, 2026
Article 14 reporting obligations take effect. Manufacturers must report actively exploited vulnerabilities and severe security incidents to ENISA within 24h / 72h / 14 days.
December 11, 2027
Full CRA CVD compliance. All 26 vulnerability handling articles enforced: SBOM, security testing, remediation tracking, advisories, post-release monitoring.
Free
Free forever. Receive and track vulnerability reports with a public portal, SLA tracking and an audit trail.
- Public vulnerability submission portal
- Submission tracking with unique IDs
- 48h acknowledgment SLA tracking
- CVD policy (auto-published)
- Actively exploited vulnerability flagging
- Severe security incident tracking
- Report type classification (vulnerability / incident / both)
- PGP encrypted communication
- Compliance audit trail
- 1 team member
Includes 14-day Pro trial
Pro
Billed annually as €1,188
Article 14 filing plus full CRA CVD compliance across all 26 vulnerability handling articles
- SRP-ready submission package
- Art. 14 notification workflow (24h / 72h / 14d)
- SBOM registry (SPDX / CycloneDX)
- Hardware component registry
- CVSS 3.1 / 4.0 severity scoring
- Remediation decision & timeline tracking
- CSAF 2.0 machine-readable advisory export
- NVD / EUVD threat intelligence feeds
- Monitoring source configuration
- Security test & review scheduling
- CRA-CVD obligation matrix (26 articles, 80 artifacts)
- 8 auto-drafted policy documents
- Compliance analytics dashboard
- Coordinator assignment workflow
- Post-release action tracking
- Up to 3 team members
- Priority support
ENISA provides no submission API at this stage. CVD Portal produces an SRP-ready package for one-step manual submission, and automated filing follows once ENISA publishes an API.
14-day free trial · No credit card required
Enterprise
Billed annually as €5,988
Automated compliance at scale with dedicated support
- Trust portal: cvd.yourdomain.com
- Automated SBOM ↔ CVE supply chain alerts
- EUDI Wallet identity verification (eIDAS 2.0)
- Slack, Teams & Discord notifications + custom webhooks
- CVE ID assistance
- API access
- SSO / SAML integration
- Up to 10 team members
- Custom branding & whitelabel
- Audit-ready compliance reports
- Dedicated account manager
- 99.9% uptime SLA
Features evolve with EU regulatory requirements (CRA, NIS2, eIDAS 2.0). Feature availability may change as legislation is clarified or updated by the European Commission.
What Becomes Mandatory on September 11, 2026
Article 14, CRA Regulation (EU) 2024/2847: mandatory vulnerability and incident reporting via ENISA's Single Reporting Platform. Applies to products with digital elements in CRA scope. Receiving and tracking reports is free, and the SRP-ready filing package is on Pro.
- !Reliable evidence of malicious exploitation in the wild
- !Severe incident impacting security of a product with digital elements
- !Zero-day vulnerabilities under active attack
- Good-faith security research with no evidence of malicious exploitation
- Vulnerabilities discovered but not yet exploited
- Voluntary reports under Article 15 (still recommended)
Feature Comparison
Free receives and tracks reports. Pro adds Article 14 filing and the full CRA CVD requirements by December 2027.
| Capability | Free | Pro | Enterprise |
|---|---|---|---|
| Article 14: Sept 2026 | |||
| Public submission portal with tracking IDs | |||
| 48h acknowledgment SLA tracking | |||
| CVD policy (auto-published) | |||
| Actively exploited vulnerability flagging | |||
| Severe security incident tracking | |||
| Report type classification | |||
| PGP encrypted communication | |||
| Compliance audit trail | |||
| Art. 14 notification timeline (24h / 72h / 14d) | — | ||
| SRP-ready submission package | — | ||
| Full CRA CVD: Dec 2027 | |||
| SBOM registry (SPDX / CycloneDX) | — | ||
| Hardware component registry | — | ||
| CVSS 3.1 / 4.0 severity scoring | — | ||
| Remediation decision & timeline tracking | — | ||
| CSAF 2.0 advisory export | — | ||
| NVD / EUVD threat intelligence feeds | — | ||
| Monitoring source configuration | — | ||
| Security test & review scheduling | — | ||
| CRA-CVD obligation matrix (26 articles) | — | ||
| 8 auto-drafted policy documents | — | ||
| Compliance analytics dashboard | — | ||
| Coordinator assignment workflow | — | ||
| Post-release action tracking | — | ||
| Enterprise Scale | |||
| API access | — | — | |
| Custom branding & whitelabel | — | — | |
| EUDI Wallet identity verification (eIDAS 2.0) | — | — | |
| Slack, Teams & Discord notifications | — | — | |
| Custom webhook integrations | — | — | |
| CVE ID assistance | — | — | |
| SSO / SAML integration | — | — | |
| Audit-ready compliance reports | — | — | |
| Dedicated account manager | — | — | |
| Team members | 1 | 3 | 10 |
The SRP-ready submission package produces a ready-to-file Article 14 notification for one-step manual submission. ENISA provides no submission API at this stage, so automated filing follows once ENISA publishes an API.
Frequently Asked Questions
What exactly must I comply with by September 11, 2026?
Article 14 of the CRA mandates that manufacturers report actively exploited vulnerabilities and severe security incidents via ENISA's Single Reporting Platform. You must submit an early warning within 24 hours, a full notification within 72 hours, and a final report within 14 days (vulnerabilities) or 1 month (incidents). This applies to products with digital elements in CRA scope, including ones still within their support lifecycle. The Free tier receives and tracks the reports behind these obligations, and the SRP-ready filing package is on Pro.
What does the Free tier cover?
The Free tier receives and tracks vulnerability reports. It gives you a public submission portal, submission tracking, acknowledgment SLA tracking, secure communication, and an audit trail. When you need to file under Article 14, Pro adds the SRP-ready submission package for the 24h, 72h and final notifications.
When do I need the Pro tier?
Pro is where Article 14 filing happens. It adds the SRP-ready submission package for the 24h, 72h and final notifications, alongside the full CRA vulnerability handling that takes effect on December 11, 2027, covering SBOM management, security testing, remediation tracking and CSAF advisories. We recommend upgrading to Pro well before you need to file.
Does Article 14 apply to products already on the market?
Yes. Reporting obligations apply to all products with digital elements falling within the CRA scope, including products placed on the market before December 11, 2027. If your product is still on the market and within its support lifecycle, you must report actively exploited vulnerabilities from September 11, 2026.
Why is Free really free?
CVD Portal is free for receiving and tracking vulnerability reports because we want to be the disclosure layer for thousands of EU manufacturers. We make money when companies upgrade to file under Article 14 and run the full CRA workflow, with the SRP-ready submission package, SBOM management, security testing and CSAF advisories. That is the entire model. We do not sell data, run ads, or harvest vulnerability reports.
Who owns the report data?
You do. You own every report your portal receives. Full export in CSV and JSON is available on every plan, including Free, so you can take your data with you at any time.
What happens if I cancel?
Your portal stays read-only and your export stays available. You keep access to your submission history and audit trail, and you can download everything before you go.
Can I file under Article 14 on the Free tier?
The Free tier receives and tracks reports with the submission portal, SLA tracking and an audit trail. Filing under Article 14 is on Pro, which adds the SRP-ready submission package for the 24h, 72h and final notifications plus the full CRA vulnerability handling for the December 2027 deadline.
What payment methods do you accept?
We accept all major credit cards. Enterprise customers can pay by invoice. You can upgrade, downgrade, or cancel at any time.