EU Cyber Resilience Act — Guide for Chief Information Security Officer (CISO)

The CISO holds operational accountability for the two most time-sensitive obligations in the CRA: coordinated vulnerability disclosure and Article 14 incident notification. When a vulnerability is discovered in a product — whether by internal testing, an external researcher, or active exploitation in the wild — the clock starts immediately. The CISO must ensure the organisation can triage, assess severity, and if necessary notify ENISA within 24 hours of learning of active exploitation. These are not aspirational standards; they are hard legal deadlines. CISOs who have not rehearsed this process before an incident will struggle to meet the obligation under pressure.

The CISO's daily CRA workload centres on three areas. CVD programme operations: maintaining a published security.txt file and vulnerability intake channel, triaging incoming researcher reports, and managing disclosure timelines. Vulnerability monitoring: continuously monitoring NVD, vendor advisories, and threat intelligence feeds for CVEs affecting components on your product SBOMs. When a match is found, the CISO must initiate the internal severity assessment and coordinate the patch response with engineering. Security testing governance: ensuring your penetration testing, fuzzing, and code review programmes are documented and produce evidence suitable for inclusion in the Annex IV technical file. Testing evidence must be retained throughout the product's support period.

Effective CRA security operations require close coordination across functions. With Engineering/CTO: the CISO needs direct authority to escalate patch priority and must be embedded in SBOM governance to ensure vulnerability monitoring has accurate component data. With Legal Counsel: the CISO and Legal must agree in advance on the decision criteria for triggering an Article 14 notification — waiting for legal review during the 24-hour window is too slow. Pre-agreed thresholds and a notification template should be signed off before any incident occurs. With Procurement: the CISO should define the minimum security requirements suppliers must meet and review their CVD policies as part of supplier onboarding.

The most critical trap is confusing the 24-hour early warning with the full notification. Article 14 requires a two-stage process: an early warning within 24 hours of becoming aware of an actively exploited vulnerability, followed by a complete notification within 72 hours. Many CISOs focus only on the 72-hour deadline and miss the early warning obligation entirely. A second trap is maintaining a CVD policy that is never tested — a published security.txt and an intake email are not a CVD programme unless they are regularly exercised. A third trap is scoping your security testing narrowly: Annex I requires security testing across the product's expected attack surface, not just a network penetration test.

Use this checklist to establish your CRA security operations baseline:

1. Publish a security.txt file at the standard path for all product domains and your corporate site
2. Draft and publish a CVD policy covering intake, triage SLAs, researcher acknowledgement, and disclosure timelines
3. Map your SBOM inventory — confirm you receive SBOM data from all product engineering teams and can perform automated CVE matching
4. Pre-draft your Article 14 notification template and agree trigger criteria with Legal Counsel in advance
5. Run a tabletop exercise simulating an actively exploited product vulnerability — can you execute the 24-hour early warning?
6. Review your penetration testing programme for Annex I coverage gaps