EU Cyber Resilience Act — Guide for PSIRT Manager

The Cyber Resilience Act elevates coordinated vulnerability disclosure from a voluntary best practice to a legal obligation. Article 14 requires manufacturers to have a CVD policy in place, to accept vulnerability reports from third-party researchers, and to report actively exploited vulnerabilities to public authorities within defined timelines. The PSIRT is the organisational unit responsible for making this work in practice. Unlike traditional security teams whose work is largely internal, the CRA-era PSIRT operates at the intersection of engineering, legal, regulatory, and public communications — managing inbound reports, coordinating remediation, satisfying reporting obligations, and publishing advisories that give downstream users actionable information.

Annex I Part II requires manufacturers to handle vulnerabilities in accordance with a documented CVD policy. The policy must specify how researchers can submit reports, what information is required, how the manufacturer will acknowledge receipt, and the expected timeline from report to disclosure. The security.txt standard (RFC 9116) provides a machine-readable way to publish this contact information at a discoverable URL (/.well-known/security.txt). The CVD policy should also address disclosure timelines — ENISA's guidance suggests 90 days as a reasonable default before coordinated disclosure — and the circumstances under which the manufacturer will deviate from that timeline. Records of all inbound reports, triage decisions, and resolution timelines must be retained for potential review by market surveillance authorities.

Article 14 establishes a tiered notification regime for actively exploited vulnerabilities. Within 24 hours of becoming aware that a vulnerability in their product is being actively exploited, the manufacturer must submit an early warning to ENISA's single reporting platform and the relevant national CSIRT. This early warning must include basic product identification and a description of the vulnerability and exploitation activity. Within 72 hours, a detailed notification must be submitted covering the vulnerability's technical nature, its severity, affected product versions, and any interim mitigations available. Within 14 days of the initial notification, a final report must be submitted that includes remediation status — whether a patch has been issued, a timeline for one if not, and any residual risk. PSIRT managers must ensure their internal escalation and approval processes can operate within these compressed timelines.

The Common Security Advisory Framework (CSAF) is a machine-readable JSON format for publishing security advisories. ENISA and the European Commission have signalled that CSAF will be the expected format for CRA-related disclosures. A CSAF advisory contains structured information about affected products (using CPE identifiers), vulnerability identifiers (CVE numbers), CVSS scores, remediation instructions, and VEX (Vulnerability Exploitability eXchange) statements that allow downstream integrators to understand whether a specific component configuration is actually affected. PSIRT managers should invest in CSAF tooling during the CRA transitional period. Producing CSAF advisories consistently also benefits enterprise customers who are themselves subject to the NIS2 Directive and need machine-readable supplier security information to meet their own obligations.

Audit whether the organisation has a published CVD policy and a working security contact. If not, publish a security.txt file referencing a monitored disclosure inbox, and draft a CVD policy document. Map the internal escalation path for Article 14 notifications: who assesses active exploitation, who approves the submission, and who holds the credentials for ENISA's reporting platform. Create a notification template for each of the three Article 14 deadlines so that submissions can be prepared quickly under pressure. Establish a CSAF template for standard advisory types. Run a tabletop exercise simulating an actively exploited vulnerability to validate that the process works within the 24-hour early warning window. Use CVD Portal's Article 14 timeline tool to track submission deadlines during live incidents.