CVD Policy Template for Contract Manufacturers
A CVD policy template for contract manufacturers (Electronics Manufacturing Services / EMS companies and Original Design Manufacturers / ODMs) that build products on behalf of brand owners. It addresses how to manage vulnerability disclosures for products you manufacture but do not own or sell under your own name, including coordination with brand owners and their CRA compliance obligations.
Policy Statement
CRA references: Article 13(1), Article 13(4)
[COMPANY NAME] is a contract manufacturer that produces electronic products and connected devices on behalf of brand owner customers (our 'principals'). We may operate as an Electronics Manufacturing Services (EMS) provider, an Original Design Manufacturer (ODM), or both.
This Coordinated Vulnerability Disclosure (CVD) policy governs how [COMPANY NAME] handles security vulnerability reports that relate to:
- Products we design and manufacture under our own reference designs (ODM products)
- Manufacturing process vulnerabilities that could affect the integrity of products we build for brand owners
- Component or supply chain vulnerabilities identified during our quality and security processes
For products manufactured to a brand owner's design specification, security vulnerability handling is primarily the brand owner's responsibility. [COMPANY NAME] will coordinate with brand owners as required under our contractual obligations and the CRA Article 13(4) supply chain requirements.
Contract manufacturers occupy a unique CRA position - they may bear responsibility for ODM products they designed but limited responsibility for EMS products built to a brand owner's specification. This distinction must be made explicit in the policy. Both roles carry supply chain security obligations.
Scope - ODM Products vs EMS Manufacturing
CRA references: Article 13(4)
ODM Products (our designs)
The following products are [COMPANY NAME] original designs, sold to brand owners who may rebrand and place them on the EU market. [COMPANY NAME] bears primary responsibility for vulnerability disclosure for these designs:
- Reference design [NAME/SKU] (hardware revision [X], firmware [X.X] and later)
- Reference design [NAME/SKU] (hardware revision [X], firmware [X.X] and later)
EMS Manufacturing (brand owner designs)
For products we manufacture to a brand owner's specification, the brand owner bears primary CVD responsibility. [COMPANY NAME]'s obligations are limited to:
- Reporting manufacturing process vulnerabilities that could compromise product integrity
- Coordinating on component-level supply chain vulnerabilities identified during production
- Providing manufacturing-related information to brand owners upon request for their CVD processes
Manufacturing process scope:
- Firmware flashing and provisioning processes
- Cryptographic key injection and certificate management during manufacturing
- Supply chain and component authenticity verification
The ODM vs EMS distinction is legally significant. For ODM products (your designs), you are functionally equivalent to a manufacturer under the CRA. For EMS work (someone else's design), your responsibility is narrower but still real - particularly around manufacturing process integrity and supply chain security.
How to Report a Vulnerability
CRA references: Article 13(1)
For vulnerabilities in [COMPANY NAME] ODM designs:
- Portal: [VULNERABILITY DISCLOSURE PORTAL URL]
- Email: [SECURITY EMAIL ADDRESS]
- PGP key: Fingerprint [FINGERPRINT], available at [PGP KEY URL]
Please include:
- Reference design name/SKU and hardware/firmware version
- Brand owner product name (if known - helps identify affected deployments)
- Description of the vulnerability, exploitation conditions, and potential impact
- Proof of concept and reproduction steps
For vulnerabilities that may be manufacturing process related (e.g. compromised firmware during production, key injection issues):
- Email: [MANUFACTURING SECURITY EMAIL ADDRESS]
Brand owner customers: For issues relating to products under your brand, please contact us via our customer security portal at [CUSTOMER PORTAL URL] or your account manager with subject line 'SECURITY ESCALATION'.
Contract manufacturers serve multiple principals. A separate channel for manufacturing process reports (vs. ODM design reports) helps route issues to the right team. Brand owners need a fast escalation path given their own compliance obligations.
ODM Vulnerability Response Process
CRA references: Article 13
For vulnerabilities in [COMPANY NAME] ODM reference designs:

| Milestone | Target |
|---|---|
| Acknowledgment | Within 48 hours |
| Initial triage and severity assessment | Within 5 business days |
| Brand owner notification | Within 10 business days of confirmation |
| Fixed design / firmware availability | Per severity SLA below |
| Public advisory | After brand owner notification period |
Brand owner notification: When a vulnerability is confirmed in an ODM design, [COMPANY NAME] will notify all brand owners with active licences to that reference design. We will provide:
- Technical vulnerability details and CVSS score
- Fixed firmware or design update
- Template advisory language
- A [30]-day coordination window before public advisory publication
Severity SLAs (time to fixed firmware/design):

| Severity | CVSS Range | SLA |
|---|---|---|
| Critical | 9.0–10.0 | 14 days |
| High | 7.0–8.9 | 45 days |
| Medium | 4.0–6.9 | 90 days |
| Low | 0.1–3.9 | Next design cycle |
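The milestones and severity SLAs above can be turned into a deadline calculator that a triage team runs when a report is confirmed. The following is an added example written for this page, not part of the template or of any CVD Portal feature. It assumes business days are Monday to Friday without public holidays, that the [30]-day coordination window is counted from the brand owner notification deadline, and that CVSS scores are given to one decimal place as in the table.

```python
"""Deadline calculator for the ODM response milestones tabulated in the policy.

Added example, not part of the template. Assumptions: acknowledgment within
48 hours of receipt, triage within 5 business days of receipt, brand owner
notification within 10 business days of confirmation, fix per severity SLA
(calendar days from confirmation), and a 30-day coordination window counted
from the notification deadline before any public advisory.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional, Tuple

# Severity bands from the policy's SLA table. SLA is calendar days to a fixed
# firmware/design; None means "next design cycle".
SEVERITY_SLA = (
    ("Critical", 9.0, 10.0, 14),
    ("High", 7.0, 8.9, 45),
    ("Medium", 4.0, 6.9, 90),
    ("Low", 0.1, 3.9, None),
)

ACK_HOURS = 48
TRIAGE_BUSINESS_DAYS = 5
NOTIFY_BUSINESS_DAYS = 10
COORDINATION_WINDOW_DAYS = 30  # the [30]-day window in the template (assumed value)


def severity_for(cvss: float) -> Tuple[str, Optional[int]]:
    """Map a CVSS base score (one decimal) to (severity, sla_days).
    Scores outside 0.1-10.0 (e.g. 0.0 / informational) are rejected explicitly
    rather than silently treated as Low."""
    score = round(float(cvss), 1)
    for name, lo, hi, sla in SEVERITY_SLA:
        if lo <= score <= hi:
            return name, sla
    raise ValueError(f"CVSS {cvss} is outside the 0.1-10.0 bands in the SLA table")


def add_business_days(start: date, days: int) -> date:
    """Advance by N business days (Mon-Fri). Public holidays are out of scope here."""
    d = start
    while days > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days -= 1
    return d


@dataclass
class Timeline:
    severity: str
    ack_by: datetime
    triage_by: date
    brand_owner_notify_by: date
    fix_by: Optional[date]            # None: next design cycle (Low)
    public_advisory_not_before: date


def plan(received: datetime, confirmed: date, cvss: float) -> Timeline:
    """Compute every milestone deadline for one confirmed report."""
    severity, sla = severity_for(cvss)
    notify_by = add_business_days(confirmed, NOTIFY_BUSINESS_DAYS)
    return Timeline(
        severity=severity,
        ack_by=received + timedelta(hours=ACK_HOURS),
        triage_by=add_business_days(received.date(), TRIAGE_BUSINESS_DAYS),
        brand_owner_notify_by=notify_by,
        fix_by=None if sla is None else confirmed + timedelta(days=sla),
        # Assumption: the coordination window starts at the notification deadline.
        public_advisory_not_before=notify_by + timedelta(days=COORDINATION_WINDOW_DAYS),
    )


def example_timeline() -> Timeline:
    """Constructed sample: received Mon 2025-01-06 09:00, confirmed Wed 2025-01-08, CVSS 9.1."""
    return plan(datetime(2025, 1, 6, 9, 0), date(2025, 1, 8), 9.1)


if __name__ == "__main__":
    t = example_timeline()
    for field, value in vars(t).items():
        print(f"{field:28s} {value}")
```

Note that a Critical finding confirmed on a Wednesday has its fix deadline (14 calendar days) fall on the same day as the notification deadline (10 business days), so the fixed firmware promised in the notification package has to be ready before the notification goes out.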
ODM vulnerability response must account for the fact that multiple brand owners may have licensed the same design. A vulnerability in your reference design could affect hundreds of end-product models from different brand owners - this is a significant coordination challenge that must be planned in advance.
Manufacturing Process Security
CRA references: Article 13(4), Annex I
[COMPANY NAME] implements the following controls to prevent manufacturing process vulnerabilities from affecting product security:
Firmware integrity: All firmware is cryptographically signed before flashing. Build hashes are recorded and verifiable.
Key injection security: Cryptographic keys and certificates injected during manufacturing are managed under [HSM / SECURE KEY MANAGEMENT PROCESS]. Access is restricted to [NAMED PERSONNEL / PROCESS].
Supply chain authenticity: Components are sourced through authorised distributors. Incoming components for security-critical functions are subject to [AUTHENTICITY VERIFICATION PROCESS].
Audit trail: All firmware flashing, key injection, and provisioning operations are logged and auditable.
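The firmware integrity and audit trail controls above, shown as a pre-flash gate a production station could run. This is an added example, not code from the template or from any real production line. It assumes the build system emits a manifest (product, version, SHA-256 of the image) plus an integrity tag over that manifest; HMAC-SHA256 under a line-secret key stands in for the asymmetric signature a real line would verify with a public key, so the script runs with only the Python standard library. Every gate decision, including refusals, is appended to a hash-chained JSON-lines log so that earlier records cannot be edited without breaking the chain.

```python
"""Pre-flash firmware integrity gate with a hash-chained audit log.

Added example, not part of the template. HMAC-SHA256 with a shared line key
is used only so the example runs offline with the standard library; a real
line would verify an asymmetric signature (e.g. Ed25519/ECDSA) with a public key.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import List

MANIFEST_KEY = b"constructed-line-key-not-a-real-secret"  # constructed sample key


def _canonical(obj: dict) -> bytes:
    """Canonical JSON so field order cannot change a tag or a record hash."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes = MANIFEST_KEY) -> str:
    """Integrity tag over the build manifest (stand-in for a release signature)."""
    return hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only log; each record stores the hash of the previous record.
    The final hash should additionally be anchored elsewhere (e.g. a signed
    daily checkpoint), since the last record has no successor to protect it."""

    def __init__(self) -> None:
        self.records: List[dict] = []
        self._prev = "0" * 64

    def append(self, **fields) -> dict:
        record = {"ts": datetime.now(timezone.utc).isoformat(), "prev": self._prev, **fields}
        self._prev = hashlib.sha256(_canonical(record)).hexdigest()
        self.records.append(record)
        return record

    def verify_chain(self) -> bool:
        prev = "0" * 64
        for record in self.records:
            if record["prev"] != prev:
                return False
            prev = hashlib.sha256(_canonical(record)).hexdigest()
        return True


def gate_flash(image: bytes, manifest: dict, tag: str, serial: str, operator: str,
               log: AuditLog, key: bytes = MANIFEST_KEY) -> bool:
    """Allow flashing only if the manifest tag and the image hash both check out.
    The outcome and reason are always logged, refusals included."""
    common = dict(op="flash", serial=serial, operator=operator)
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        log.append(result="refused", reason="manifest tag mismatch", **common)
        return False
    image_hash = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(image_hash, manifest["sha256"]):
        log.append(result="refused", reason="image hash mismatch", sha256=image_hash, **common)
        return False
    log.append(result="ok", product=manifest["product"], version=manifest["version"],
               sha256=image_hash, **common)
    return True


def demo():
    """Constructed sample run: one genuine image, one tampered image, one edited manifest."""
    image = b"FWIMG\x00\x01constructed-firmware-bytes"
    manifest = {"product": "REFDESIGN-A", "version": "1.2.0",
                "sha256": hashlib.sha256(image).hexdigest()}
    tag = sign_manifest(manifest)
    log = AuditLog()
    ok_genuine = gate_flash(image, manifest, tag, "SN0001", "op-17", log)
    # One flipped byte in the image must be refused even though the manifest is valid.
    tampered = image[:-1] + bytes([image[-1] ^ 0x01])
    ok_tampered = gate_flash(tampered, manifest, tag, "SN0002", "op-17", log)
    # A manifest edited after signing (version bumped) no longer matches its tag.
    edited = dict(manifest, version="9.9.9")
    ok_edited = gate_flash(image, edited, tag, "SN0003", "op-17", log)
    return ok_genuine, ok_tampered, ok_edited, log


if __name__ == "__main__":
    genuine, tampered, edited, log = demo()
    print("genuine:", genuine, "tampered:", tampered, "edited manifest:", edited)
    for r in log.records:
        print(json.dumps(r, sort_keys=True))
    print("chain intact:", log.verify_chain())
```

The same log shape serves the key injection and provisioning steps: each operation appends a record with the operator, serial and outcome, and an auditor re-running verify_chain over the exported lines detects any record altered or removed after the fact.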
If you believe a product may have been compromised during the manufacturing process (e.g. counterfeit components, tampered firmware), please contact us immediately at [MANUFACTURING SECURITY EMAIL ADDRESS] or by phone at [PHONE NUMBER].
Manufacturing process security is increasingly scrutinised under supply chain security frameworks and the CRA. Documenting these controls in your CVD policy signals maturity and gives brand owners the confidence that your manufacturing process does not introduce vulnerabilities. This is a differentiator in competitive EMS/ODM markets.
Coordination with Brand Owners
CRA references: Article 13(4)
[COMPANY NAME] recognises that brand owners who sell products incorporating our ODM designs bear the primary CRA compliance obligation. We commit to supporting brand owners in meeting their obligations:
- Timely notification: We will notify brand owners of confirmed vulnerabilities within 10 business days, before any public advisory.
- Technical information: We will provide all technical details necessary for brand owners to assess impact and prepare their own customer advisories.
- Article 14 support: We will notify brand owners immediately if a vulnerability in our ODM design is actively exploited, so they can meet their own ENISA reporting obligations.
- SBOM information: We will provide up-to-date Software Bill of Materials (SBOM) information for our designs to support brand owners' CRA documentation obligations.
- Audit support: We will respond to reasonable requests for documentation of our CVD processes from brand owners conducting supply chain due diligence.
Brand owners should ensure their supply agreements with [COMPANY NAME] include provisions for security notification and coordination.
This section is as much commercial as it is compliance - brand owners increasingly require contractual CVD coordination commitments from ODM/EMS suppliers. Publishing your commitments here differentiates you in procurement and reduces negotiation time on contract security clauses.
Safe Harbour
[COMPANY NAME] authorises security research conducted in good faith on our ODM products in accordance with this policy. We will not pursue legal action against researchers who:
- Acquire [COMPANY NAME]-designed products (under any brand) through legitimate channels for research
- Limit testing to devices they own or have explicit permission to test
- Do not access third-party systems or other users' devices
- Report to [COMPANY NAME] before disclosing to any brand owner, the public, or any third party
- Comply with applicable law
Note: If a product is sold under a brand owner's name, we encourage researchers to also notify the brand owner simultaneously. [COMPANY NAME] will coordinate with the brand owner on your behalf if you prefer.
Contract manufacturer safe harbour must address the brand confusion problem - researchers often do not know which company designed the product in a device they purchased. Offering to coordinate with brand owners on the researcher's behalf reduces friction and builds goodwill.