Does the CRA apply to OEM component suppliers?

Yes. The CRA's supply chain obligations under Article 13(4) require manufacturers to manage vulnerabilities in components they incorporate. As an OEM supplier, your components become part of downstream manufacturers' products with digital elements. If you supply components to manufacturers who sell on the EU market, your vulnerability disclosure and coordination processes directly affect their CRA compliance. Many OEM agreements will increasingly require CVD policy compliance as a contractual obligation.

Who is responsible for CRA compliance - us (the OEM) or our downstream customer?

Both. The CRA places primary obligations on the entity that places the product on the EU market (the downstream manufacturer). However, the downstream manufacturer can only fulfil these obligations if their component suppliers (you) respond promptly to vulnerability disclosures. OEM suppliers are increasingly expected to have formal CVD programmes as part of supply chain due diligence - and this will likely be enforced through contractual requirements in supply agreements.

What if a downstream customer discovers a vulnerability in our component before we do?

Your customer portal channel (described in the Reporting section) should handle this. Treat downstream manufacturer escalations with at least as much priority as external researcher reports - your customer has compliance obligations that depend on your response. The downstream notification SLA (10 business days) should be met even when the vulnerability was reported by the customer who discovered it.

Do we need a CVD policy even if we only sell to B2B customers?

Yes. Even if your components never reach end consumers directly, the downstream manufacturers who integrate them are subject to the CRA and will scrutinise your security posture. A formal CVD policy is increasingly a procurement requirement in enterprise and industrial supply chains. Lacking one puts you at a competitive disadvantage and creates risk for your customers.

How do we handle CVE assignments for component vulnerabilities?

You can request CVEs through MITRE's standard process, or consider becoming a CVE Numbering Authority (CNA) for your own product domain. As an OEM, having your own CNA status allows you to assign CVEs directly, which accelerates the process and gives you more control over CVE content. Downstream manufacturers benefit when component CVEs are assigned quickly - it enables them to populate their own advisories and SBOM vulnerability tracking.

← All templates

Free Template

CVD Policy Template for OEM Manufacturers

A CVD policy template for Original Equipment Manufacturers (OEMs) that supply components, modules, chipsets, firmware, or subsystems to downstream branded product manufacturers. Addresses the CRA's supply chain security obligations and the unique coordination challenges of operating in the middle of the product value chain.

Article 13 · Article 14 · Article 13(4)

ForOEM component suppliers, chipset manufacturers, module makers, and firmware vendors whose products are integrated into downstream branded products sold on the EU market

CRA Articles

Article 13Article 14Article 13(4)

Policy Statement

Article 13(1), Article 13(4)

[COMPANY NAME] is an Original Equipment Manufacturer (OEM) supplying [components / modules / chipsets / firmware / software - select applicable] that are integrated into products placed on the EU market by our customers (downstream manufacturers). We recognise that our products form part of the supply chain of connected products subject to the EU Cyber Resilience Act (Regulation (EU) 2024/2847).

This Coordinated Vulnerability Disclosure (CVD) policy governs how [COMPANY NAME] receives, assesses, and responds to security vulnerability reports affecting our components and subsystems, and how we coordinate with both upstream component suppliers and downstream product integrators.

Note

OEM manufacturers occupy a unique position: they have both upstream suppliers and downstream customers with CRA obligations. The policy must address both directions of the supply chain. Downstream manufacturers (your customers) need to be able to fulfil their own Article 13 and 14 obligations - your responsiveness to their vulnerability escalations directly affects their compliance.

Scope - Components and Products

Article 13(4)

This policy covers vulnerabilities in the following [COMPANY NAME] components and subsystems:

[MODULE / CHIPSET NAME 1] (part number [PN], firmware/SDK version [X.X] and later)
[MODULE / CHIPSET NAME 2] (part number [PN], version [X.X] and later)
[FIRMWARE / SDK NAME] (version [X.X] and later)
Reference designs and evaluation kits incorporating the above

Out of scope:

Vulnerabilities introduced by downstream product integrators during their own integration or customisation
Vulnerabilities in customer-developed application code running on our platforms
Components at end-of-supply (see lifecycle schedule at [EOL URL])

Downstream product scope: Our policy does not cover the end products into which our components are integrated. Those products are the responsibility of the downstream manufacturer. However, we will coordinate with downstream manufacturers when a component vulnerability affects their products.

Note

OEM scope must clearly delineate between the component (your responsibility) and the end product (your customer's responsibility). This is both a compliance and a liability question. Misalignment here creates confusion during incident response.

How to Report a Vulnerability

Article 13(1)

Security vulnerabilities in [COMPANY NAME] components may be reported by:

Security researchers
Downstream product manufacturers (our customers)
End users who have identified a component-level issue
Upstream component suppliers with a supply chain finding

Report via: Portal: [VULNERABILITY DISCLOSURE PORTAL URL] Email: [[email protected]] PGP key: Fingerprint [FINGERPRINT], available at [PGP KEY URL]

Downstream manufacturer escalation (existing customers): Customers under active supply agreements may report via our customer security portal at [CUSTOMER PORTAL URL] for priority handling.

Please include:

Component part number, hardware revision, and firmware/SDK version
Description of the vulnerability and exploitation conditions
Whether the vulnerability is present in publicly released versions or unreleased builds
If reporting as a downstream manufacturer: affected product lines and estimated deployment volume

Note

OEMs receive reports from multiple directions - researchers, customers, and upstream suppliers. Offering a separate channel for downstream manufacturer escalations allows priority handling for your commercial relationships while maintaining a standard public channel for researchers.

Downstream Manufacturer Notification

Article 13(4)

When [COMPANY NAME] confirms a vulnerability in a component that is or may be integrated into downstream products, we commit to:

Notify affected downstream manufacturers before or simultaneous with public advisory publication.
Provide downstream manufacturers with:
- Technical vulnerability details sufficient to assess impact in their product context
- CVSS base score and CWE classification
- A fixed component version, patch, or workaround
- An estimated timeline for fixed component availability
- Template language for their own customer advisory, where helpful
Allow downstream manufacturers a reasonable period to prepare and release their own patches before joint public advisory publication.

Coordination window: We request [30–60] days from the time we notify downstream manufacturers to allow them to integrate and release fixed component versions before the joint advisory is published.

Emergency exception: Where a vulnerability is actively exploited, we will notify downstream manufacturers and publish advisory immediately.

Note

Downstream notification is both a legal obligation (CRA Article 13(4)) and a commercial imperative. Your customers cannot fulfil their own CRA obligations if you withhold component vulnerability information. The 30–60 day downstream coordination window is in addition to your standard researcher coordination period.

Upstream Component Coordination

Article 13(4)

Where a vulnerability reported to [COMPANY NAME] originates in an upstream component (a chipset, IP block, library, or subsystem supplied to us by a third party), [COMPANY NAME] will:

Notify the upstream supplier within [5] business days of confirming the component-level root cause.
Coordinate disclosure timing with the upstream supplier.
Monitor upstream remediation progress and include status in our downstream customer notifications.
Publish our own advisory documenting the upstream CVE and our component's fix status - even if upstream remediation is still in progress.

Where an upstream supplier does not respond within [30] days or refuses to remediate a confirmed vulnerability, [COMPANY NAME] reserves the right to publish an advisory with available mitigations, in coordination with the researcher and downstream customers.

Note

OEMs are legally responsible for the security of what they supply, regardless of whether a vulnerability originates upstream. Document your upstream coordination process so downstream customers and regulators can see that you actively manage your own supply chain.

Response Commitments

Article 13

[COMPANY NAME] commits to the following response timeline:

| Milestone | Target | |---|---| | Acknowledgment to reporter | Within 48 hours | | Initial triage and severity assessment | Within 5 business days | | Downstream manufacturer notification | Within 10 business days of confirmation | | Fixed component / patch availability | Per severity SLA below | | Public advisory | After downstream notification period + researcher embargo |

Severity SLAs (time to fixed component release): | Severity | CVSS Range | SLA | |---|---|---| | Critical | 9.0–10.0 | 14 days | | High | 7.0–8.9 | 45 days | | Medium | 4.0–6.9 | 90 days | | Low | 0.1–3.9 | Next release |

SLAs measure time to fixed component availability, not end-product patch release (which is the downstream manufacturer's SLA).

Note

OEM SLAs must clearly define what they measure: time to fixed component, not time to end-product fix. The distinction matters - your 14-day Critical SLA starts the downstream manufacturer's 14-day integration and release clock. Total end-product patch time may be 28+ days.

Safe Harbour

[COMPANY NAME] authorises security research conducted in good faith on our components in accordance with this policy. We will not pursue legal action against researchers who:

Acquire [COMPANY NAME] components or evaluation kits through legitimate channels for research purposes
Limit testing to their own components or devices for which they have explicit permission
Do not use vulnerability findings to compromise third-party systems
Report to us before disclosing to any downstream manufacturer or the public
Comply with applicable law

Researchers who discover vulnerabilities in end products incorporating [COMPANY NAME] components are encouraged to report to both the end product manufacturer and [COMPANY NAME] simultaneously.

Note

OEM safe harbour should encourage simultaneous reporting to both the OEM and the downstream manufacturer when researchers find component vulnerabilities in end products. This accelerates coordination and reduces the risk of gaps in the notification chain.

Use this template automatically in CVD Portal

CVD Portal generates your CVD policy, tracks acknowledgments, and creates an audit trail — free for Article 14 compliance.

Set up your free portal

Frequently asked questions

Ready to go beyond the template?

CVD Portal automates acknowledgments, tracks deadlines, and generates CSAF advisories — free.

Set up your free portal

Related templates

CRA-Compliant CVD Policy Template

A comprehensive CVD policy structured specifically for the EU Cyber Resilience Act. Addresses Articles 13 and 14 obligations including 24-hour early warning, 72-hour full notification, and coordinated disclosure timelines.

CVD Policy Template for Contract Manufacturers

A CVD policy template for contract manufacturers (Electronics Manufacturing Services / EMS companies and Original Design Manufacturers / ODMs) that build products on behalf of brand owners. Addresses how to manage vulnerability disclosures for products you manufacture but do not own or sell under your own name, including coordination with brand owners and their CRA compliance obligations.

Vulnerability Reporting Process Template

An internal-facing vulnerability reporting process that documents how your security team handles incoming reports from intake through resolution. Complements your public CVD policy with operational procedures aligned to CRA Article 13 and 14.

Coordinated Vulnerability Disclosure Policy Template

A complete coordinated vulnerability disclosure policy following ISO/IEC 29147 best practice and CRA Article 13. Covers the full disclosure lifecycle: intake, triage, remediation, and coordinated publication.