Is this policy sufficient for CRA Article 13 compliance?

This template addresses the core Article 13 requirements: a publicly accessible CVD policy, a single point of contact, 48-hour acknowledgment commitment, and coordinated disclosure. Compliance also requires operational processes behind the policy — logging, tracking, and evidencing responses. CVD Portal automates these operational elements.

Do non-EU manufacturers need to comply with the CRA?

Yes. The CRA applies to all products with digital elements placed on the EU market, regardless of where the manufacturer is based. Non-EU manufacturers must appoint an EU-based authorised representative to handle compliance obligations.

What is ENISA and where do I submit Article 14 notifications?

ENISA is the European Union Agency for Cybersecurity. Article 14 notifications are submitted to ENISA via the Single Reporting Platform (SRP) at enisa.europa.eu, or to the relevant national CSIRT. CVD Portal's Enterprise plan automates this submission.

Does this policy need to be translated into other EU languages?

The CRA does not require CVD policies in all EU languages. However, if you sell primarily in specific member states, providing a translation improves accessibility for local researchers and regulators.

How do I link this policy from my product?

Link to this policy from your product's security.txt file (/.well-known/security.txt), your product manual or documentation, your website footer, and any developer portals. CVD Portal generates a compliant security.txt automatically.

← All templates

Free Template

EU CVD Policy Template

A CVD policy template specifically written for EU manufacturers placing products on the European market. References EU-specific obligations (CRA, NIS2 intersection, ENISA), using terminology aligned with EU regulatory guidance.

Article 13 · Article 14 · Recital 63

ForEU-based and non-EU manufacturers placing products with digital elements on the EU market who need a policy using EU regulatory language

CRA Articles

Article 13Article 14Recital 63

Policy Overview

Article 13(1), Recital 63

[COMPANY NAME] operates a Coordinated Vulnerability Disclosure (CVD) programme in accordance with the EU Cyber Resilience Act (Regulation (EU) 2024/2847), ISO/IEC 29147, and ENISA guidelines on coordinated vulnerability disclosure.

This policy is publicly accessible and describes:

How to report security vulnerabilities in [COMPANY NAME] products
How [COMPANY NAME] handles and responds to vulnerability reports
The rights and protections afforded to security reporters

Single Point of Contact: [[email protected]] | [PORTAL URL]

Note

Reference EU regulatory instruments specifically. 'Single Point of Contact' is CRA Article 13 language — using it verbatim shows alignment with the regulation. Listing the point of contact prominently is a hard requirement.

Products Covered

Article 13(4)

This policy applies to all [COMPANY NAME] products with digital elements placed on the EU market, including:

Hardware products:

[HARDWARE PRODUCT 1] (model [X], EU Declaration of Conformity: [DOC NUMBER])
[HARDWARE PRODUCT 2]

Software products:

[SOFTWARE PRODUCT 1] (versions [X.X]+)

Associated services:

Cloud interface at [DOMAIN]
Mobile applications: [APP STORE LINKS]

Products that have reached end-of-support are listed at [SUPPORT LIFECYCLE URL]. Reports for end-of-life products are accepted but response timelines may differ.

Note

Referencing your EU Declaration of Conformity in the scope section links your CVD policy to your market placement documentation — useful for audits. Including end-of-life products with different SLAs is CRA best practice.

Reporting a Vulnerability

Article 13(1)

To report a potential security vulnerability in a [COMPANY NAME] product:

Preferred method (fastest acknowledgment): Submit via our vulnerability disclosure portal: [PORTAL URL]

Alternative: Email [[email protected]] PGP fingerprint: [FINGERPRINT] (key available at [URL])

What to include:

Product name and version
Nature of the vulnerability (CWE category if known)
Steps to reproduce
Estimated severity and impact
Proof-of-concept (optional)
Whether you believe the vulnerability is already being exploited

Reports are accepted in: English [, German, French — edit as applicable]

Note

ENISA guidelines recommend offering encrypted reporting channels. Asking whether exploitation is occurring helps you identify Article 14 obligations early.

Acknowledgment and Response Timelines

Article 13(1)

[COMPANY NAME] commits to the following response milestones in accordance with ISO/IEC 29147 and CRA Article 13:

| Milestone | Timeline | |-----------|----------| | Acknowledgment of receipt | Within 48 hours | | Initial severity assessment | Within [5] business days | | Notification of in-scope determination | Within [10] business days | | Progress updates | Every [30] days until resolved | | Notification of patch release | Upon availability | | Security advisory publication | Within [30] days of patch |

Timelines may be extended for complex vulnerabilities affecting multiple products or upstream components. We will communicate any extensions proactively.

Note

A table format is easy for reporters and auditors to scan. Explicitly referencing ISO 29147 and the CRA anchors your commitments to recognised standards.

Mandatory Reporting to Authorities (Article 14)

Article 14

In accordance with Article 14 of the EU Cyber Resilience Act, [COMPANY NAME] is required to notify ENISA and the relevant national CSIRT when:

A vulnerability in our product is actively exploited in the wild
A severe security incident has occurred affecting our products

Notification timelines (from becoming aware):

24 hours: Early warning to ENISA
72 hours: Full notification with severity assessment
14 days: Final report with root cause and remediation

If your vulnerability report triggers an Article 14 notification, we will inform you (unless doing so would compromise an ongoing investigation or law enforcement action).

Authority notifications are made to: ENISA Single Reporting Platform and [NATIONAL CSIRT — see list at enisa.europa.eu/topics/csirts-in-europe]

Note

Including this section in your public policy is increasingly expected by regulators and procurement frameworks. It demonstrates your Article 14 process is operational, not just planned.

Researcher Rights and Safe Harbour

[COMPANY NAME] recognises the value of good-faith security research. Researchers who comply with this policy have our commitment that:

We will not pursue civil or criminal action against them for vulnerability research conducted in accordance with this policy
We will not make reports to law enforcement agencies arising from their research under this policy
We will work collaboratively with them throughout the disclosure process

In return, we ask researchers to:

Access only data necessary to demonstrate the vulnerability
Avoid intentional disruption of our services or exposure of user data
Allow us a reasonable time to address vulnerabilities before public disclosure
Comply with applicable EU and national law

This safe harbour does not extend to researchers who exploit vulnerabilities maliciously or engage in activities beyond good-faith security testing.

Note

Framing safe harbour as 'researcher rights' is positively received in the EU security research community, which has been advocating for legal protections aligned with the EU Directive on the resilience of critical entities.

Security Advisories and CVE Assignment

Annex I

[COMPANY NAME] publishes security advisories for confirmed vulnerabilities at [ADVISORY URL] in CSAF 2.0 format (OASIS Common Security Advisory Framework).

Advisories include:

CVE identifier (we assist with CVE assignment through [CNAs/CVD Portal])
CVSS 3.1 and/or 4.0 severity scores
Affected products and versions
Remediation guidance and patch links
Reporter acknowledgment (with permission)

Advisories are published when a patch is available. For severe vulnerabilities, we may publish advisories with workarounds prior to patching.

Note

CSAF 2.0 is increasingly the expected format for EU market advisories. Machine-readable advisories enable downstream operators to automate vulnerability response — a significant value-add.

Use this template automatically in CVD Portal

CVD Portal generates your CVD policy, tracks acknowledgments, and creates an audit trail — free, forever.

Set up your free portal

Frequently asked questions

Ready to go beyond the template?

CVD Portal automates acknowledgments, tracks deadlines, and generates CSAF advisories — free.

Set up your free portal

Related templates

CRA-Compliant CVD Policy Template

A comprehensive CVD policy structured specifically for the EU Cyber Resilience Act. Addresses Articles 13 and 14 obligations including 24-hour early warning, 72-hour full notification, and coordinated disclosure timelines.

Basic CVD Policy Template

A straightforward coordinated vulnerability disclosure policy aligned with ISO/IEC 29147. Covers the core commitments expected by security researchers and satisfies CRA Article 13 requirements.

Article 14 Early Warning Notification Template

A structured notification template for the CRA Article 14 24-hour early warning obligation. Designed to be submitted to ENISA (or the relevant national CSIRT) when a manufacturer discovers an actively exploited vulnerability or severe security incident.

Responsible Disclosure Policy Template

A responsible disclosure policy template for manufacturers and software publishers. Uses 'responsible disclosure' terminology familiar to the security research community while meeting CRA Article 13 obligations.