CVD Portal
CRA Article 14 · Mandatory from 11 September 2026

Set up your vulnerability disclosure portal before the CRA deadline.

From 11 September 2026, manufacturers selling products with digital elements into the EU must handle vulnerability reports and notify authorities on fixed deadlines. Fines for non-compliance reach €15 million or 2.5% of global turnover. CVD Portal gives you a branded, audit-ready disclosure portal today.

Free covers the September deadline. Operated by Porta Regulus B.V., Netherlands. No credit card.

What happens if you ignore it

The cost of non-compliance is set in the regulation.

Fines

Up to €15 million or 2.5% of worldwide turnover

Breaching the essential cybersecurity obligations carries administrative fines of up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher (Art. 64).

Market access

Products can be restricted or pulled from the EU market

Market surveillance authorities can require corrective action, restrict availability, or prohibit a non-compliant product on the EU market.

Buyer pressure

Enterprise buyers ask for a published CVD process

Procurement and security teams increasingly require a documented coordinated vulnerability disclosure process before they sign.

The free plan covers the Article 14 deadline. Here is what it includes.

How it works

Live in three steps.

01

Create your portal

Register and get a branded disclosure portal on your own subdomain, with a CVD policy template ready to publish.

02

Customize it

Add your logo, set your acknowledgment SLA, and publish a PGP key so researchers can reach you securely.

03

Share and receive

Link your portal from security.txt and your website. Reports land in a dashboard with deadline tracking and an audit trail.

See the product

A working portal you can click through.

Researchers submit through a branded intake form with PGP support. Your team triages reports, tracks acknowledgment deadlines, and exports the evidence trail. Every report is logged from the moment it arrives. Try it on the portal of Aurelia Devices B.V., a fictional manufacturer running on CVD Portal.

CVD Portal dashboard showing the vulnerability register with CRA compliance status
EVERYTHING INCLUDED

Everything you need to receive and resolve reports

A complete vulnerability disclosure workflow covering intake, coordination, and compliance evidence, ready out of the box for the Cyber Resilience Act.

Automated Disclosure

Art. 13 + Art. 14 SLA Compliance

48-hour acknowledgment per CVD best practice (ISO/IEC 29147, Art. 13). For actively exploited vulnerabilities and significant incidents, Art. 14 mandates three reporting milestones to ENISA/CSIRT: 24h early warning, 72h detailed report, and a final report within 14 days or 1 month.

48h Acknowledgment (ISO/IEC 29147 · Art. 13)
24h Early Warning (Art. 14)
72h Detailed Report (Art. 14)
Final Report +14 days/1 month (Art. 14)
SPOC Portal

Single Point of Contact

A unified, branded vulnerability intake portal for your organization. Security researchers submit reports through a standardized, encrypted channel.

HTTPS Encrypted
Structured Intake
Audit-Ready Logs
Professional Coordination

ENISA-Aligned Triage

All submissions follow ENISA coordinated vulnerability disclosure (CVD) best practices with CVSS scoring, reporter communication, and mitigation tracking.

CVSS Scoring
Researcher Coordination
Mitigation Tracking
COMPLIANCE CHECKLIST

Are You CRA Ready?

A published vulnerability disclosure process is becoming a baseline expectation from EU buyers and regulators. CVD Portal gives you one that is ready for the Cyber Resilience Act.

ISO 29147 · EN 40000-1-3 · CSAF 2.0 · EU Hosted · GDPR Compliant
EU Cyber Resilience Act Timeline
Nov 2024

CRA Published

Regulation (EU) 2024/2847 enters into force

Sept 2026

Article 14 Reporting Begins

Vulnerability reporting obligations apply to products in scope

Dec 2027

Full Conformity Deadline

Design and production requirements (Annex I, CE marking) apply

Simple, transparent pricing

Free
€0 forever

Meet the September 2026 deadline

Pro
€99/mo

Full CRA vulnerability-handling compliance

Enterprise
€499/mo

Automated authority reporting

Set up your disclosure portal before September 2026

A branded, audit-ready portal for manufacturers selling products with digital elements into the EU. Free for the Article 14 deadline.