The CRA's reporting obligations do not switch on with the rest of the regulation. Article 14 applies from 11 September 2026, ahead of full conformity in December 2027, and binds manufacturers the moment a product becomes actively exploited.
Most vulnerabilities a manufacturer handles never trigger a report to authorities. The CRA's Article 14 duty is narrow: actively exploited vulnerabilities and severe incidents affecting product security. Here is how to tell what is in scope.
Article 14 is a three-stage cascade: a 24-hour early warning, a 72-hour detailed notification, and a final report within 14 days or one month. Here is what each stage contains, when the clock starts, and the follow-up duties that continue afterward.
When an Article 14 event occurs, a manufacturer does not file with a single regulator. The CRA routes reports through one ENISA-operated platform to ENISA and the relevant national CSIRT at once, with onward distribution where needed.
Open Bug Bounty and CVD Portal both deal with vulnerability disclosure, but they serve entirely different purposes. One is a community-driven reporting network, the other is a regulatory compliance tool built for the European market.
The CRA's 24-hour clock is won or lost inside your own organisation, long before a report reaches ENISA. A practical guide to the detection sources, escalation paths, and decision authority that turn a vague late-night signal into a filed early warning.
Article 14 reporting should be the visible output of a healthy product security programme. This closing article shows how reporting connects to vulnerability handling, SBOM, secure development, and post-market surveillance.
We didn't set out to build a SaaS product. We set out to answer a question that kept coming up in our conversations with EU manufacturers: where do we actually start?
For a typical EU SME manufacturer (20-50 FTE, one product line, no existing CVD programme), the expected cost of meeting the CRA Article 14 reporting deadline on 11 September 2026 is approximately €39,700, with a 90% confidence interval of
For over a decade, Coordinated Vulnerability Disclosure (CVD) has relied on the 90-day disclosure window. Security researcher Himanshu Anand argues that LLMs have rendered this framework obsolete by compressing both vulnerability discovery
In a Help Net Security interview, Nuno Rodrigues Carvalho, Head of Sector for Incident and Vulnerability Services at ENISA, addressed the recent CVE funding scare, EU regulatory enforcement, and why vulnerability disclosure is becoming a co
11 September 2026 is when Article 14 reporting obligations become enforceable - for products already on the market. Full CRA conformity isn't until December 2027. The September deadline is the operational one.
As the European Union continues to strengthen its digital market, stakeholders are reminded that the first critical compliance milestone of the Cyber Resilience Act (CRA) is approaching. Effective 11 September 2026, manufacturers of product
In support of the implementation of the Cyber Resilience Act (Regulation EU 2024/2847), the European Commission has published draft guidelines clarifying the categorization and compliance expectations for products with digital elements (PDE
The European Union Agency for Cybersecurity (ENISA) announces the commencement of the pilot testing phase for the Single Reporting Platform (SRP). Mandated by the CRA, the SRP will serve as the centralized infrastructure for manufacturers t
Under Article 10 of the Cyber Resilience Act, the implementation of a Coordinated Vulnerability Disclosure (CVD) policy is no longer an optional best practice, but a strict legal requirement for all manufacturers of PDEs.
The European Commission, in consultation with cybersecurity authorities, has released updated clarifications regarding the regulatory treatment of free and open-source software (FOSS) under the CRA.
As part of the CRA’s incident reporting framework, manufacturers must adapt their security operations to meet strict notification timelines. Upon becoming aware of an actively exploited vulnerability or an incident with severe impact, entit
The European standardisation organisations, CEN and CENELEC, report significant progress in drafting the harmonised standards requested by the European Commission for the Cyber Resilience Act.
Effective 11 June 2026, the legal framework governing "Notified Bodies" under the CRA will officially commence. These independent, third-party conformity assessment bodies will play a vital role in auditing and certifying "important" and "c
Manufacturers are reminded that the CRA’s vulnerability reporting obligations, taking effect in September 2026, apply to all products with digital elements currently active on the Union market, not merely new products introduced after the le
In alignment with the NIS2 Directive and the Cyber Resilience Act, ENISA is currently advancing the integration of the European Vulnerability Database (EUVD) with the newly established CRA Single Reporting Platform (SRP).