Pricing
Free for Article 14 reporting. Upgrade for full CRA CVD compliance.
September 11, 2026
Article 14 reporting obligations take effect. Manufacturers must report actively exploited vulnerabilities and severe security incidents to ENISA within 24h / 72h / 14 days.
December 11, 2027
Full CRA CVD compliance. All 26 vulnerability handling articles enforced: SBOM, security testing, remediation tracking, advisories, post-release monitoring.
Free
Sept 2026Free forever. Covers CRA Article 14 reporting requirements mandatory from September 2026.
- Public vulnerability submission portal
- Submission tracking with unique IDs
- 48h acknowledgment SLA tracking
- CVD policy (auto-published)
- Art. 14 notification workflow (24h / 72h / 14d)
- Actively exploited vulnerability flagging
- Severe security incident tracking
- Report type classification (vulnerability / incident / both)
- PGP encrypted communication
- Compliance audit trail
- 1 team member
Includes 14-day Pro trial
Pro
Billed annually as €1,188
Full CRA CVD compliance across all 26 vulnerability handling articles
- SBOM registry (SPDX / CycloneDX)
- Hardware component registry
- CVSS 3.1 / 4.0 severity scoring
- Remediation decision & timeline tracking
- CSAF 2.0 machine-readable advisory export
- NVD / EUVD threat intelligence feeds
- Monitoring source configuration
- Security test & review scheduling
- CRA-CVD obligation matrix (26 articles, 80 artifacts)
- 8 auto-drafted policy documents
- Compliance analytics dashboard
- Coordinator assignment workflow
- Post-release action tracking
- Up to 3 team members
- Priority support
14-day free trial · No credit card required
Enterprise
Billed annually as €5,988
Automated compliance at scale with dedicated support
- Trust portal: cvd.yourdomain.com
- Automated SBOM ↔ CVE supply chain alerts
- ENISA SRP integration (automated Art. 14 submission)
- EUDI Wallet identity verification (eIDAS 2.0)
- Slack, Teams & Discord notifications + custom webhooks
- CVE ID assistance
- API access
- SSO / SAML integration
- Up to 10 team members
- Custom branding & whitelabel
- Audit-ready compliance reports
- Dedicated account manager
- 99.9% uptime SLA
Features evolve with EU regulatory requirements (CRA, NIS2, eIDAS 2.0). Feature availability may change as legislation is clarified or updated by the European Commission.
What Becomes Mandatory on September 11, 2026
Article 14, CRA Regulation (EU) 2024/2847: mandatory vulnerability and incident reporting via ENISA's Single Reporting Platform. Applies to products with digital elements in CRA scope.
- !Reliable evidence of malicious exploitation in the wild
- !Severe incident impacting security of a product with digital elements
- !Zero-day vulnerabilities under active attack
- Good-faith security research with no evidence of malicious exploitation
- Vulnerabilities discovered but not yet exploited
- Voluntary reports under Article 15 (still recommended)
Feature Comparison
Free covers the September 2026 deadline. Pro covers the full CRA CVD requirements by December 2027.
| Capability | Free | Pro | Enterprise |
|---|---|---|---|
| Article 14: Sept 2026 | |||
| Public submission portal with tracking IDs | |||
| 48h acknowledgment SLA tracking | |||
| CVD policy (auto-published) | |||
| Art. 14 notification timeline (24h / 72h / 14d) | |||
| Actively exploited vulnerability flagging | |||
| Severe security incident tracking | |||
| Report type classification | |||
| PGP encrypted communication | |||
| Compliance audit trail | |||
| Full CRA CVD: Dec 2027 | |||
| SBOM registry (SPDX / CycloneDX) | — | ||
| Hardware component registry | — | ||
| CVSS 3.1 / 4.0 severity scoring | — | ||
| Remediation decision & timeline tracking | — | ||
| CSAF 2.0 advisory export | — | ||
| NVD / EUVD threat intelligence feeds | — | ||
| Monitoring source configuration | — | ||
| Security test & review scheduling | — | ||
| CRA-CVD obligation matrix (26 articles) | — | ||
| 8 auto-drafted policy documents | — | ||
| Compliance analytics dashboard | — | ||
| Coordinator assignment workflow | — | ||
| Post-release action tracking | — | ||
| Enterprise Scale | |||
| API access | — | — | |
| Custom branding & whitelabel | — | — | |
| ENISA SRP automated submission | — | — | |
| EUDI Wallet identity verification (eIDAS 2.0) | — | — | |
| Slack, Teams & Discord notifications | — | — | |
| Custom webhook integrations | — | — | |
| CVE ID assistance | — | — | |
| SSO / SAML integration | — | — | |
| Audit-ready compliance reports | — | — | |
| Dedicated account manager | — | — | |
| Team members | 1 | 3 | 10 |
Frequently Asked Questions
What exactly must I comply with by September 11, 2026?
Article 14 of the CRA mandates that manufacturers report actively exploited vulnerabilities and severe security incidents via ENISA's Single Reporting Platform. You must submit an early warning within 24 hours, a full notification within 72 hours, and a final report within 14 days (vulnerabilities) or 1 month (incidents). This applies to products with digital elements in CRA scope, including ones still within their support lifecycle. The Free tier covers everything you need.
Why is the Free tier enough for September 2026?
The September 2026 deadline only enforces Article 14 reporting obligations, not the full CVD requirements. You need a way to receive vulnerability reports, track actively exploited vulnerabilities, and meet the 24h/72h/14d notification timelines. The Free tier provides exactly this: a public submission portal, Art. 14 notification workflow, SLA tracking, secure communication, and an audit trail that proves you met every deadline.
When do I need the Pro tier?
The full CRA CVD requirements take effect on December 11, 2027. By that date, you'll need complete vulnerability handling: SBOM management, security testing, remediation tracking, CSAF advisories, and documented compliance across all 26 articles. We recommend upgrading to Pro 6-12 months before the deadline to build your compliance posture incrementally.
Does Article 14 apply to products already on the market?
Yes. Reporting obligations apply to all products with digital elements falling within the CRA scope, including products placed on the market before December 11, 2027. If your product is still on the market and within its support lifecycle, you must report actively exploited vulnerabilities from September 11, 2026.
Why is Free really free?
CVD Portal is free for the September 2026 Article 14 deadline because we want to be the disclosure layer for thousands of EU manufacturers. We make money when companies upgrade for the full CRA workflow: their own domain, audit-ready evidence exports, and automated authority reporting. That is the entire model. We do not sell data, run ads, or harvest vulnerability reports.
Who owns the report data?
You do. You own every report your portal receives. Full export in CSV and JSON is available on every plan, including Free, so you can take your data with you at any time.
What happens if I cancel?
Your portal stays read-only and your export stays available. You keep access to your submission history and audit trail, and you can download everything before you go.
Is Free enough for September 2026?
Yes for Article 14 intake and guided reporting. The Free tier covers the submission portal, the 24h/72h/final notification workflow, SLA tracking, and an audit trail. Pro adds the full CRA vulnerability-handling workflow for the December 2027 deadline.
What payment methods do you accept?
We accept all major credit cards. Enterprise customers can pay by invoice. You can upgrade, downgrade, or cancel at any time.