CRA Article 14 · Mandatory from 11 September 2026

Set up your vulnerability disclosure portal before the CRA deadline.

From 11 September 2026, manufacturers selling products with digital elements into the EU must handle vulnerability reports and notify authorities on fixed deadlines. Fines for non-compliance reach €15 million or 2.5% of global turnover. CVD Portal gives you a branded, audit-ready disclosure portal today.

Create your free portal See a live portal

Free to receive and track reports. Article 14 filing is on Pro. Operated by Porta Regulus B.V., Netherlands. No credit card.

What happens if you ignore it

The cost of non-compliance is set in the regulation.

Fines

Up to €15 million or 2.5% of worldwide turnover

Breaching the essential cybersecurity obligations carries administrative fines of up to €15 million or 2.5% of total worldwide annual turnover, whichever is higher (Art. 64).

Market access

Products can be restricted or pulled from the EU market

Market surveillance authorities can require corrective action, restrict availability, or prohibit a non-compliant product on the EU market.

Buyer pressure

Enterprise buyers ask for a published CVD process

Procurement and security teams increasingly require a documented coordinated vulnerability disclosure process before they sign.

The free plan receives and tracks reports. Article 14 filing is on Pro. Here is what it includes.

How it works

Live in three steps.

See the full walkthrough →

Create your portal

Customize it

Add your logo, set your acknowledgment SLA, and publish a PGP key so researchers can reach you securely.

Share and receive

Link your portal from security.txt and your website. Reports land in a dashboard with deadline tracking and an audit trail.

See the product

A working portal you can click through.

Researchers submit through a branded intake form with PGP support. Your team triages reports, tracks acknowledgment deadlines, and exports the evidence trail. Every report is logged from the moment it arrives. Try it on the portal of Aurelia Devices B.V., a fictional manufacturer running on CVD Portal.

Open the live demo portal Create your free portal

CVD Portal dashboard showing the vulnerability register with CRA compliance status

THE COMPLETE WORKFLOW

Everything you need to receive and resolve reports

A complete vulnerability disclosure workflow covering intake, coordination, and compliance evidence, ready out of the box for the Cyber Resilience Act.

Report intake and acknowledgment are free. Article 14 authority filing is on Pro.

Automated Disclosure

Art. 14 Authority Reporting

48-hour acknowledgment per CVD best practice (ISO/IEC 29147, Art. 13). For actively exploited vulnerabilities and significant incidents, Art. 14 mandates three reporting milestones to ENISA/CSIRT: 24h early warning, 72h detailed report, and a final report within 14 days or 1 month.

48h Acknowledgment (ISO/IEC 29147 · Art. 13)Free

24h Early Warning (Art. 14)Pro

72h Detailed Report (Art. 14)Pro

Final Report +14 days/1 month (Art. 14)Pro

SPOC Portal

Single Point of Contact

A unified, branded vulnerability intake portal for your organization. Security researchers submit reports through a standardized, encrypted channel.

HTTPS EncryptedFree

Structured IntakeFree

Audit-Ready LogsFree

Professional Coordination

ENISA-Aligned Triage

All submissions follow ENISA coordinated vulnerability disclosure (CVD) best practices with CVSS scoring, coordinator assignment, and mitigation tracking.

CVSS ScoringPro

Coordinator AssignmentPro

Mitigation TrackingPro

COMPLIANCE CHECKLIST

Are You CRA Ready?

Aligned with ISO/IEC 29147 Hosted in the EU (Hetzner)GDPR processor terms Pentested quarterly CSAF 2.0 advisory export

A published vulnerability disclosure process is becoming a baseline expectation from EU buyers and regulators. CVD Portal gives you one that is ready for the Cyber Resilience Act.

ISO 29147 EN 40000-1-3CSAF 2.0EU HostedGDPR Compliant

EU Cyber Resilience Act Timeline

Read the full timeline →

Nov 2024

CRA Published

Regulation (EU) 2024/2847 enters into force

Sept 2026

Article 14 Reporting Begins

Vulnerability reporting obligations apply to products in scope

Dec 2027

Full Conformity Deadline

Design and production requirements (Annex I, CE marking) apply

Simple, transparent pricing

See full pricing →

Free

€0forever

Receive, track, and acknowledge reports

Pro

€99/mo

Article 14 authority filing + full CVD compliance

Enterprise

€499/mo

Automated compliance at scale, integrations, EUDI identity

Engineering Blog

CRA Compliance

The Clock Is Ticking: What Dutch Executives Need to Know Before the Cyberbeveiligingswet Takes Effect

The Netherlands missed the NIS2 transposition deadline by nearly two years. Now the Cyberbeveiligingswet has cleared the House of Representatives and the government is targeting entry into force on 1 July 2026. Four enforcement-facing obligations, including personal director liability, are about to change how Dutch boards operate.

9 min read CRA Compliance

The Overlapping Notification Clocks: CRA, NIS2 and GDPR in One View

One security event can start three legal clocks at once. The CRA, NIS2 and GDPR each demand notification on their own deadline, to their own authority, in their own format. Here is how the obligations overlap and why a manufacturer needs a single place to track them.

8 min read CRA Compliance

When Vulnerability and Incident Reporting Become Mandatory Under the CRA

The CRA's reporting obligations do not switch on with the rest of the regulation. Article 14 applies from 11 September 2026, ahead of full conformity in December 2027, and it binds manufacturers the moment a product becomes actively exploited. Here is exactly when the duty begins and who it binds.

9 min read

View all articles →

Set up your disclosure portal before September 2026

A branded, audit-ready portal for manufacturers selling products with digital elements into the EU. Free to receive and track reports. Article 14 filing is on Pro.