Thomas Cutuil
CRA Article 14: the September 2026 milestone most manufacturers are not ready for
Tags: Article 14, CRA, CVD, Cybersecurity, Vulnerability management, PSIRT

On 11 September 2026, the obligations under Article 14 of the CRA to notify actively exploited vulnerabilities start to apply. They cover all products already on the market: there is no grandfather clause. A manufacturer with no up-to-date SBOM and no PSIRT function cannot meet the 24-hour deadline. This article covers what must be in place, in what order, and what a market surveillance authority looks for in a notification file.

 1 May 2026  11 min
CVD: drafting and publishing a coordinated vulnerability disclosure policy
Tags: CRA, CVD, Compliance, Cybersecurity, Vulnerability management, PSIRT

The coordinated vulnerability disclosure (CVD) policy is a public document that most connected product manufacturers have never produced, because before the CRA, nothing required it. From 11 September 2026, its absence constitutes a direct non-conformity finding. This article explains what a CVD policy must contain under CRA Annex I Part II and prEN 40000-1-3, how it differs from the internal vulnerability handling procedure, how to make it operational rather than decorative, and what the safe harbour clause implies legally.

 30 April 2026  11 min
Thomas Cutuil

Certification engineer — EU product compliance expert

© 2026 Thomas Cutuil