Vulnerability management is one of the central obligations of the Cyber Resilience Act (CRA). Manufacturers of products with digital elements must not only develop secure products but also identify, assess, remediate, and communicate vulnerabilities throughout the entire support period. This article explains the specific requirements and shows how manufacturers can build an effective process.
What the CRA Requires for Vulnerability Management
Annex I, Part II of the CRA sets out the vulnerability handling requirements; together with the reporting duties in Article 14, they can be summarized in six core obligations.
Ongoing monitoring. Manufacturers must systematically identify and document the vulnerabilities and components in their products, which is why the CRA requires a software bill of materials (SBOM) in a commonly used, machine-readable format covering at least the top-level dependencies. In practice this means regular matching of the components recorded in the SBOM against public vulnerability databases such as the NVD (National Vulnerability Database), OSV, and vendor-specific advisories.
Timely remediation. Identified vulnerabilities must be addressed and remediated without delay, including by providing security updates. The CRA does not define a fixed deadline in days, but the expectation is clear: critical vulnerabilities require swift action. Security updates must be provided free of charge (unless otherwise agreed with a business user for a tailor-made product) and, where technically feasible, separately from functionality updates, so that users are not forced to take feature changes to get a fix.
Reporting actively exploited vulnerabilities. From 11 September 2026, manufacturers must submit an early warning within 24 hours of becoming aware of an actively exploited vulnerability in one of their products. The notification goes through the single reporting platform operated by ENISA, which delivers it to the national CSIRT designated as coordinator and to ENISA. A vulnerability notification with general information on the affected product, the nature of the exploit and of the vulnerability, and any corrective or mitigating measures taken must follow within 72 hours. A final report, including the severity and impact of the vulnerability and details of the security update or other corrective measures, is due no later than 14 days after a corrective or mitigating measure is available.
Coordinated vulnerability disclosure. Manufacturers must put in place and enforce a policy on coordinated vulnerability disclosure (CVD) and provide a contact address for reporting vulnerabilities. The policy should define the reporting channel for security researchers, the rules for handling reported vulnerabilities (acknowledgment, triage, remediation, publication), and how good-faith reporters are treated; a safe-harbour statement for researchers who follow the policy is standard practice, even though the CRA itself does not spell one out.
Documentation. All vulnerabilities, assessments, and measures taken must be documented. This documentation forms part of the technical product documentation and must be available for inspection by market surveillance authorities.
User notification. Once a security update is available, manufacturers must share and publicly disclose information about the fixed vulnerability: a description, information that lets users identify the affected product, the impact and severity, and clear instructions for remediation. Publication may be delayed in duly justified cases until users have had a chance to apply the patch. Communication must be clear, understandable, and timely.
The Vulnerability Management Process in Practice
A functioning vulnerability management process for CRA compliance involves several interconnected stages.
Stage 1: Inventory. The foundation of all vulnerability management is an up-to-date SBOM for every product. Without knowing which components in which versions are deployed, you cannot reliably match vulnerabilities. The SBOM must be updated with every release and security update.
Stage 2: Monitoring. Set up automated monitoring that regularly matches your SBOM data against vulnerability databases. New CVEs (Common Vulnerabilities and Exposures) affecting your components must be detected promptly. Manual review alone is insufficient – for products with hundreds of dependencies, you need automation.
Stage 3: Assessment. Not every reported vulnerability has equal relevance for your product. Assess each vulnerability in the context of your product: Is the affected function reachable in your product? Is the vulnerable code path exposed to untrusted input? What would be the impact of an exploit? Use established scoring systems like CVSS (Common Vulnerability Scoring System), supplemented with a product-specific risk assessment, and record the outcome (affected, not affected, mitigated) so that the same question does not get re-answered on every scan.
Stage 4: Remediation. Develop and test patches or workarounds. For third-party components, you must integrate the upstream vendor's patch and retest your product. Plan sufficient time for regression testing – a security update must not introduce new defects.
Stage 5: Distribution. Deliver the security update through a secure update channel. Annex I requires, where applicable, automatic security updates that are enabled by default and installed within an appropriate timeframe, with a clear and easy-to-use opt-out, notification of available updates, and the option to postpone them temporarily; updates must be accompanied by advisory messages. Inform your users about the vulnerability and the available update.
Stage 6: Documentation and reporting. Document the entire process, from detection to distribution. If the vulnerability is being actively exploited, trigger the reporting process in parallel: the 24-hour early warning clock starts when you become aware of the exploitation, not when the fix is ready.
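The inventory, monitoring and assessment stages above come down to one loop: read the SBOM, compare each component version against advisory version ranges, and rank the hits by product-specific reachability. The following Python program, added here as an illustration and not code from the original article or from any vendor, does exactly that for a constructed CycloneDX SBOM and constructed OSV-style advisories. Component names, advisory IDs, scores and the reachability table are invented; the version comparator handles plain dotted numeric versions only, so a real deployment would use an ecosystem-aware comparison (for example the `packaging` library for PyPI versions).

```python
"""Match a CycloneDX SBOM against OSV-style advisories and rank the findings.

Added example for the monitoring and assessment stages. Everything below
(component names, advisory IDs, CVSS scores, reachability) is constructed.
"""
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed CycloneDX 1.5 fragment for a hypothetical firmware image.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "example-http", "version": "2.4.1",
     "purl": "pkg:generic/example-http@2.4.1"},
    {"type": "library", "name": "example-tls", "version": "1.0.9",
     "purl": "pkg:generic/example-tls@1.0.9"},
    {"type": "library", "name": "example-json", "version": "3.2.0",
     "purl": "pkg:generic/example-json@3.2.0"}
  ]
}
"""

# Constructed advisories using the OSV "ranges/events" shape. IDs are invented.
ADVISORIES = [
    {"id": "EXAMPLE-2026-0001", "package": "example-http", "cvss": 9.8,
     "ranges": [{"events": [{"introduced": "2.0.0"}, {"fixed": "2.4.3"}]}]},
    {"id": "EXAMPLE-2026-0002", "package": "example-tls", "cvss": 7.5,
     "ranges": [{"events": [{"introduced": "0"}, {"fixed": "1.0.9"}]}]},
    {"id": "EXAMPLE-2026-0003", "package": "example-json", "cvss": 5.3,
     "ranges": [{"events": [{"introduced": "3.0.0"}]}]},  # no fix yet
]

# Stage 3 input: is the vulnerable component reachable in *this* product?
# Unknown components default to reachable (the conservative choice).
REACHABLE = {"example-http": True, "example-json": False}


def parse_version(v: str) -> tuple:
    """Turn '1.2.3' into (1, 2, 3) so Python tuple comparison orders versions."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version: str, ranges: list) -> bool:
    """OSV semantics: affected if introduced <= v and (no fix or v < fixed)."""
    v = parse_version(version)
    for rng in ranges:
        start = None
        for ev in rng["events"]:
            if "introduced" in ev:
                start = parse_version(ev["introduced"])
            elif "fixed" in ev and start is not None:
                if start <= v < parse_version(ev["fixed"]):
                    return True
                start = None  # window closed by the fix
        if start is not None and start <= v:  # introduced and never fixed
            return True
    return False


def fixed_version(adv: dict) -> Optional[str]:
    """First 'fixed' version named by the advisory, or None if there is none."""
    for rng in adv["ranges"]:
        for ev in rng["events"]:
            if "fixed" in ev:
                return ev["fixed"]
    return None


@dataclass
class Finding:
    component: str
    version: str
    advisory: str
    cvss: float
    reachable: bool
    fix: Optional[str]

    @property
    def priority(self) -> str:
        """Product-specific ranking: CVSS alone is not enough (Stage 3)."""
        if self.reachable and self.cvss >= 9.0:
            return "P1"
        if self.reachable:
            return "P2"
        return "P3"


def match_sbom(sbom_json: str, advisories: list) -> List[Finding]:
    """Stage 2 loop: every SBOM component against every advisory for it."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom["components"]:
        for adv in advisories:
            if adv["package"] != comp["name"]:
                continue
            if is_affected(comp["version"], adv["ranges"]):
                findings.append(Finding(comp["name"], comp["version"], adv["id"],
                                        adv["cvss"], REACHABLE.get(comp["name"], True),
                                        fixed_version(adv)))
    findings.sort(key=lambda f: (f.priority, -f.cvss))
    return findings


def render_report(findings: List[Finding]) -> List[str]:
    """One line per finding, ready for the Stage 6 record."""
    return [f"{f.priority} {f.advisory} {f.component}@{f.version} cvss={f.cvss} "
            f"reachable={f.reachable} fix={f.fix or 'none available'}"
            for f in findings]


if __name__ == "__main__":
    for line in render_report(match_sbom(SBOM_JSON, ADVISORIES)):
        print(line)
```

Run against the constructed data, `example-http` 2.4.1 falls inside the window [2.0.0, 2.4.3) and is reachable, so it lands at P1 with the fix version recorded; `example-tls` 1.0.9 is exactly the fixed version and is correctly not reported; `example-json` is affected but unreachable in this product, so it is logged as P3 with "none available" as the fix. That last record is the one market surveillance will ask about, which is why an unreachable-but-affected component is documented rather than silently dropped.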
Setting Up Coordinated Vulnerability Disclosure
Coordinated vulnerability disclosure (CVD) is an essential building block of CRA-compliant vulnerability management. You must provide a channel through which external security researchers can report vulnerabilities in your products.
In practice, this means serving a security.txt file per RFC 9116 at https://your-domain/.well-known/security.txt, over HTTPS, with at least a Contact field (a mailto:, tel: or https: URI) and an Expires date; both fields are mandatory in RFC 9116, and a file whose Expires date has passed is treated as stale by researchers and tooling, so it needs to be refreshed on a schedule. Link the file to a policy describing the workflow, from report through acknowledgment to remediation and publication. Set realistic timelines: 90 days between report and public disclosure is typical.
Ensure your team can triage incoming reports and respond promptly. Nothing undermines security researchers' trust faster than a lack of response.
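A security.txt file is easy to publish and just as easy to let rot, so it is worth checking it the way a reporter's tooling would. The validator below is an added example written for this article, not code from the original page or from any project: it parses the RFC 9116 "Field: value" format, enforces the two mandatory fields (Contact and Expires), the at-most-once fields, the allowed Contact URI schemes, and the recommendation that Expires lie less than a year out. The sample file, the domain and the fixed "today" used for reproducibility are all constructed.

```python
"""Validate a security.txt file against the RFC 9116 rules a reporter relies on.

Added example for the CVD section; the sample file and domain are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed sample of what https://example.com/.well-known/security.txt would serve.
SAMPLE = """\
# Security contact for a hypothetical manufacturer (constructed example)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-12-31T23:59:00.000Z
Preferred-Languages: en, de
Policy: https://example.com/security/cvd-policy
Canonical: https://example.com/.well-known/security.txt
"""

# Fixed "today" so the demo and its checks are reproducible (constructed).
DEMO_NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)

REQUIRED = ("contact", "expires")                    # RFC 9116 mandatory fields
SINGLETON = ("expires", "preferred-languages")       # must appear at most once
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")
HTTPS_ONLY = ("policy", "canonical", "encryption", "acknowledgments", "hiring")


def parse_security_txt(text: str) -> List[Tuple[str, str]]:
    """Return (field, value) pairs; names are case-insensitive, '#' starts a comment."""
    fields = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: not a 'Field: value' line")
        name, value = line.split(":", 1)
        fields.append((name.strip().lower(), value.strip()))
    return fields


def validate_security_txt(text: str, now: Optional[datetime] = None) -> List[str]:
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    problems = []
    fields = parse_security_txt(text)
    names = [n for n, _ in fields]
    for req in REQUIRED:
        if req not in names:
            problems.append(f"missing mandatory field '{req}'")
    for single in SINGLETON:
        if names.count(single) > 1:
            problems.append(f"field '{single}' must appear at most once")
    for name, value in fields:
        if name == "contact" and not value.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"Contact must be a mailto:, tel: or https: URI: {value}")
        elif name == "expires":
            try:  # RFC 9116 uses ISO 8601; map a trailing Z to an explicit offset
                exp = datetime.fromisoformat(value.replace("Z", "+00:00"))
            except ValueError:
                problems.append(f"Expires is not ISO 8601: {value}")
                continue
            if exp.tzinfo is None:
                problems.append("Expires must carry a timezone")
            elif exp <= now:
                problems.append("Expires is in the past; the file will be treated as stale")
            elif exp - now > timedelta(days=365):
                problems.append("Expires is more than a year out (RFC 9116 recommends under one year)")
        elif name in HTTPS_ONLY and not value.lower().startswith("https://"):
            problems.append(f"{name} must be an https:// URL: {value}")
    return problems


if __name__ == "__main__":
    issues = validate_security_txt(SAMPLE, DEMO_NOW)
    print("OK" if not issues else "\n".join(issues))
```

Wire this into the pipeline that publishes the file, and run it again from a scheduled job so that an Expires date creeping into the past is caught before a researcher finds it. The same parser can be pointed at a competitor's or supplier's security.txt to find the contact channel you will need when a vulnerability in a third-party component turns out to be yours to coordinate.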
Tools and Automation
Manual vulnerability management does not scale – especially for manufacturers with multiple product lines and hundreds of software components per product. Automation is not optional but a necessity.
An effective vulnerability management platform should centrally manage SBOMs of all product versions, automatically match against vulnerability databases, prioritize vulnerabilities by relevance to your specific products, traceably document the entire lifecycle of each vulnerability, and generate reports for market surveillance authorities.
Kunnus provides exactly this functionality, combining SBOM management, vulnerability monitoring, and CRA documentation in a single platform. This gives you oversight across all products and enables rapid response when new vulnerabilities emerge.
Mind the Deadlines: Reporting Comes First
The obligation to report actively exploited vulnerabilities and severe incidents applies from 11 September 2026, well before the general CRA conformity requirements apply from 11 December 2027. This means: even if your product does not yet need to be fully CRA-compliant, you must have a functioning process for detecting and reporting vulnerabilities from 11 September 2026.
Use the remaining time to build and test your vulnerability management process. A vulnerability that must be reported within 24 hours of becoming aware of its exploitation requires a well-rehearsed process, with the affected product list, SBOM data and reporting contacts already at hand, not last-minute scrambling for information.
This is especially critical for manufacturers of IoT devices and industrial components, whose products often operate in the field for years.
Start now: Our free CRA readiness assessment evaluates your current vulnerability management status among other areas and shows you what concrete steps to take next.