EU Cyber Resilience Act: Preparing Your VDP for 2026 Reporting Requirements
The EU Cyber Resilience Act (CRA) turns vulnerability disclosure into a regulated, time-bound process for manufacturers producing "products with digital elements" sold in the EU.
For organizations that handle disclosure only periodically rather than as a continuous process, meeting 24/72-hour reporting expectations and producing audit-ready evidence is a new challenge.
But starting with a clear intake channel and CVD policy, then scaling with fast triage, integrations, and automation to track “awareness,” remediation, and communications is a practical path to complying with the new regulation.
What is the Cyber Resilience Act?
The Cyber Resilience Act is Regulation (EU) 2024/2847. Its goal is to improve the cybersecurity of software and hardware placed on the EU market.
It applies to products with digital elements, broadly defined as software or hardware products (including associated remote data processing solutions) that rely on digital components to function.
Key Dates to Know
Some CRA obligations start earlier than others:
| Milestone | Date | What It Means |
|---|---|---|
| Entry into force | December 2024 | The CRA becomes EU law and the rollout timeline begins. |
| Reporting obligations begin (Article 14) | 11 September 2026 | Manufacturers must start meeting mandatory vulnerability and incident reporting timelines. |
| Full CRA application date | 11 December 2027 | Full CRA requirements apply for in-scope products placed on the EU market. |
That means organizations will need operational readiness for regulatory reporting well before the full regulation applies.
From a vulnerability management perspective, the CRA pushes manufacturers toward a mature, end-to-end capability, which includes:
- An easy-to-find intake channel for vulnerability reporting
- A defined coordinated vulnerability disclosure (CVD) policy
- Fast triage, validation, and severity assessment
- Timely remediation and secure updates
- Public-facing communications about fixed vulnerabilities
- For certain events, mandatory reporting to EU authorities on strict timelines
Additional Details for CRA Requirements
In newly published draft guidance, the European Commission gives practical interpretations of several CRA concepts, while stressing that the guidance itself is not binding.
The Commission’s draft guidance helps to define “awareness”: the clock starts once a manufacturer has carried out an initial assessment and has a reasonable degree of certainty that an actively exploited vulnerability or severe incident exists.
The CRA creates both communication duties around fixed vulnerabilities and separate incident/vulnerability notification duties. The Commission’s draft guidance suggests those user notifications should be risk-based and proportionate, and may in some cases be targeted to affected users rather than disclosed indiscriminately.
What the CRA Requires for Vulnerability Disclosure and Communications
At a minimum, the CRA expects manufacturers to run a vulnerability handling program that’s easy to access, fast to execute, and provable with records.
| Requirement | What You Need in Place |
|---|---|
| CVD policy + reporting channel | Publish and enforce a CVD policy and provide a clear, monitored single point of contact for reports. |
| Lifecycle vulnerability handling | Track components (including an SBOM), test/review regularly, remediate quickly, and ship secure updates without undue delay. |
| Communicate fixes | When an update is available, publish what’s affected, severity/impact, and remediation steps. Only delay when justified to reduce risk. |
| Support period | Define and communicate how long you’ll provide vulnerability handling and security updates. The support period must be at least five years unless expected use is shorter, and the draft guidance makes clear that five years is not a default ceiling where products are reasonably expected to remain in use longer. |
What the CRA Requires for Reporting to EU Authorities
Starting 11 September 2026, manufacturers must report certain vulnerabilities and incidents via ENISA’s Single Reporting Platform (SRP), coordinated through the Member State’s designated CSIRT coordinator.
You report when either of these applies:
- Actively exploited vulnerability: there is reliable evidence that a malicious actor exploited the vulnerability without permission.
- Severe incident impacting product security: security is (or could be) materially affected, or the incident enables (or could enable) malicious code execution in the product or user systems.
Deadlines are tied to when you become “aware”:
| Report type | Early warning | Notification | Final report |
|---|---|---|---|
| Actively exploited vulnerability | 24 hours | 72 hours | 14 days after a corrective/mitigating measure is available |
| Severe incident | 24 hours | 72 hours | 1 month after the incident notification |
Operationally, the key requirement is speed with evidence: timestamp the moment of awareness, classify quickly, and route the right details to the right owners without delay.
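As an added example, not part of the original article or of HackerOne's platform, the following Python sketch shows one way to operationalize the table above: record the timestamp at which awareness was reached, derive each milestone's due time from the anchor the table gives it (the final report hangs off a later event, so it stays unscheduled until that event is recorded), and classify milestones as open, overdue or submitted while keeping an append-only event list as evidence. The case identifiers and timestamps are constructed, and reading "1 month" as one calendar month is an assumption of this example.

```python
"""Tracks CRA Article 14 reporting milestones from an awareness timestamp (illustrative)."""
import calendar
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

class ReportType(Enum):
    EXPLOITED_VULNERABILITY = "actively_exploited_vulnerability"
    SEVERE_INCIDENT = "severe_incident"

# Timelines as given in the table above. Reading "1 month" as one calendar
# month is an assumption made for this example, not a statement from the article.
EARLY_WARNING = timedelta(hours=24)
NOTIFICATION = timedelta(hours=72)
FINAL_AFTER_MEASURE = timedelta(days=14)

def add_one_month(t: datetime) -> datetime:
    """Same day next month, clamped to that month's last day (31 Jan -> 28/29 Feb)."""
    year, month = t.year + t.month // 12, t.month % 12 + 1
    return t.replace(year=year, month=month, day=min(t.day, calendar.monthrange(year, month)[1]))

def _utc(t: datetime) -> datetime:
    """Reject naive timestamps: evidence needs unambiguous times."""
    if t.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return t.astimezone(timezone.utc)

@dataclass
class ReportingCase:
    case_id: str
    report_type: ReportType
    aware_at: datetime                                # moment the clock starts
    measure_available_at: Optional[datetime] = None   # corrective/mitigating measure
    notified_at: Optional[datetime] = None            # when the 72h notification went out
    events: list = field(default_factory=list)        # append-only audit trail

    def __post_init__(self):
        self.aware_at = _utc(self.aware_at)
        self.record("aware", self.aware_at, "initial assessment: reasonable certainty reached")

    def record(self, kind: str, at: datetime, note: str = "") -> None:
        self.events.append({"kind": kind, "at": _utc(at).isoformat(), "note": note})

    def deadlines(self) -> dict:
        """Due time per milestone; None while the final report's anchor event has not happened."""
        due = {"early_warning": self.aware_at + EARLY_WARNING,
               "notification": self.aware_at + NOTIFICATION}
        if self.report_type is ReportType.EXPLOITED_VULNERABILITY:
            anchor = self.measure_available_at
            due["final_report"] = _utc(anchor) + FINAL_AFTER_MEASURE if anchor else None
        else:
            anchor = self.notified_at
            due["final_report"] = add_one_month(_utc(anchor)) if anchor else None
        return due

    def status(self, now: datetime, submitted: dict) -> dict:
        """Classify each milestone: submitted, submitted_late, open, overdue or unanchored."""
        now, result = _utc(now), {}
        for milestone, due in self.deadlines().items():
            sent = submitted.get(milestone)
            if sent is not None:
                result[milestone] = "submitted" if due is None or _utc(sent) <= due else "submitted_late"
            elif due is None:
                result[milestone] = "unanchored"
            else:
                result[milestone] = "overdue" if now > due else "open"
        return result

    def export(self) -> dict:
        """Record suitable for retention as evidence (serialize with json.dumps)."""
        return {"case_id": self.case_id, "report_type": self.report_type.value,
                "deadlines": {k: v.isoformat() if v else None for k, v in self.deadlines().items()},
                "events": self.events}

def walkthrough() -> dict:
    """Constructed sample cases; all timestamps are invented for illustration."""
    utc = timezone.utc
    vuln = ReportingCase("VULN-0001", ReportType.EXPLOITED_VULNERABILITY,
                         datetime(2026, 9, 14, 9, 0, tzinfo=utc))
    sent = {"early_warning": datetime(2026, 9, 15, 8, 30, tzinfo=utc)}
    before = vuln.status(datetime(2026, 9, 15, 12, 0, tzinfo=utc), sent)
    vuln.measure_available_at = datetime(2026, 9, 20, 12, 0, tzinfo=utc)
    vuln.record("measure_available", vuln.measure_available_at, "patched build published")
    sent["notification"] = datetime(2026, 9, 17, 8, 0, tzinfo=utc)
    after = vuln.status(datetime(2026, 10, 6, 9, 0, tzinfo=utc), sent)
    incident = ReportingCase("INC-0001", ReportType.SEVERE_INCIDENT,
                             datetime(2027, 1, 29, 18, 0, tzinfo=utc))
    incident.notified_at = datetime(2027, 1, 31, 10, 0, tzinfo=utc)   # month-end clamp case
    return {"vuln_before_fix": before, "vuln_after_fix": after,
            "vuln_final_due": vuln.export()["deadlines"]["final_report"],
            "incident_final_due": incident.deadlines()["final_report"].isoformat(),
            "december_rollover": add_one_month(datetime(2026, 12, 15, tzinfo=utc)).isoformat(),
            "vuln_event_kinds": [e["kind"] for e in vuln.events]}
```

Calling walkthrough() returns the statuses for two constructed cases: the exploited-vulnerability case shows the final report staying "unanchored" until a corrective measure is recorded and then turning "overdue" once 14 days have passed, and the severe-incident case notified on 31 January shows the month-end clamp. The naive-timestamp check is deliberate: a deadline argument is only defensible if the awareness time is unambiguous.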
What This Means for Security Teams
The CRA turns vulnerability disclosure into day-to-day compliance operations. The difference isn’t just having a policy; it’s proving you can execute it fast.
Security teams will need two things above all:
- Speed with evidence: a way to timestamp when you became aware, validate quickly, and meet 24/72-hour timelines when exploitation or severe impact is suspected.
- An audit-ready record: clear ownership, traceable workflows, and documentation you can retain long term (often up to the support period or 10 years, depending on what’s required).
That’s why mature disclosure programs and incentivized reporting (including bug bounty) can be a practical way to reduce blind spots and improve response speed under the CRA.
How HackerOne Helps You Build CRA-Ready Disclosure Operations
To be ready, you need a clear reporting channel, a CVD policy, and a workflow you can prove with records.
HackerOne Essential VDP is a free, easy-to-use entry point into disclosure. It gives you a public intake channel, a consistent place to publish your policy, and structured, trackable submissions your team can manage in one platform.
When you need to operate at speed, you can layer on:
- Managed triage to validate reports quickly, cut noise, and prioritize what matters.
- Integrations to push high-severity issues into your ticketing and incident workflows without delays.
- Automation to capture timestamps and key details, enforce escalations tied to 24/72-hour timelines, and keep an exportable audit trail for reporting and reviews.
Start with Operational CRA Timelines
The CRA entered into force in December 2024, with two deadlines to plan around: mandatory reporting starts September 11, 2026, and the CRA fully applies December 11, 2027.
Between now and 2026, the priority is operational readiness: a clear intake channel and CVD policy, plus a workflow that can timestamp “awareness,” validate quickly, and retain an audit-ready record.
HackerOne Essential VDP helps you stand up the baseline fast with a free, structured disclosure channel you can point to publicly and manage consistently. As you get closer to 2026 reporting expectations, add managed triage, integrations, and automation to move critical issues faster and maintain the evidence trail regulators will expect.
Launch Your Free HackerOne Essential VDP now, or speak to a security professional to learn more about setting up a CVD program in your organization.
Note: This article is for informational purposes and isn’t legal advice. Your obligations depend on your role (manufacturer, importer, distributor) and product scope.