The EU Cyber Resilience Act
Turn the CRA’s reporting mandate into disclosure operations you can prove — and a security programme that compounds from compliance into continuous validation.
The Two Dates That Matter
11 Sep
2026
Reporting obligations begin (Art. 14) — mandatory 24/72-hour vulnerability & incident reporting.
11 Dec
2027
Full CRA application — CVD policy, lifecycle handling & support period all in force.
What is the CRA?
Regulation (EU) 2024/2847 sets mandatory cybersecurity requirements for products with digital elements — software or hardware that connects to a device or network — sold into the EU. It makes vulnerability disclosure a regulated, time-bound, auditable obligation, not a best practice.
What it requires
A CVD policy & reporting channel — published, monitored, single point of contact.
Lifecycle vulnerability handling — SBOM, regular testing, timely remediation, secure updates.
Communication of fixes — what’s affected, severity, remediation steps.
A defined support period — at least five years unless expected use is shorter.
The regulation provides for a range of penalties up to €15M or 2.5% of global turnover for non-compliance.
Why HackerOne
- A reporting channel live in days. H1 Response, the HackerOne VDP, is your front door, a structured intake with full metadata, a process aligned to ISO/IEC 29147 & 30111, and SLA setting and reporting - audit-ready by design.
- Proof of exploitability, not more noise. Hai + H1 Validation pairs AI with the world’s largest researcher community to validate reports and surface what’s genuinely exploitable so the 24/72-hour clock runs on real risk.
- One platform, one record. Timestamps, escalations and an exportable audit trail on the H1 Platform, the evidence the CRA expects in one place.
- Start scoped, expand as you grow. Stand up disclosure now, and mature into H1 Bounty for broader, continuous coverage as your programme proves value.
Why teams choose HackerOne
- More than an inbox: structured intake, metadata, SLAs and an audit trail, not reports lost in email.
- Proof, not noise: a researcher community and validation prove what’s genuinely exploitable, beyond what scanners and AI flag.
- Continuous, not point-in-time: validation that runs between audits and complements your existing testing.
“Prove what’s exploitable, so you act on what’s confirmed, not noise.”
Adversarial intelligence from the world’s largest researcher community, pushing beyond what AI finds and validates on its own - on one platform that takes you from disclosure to fix.
Why teams choose HackerOne
“Prove what’s exploitable, so you act on what’s confirmed — not noise.”
The edge: adversarial intelligence from the world’s largest researcher community, pushing beyond what AI finds and validates on its own — on one platform that takes you from disclosure to fix.
More than an inbox
Structured intake, metadata, SLAs and an audit trail — not reports lost in email.
More than an inbox
Structured intake, metadata, SLAs and an audit trail — not reports lost in email.
Continuous, not point-in-time
Validation that runs between audits and complements your existing testing.
What you need — and when
Now → mid-2026
Publish a CVD policy and stand up a VDP reporting channel. Test intake; set SLAs.
11 Sep 2026
Be operational: 24h early warning / 72h notification via the ENISA platform + your national CSIRT.
Through 2027
Mature the programme — validation, audit trail, analytics. Expand scope as you grow.
11 Dec 2027
Full application: CVD policy, lifecycle handling and a defined support period in force.
Are you ready? A 60-second self-check
- Do you place products with digital elements on the EU market?
- Is your CVD policy published and your reporting channel monitored today?
- Can you evidence 24/72-hour reporting — with timestamps and an audit trail?
- Do you know who owns vulnerability intake, and where reports live right now?
Start before the clock does
The CRA's September 2026 reporting deadline isn't far off, and the organizations that will meet it without scrambling are the ones building their disclosure operations now. A monitored reporting channel, documented SLAs, and an audit-ready record of how vulnerabilities are handled aren't things you want to stand up in a hurry.
HackerOne gives you a structured path with a VDP live in days, validation that proves what's genuinely exploitable, and a single platform that carries you from your first disclosure through full CRA application in December 2027.
Watch our on-demand CRA webinar now, and talk to a HackerOne security expert to get started.