We made EU CRA Article 14 compliance free (cvdportal.com)

Ceravi1 pts0 comments

Why We Built CVD Portal and Why the September Deadline Made Us Give It Away for Free

By the team at Porta Regulus BV • 2026-05-20 • 9 min read

We didn’t set out to build a SaaS product.

We set out to answer a question that kept coming up in our conversations with EU manufacturers: “We know the Cyber Resilience Act is coming. We know we need to do something about vulnerability disclosure. But where do we actually start?”

The honest answer, every time, was: “It’s more complicated than it should be.” That bothered us enough to do something about it.

The problem we kept seeing

The EU Cyber Resilience Act (CRA) introduces two distinct compliance deadlines that tend to get conflated, and that conflation is causing real harm to how companies are planning.

The first deadline is 11 September 2026. From that date, Article 14 of the CRA is enforceable. Every manufacturer selling products with digital elements into the EU market must have a process in place to report actively exploited vulnerabilities to ENISA: a 24-hour early warning, a 72-hour full notification, and a 14-day final report. This is not optional, it is not limited to large companies, and it applies to products already on the market, not just new ones. Fines for non-compliance can reach €10 million or 2% of global annual turnover.

The second deadline is 11 December 2027. That is when the full CRA requirements kick in: CE marking, conformity assessment, complete coordinated vulnerability disclosure (CVD) programmes, SBOM management, security testing documentation, CSAF advisories, and the rest. That is the complex, expensive, time-consuming work.

Most companies we spoke to were treating these as one problem. They would hear “CRA compliance” and immediately jump to the 2027 requirements, conclude it was a multi-year programme they couldn’t start yet, and put it aside. Meanwhile, September 2026 was arriving and nobody had done anything about Article 14.

That is the gap CVD Portal was built to close.

What we actually built

CVD Portal is a hosted vulnerability disclosure management platform. Manufacturers register, configure their portal in a few clicks, and get a public submission URL they can link from their website and security.txt file. From that point, the platform handles the workflow.

Researchers submit vulnerabilities through a structured, tracked intake form and receive immediate confirmation with a tracking identifier. The portal monitors SLA deadlines, flags actively exploited vulnerabilities, and triggers the Article 14 notification timeline the moment a submission is escalated. The 24-hour, 72-hour, and 14-day ENISA reporting deadlines are tracked automatically, with reminders and status indicators at every stage. Every action, from receipt through acknowledgment, escalation, notification, and resolution, is logged to a tamper-evident audit trail that serves as compliance evidence. Secure, PGP-encrypted communication between the manufacturer and the researcher is built in.

Setting up a compliant, operational vulnerability disclosure programme takes less than five minutes. That is not a marketing claim; it is the product decision we made deliberately, because the companies that most need this are not the ones with a dedicated security engineering team. They are mid-sized industrial manufacturers, IoT device makers, and software vendors who have never run a CVD programme before and need something that works out of the box.

Why we made the September 2026 features permanently free

When we mapped Article 14’s requirements against what a manufacturer actually needs to be operationally compliant by September 2026, the list was finite and achievable: a public submission mechanism with tracking, an acknowledgment capability, an Article 14 notification workflow, SLA tracking, and an audit trail.

We could have charged for this. We chose not to.

The reasoning was straightforward. Hundreds of thousands of manufacturers across the EU face this deadline. Most of them are small and medium-sized businesses without compliance budgets, legal teams, or security specialists. If we charged for the minimum viable compliance tool, we would price out the companies that need it most, and the CRA’s September obligation would become a fine factory for SMEs who genuinely didn’t know what they needed to do.

So the Free tier of CVD Portal covers everything required for September 2026, permanently. No trial periods. No feature limits on the core Article 14 functionality. No credit card required to get started.

What we charge for, on our Pro and Enterprise tiers, are the capabilities that matter for the December 2027 deadline: SBOM management, CSAF advisory generation, security test plan documentation, full CVD programme tooling, multi-product management, and the compliance analytics that larger organisations need. That work is harder,...
