Vulnerability
A weakness in a product with digital elements that can potentially be exploited by a threat actor to breach the security of that product or connected systems. The CRA imposes extensive obligations on manufacturers to identify, remediate, and disclose vulnerabilities throughout the support period.
Overview
While the CRA does not define "vulnerability" directly, it uses the term extensively to describe weaknesses that can be exploited. The practical meaning follows the widely accepted definition in cybersecurity standards (e.g. ISO/IEC 27001): a weakness in a system that could be exploited to violate its security policy.
Manufacturer obligations relating to vulnerabilities
Under Annex I Part II and Article 13, manufacturers must:
| Obligation | Reference |
|---|---|
| Identify and document vulnerabilities (including via SBOM) | Annex I Part II §1 |
| Address and remediate vulnerabilities without delay | Annex I Part II §2 |
| Apply regular security tests and reviews | Annex I Part II §3 |
| Publicly disclose fixed vulnerability information | Annex I Part II §4 |
| Put in place a CVD policy | Annex I Part II §5 |
| Facilitate reporting via a contact address | Annex I Part II §6 |
| Provide secure update distribution mechanisms | Annex I Part II §7 |
| Provide free security updates without delay | Annex I Part II §8 |
Vulnerability in third-party components
Manufacturers must exercise due diligence regarding third-party and open-source components integrated into their products (Art. 13(5)). If a vulnerability is discovered in an integrated component, the manufacturer must:
- Report it to the component's maintainer (Art. 13(6))
- Address and remediate it in their own product
- Share relevant code/documentation patches with the maintainer where appropriate
Notifiable vulnerabilities
An actively exploited vulnerability (a specific subset of vulnerabilities) triggers mandatory notification to ENISA and the relevant CSIRT within 24 hours (Art. 14(1)).