13:["$","$L19",null,{"formats":"$undefined","locale":"en","messages":{"site":{"name":"CRA Compliance Hub","tagline":"Navigate the EU Cyber Resilience Act","description":"Free, authoritative guidance to help manufacturers, importers, and distributors understand and fulfil their obligations under the EU Cyber Resilience Act (Regulation (EU) 2024/2847)."},"nav":{"understand":"Understand the CRA","yourRole":"Your role","obligations":"Obligations","tools":"Tools","resources":"Resources","search":"Search","searchPlaceholder":"Search obligations, glossary…","toggleMenu":"Toggle menu","skipToContent":"Skip to main content","changeLanguage":"Change language"},"roles":{"manufacturer":"Manufacturer","importer":"Importer","distributor":"Distributor","ossSteward":"Open-source steward"},"productClasses":{"default":"Default","importantClassI":"Important Class I","importantClassII":"Important Class II","critical":"Critical"},"obligationStatus":{"binding":"Binding","draftGuidance":"Draft guidance","interpretive":"Interpretive"},"obligationStatusDescription":{"binding":"This requirement comes directly from the regulation text.","draftGuidance":"Based on the Commission's March 2026 draft guidance (Ares 2026/2319816) — non-binding, subject to change.","interpretive":"This is our reading of the regulation. Always verify with qualified legal counsel."},"citation":{"viewSource":"View source document","article":"Art.","annex":"Annex"},"obligation":{"appliesTo":"Applies to","productClasses":"Product classes","lastReviewed":"Last reviewed","reviewedBy":"by","sources":"Sources","plainLanguage":"Plain language","legalText":"Legal text","relatedObligations":"Related obligations","noObligations":"No obligations found matching your criteria.","libraryTitle":"Obligations library","libraryDescription":"Every obligation under Regulation (EU) 2024/2847 — traceable to the article, with plain-language explanations and evidence guidance.","libraryEmpty":"No obligations published yet. Check back soon, or {link} for updates.","libraryEmptyLink":"view the changelog","breadcrumb":"Obligations","sourceCitations":"Source citations","allProducts":"All products","plainLanguagePending":"Plain-language summary pending editorial review.","pendingReview":"This obligation is pending legal and technical review. Do not rely on it for compliance decisions until the review is complete."},"glossary":{"title":"Glossary","description":"Defined terms and concepts from the EU Cyber Resilience Act and related guidance.","seeAlso":"See also","noDefinition":"No definition available yet.","searchPlaceholder":"Search terms…","breadcrumb":"Glossary","sourceCitations":"Source citations"},"timeline":{"title":"Regulatory deadlines","description":"Key dates under the EU Cyber Resilience Act.","ariaLabel":"CRA regulatory timeline","art14LearnMore":"Learn more about Art. 14 obligations","inForce":"In force","vulnReporting":"Vulnerability reporting & notification obligations apply (Art. 14)","conformityBodies":"Conformity assessment body notification obligations apply","fullApplication":"Full regulation applies to all in-scope products","daysRemaining":"{days} days remaining","passed":"Passed","events":{"entered":{"label":"CRA enters into force","description":"Regulation (EU) 2024/2847 published in the Official Journal and enters into force. The clock starts."},"art14":{"label":"Vulnerability reporting & notification obligations (Art. 14)","description":"Manufacturers must report actively exploited vulnerabilities and severe incidents to ENISA: 24-hour early warning, 72-hour notification, 14-day final report. The ENISA single reporting platform must be operational by this date."},"conformity":{"label":"Conformity assessment body notification obligations","description":"Obligations relating to notification of conformity assessment bodies apply. Relevant for manufacturers requiring third-party conformity assessment (Important Class II, Critical products)."},"fullReg":{"label":"Full regulation applies","description":"All CRA obligations apply to all in-scope products with digital elements. All tools, assessment workflows, documentation, and vulnerability-handling processes must be in place."}}},"sources":{"title":"Source documents","description":"Every obligation, scenario, and tool output on this site is traceable to these official sources.","lastChecked":"Last checked","status":{"inForce":"In force","draft":"Draft","repealed":"Repealed","consolidated":"Consolidated"},"viewDocument":"View document","tableTitle":"Title","tableCelex":"CELEX / ELI","tableStatus":"Status","tableVersionDate":"Version date","typeLabels":{"regulation":"Regulations","annex":"Annexes","guidance":"Commission guidance","standard":"Harmonised standards","act":"Adjacent regulations & acts","decision":"Decisions & implementing acts"}},"disclaimer":{"short":"This site provides general information only and does not constitute legal advice.","learnMore":"Learn more"},"footer":{"legalDisclaimer":"Legal disclaimer","security":"Security","changelog":"Changelog","sources":"Sources","copyright":"© {year} CRA Compliance Hub. All rights reserved.","notLegalAdvice":"Not legal advice. Always consult qualified counsel for jurisdiction-specific questions."},"errors":{"notFound":"Page not found","notFoundDescription":"The page you are looking for does not exist or has been moved.","serverError":"Something went wrong","serverErrorDescription":"An unexpected error occurred. Please try again.","backHome":"Back to home"},"home":{"heroTitle":"Understand your EU Cyber Resilience Act obligations","heroSubtitle":"Clear, traceable, free guidance for manufacturers, importers, and distributors placing products with digital elements on the EU market.","heroBody":"Free, traceable guidance for manufacturers, importers, and distributors placing products with digital elements on the EU market. Every claim cites the regulation.","heroBanner":"Art. 14 applies from 11 September 2026 — {days} days away","deadlineWarning":"Art. 14 vulnerability reporting obligations apply from 11 September 2026.","chooseRole":"I am a…","exploreObligations":"Explore obligations","viewTimeline":"View timeline","rolesHeading":"Start with your role","rolesSubheading":"The CRA assigns different obligations depending on your position in the supply chain.","roles":{"manufacturer":{"label":"Manufacturer","description":"You design, develop, or produce products with digital elements placed on the EU market."},"importer":{"label":"Importer","description":"You place products from non-EU manufacturers on the EU market under your own name."},"distributor":{"label":"Distributor","description":"You make products with digital elements available on the EU market without altering them."},"ossSteward":{"label":"Open-source steward","description":"You systematically provide free/open-source software intended for commercial use."}},"deadlinesHeading":"Regulatory deadlines","deadlines":{"art14":"Art. 14 vulnerability reporting & notification","conformity":"Conformity assessment body notification obligations","fullReg":"Full regulation applies to all in-scope products"},"daysRemaining":"({days} days)","viewFullTimeline":"View full timeline →","whyHeading":"Traceable. Independent.","whyBody":"Every obligation, classification, and scenario on this site traces back to the regulation text or official guidance. No vendor sponsors influence how we interpret the law.","features":{"citations":{"title":"Article-level citations","body":"Every obligation links to the exact regulation article. No unverified summaries."},"badges":{"title":"Confidence badges","body":"Content is tagged Binding, Draft guidance, or Interpretive — so you know what is law."},"review":{"title":"Legal + tech review","body":"Obligation pages require sign-off from a named legal reviewer and a named technical reviewer."}},"latestChanges":"Latest regulatory changes","viewAllChanges":"View all changes"},"resourcesPage":{"title":"Resources","description":"Reference materials, official source documents, and tools for CRA compliance.","externalLinksTitle":"External resources","sections":{"glossary":{"title":"Glossary","description":"Definitions of key terms — each with article citations.","label":"Browse glossary"},"sources":{"title":"Source documents","description":"The official documents that underpin every obligation on this site.","label":"View sources"},"timeline":{"title":"Regulatory timeline","description":"Key CRA dates with countdown: Art. 14 reporting (Sep 2026), full application (Dec 2027).","label":"View timeline"},"obligations":{"title":"Obligations library","description":"All manufacturer, importer, and distributor obligations with article citations.","label":"Browse obligations"},"changelog":{"title":"Changelog & errata","description":"A public log of corrections and updates to this site's content.","label":"View changelog"}}},"craOverview":{"title":"Understand the Cyber Resilience Act","description":"A plain-language introduction to Regulation (EU) 2024/2847 — what it is, who it affects, and the key obligations it creates.","calloutNote":"This page provides general educational information only and does not constitute legal advice. See the legal disclaimer. Verify all obligations against the official regulation text.","calloutDisclaimer":"legal disclaimer","calloutRegulation":"official regulation text","sections":{"whatIsTheCra":"What is the CRA?","whoIsAffected":"Who does it apply to?","whatIsAPde":"What is a product with digital elements?","keyDeadlines":"Key deadlines","productClassification":"Product classification","penalties":"Penalties for non-compliance"},"deadlines":{"d1Label":"11 December 2024 — CRA enters into force","d1Description":"The regulation is legally in effect. Products placed on the market from this date must comply with CRA once the application dates are reached.","d2Label":"11 September 2026 — Vulnerability reporting obligations apply","d2Description":"Article 14 vulnerability and incident reporting to ENISA becomes mandatory. This is the first hard deadline. Manufacturers must have their reporting processes in place before this date.","d3Label":"11 June 2027 — Conformity assessment body notification","d3Description":"Member States must notify conformity assessment bodies to the Commission.","d4Label":"11 December 2027 — Full regulation applies","d4Description":"All CRA requirements apply to all in-scope products. No new products may be placed on the EU market that do not conform."},"ctaTitle":"Ready to go deeper?","ctaDescription":"Explore the full obligations library, understand your role, or view the regulatory timeline.","ctaObligations":"Obligations library","ctaManufacturer":"Manufacturer obligations","ctaTimeline":"View timeline","ctaProductClassification":"Product classification tool"},"rolesPage":{"keyFacts":"Key facts","viewObligations":"View all {role} obligations","noObligations":"No obligations found for this role.","roleBreadcrumb":"Role","keyDeadlines":"Key deadlines","obligationsCount":"Obligations ({count})","deadlines":{"entered":{"title":"11 December 2024 — CRA enters into force","description":"The regulation is legally in effect. Products placed on the market from this date must comply with CRA once the application dates are reached."},"art14":{"title":"11 September 2026 — Vulnerability reporting obligations apply","description":"Article 14 vulnerability and incident reporting to ENISA becomes mandatory. This is the first hard deadline. Manufacturers must have their reporting processes in place before this date."},"conformity":{"title":"11 June 2027 — Conformity assessment body notification","description":"Member States must notify conformity assessment bodies to the Commission."},"fullReg":{"title":"11 December 2027 — Full regulation applies","description":"All CRA requirements apply to all in-scope products. No new products may be placed on the EU market that do not conform."}},"roles":{"manufacturer":{"label":"Manufacturer","description":"A manufacturer is any natural or legal person who develops or manufactures products with digital elements, or has them designed or manufactured, and markets them under their own name or trademark.","keyFacts":["Highest obligation burden under the CRA","Must carry out cybersecurity risk assessments","Responsible for security updates throughout the support period (minimum 5 years)","Must report actively exploited vulnerabilities to ENISA from 11 Sep 2026","Must draw up EU Declaration of Conformity and affix CE marking"]},"importer":{"label":"Importer","description":"An importer is any natural or legal person established in the Union who places on the market a product with digital elements that bears the name or trademark of a natural or legal person established outside the Union.","keyFacts":["Must verify the manufacturer has carried out conformity assessment","Must ensure technical documentation is available for 10 years","Cannot place products on the market if they do not comply","Must take corrective action if a product presents a risk","Key due-diligence obligation at Art. 19"]},"distributor":{"label":"Distributor","description":"A distributor is any natural or legal person in the supply chain, other than the manufacturer or importer, who makes a product with digital elements available on the Union market without altering its properties.","keyFacts":["Lighter obligations than manufacturers and importers","Must verify CE marking, EU DoC, and instructions are present","Must not make a non-compliant product available on the market","Must cooperate with market surveillance authorities if a risk is identified"]},"ossSteward":{"label":"Open-source steward","description":"An open-source software steward is any legal person who provides systematic support for the development of a free and open-source software product, the intended use of which can reasonably be expected to be commercial.","keyFacts":["New category introduced by the CRA to address OSS without penalising individual developers","Lighter obligations than manufacturers (no CE marking, no DoC)","Must put a cybersecurity policy in place and cooperate with authorities","Commercial-activity test determines whether an OSS project is in scope","Steward status does not apply to downstream users who package/distribute the software"]}}},"timelinePage":{"daysRemaining":"{days} days remaining","passed":"passed"},"changelogPage":{"title":"Changelog & errata","description":"A log of corrections, clarifications, and additions to this site's content."},"legalDisclaimerPage":{"title":"Legal disclaimer","warningTitle":"Important notice","warningText":"This website and its content do not constitute legal advice. The information provided is general in nature and may not apply to your specific circumstances. Always consult a qualified legal professional for advice tailored to your situation.","lastUpdated":"Last updated: 17 May 2026"},"securityPage":{"title":"Security policy","intro":"We take the security of this site and its users seriously. This page describes how to report a vulnerability and what we commit to in response."},"productClassificationPage":{"title":"Product classification","description":"CRA products with digital elements are classified into four tiers. The classification determines which conformity assessment route applies. Most products are Default. Only those explicitly listed in Annexes III and IV are Important or Critical.","legalCallout":"Classification under Annexes III and IV requires careful analysis of the product's core function. The examples below are illustrative only. Consult qualified legal counsel and the official regulation text before making a conformity assessment decision. See also the legal disclaimer.","guidanceCallout":"The Commission's March 2026 draft guidance (Ares(2026)2319816) clarifies that classification is based on the core function of the product as a whole — not individual features. A product that incidentally includes a password manager as a secondary function is not automatically Annex III Class I. See the guidance §6 for the classification methodology.","conformityLabel":"Conformity assessment","examplesLabel":"Example products","classes":{"default":{"conformity":"Module A (self-assessment)","description":"Any product with digital elements not listed in Annexes III or IV. The vast majority of consumer IoT, enterprise software, and industrial devices fall here.","examples":["Smart home appliances not in Annex III","Consumer mobile apps (non-Annex-III functions)","General-purpose server software","Industrial sensors without critical infrastructure role"]},"importantClassI":{"conformity":"Module A (if harmonised standards applied); otherwise Module B+C or H","description":"Products listed in Annex III, Class I — those posing a significant cybersecurity risk to the EU. Includes identity management software, browsers, password managers (lightweight variant), and network management tools.","examples":["Identity management and privileged access management software","Standalone and embedded browsers","Password managers","Network and application firewalls (lower tier)","Microcontrollers and microprocessors (general purpose)","Physical and virtual network interface controllers (NICs)","Operating systems for general use"]},"importantClassII":{"conformity":"Module B+C or H (notified body required)","description":"Higher-risk products listed in Annex III, Class II — including hypervisors, TPMs, smart meter gateways, and industrial/critical-infrastructure-adjacent devices. A notified body must always be involved.","examples":["Hypervisors and container runtime engines","Trusted Platform Modules (TPMs)","Firewalls and IDS/IPS for industrial/critical infrastructure use","Secure elements","Smart meter gateways","Industrial automation and control system software","Remote access software"]},"critical":{"conformity":"Module B+C or H (notified body required) — or EU cybersecurity certification","description":"The highest-risk products listed in Annex IV — hardware devices with security boxes, smart cards, and specialised hardware security modules. Subject to the strictest conformity assessment requirements.","examples":["Hardware security modules (HSMs)","Smart cards and smart card readers","Hardware devices with security boxes (tamper-evident/tamper-resistant)","Specialised cryptographic processors"]}},"table":{"heading":"Conformity assessment routes","classCol":"Class","moduleACol":"Module A","moduleBCHCol":"Module B+C / H","euCertCol":"EU Cybersecurity Certification","defaultModuleA":"✓ Always available","defaultModuleBCH":"Optional","defaultEuCert":"Optional","class1ModuleA":"If harmonised standards applied","class1ModuleBCH":"Required if no harmonised standards","class1EuCert":"Alternative","class2ModuleA":"✗ Not available","class2ModuleBCH":"✓ Required","class2EuCert":"Alternative","criticalModuleA":"✗ Not available","criticalModuleBCH":"✓ Required","criticalEuCert":"Alternative (when adopted)","footnote":"EU cybersecurity certification schemes under Regulation (EU) 2019/881 (EUCC etc.) may substitute for Module B+C/H once the relevant implementing act is adopted. Placeholder shown until then."},"ctaObligations":"View all obligations","ctaSources":"Annex III and IV full text (sources)"},"article14Page":{"heroBadge":"First CRA hard deadline — applies 18 months early","heroTitle":"Article 14 — Vulnerability reporting & notification obligations","heroDescription":"From 11 September 2026, all in-scope manufacturers must report actively exploited vulnerabilities and severe incidents to ENISA — before the rest of the CRA applies in December 2027.","urgencyTitle":"This deadline is closer than most manufacturers realise","urgencyText":"Art. 14 applies 18 months before full CRA application (Dec 2027). Your incident-response process, ENISA reporting tooling, internal escalation procedures, and user notification channels must all be operational before 11 September 2026.","whatTitle":"What Article 14 requires","whatP1":"Article 14 of Regulation (EU) 2024/2847 creates a mandatory three-step reporting chain to ENISA whenever a manufacturer discovers that a vulnerability in their product is being actively exploited by attackers in the wild, or that a severe incident has occurred.","whatP2":"This is separate from — and in addition to — notifying affected users (Art. 14(4)), which must happen concurrently. Reporting to ENISA does not substitute for notifying users, and notifying users does not substitute for reporting to ENISA.","whatP3":"Reports are submitted via the ENISA single reporting platform, which routes information to the relevant national CSIRT(s). The platform must be operational by 11 September 2026.","chainTitle":"The three-step reporting chain","chainIntro":"The clock starts from when the manufacturer becomes aware of active exploitation — not from when the vulnerability is confirmed or fully analysed.","step1Deadline":"24 hours","step1Label":"Early warning","step1Desc":"Signal to ENISA that a severe event is in progress. Minimal detail required — speed is the priority. The clock starts from when you become aware, not when you confirm all details.","step2Deadline":"72 hours","step2Label":"Full notification","step2Desc":"Detailed notification to ENISA: product identification, vulnerability description, severity, impact, and corrective or mitigating measures taken or planned.","step3Deadline":"14 days","step3Label":"Final report","step3Desc":"Complete analysis: CVE identifier, CVSS score, root cause, remediation deployed, whether the vulnerability was publicly disclosed, and confirmation that users have been notified.","usersTitle":"Notifying affected users (Art. 14(4))","usersIntro":"In parallel with the ENISA reporting chain, manufacturers must notify affected users without undue delay. Do not wait for the full fix — users need to know:","usersItem1":"Which products and versions are affected","usersItem2":"The nature of the vulnerability and that active exploitation has been observed","usersItem3":"Mitigating measures they can take immediately (workarounds, isolation) before a patch is available","usersItem4":"Whether a patch is available and how to obtain it — or an expected release timeline","usersCallout":"The user notification obligation (Art. 14(4)) applies to all manufacturers — including those of Default class products. There is no product-class exemption.","whoTitle":"Who must comply","whoMfgTitle":"Manufacturers ✓","whoMfgDesc":"All manufacturers of in-scope products with digital elements — regardless of product class (Default, Important Class I/II, or Critical). Art. 14 applies to every manufacturer from 11 September 2026.","whoImportTitle":"Importers & distributors —","whoImportDesc":"Not directly required to report to ENISA under Art. 14. However, they must pass vulnerability information to manufacturers without undue delay (Art. 20 / Art. 24) so that manufacturers can meet their Art. 14 deadlines.","oblTitle":"Article 14 obligation cards","oblIntro":"Four atomic obligations — each traceable to the regulation article, with evidence guidance and plain-language explanations.","oblEmpty":"Obligation cards coming soon.","penaltiesTitle":"Penalties for non-compliance (Art. 64)","penaltiesTier2Title":"Tier 2 fine — up to €10 M or 2 % of global annual turnover","penaltiesTier2Text":"Failure to comply with Article 14 reporting obligations attracts a Tier 2 administrative fine under Art. 64: up to € 10,000,000 or 2 % of the worldwide annual turnover of the preceding financial year, whichever is higher. The same ceiling applies to violations of Arts. 15, 17, 18 and 23.","penaltiesNote":"See all penalty tiers on the CRA overview page →","ctaTitle":"Prepare before the deadline","ctaDescription":"Review all manufacturer obligations, understand your product classification, and check the full regulatory timeline with all CRA dates.","ctaObligations":"All obligations","ctaTimeline":"Regulatory timeline"},"tools":{"pageTitle":"Compliance Tools","pageDescription":"A growing suite of interactive tools to help manufacturers, importers, and distributors understand and meet their obligations under the EU Cyber Resilience Act.","openTool":"Open tool","comingSoon":"Coming soon","comingSoonDesc":"More tools are in active development. Sign up for updates or check back regularly.","art14Section":"Art. 14 — Vulnerability & Incident Reporting","art14SectionDesc":"Meet the three-step ENISA reporting chain for actively exploited vulnerabilities in your products.","art13Section":"Art. 13 — Manufacturer Obligations","art13SectionDesc":"Document, assess, and demonstrate compliance with ongoing manufacturer obligations throughout the product lifecycle.","annexISection":"Annex I — Essential Security Requirements","annexISectionDesc":"Self-assess your product against the cybersecurity requirements covering design, development, and maintenance.","conformitySection":"Conformity Assessment","conformitySectionDesc":"Identify the correct conformity assessment route for your product class and prepare supporting documentation.","manufacturerChecklist":{"title":"Manufacturer Obligations Checklist","description":"Interactive self-assessment covering all Art. 13 ongoing obligations — from secure development to post-market monitoring."},"technicalDocBuilder":{"title":"Technical Documentation Builder","description":"Generate a structured template for CRA-compliant technical documentation per Art. 13(13) and Annex VII."},"securityAssessment":{"title":"Security Requirements Self-Assessment","description":"Walk through every Annex I Essential Cybersecurity Requirement, flag gaps, and export a remediation checklist."},"sbomGenerator":{"title":"SBOM Template Generator","description":"Create a Software Bill of Materials template aligned with CRA Art. 13(1) and IEC 62443 requirements."},"conformitySelector":{"title":"Conformity Assessment Pathway Selector","description":"Answer a few questions about your product to determine whether self-assessment, audit, or full third-party certification applies."},"deadlineCalculator":{"title":"Reporting Deadline Calculator","description":"Enter when you became aware of an actively exploited vulnerability to calculate your three ENISA reporting deadlines in your local timezone.","awarenessLabel":"Date and time you became aware","timezoneLabel":"Your local timezone","calculateButton":"Calculate deadlines","resultsTitle":"Your ENISA reporting deadlines","cetLabel":"CET / CEST (ENISA reference)","localLabel":"Your local time","deadline24hTitle":"Step 1 — 24-hour early warning","deadline72hTitle":"Step 2 — 72-hour detailed notification","deadline14dTitle":"Step 3 — 14-day final report","copy":"Copy","copied":"Copied","overdue":"OVERDUE","overdueNote":"This deadline has already passed based on the time entered.","enisaLinkLabel":"ENISA Single Reporting Platform — information & FAQ →","legalNote":"Deadlines run from the moment of awareness (Art. 14). CET/CEST is the ENISA reference timezone. This tool is a guide only — always consult qualified legal counsel.","timezones":{"europeParis":"CET / CEST — Europe (Paris, Berlin, Amsterdam)","asiaShanghai":"CST — China Standard Time (Beijing, Shanghai)","asiaTokyo":"JST — Japan Standard Time (Tokyo)","asiaSeoul":"KST — Korea Standard Time (Seoul)","americaLosAngeles":"PT — US Pacific Time (Los Angeles, Seattle)","americaNewYork":"ET — US Eastern Time (New York, Boston)","asiaKolkata":"IST — India Standard Time (Mumbai, Delhi)","utc":"UTC — Coordinated Universal Time"}},"reportingHelper":{"title":"ENISA Reporting Helper","description":"Interactive checklists for each step of the Art. 14 three-step reporting chain.","introText":"Complete each checklist before submitting to ENISA. The clock runs from the moment you become aware of active exploitation — not from confirmation or analysis.","progress":"{done}/{total} items checked","allDone":"All items checked","printButton":"Print checklist","resetButton":"Reset all","enisaButton":"Open ENISA Reporting Platform →","legalNote":"Checklists are derived from Arts. 14(2), 14(3), and 14(4) of Regulation (EU) 2024/2847. Guide only — not legal advice.","step1Title":"Step 1 — 24-hour early warning","step1Due":"Due within 24 hours of awareness","step2Title":"Step 2 — 72-hour detailed notification","step2Due":"Due within 72 hours of awareness","step3Title":"Step 3 — 14-day final report","step3Due":"Due within 14 days of awareness","userNotifTitle":"User notification (Art. 14(4)) — concurrent obligation","userNotifDue":"Without undue delay — run concurrently with ENISA reporting","calculatorLinkText":"Calculate your exact deadlines →"},"cvdPolicy":{"title":"CVD Policy Builder","description":"Generate a Coordinated Vulnerability Disclosure policy, security.txt file, and ENISA reporting workflow template for your organisation.","step1Title":"Organisation details","step2Title":"Disclosure preferences","step3Title":"Preview and download","orgName":"Organisation name","orgNamePlaceholder":"ACME Corporation","securityEmail":"Security contact email","securityEmailPlaceholder":"security@example.com","pgpKey":"PGP key fingerprint (optional)","pgpKeyPlaceholder":"ABCD EF01 2345 6789 ABCD","pgpKeyHelp":"Recommended for encrypted vulnerability reports. Leave blank if not used.","disclosureTimeline":"Coordinated disclosure deadline","days90":"90 days (recommended)","days60":"60 days","days45":"45 days","days30":"30 days (minimum)","nextButton":"Next →","backButton":"← Back","generateButton":"Generate files","downloadCvd":"Download CVD policy (.md)","downloadSecurityTxt":"Download security.txt","downloadWorkflow":"Download ENISA workflow (.md)","tabCvd":"CVD Policy","tabSecurityTxt":"security.txt","tabWorkflow":"ENISA Workflow","legalNote":"Generated files are templates only. Have them reviewed by qualified legal counsel before publication.","requiredField":"Required"}}},"now":"$undefined","timeZone":"UTC","children":"$L1a"}]