OBL-ART13-10
Binding

Handle and remediate vulnerabilities throughout the support period

Applies to
Manufacturer
Source citations
Art. 13(10); Annex I Part II
Product classes
default, important-class-i, important-class-ii, critical
Last reviewed

Plain language

Once you find a security bug, you must fix it fast. How fast depends on how bad the bug is. Assign a CVE ID. Tell users. Publish a security note. Do this for the whole time you support the product — not just at launch.

Legal text

Article 13(10) of Regulation (EU) 2024/2847, read with Annex I Part II, requires manufacturers to handle vulnerabilities effectively. The annex specifies the following concrete requirements:

Annex I Part II — Vulnerability handling requirements:

  1. Identify and document vulnerabilities and components in the product (SBOM)
  2. Address vulnerabilities without delay, proportionate to risk
  3. Apply effective and regular security updates
  4. Use CVE identifiers (from a CVE numbering authority) for vulnerabilities
  5. Publish information about fixed vulnerabilities, including CVSS score
  6. Adopt a coordinated vulnerability disclosure policy
  7. Make it easy for third parties to report vulnerabilities
  8. Share information on vulnerabilities with CSIRT network and ENISA upon request

Key requirements

  1. Vulnerability management process — documented intake, triage, remediation, and disclosure workflow
  2. Timely remediation — response time proportionate to CVSS score and exploitability
  3. CVE assignment — obtain CVE IDs from a CNA (CVE Numbering Authority); ENISA operates as the EU CNA for CRA-related CVEs
  4. CVSS scoring — publish CVSS (v3.1 or later) score with security advisories
  5. Security advisories — publish advisories for all fixed vulnerabilities
  6. End-of-support notice — notify users no later than 12 months before support ends so they can make alternative arrangements
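Requirements 2 through 5 above translate into something a manufacturer can actually measure: a backlog in which every entry carries a CVSS score, a CVE ID once assigned, a fix date and an advisory flag, checked against per-severity time-to-patch targets. The script below is an added example written for this page, not code from the Hub or from any regulator's tooling. It maps CVSS v3.1 base scores to the qualitative bands defined in the CVSS v3.1 specification, but the SLA day values, the rule that known exploitation halves the target, the `TrackedVuln` data model and the sample backlog (with placeholder CVE IDs) are all assumptions made for illustration; the CRA text itself fixes no number of days.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.1 base score (0.0-10.0) to its qualitative severity band.

    Bands follow the CVSS v3.1 specification's qualitative rating scale.
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


# Assumed time-to-patch targets (days from accepted report to shipped fix) per
# band. These are illustrative SLA values chosen for this example; the CRA only
# requires remediation "without delay, proportionate to risk".
SLA_DAYS: Dict[str, Optional[int]] = {
    "critical": 7, "high": 30, "medium": 90, "low": 180, "none": None,
}
# Assumed policy: evidence of in-the-wild exploitation halves the target.
EXPLOITED_DIVISOR = 2


@dataclass
class TrackedVuln:
    internal_id: str
    cve_id: Optional[str]          # None until a CNA has assigned an ID
    cvss_score: float
    reported: date                 # date the report was accepted into triage
    fixed: Optional[date]          # date the fixed version shipped; None if open
    advisory_published: bool       # public advisory carrying the CVSS score
    exploited_in_wild: bool = False


def sla_deadline(v: TrackedVuln) -> Optional[date]:
    """Latest acceptable fix date under the assumed SLA, or None if no target applies."""
    days = SLA_DAYS[cvss_severity(v.cvss_score)]
    if days is None:
        return None
    if v.exploited_in_wild:
        days = max(1, days // EXPLOITED_DIVISOR)
    return v.reported + timedelta(days=days)


def check_backlog(backlog: List[TrackedVuln], today: date) -> Dict[str, List[str]]:
    """Flag entries that breach the SLA or lack the CVE / advisory evidence."""
    findings: Dict[str, List[str]] = {
        "overdue": [], "missing_cve": [], "missing_advisory": [],
    }
    for v in backlog:
        deadline = sla_deadline(v)
        # An open item is overdue once today passes its deadline; a closed item
        # counts as overdue if it was fixed after the deadline.
        reference = v.fixed if v.fixed is not None else today
        if deadline is not None and reference > deadline:
            findings["overdue"].append(v.internal_id)
        if v.cve_id is None:
            findings["missing_cve"].append(v.internal_id)
        # An advisory is expected for every fixed vulnerability.
        if v.fixed is not None and not v.advisory_published:
            findings["missing_advisory"].append(v.internal_id)
    return findings


# Constructed sample backlog; the CVE IDs are placeholders, not real identifiers.
SAMPLE_BACKLOG = [
    TrackedVuln("V-001", "CVE-PLACEHOLDER-1", 9.8, date(2025, 5, 1), date(2025, 5, 5), True),
    TrackedVuln("V-002", None, 7.5, date(2025, 4, 1), None, False),
    TrackedVuln("V-003", "CVE-PLACEHOLDER-3", 5.3, date(2025, 5, 15), None, False, True),
    TrackedVuln("V-004", "CVE-PLACEHOLDER-4", 3.1, date(2025, 1, 1), date(2025, 5, 20), False),
]
TODAY = date(2025, 6, 1)  # constructed review date

if __name__ == "__main__":
    for category, ids in check_backlog(SAMPLE_BACKLOG, TODAY).items():
        print(f"{category}: {ids}")
```

Run against the sample, the check reports V-002 as overdue and without a CVE (a high-severity bug open past its 30-day target) and V-004 as fixed but never announced; V-003 is within its shortened 45-day window despite being exploited. The same three lists map directly onto the evidence items a reviewer asks for: SLA targets by severity, the tracker itself, CVE assignment records and published advisories.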

Evidence you may need

  • Vulnerability management policy and SLA targets (time-to-patch by severity)
  • Vulnerability tracker or backlog
  • CVE assignment records
  • Published security advisories with CVSS scores
  • End-of-support notification records

Handle and remediate vulnerabilities throughout the support period — Hub Conformité CRA