    Welcome to 360 Compliance
    CVD requirements under RED Delegated Act, EN 303 645, and EN 18031 for CE and CRA cybersecurity compliance

    Coordinated Vulnerability Disclosure (CVD) Requirements Based on RED Delegated Act, CE EN 303 645, and EN 18031

    Coordinated Vulnerability Disclosure (CVD) is now a critical requirement for EU cybersecurity compliance, especially under the Cyber Resilience Act (CRA) and the RED Delegated Act (EU 2022/30).
    CVD requirements based on the RED Delegated Act, CE EN 303 645, and EN 18031 are essential for achieving CE marking compliance and maintaining product cybersecurity throughout the device lifecycle.

    At 360Compliance, we help manufacturers implement CVD compliance frameworks that align with CE marking, RED, and CRA cybersecurity standards. Our team ensures your vulnerability disclosure processes meet all requirements set by EN 303 645 and EN 18031, supporting safe, compliant, and market-ready products.

    What Are CVD Requirements?

    CVD (Coordinated Vulnerability Disclosure) is a structured process that allows security researchers, users, and manufacturers to report and resolve cybersecurity vulnerabilities safely and transparently.

    Under EU cybersecurity regulations, CVD is no longer optional — it’s an expected part of CE and UKCA certification for connected and digital products.

    CVD Under the RED Delegated Act and EU Cyber Resilience Framework

    The RED Delegated Act (EU 2022/30) mandates that manufacturers of connected radio equipment implement cybersecurity measures, including vulnerability management and disclosure.

    Together with the Cyber Resilience Act (CRA), these frameworks require that manufacturers:

    • Maintain a vulnerability handling policy.
    • Provide a public reporting channel for security researchers.
    • Manage vulnerabilities according to EN 18031 guidelines.
    • Demonstrate compliance during CE marking and market surveillance.

    👉 Learn more about the Radio Equipment Directive (2014/53/EU) and RED Delegated Act requirements.

    Why CVD Requirements Matter

    Implementing a CVD process helps manufacturers:

    • Detect and fix vulnerabilities early.
    • Prevent cyberattacks and data breaches.
    • Demonstrate compliance with EN 303 645, EN 18031, and CRA.
    • Protect customer trust and product reputation.
    • Avoid costly enforcement actions and delays in CE approval.

    Without a structured CVD framework, unresolved vulnerabilities can lead to:

    • Market access delays under EU cybersecurity rules.
    • CRA or RED-related penalties.
    • Reputational damage and loss of consumer confidence.

    Explore more on our Cyber Resilience Act compliance services.

    Who Must Implement CVD Policies?

    CVD requirements apply to all manufacturers of networked or connected devices, including:

    • IoT devices – smart home, industrial, medical, and wearables
    • ICT and connected equipment
    • Radio devices under the CE RED Delegated Act (EU 2022/30)
    • Software and cloud-connected products

    If your product connects to a network or processes data, CVD compliance is mandatory for EU market access.

    Key Elements of a Strong CVD Policy

    A compliant CVD framework typically includes:

    • Defined Reporting Channels – Clear, accessible ways for researchers to submit reports.
    • Disclosure Management – Documented procedures for evaluating and addressing issues.
    • Communication Protocols – Coordinated notifications to reporters and affected users.
    • Traceability Records – Logs of assessment, mitigation, and closure.
    • Lifecycle Integration – CVD embedded across the device lifecycle.

    Our experts can help design and validate your framework as part of your CE cybersecurity testing program.

    Steps to Achieve CVD Compliance

    1. Assess Your Current Processes – Identify gaps in vulnerability handling.
    2. Develop a Formal CVD Policy – Align with EN 303 645, EN 18031, and the RED Delegated Act.
    3. Implement Reporting Channels – Secure, traceable mechanisms for disclosures.
    4. Train Internal Teams – Ensure engineering/compliance staff know the workflows.
    5. Audit and Improve Regularly – Maintain alignment with CE and CRA.

    For professional support, see our Cybersecurity Testing & Certification Services.

    Consequences of Non-Compliance

    Failure to meet CVD requirements may result in:

    • Market access denial under EU RED or CRA.
    • Regulatory fines or penalties.
    • Product recalls or halted shipments.
    • Damaged trust and long-term brand harm.

    FAQs About CVD Requirements

    Is CVD mandatory under EU law?
    Yes. Under the Cyber Resilience Act (CRA) and RED Delegated Act, manufacturers must maintain a vulnerability disclosure process aligned with EN 18031.

    Are EN 303 645 and EN 18031 related?
    Yes. EN 303 645 defines IoT cybersecurity requirements, while EN 18031 specifies how vulnerabilities should be reported and handled.

    Do small companies need a CVD policy?
    Yes — the rules apply to all manufacturers placing connected products on the EU market.

    Why Choose 360Compliance

    At 360Compliance, we simplify CVD compliance by combining technical expertise with regulatory insight.
    We help you design, implement, and document CVD frameworks that align with the RED Delegated Act, EN 303 645, EN 18031, and the Cyber Resilience Act.

    Our Services Include:

    • CVD Policy Development – Tailored disclosure frameworks for your products.
    • Cybersecurity Testing & Evaluation – Vulnerability and risk testing before market launch.
    • Regulatory Alignment – CRA, CE, RED, and UKCA compliance support.
    • Training & Documentation – Equipping teams to manage and resolve disclosures effectively.

    👉 Contact 360Compliance to establish a complete CVD compliance framework and strengthen your product’s cybersecurity today.
