PROGRAMME FRAMEWORK

Cyber Vulnerability Reporting

for Manufacturers under the Cyber Resilience Act

Format

Digital Practitioner Programme with Facilitated Capstone Workshop

Modules

6 Modules

Total Hours

26 Hours

Audience

Product security officers, PSIRT leads, compliance managers, engineering leads, QA staff and importers/distributors

Programme Purpose

This programme develops the capability manufacturers need to meet the vulnerability handling, disclosure, reporting and evidence obligations introduced by the EU Cyber Resilience Act for products with digital elements.

The programme is designed for product security officers, PSIRT leads, vulnerability response teams, compliance managers, software engineering leads, quality assurance staff, open-source stewards, importers and distributors who need to understand the CRA reporting chain.

The digital practitioner programme moves beyond awareness training. It is designed to produce a working practitioner toolkit through self-paced digital learning: policies, workflows, triage records, regulatory decision tools, advisory templates and evidence packs, capped with a live practitioner capstone workshop.

Key Regulatory Dates

Date | Obligation
11 September 2026 | Article 14 reporting obligations apply: manufacturers must notify actively exploited vulnerabilities and severe incidents having an impact on the security of their products, simultaneously to the CSIRT designated as coordinator and to ENISA, through ENISA's Single Reporting Platform.
11 December 2027 | Full CRA applies, including the Annex I essential cybersecurity requirements, conformity assessment and post-market obligations.

Programme Learning Architecture

Each module follows the same four-part digital learning pathway, allocating 4 hours across structured delivery components:

Learning Component | Duration | Description
Foundation Digital Lesson | 60 Minutes | Pre-recorded digital learning covering foundational knowledge, concepts, regulatory requirements, standards and terminology.
Deep Dive Session 1 – Core Topics | 60 Minutes | Pre-recorded trainer-led session: expert explanations, worked examples, decision walkthroughs and regulatory interpretation.
Deep Dive Session 2 – Practitioner Outputs | 60 Minutes | Pre-recorded trainer-led session: template walkthroughs, document creation guidance, evidence expectations and audit considerations.
Scenario / Simulation Assessment | 60 Minutes | Realistic CRA-focused scenario requiring learners to apply module knowledge and produce practitioner outputs for portfolio submission.
Total per Module | 4 Hours |


6 Modules × 4 Hours = 24 Hours digital learning

Final Live Practitioner Workshop = 2 Hours

Total Programme Duration: 26 Hours

Module 1 - Foundations of Cyber Vulnerability Reporting and Disclosure

Module 1 establishes the operational, legal, organisational and communication foundations required for effective cyber vulnerability reporting and coordinated disclosure. It introduces the full vulnerability reporting ecosystem, including researchers, vendors, asset owners, CNAs, CSIRTs, PSIRTs, regulators, customers and users.

Foundation Digital Lesson  |  60 Minutes | Pre-Recorded Digital Learning

  • Vulnerability reporting lifecycle
  • Key terminology: vulnerability, weakness, exploit, exposure, threat, risk, incident, impact
  • Disclosure ecosystem and stakeholder roles
  • Vulnerability versus incident reporting
  • Private, coordinated and public disclosure models
  • Ethical and legal foundations: authorisation, proportionality, safe harbour, researcher conduct

Deep Dive Session 1 – Core Topics  |  60 Minutes | Pre-Recorded Trainer-Led Session

  • Coordinated disclosure in practice
  • Stakeholder relationships and engagement models
  • Bug bounty models and vulnerability disclosure programmes
  • Common reporting failures and operational failure modes
  • Organisational maturity considerations

Deep Dive Session 2 – Practitioner Outputs  |  60 Minutes | Pre-Recorded Trainer-Led Session

  • Stakeholder mapping
  • Current-state vulnerability reporting process mapping
  • Vulnerability lifecycle modelling
  • Baseline maturity assessment

Scenario Assessment

Scenario: The Misclassified Vulnerability Report

Learners analyse a poorly documented vulnerability report, identify missing information, classify correctly and determine escalation requirements.

Learners produce:

  • Stakeholder map
  • Vulnerability lifecycle diagram
  • Current-state process map
  • Initial maturity reflection

Module 2 - Building a CRA-Conformant Vulnerability Disclosure Policy

Module 2 develops the capability to design a vulnerability disclosure policy and intake model that is defensible, practical and aligned with CRA expectations. The module is grounded in ISO/IEC 29147, OWASP vulnerability disclosure guidance, NCSC-style vulnerability disclosure tooling, and the CRA Annex I Part II vulnerability handling requirements.

Foundation Digital Lesson  |  60 Minutes | Pre-Recorded Digital Learning

  • CRA Annex I Part II vulnerability handling requirements
  • ISO/IEC 29147 disclosure requirements
  • Vulnerability Disclosure Programme fundamentals
  • Policy scope: products, services, environments and exclusions

Deep Dive Session 1 – Core Topics  |  60 Minutes | Pre-Recorded Trainer-Led Session

  • Researcher authorisation boundaries and safe-harbour language
  • Acceptable and prohibited testing scope
  • Reporting routes: email, web form, portal, security.txt (RFC 9116) and encrypted submission
  • Embargo expectations and third-party/supplier vulnerabilities
  • Publication and crediting policies
  • Integration with PSIRT and legal review

Deep Dive Session 2 – Practitioner Outputs  |  60 Minutes | Pre-Recorded Trainer-Led Session

  • Drafting a CRA-compliant vulnerability disclosure policy
  • Building intake forms and minimum report content requirements
  • Developing security.txt implementation
  • Policy quality reviews against good and poor VDP examples

Scenario Assessment

Scenario: Launching a New Connected Product

Learners must design a complete VDP and intake model for a manufacturer preparing to launch a connected product with digital elements under the CRA.

Learners produce:

  • Draft vulnerability disclosure policy
  • Intake form template
  • Security.txt implementation checklist
  • Safe-harbour and scope rationale
  • Policy-quality self-assessment

Module 3 - Intake, Validation, Evidence and Triage

Module 3 develops the capability to validate incoming reports, establish whether the evidence is sufficient to reproduce and confirm a vulnerability, and triage and prioritise confirmed findings. It is anchored in the FIRST CVSS v4.0, FIRST EPSS, CISA SSVC and CISA KEV references in the programme's standards mapping, and produces the triage worksheet, evidence sufficiency checklist, CVSS / EPSS / SSVC prioritisation worksheet and decision log from the programme artefact set.

Foundation Digital Lesson  |  60 Minutes | Pre-Recorded Digital Learning

  • Report validation and reproduction
  • Evidence standards: what a report must contain before it can be confirmed
  • Severity scoring with FIRST CVSS v4.0
  • Exploitation likelihood with FIRST EPSS and known-exploited status against CISA KEV
  • Stakeholder-specific prioritisation with CISA SSVC

Deep Dive Session 1 – Core Topics  |  60 Minutes | Pre-Recorded Trainer-Led Session

  • Distinguishing confirmed vulnerabilities from weaknesses, exposures and incidents
  • Recognising evidence of active exploitation and its CRA reporting consequences
  • Escalation thresholds

Deep Dive Session 2 – Practitioner Outputs  |  60 Minutes | Pre-Recorded Trainer-Led Session

  • Triage worksheet design
  • Evidence sufficiency checklist
  • CVSS / EPSS / SSVC prioritisation worksheet
  • Decision log

Scenario Assessment

Learners validate, triage and prioritise an incoming vulnerability report and record their decisions.

Learners produce:

  • Triage worksheet
  • Evidence sufficiency checklist
  • CVSS / EPSS / SSVC prioritisation worksheet
  • Decision log

Module 4 - Vulnerability Handling, Remediation and Coordination

Module 4 focuses on the operational handling of confirmed vulnerabilities, including remediation planning, coordination, patching, mitigation, advisory preparation and closure. The module is anchored in ISO/IEC 30111 and FIRST PSIRT practice, with particular attention to multi-party and supply-chain coordination.

Foundation Digital Lesson  |  60 Minutes | Pre-Recorded Digital Learning

  • ISO/IEC 30111 vulnerability handling principles
  • Vulnerability handling lifecycle
  • PSIRT operating models
  • Free-of-charge security updates under CRA
  • Multi-party coordination: suppliers, OEMs, open-source maintainers, cloud providers

Deep Dive Session 1 – Core Topics  |  60 Minutes | Pre-Recorded Trainer-Led Session

  • Root-cause analysis and remediation options
  • Patch development, configuration changes, mitigations and workarounds
  • Product withdrawal decisions and risk acceptance
  • SBOM maintenance and post-market monitoring
  • Coordination with importers, distributors, customers, national CSIRTs and ENISA
  • CNAs and CVE assignment

Deep Dive Session 2 – Practitioner Outputs  |  60 Minutes | Pre-Recorded Trainer-Led Session

  • Remediation plan template design
  • PSIRT/CSIRT RACI development
  • Multi-party coordination tracking
  • Root-cause analysis documentation
  • Security update planning records

Scenario Assessment

Scenario: Critical Supply Chain Vulnerability

Learners manage a high-severity vulnerability affecting a shared component across multiple customer products and open-source dependencies.

Learners produce:

  • Remediation plan and coordination tracker
  • Root-cause analysis worksheet
  • Security update planning record
  • Embargo decision checklist
  • PSIRT/CSIRT RACI
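The first question in the supply-chain scenario above (a shared component across multiple products) is which products actually ship the affected component in an affected version, and that is what the SBOM maintenance bullet is for. The following is an added example for this page, not ECI course material: it walks a set of CycloneDX SBOMs (one per product, including nested firmware components), matches components by package URL, and applies an OSV-style "introduced / fixed" version range to produce one row per affected product for the coordination tracker. The SBOMs, product names and the affected package are constructed; the CycloneDX field names are real, and the version comparison is a simplified dotted-numeric compare rather than full semver or ecosystem-specific ordering.

```python
"""Multi-product impact lookup over CycloneDX SBOMs.

Added example for this programme page, not ECI course material. The SBOMs,
product names and the affected package are constructed; the CycloneDX field
names (bomFormat, components[].name/version/purl, nested components) are real.
Version comparison is a simplified dotted-numeric compare, not full semver.
"""
import json


def parse_version(version: str) -> tuple:
    """'2.3.1' -> (2, 3, 1). Pre-release/build suffixes are dropped
    (simplification: '2.4.0-rc1' sorts as 2.4.0)."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) if part.isdigit() else 0 for part in core.split("."))


def purl_base(purl: str) -> str:
    """Strip version, qualifiers and subpath from a package URL:
    'pkg:npm/%40scope/name@1.0.0?type=dist#sub' -> 'pkg:npm/%40scope/name'."""
    stripped = purl.split("?", 1)[0].split("#", 1)[0]
    head, at, _version = stripped.rpartition("@")
    return head if at else stripped


def is_affected(version: str, introduced: str, fixed) -> bool:
    """OSV-style half-open range: introduced <= version < fixed.
    fixed=None means no fixed release exists yet."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def iter_components(sbom: dict):
    """Yield (purl_base, version, purl) for every component carrying a purl,
    descending into nested components (firmware images, bundled libraries)."""
    stack = list(sbom.get("components", []))
    while stack:
        comp = stack.pop()
        stack.extend(comp.get("components", []))
        purl, version = comp.get("purl"), comp.get("version")
        if purl and version:
            yield purl_base(purl), version, purl


def find_affected_products(sboms: dict, affected_purl: str,
                           introduced: str, fixed) -> list:
    """sboms maps product name -> parsed CycloneDX document. Returns sorted
    (product, component purl) pairs: one row per product for the
    coordination tracker and customer advisory."""
    target = purl_base(affected_purl)
    hits = []
    for product, sbom in sboms.items():
        if sbom.get("bomFormat") != "CycloneDX":
            raise ValueError(f"{product}: not a CycloneDX document")
        for base, version, purl in iter_components(sbom):
            if base == target and is_affected(version, introduced, fixed):
                hits.append((product, purl))
    return sorted(hits)


# Constructed SBOMs for three fictional products sharing 'libfoo'.
SBOMS = {name: json.loads(doc) for name, doc in {
    "gateway-fw": '''{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "firmware", "name": "gateway-image", "version": "5.1", "components": [
            {"type": "library", "name": "libfoo", "version": "2.3.1", "purl": "pkg:generic/libfoo@2.3.1"}]}]}''',
    "sensor-hub": '''{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "name": "libfoo", "version": "2.4.0", "purl": "pkg:generic/libfoo@2.4.0"}]}''',
    "cloud-agent": '''{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "name": "express", "version": "4.19.2", "purl": "pkg:npm/express@4.19.2"},
        {"type": "library", "name": "libfoo", "version": "2.2.0", "purl": "pkg:generic/libfoo@2.2.0"}]}''',
}.items()}

if __name__ == "__main__":
    # Supplier advisory (constructed): libfoo from 2.2.0 up to, but excluding, 2.4.0 is affected.
    for product, purl in find_affected_products(SBOMS, "pkg:generic/libfoo", "2.2.0", "2.4.0"):
        print(f"{product}: ships {purl}; upgrade to >= 2.4.0")
```

The lookup is only as good as the SBOMs behind it: nested components are walked deliberately because a vulnerable library buried in a firmware image is exactly the case a flat search misses, and a product whose SBOM was not regenerated at its last release will not show up at all. Keep the result alongside the remediation plan; it is also the evidence a market surveillance authority would expect for "which products were affected and how we knew".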

Module 5 - CRA Reporting, Advisories and Regulatory Communication

Module 5 develops the capability to make reporting decisions and prepare regulator, customer, executive and public communications. It directly addresses CRA Article 14 obligations and situates them within the wider regulatory context including NIS2, the EU Vulnerability Database and the UK PSTI regime.

Foundation Digital Lesson  |  60 Minutes | Pre-Recorded Digital Learning

  • CRA Article 14 reporting obligations
  • Actively exploited vulnerabilities and severe product-security incidents
  • Reporting timelines: early warning within 24 hours of becoming aware; vulnerability or incident notification within 72 hours; final report within 14 days of a corrective or mitigating measure becoming available for an actively exploited vulnerability, or within one month of the incident notification for a severe incident
  • ENISA Single Reporting Platform
  • NIS2 Article 12 coordinated vulnerability disclosure
  • EU Vulnerability Database, UK PSTI and sector-specific obligations

Deep Dive Session 1 – Core Topics  |  60 Minutes | Pre-Recorded Trainer-Led Session

  • Regulatory decision making and reporting thresholds
  • Coordination with the CSIRT designated as coordinator and downstream user notification
  • Executive briefings and public advisory practice
  • Product liability and data protection considerations
  • Public disclosure planning and holding lines

Deep Dive Session 2 – Practitioner Outputs  |  60 Minutes | Pre-Recorded Trainer-Led Session

  • CRA early warning template drafting
  • CRA vulnerability notification template
  • CRA final report preparation
  • Customer advisory and executive briefing templates
  • Disclosure timeline development

Scenario Assessment

Scenario: Actively Exploited Vulnerability

Learners prepare staged notifications for a vulnerability that is actively exploited in the wild, making live regulatory and communication decisions under time pressure.

Learners produce:

  • Regulatory decision tree
  • CRA early warning notification
  • CRA 72-hour vulnerability notification
  • CRA final report outline
  • Customer advisory and executive briefing
  • Public holding statement

Module 6 - Integrated Simulation, Conformity Evidence and Portfolio Defence

Module 6 brings the full programme together through integrated digital learning, a scenario assessment and portfolio completion. Learners connect vulnerability reporting practice to conformity assessment and post-market compliance evidence, and complete and defend their practitioner toolkit.

Foundation Digital Lesson  |  60 Minutes | Pre-Recorded Digital Learning

  • Conformity assessment linkage and vulnerability handling evidence
  • Technical documentation requirements and decision logs
  • SBOM linkage and remediation history
  • Advisory records and security update evidence
  • Audit readiness and portfolio completion

Deep Dive Session 1 – Core Topics  |  60 Minutes | Pre-Recorded Trainer-Led Session

  • Integrated vulnerability handling lifecycle review
  • Market surveillance scrutiny and auditability requirements
  • Internal disagreement, legal and communications pressure handling
  • Gap analysis and maturity improvement planning

Deep Dive Session 2 – Practitioner Outputs  |  60 Minutes | Pre-Recorded Trainer-Led Session

  • Portfolio assembly and evidence mapping
  • Complete practitioner toolkit finalisation
  • Gap analysis documentation
  • 90-day maturity improvement plan development

Scenario Assessment

Scenario: Full CRA Regulatory Challenge

Learners manage an evolving multi-party disclosure event involving an incomplete report, potential active exploitation, open-source dependency and multiple customers.

Learners produce:

  • Complete vulnerability handling portfolio
  • Regulatory reporting pack and evidence pack
  • Customer advisory and final stakeholder map
  • Gap analysis and remediation roadmap
  • 90-day maturity improvement plan

Programme Capstone Workshop

Live Online Practitioner Workshop | 2 Hours | Delivered after all six modules

The Capstone Workshop provides an integrated review of the entire CRA vulnerability reporting lifecycle and consolidates learning across all programme outputs. It is delivered following completion of all six digital modules.

Workshop Structure

Session 1 – End-to-End CRA Vulnerability Reporting Walkthrough  |  45 Minutes

  • Vulnerability discovery
  • Intake and triage
  • Remediation
  • Regulatory reporting
  • Disclosure
  • Evidence retention

Session 2 – Integrated Case Study  |  45 Minutes

  • Active exploitation
  • Supplier involvement
  • Regulatory reporting
  • Customer notification
  • Remediation planning

Session 3 – Practitioner Portfolio Review  |  20 Minutes

  • Review of the complete artefact set developed throughout the programme
  • Peer discussion of practitioner decisions and evidence quality

Session 4 – Implementation Planning and Q&A  |  10 Minutes

  • Development of immediate organisational implementation actions
  • Alignment to the programme’s recommended 90-day roadmap

Programme Assessment Strategy

Assessment Approach

Assessment is work-based and portfolio-led. Learners are assessed on their ability to produce defensible, usable, evidence-based vulnerability handling artefacts — not on memory recall. Each module’s scenario assessment generates outputs that form part of the final portfolio.

Assessment Component | Weight | Module
Disclosure policy and intake design | 20% | Module 2
Triage and prioritisation | 25% | Module 3
Remediation and coordination planning | 20% | Module 4
Reporting and advisory pack | 20% | Module 5
Simulation and oral defence | 15% | Module 6

Pass Standard

Learners must demonstrate that their process has the following required characteristics:

–    Evidence-based

–    Repeatable

–    Proportionate

–    Legally aware

–    Operationally realistic

–    Aligned to recognised standards

–    Suitable for audit, regulator scrutiny and customer assurance

Full Programme Artefact Set

By the end of the programme, each learner should have produced a complete practitioner toolkit. The 25 artefacts below are the tangible evidence of competence and programme completion.

Policy, Process & Disclosure

–    Vulnerability disclosure policy

–    Vulnerability report intake form

–    security.txt checklist

–    Stakeholder map

–    Current-state process map

–    Regulatory decision tree

–    Disclosure timeline tracker

Regulatory Reporting & Advisory

–    CRA early warning template

–    CRA vulnerability notification template

–    CRA final report template

–    Customer advisory template

–    Executive briefing template

–    Public holding statement

Triage, Evidence & Remediation

–    Triage worksheet

–    Evidence sufficiency checklist

–    CVSS / EPSS / SSVC prioritisation worksheet

–    Decision log

–    PSIRT/CSIRT RACI

–    Remediation plan template

–    Multi-party coordination tracker

–    Embargo checklist

–    Root-cause analysis worksheet

Conformity & Maturity

–    Conformity evidence checklist

–    Gap analysis and remediation roadmap

–    90-day maturity improvement plan


Standards and Regulatory Mapping

The programme maps to the following standards, frameworks and regulatory instruments:

Reference | Scope
ISO/IEC 29147 | Vulnerability disclosure
ISO/IEC 30111 | Vulnerability handling
FIRST PSIRT Services Framework | PSIRT operating model
FIRST CVSS v4.0 | Severity scoring
FIRST EPSS | Exploitation likelihood
CISA SSVC | Stakeholder-specific prioritisation
CISA KEV | Known exploited vulnerability cataloguing
CERT/CC CVD Guidance | Coordinated vulnerability disclosure
OWASP Vulnerability Disclosure Cheat Sheet | Researcher and vendor guidance
EU Cyber Resilience Act | Primary regulatory instrument
NIS2 Article 12 | Coordinated vulnerability disclosure
EU Vulnerability Database | ENISA-maintained vulnerability database established under NIS2 Article 12
UK PSTI Regime | UK product security obligations
ENISA Single Reporting Platform | CRA regulatory reporting
SBOM guidance (CycloneDX, SPDX) | Software bill of materials

Recommended 90-Day Post-Course Implementation Roadmap

Participants are expected to apply their learning immediately on return to their organisation. The following roadmap supports structured post-course implementation.

Establish

Days 1–30

–    Assign vulnerability handling owners

–    Confirm product scope

–    Publish or revise disclosure policy

–    Set up intake route and define ticket categories

–    Create initial SLAs

–    Confirm legal and communications contacts

Implement

Days 31–60

–    Deploy triage worksheet and adopt severity/prioritisation method

–    Set evidence standards and create RACI

–    Define escalation thresholds

–    Prepare advisory and notification templates

–    Map CRA reportability decision points

Exercise

Days 61–90

–    Run tabletop exercise and test reporter communications

–    Test legal, product, engineering and communications escalation

–    Validate regulatory reporting decision tree

–    Test customer advisory workflow

–    Review evidence pack quality and define maturity metrics

Design Rationale

The redesigned framework retains the original CRA specification’s emphasis on legal obligations, vulnerability handling, reporting procedures, tooling, conformity assessment and ongoing compliance.

It adopts the six-module structure while shifting from a workshop-centric blended delivery model to a scalable digital practitioner programme. Each module uses consistent 60-minute learning blocks across four structured components — Foundation Digital Lesson, Deep Dive Session 1, Deep Dive Session 2 and Scenario Assessment — making the programme accessible asynchronously while retaining rigorous practitioner outcomes.

The programme concludes with a 2-hour live practitioner capstone workshop that consolidates learning across all modules and connects vulnerability reporting practice to conformity evidence and post-market obligations.

The portfolio-led assessment model ensures that learning translates directly into operational capability and audit-ready documentation.

1,800.00

Enrol in ECI, European College of Innovation today.