The Cyber Resilience Act (CRA) of the European Union (EU) imposes many new cyber security requirements practically to all network-enabled information technology products, whether hard­ware or software. The paper examines and elaborates the CRA’s new requirements for vulnerability coordination, including vul­nerability disclosure. Although these requirements are only a part of the CRA’s obligations for vendors, also some new vulnerability coordination mandates are present. In particular, so-called actively exploited vulnerabilities require mandatory reporting. In addition to elaborating the reporting logic, the paper discusses the notion of actively exploited vulnerabilities in relation to the notion of known exploited vulnerabilities used in the United States. The CRA further alters the coordination practices on the side of public administra­tions. The paper addresses also these new practices. With the exam­ination elaboration, and associated discussion based on conceptual analysis, the paper contributes to the study of cyber security regu­lations, providing also a few takeaways for further research.