Summary

Manufacturers are required to report actively exploited vulnerabilities and severe incidents affecting the security of their products with digital elements to designated Computer Security Incident Response Teams (CSIRTs) and the European Union Agency for Cybersecurity (ENISA).

Relevant CRA Provisions

Recital (76)
Article 13
Article 14
Article 15
Article 16
Article 17

Detailed Explanation

Under the EU Cyber Resilience Act (CRA), manufacturers of products with digital elements have specific reporting obligations to ensure the cybersecurity of their products. These obligations are primarily detailed in Article 14, which requires manufacturers to notify the CSIRT designated as coordinator and ENISA of any actively exploited vulnerabilities and severe incidents. Notifications must be made via a single reporting platform established by ENISA, as outlined in Article 16.

Manufacturers must submit an early warning notification within 24 hours of becoming aware of an actively exploited vulnerability or severe incident. They must then provide a detailed vulnerability or incident notification within 72 hours, followed by a final report once corrective measures are available.

Additionally, manufacturers are encouraged to establish coordinated vulnerability disclosure policies (Recital 76) to facilitate the reporting of vulnerabilities. Voluntary reporting of vulnerabilities and incidents is also permitted under Article 15, allowing other natural or legal persons to notify ENISA or CSIRTs of any cybersecurity issues they identify.

Obligations for Stakeholders

Manufacturers: Must report actively exploited vulnerabilities and severe incidents as per Article 14. They should also maintain coordinated vulnerability disclosure policies (Recital 76) and ensure products conform to essential cybersecurity requirements (Article 13).
Other Natural or Legal Persons: May voluntarily report vulnerabilities and incidents to ENISA or CSIRTs under Article 15.
CSIRTs and ENISA: Responsible for processing notifications, ensuring confidentiality, and disseminating information as necessary (Articles 15, 16, and 17).