Summary

This article outlines the specific steps and timelines for incident reporting under the EU Cyber Resilience Act (CRA), emphasizing the responsibilities of organizations, the coordination with national authorities, and the involvement of ENISA in ensuring effective communication and response to cybersecurity threats.

Relevant CRA Provisions

Detailed Explanation

Under the CRA, manufacturers are required to report actively exploited vulnerabilities and severe incidents affecting their products with digital elements. The reporting process involves notifying the Computer Security Incident Response Team (CSIRT) designated as coordinator and the European Union Agency for Cybersecurity (ENISA) via a single reporting platform established by ENISA. The platform is designed to streamline reporting and ensure quick dissemination of information to relevant authorities.

Manufacturers must submit an early warning notification within 24 hours of becoming aware of an actively exploited vulnerability or severe incident, followed by a detailed vulnerability or incident notification within 72 hours, and a final report once corrective measures are available. The CSIRT designated as coordinator may request intermediate reports for status updates.

ENISA plays a crucial role in managing the single reporting platform, ensuring its security, and coordinating with national CSIRTs. The platform allows for the confidential handling of sensitive information, particularly when security updates are not yet available. ENISA also prepares biennial technical reports on emerging cybersecurity risks based on the notifications received.

Obligations for Stakeholders

  • Manufacturers: Must notify actively exploited vulnerabilities and severe incidents to the CSIRT designated as coordinator and ENISA via the single reporting platform. They must provide early warning, detailed, and final reports within specified timelines and inform affected users of the incidents.
  • CSIRTs Designated as Coordinators: Receive and process notifications, disseminate information to relevant authorities, and may request intermediate reports. They ensure the confidentiality and security of the information provided.
  • ENISA: Manages the single reporting platform, ensures its security, and coordinates with national CSIRTs. ENISA prepares technical reports on emerging cybersecurity risks and supports CSIRTs in handling notifications.
  • Other Natural or Legal Persons: May voluntarily report vulnerabilities, cyber threats, incidents, or near misses to the CSIRT designated as coordinator or ENISA.