Summary
The EU Cyber Resilience Act (CRA) mandates specific incident reporting requirements to enhance cybersecurity resilience. Companies must adhere to timelines, procedures, and responsibilities outlined in the CRA to ensure compliance and improve cyber resilience.
Relevant CRA Provisions
- Recital (65)
- Recital (67)
- Recital (69)
- Recital (72)
- Recital (74)
- Article 15
- Article 16
- Article 17
- Article 70
Detailed Explanation
The CRA establishes a structured approach for incident reporting to enhance cybersecurity resilience across the EU. Key elements include:
- Single Reporting Platform: ENISA is tasked with establishing a single reporting platform to streamline incident reporting. This platform allows manufacturers to submit notifications to both the CSIRT designated as coordinator and ENISA simultaneously (Recital 69, Article 16).
- Mandatory Notifications: Manufacturers must notify ENISA and the CSIRT designated as coordinator of actively exploited vulnerabilities and severe incidents impacting product security. These notifications must be submitted via the single reporting platform (Recital 65, Article 16).
- Voluntary Reporting: Manufacturers and other entities can voluntarily report vulnerabilities, cyber threats, incidents, and near misses to ENISA or the CSIRT designated as coordinator. This voluntary reporting does not impose additional obligations (Recital 74, Article 15).
- Dissemination of Notifications: Upon receiving a notification, the CSIRT designated as coordinator must disseminate it to relevant CSIRTs. Dissemination may be delayed in exceptional circumstances for cybersecurity reasons (Article 16).
- User Notification: Manufacturers must inform users about severe incidents and any available corrective measures to mitigate impacts (Recital 67).
- Confidentiality and Security: ENISA and CSIRTs must ensure the confidentiality and security of reported information, especially for vulnerabilities without available security updates (Article 16, Recital 69).
- Public Awareness: In cases where public awareness is necessary to prevent or mitigate severe incidents, the CSIRT designated as coordinator may inform the public or require the manufacturer to do so (Article 17).
- Evaluation and Review: The Commission is required to evaluate and review the CRA, including the effectiveness of the single reporting platform, and submit reports to the European Parliament and Council (Article 70).
Obligations for Stakeholders
- Manufacturers: Must notify ENISA and the CSIRT designated as coordinator of actively exploited vulnerabilities and severe incidents. They should also inform users about severe incidents and available corrective measures.
- CSIRTs Designated as Coordinators: Responsible for receiving and disseminating notifications, ensuring confidentiality, and informing market surveillance authorities. They may delay dissemination in exceptional circumstances.
- ENISA: Establishes and maintains the single reporting platform, ensures confidentiality and security of notifications, and prepares biennial technical reports on cybersecurity risks.