Summary
The Cyber Resilience Act (CRA) mandates specific incident response requirements for organizations, emphasizing the roles and responsibilities in managing and reporting cybersecurity incidents related to products with digital elements.
Relevant CRA Provisions
Detailed Explanation
The CRA establishes a structured approach to incident response, requiring manufacturers and other stakeholders to report cybersecurity incidents and vulnerabilities. Manufacturers must notify both the CSIRT designated as coordinator and ENISA of actively exploited vulnerabilities and severe incidents. Notifications should be made via a single reporting platform managed by ENISA. The CSIRT designated as coordinator may delay dissemination of sensitive notifications under exceptional circumstances. Manufacturers are also required to inform users about severe incidents and any corrective measures. Voluntary reporting of vulnerabilities, cyber threats, incidents, and near misses is encouraged but not mandatory. ENISA and CSIRTs must ensure the confidentiality of reported information and provide helpdesk support to manufacturers, especially micro and small enterprises.
Obligations for Stakeholders
- Manufacturers: Must notify CSIRTs and ENISA of actively exploited vulnerabilities and severe incidents. Inform users about severe incidents and corrective measures. Can voluntarily report other vulnerabilities, threats, incidents, and near misses.
- Other Natural or Legal Persons: Can voluntarily report vulnerabilities, threats, incidents, and near misses to CSIRTs or ENISA.
- CSIRTs Designated as Coordinators: Process notifications, prioritize mandatory over voluntary notifications, and may delay dissemination of sensitive notifications under exceptional circumstances. Inform market surveillance authorities of notified incidents.
- ENISA: Manage the single reporting platform, ensure its security, and prepare technical reports on cybersecurity risks. Cooperate with CSIRTs to implement security measures for the platform.