Summary

This article outlines the responsibilities and procedures that manufacturers and distributors must follow to handle and report cybersecurity incidents under the EU Cyber Resilience Act (CRA). It covers the mandatory reporting requirements, the structure and timing of notifications, and the obligations to inform users and authorities.

Relevant CRA Provisions

Recitals: Recital 67, Recital 76

Articles: Article 1, Article 14, Article 15, Article 16, Article 17, Article 20

Detailed Explanation

The CRA imposes stringent requirements on manufacturers and distributors to ensure the cybersecurity of products with digital elements. Manufacturers are required to notify both the CSIRT designated as coordinator and ENISA of any actively exploited vulnerabilities or severe incidents impacting the security of their products. Notifications must be submitted via a single reporting platform managed by ENISA. The process includes early warning notifications, vulnerability notifications, and final reports, with specific timeframes for each type. Manufacturers must also inform affected users about these incidents and any available corrective measures.

Distributors, on the other hand, must verify the conformity of products with digital elements before making them available on the market. They are required to act with due care and inform market surveillance authorities if they become aware of any non-compliance or significant cybersecurity risks posed by the products.

Obligations for Stakeholders

  • Manufacturers:
    • Notify CSIRT and ENISA of actively exploited vulnerabilities and severe incidents via the single reporting platform.
    • Submit early warning notifications within 24 hours, vulnerability notifications within 72 hours, and final reports within the timeframes the CRA specifies for each report type.
    • Inform users about incidents and available corrective measures.
    • Implement coordinated vulnerability disclosure policies and facilitate the reporting of vulnerabilities.
    • Ensure products are made available on the market without known exploitable vulnerabilities and with secure configurations.
  • Distributors:
    • Verify the conformity of products with digital elements before making them available on the market.
    • Inform manufacturers and market surveillance authorities of any non-compliance or significant cybersecurity risks.
    • Cooperate with market surveillance authorities on any measures taken to eliminate cybersecurity risks.
    • Inform users and authorities if the manufacturer ceases operations and cannot comply with CRA obligations.