Summary

This article outlines the immediate actions and protocols that organizations should follow to effectively respond to and mitigate the impacts of detected vulnerabilities or breaches in compliance with the Cyber Resilience Act (CRA). It emphasizes the importance of timely notification, coordinated vulnerability disclosure, and the implementation of security measures to protect users and maintain market integrity.

Relevant CRA Provisions

Detailed Explanation

Upon detecting a vulnerability or breach, manufacturers must act swiftly to mitigate risks and ensure the security of their products with digital elements. The CRA mandates that manufacturers notify both the Computer Security Incident Response Team (CSIRT) designated as coordinator and the European Union Agency for Cybersecurity (ENISA) of any actively exploited vulnerability or severe incident affecting product security. This notification is to be submitted via the single reporting platform established by ENISA, so that the relevant authorities and market surveillance bodies are promptly informed. Manufacturers should also consider the sensitivity of the information being reported and may request a delay in its dissemination under exceptional circumstances, such as when the vulnerability is still under coordinated disclosure or when dissemination would pose an imminent high cybersecurity risk.

Additionally, manufacturers are required to inform their users about any severe incidents and provide necessary corrective measures. This can be done through public disclosures on their websites or direct communication with users, depending on the severity of the cybersecurity risks. The CRA encourages manufacturers to establish coordinated vulnerability disclosure policies, including bug bounty programs, to incentivize the reporting of vulnerabilities and enhance overall cybersecurity.

Obligations for Stakeholders

Manufacturers: Must notify CSIRTs and ENISA of actively exploited vulnerabilities and severe incidents, inform users of severe incidents and provide corrective measures, establish coordinated vulnerability disclosure policies, and ensure products are secure by default with mechanisms for addressing vulnerabilities.

CSIRTs designated as coordinators: Must process notifications, prioritize mandatory over voluntary notifications, ensure confidentiality of information, and may delay dissemination of notifications under exceptional circumstances.

ENISA: Must manage the single reporting platform, ensure its security, and cooperate with CSIRTs to implement necessary technical and operational measures.