Summary
The Cyber Resilience Act (CRA) mandates clear and efficient communication protocols between organizations, authorities, and customers to ensure transparency and compliance with cybersecurity requirements. This includes establishing a single point of contact for users, notifying authorities of severe incidents, and providing detailed information and instructions to users.
Relevant CRA Provisions
- Recital (63)
- Recital (67)
- Recital (119)
- Article 17
- Article 37
- Article 50
- Article 53
- Article 63
- Annex II
Detailed Explanation
The CRA emphasizes the importance of transparent and efficient communication between manufacturers, authorities, and users. Manufacturers must establish a single point of contact for users to report vulnerabilities and receive information. This contact should be easily accessible and not rely solely on automated tools. Additionally, manufacturers are required to notify relevant authorities and users about severe incidents impacting product security and provide detailed instructions for secure use, including handling vulnerabilities and updates.
Confidentiality of information is crucial, and all parties involved in the application of the CRA must respect this to protect intellectual property, business information, public security, and the integrity of legal proceedings. Market surveillance authorities may request access to data and documentation necessary to assess product conformity with cybersecurity requirements.
The Commission facilitates the exchange of experience between Member States’ national authorities to ensure consistent application of the CRA. ENISA and CSIRTs play a role in coordinating incident reporting and providing support to manufacturers, especially SMEs.
Obligations for Stakeholders
- Manufacturers: Establish a single point of contact for users, notify authorities and users of severe incidents, provide detailed product information and instructions, and ensure confidentiality of sensitive information.
- Distributors and Importers: Ensure that products comply with CRA requirements and facilitate communication between manufacturers and users as necessary.
- Open Source Software Stewards: Maintain clear communication channels for vulnerability reporting and provide necessary documentation and support to users.
- Market Surveillance Authorities: Respect confidentiality, request necessary data and documentation for assessments, and cooperate with ENISA and CSIRTs for incident management.
- ENISA and CSIRTs: Coordinate incident reporting, provide support to manufacturers, and facilitate public awareness when necessary.
- Commission: Organize the exchange of experience between Member States’ national authorities to ensure consistent application of the CRA.