Summary
The EU Cyber Resilience Act (CRA) mandates specific incident reporting requirements for manufacturers of products with digital elements. This includes the timely notification of actively exploited vulnerabilities and severe incidents to designated Computer Security Incident Response Teams (CSIRTs) and the European Union Agency for Cybersecurity (ENISA). The CRA also outlines the establishment of a single reporting platform to streamline these notifications.
Relevant CRA Provisions
Detailed Explanation
The CRA requires manufacturers to report actively exploited vulnerabilities and severe incidents having an impact on the security of their products with digital elements. These notifications must be submitted simultaneously to the CSIRT designated as coordinator and to ENISA through a single reporting platform. The reporting process is staged: an early warning, followed by a vulnerability notification (or incident notification), followed by a final report. The CRA also allows for voluntary reporting of vulnerabilities, cyber threats, incidents, and near misses. ENISA is tasked with managing the single reporting platform and preparing a technical report on emerging cybersecurity risks every two years.
Obligations for Stakeholders
- Manufacturers: Must notify the CSIRT designated as coordinator and ENISA of actively exploited vulnerabilities and severe incidents within specified timeframes: an early warning within 24 hours of becoming aware, a detailed vulnerability or incident notification within 72 hours, and a final report within 14 days after a corrective or mitigating measure is available (for exploited vulnerabilities) or within one month after the incident notification (for severe incidents). They must also inform impacted users, and where appropriate all users, of the incident or vulnerability without undue delay, together with any risk-mitigation or corrective measures.
- CSIRTs Designated as Coordinators: Must process notifications, disseminate them to relevant CSIRTs, and inform market surveillance authorities. They may delay dissemination under exceptional cybersecurity-related grounds.
- ENISA: Manages the single reporting platform, ensures its secure operation, and prepares technical reports on cybersecurity risks.