Source: OJ L 2024/2847, 20.11.2024Current language: EN
- Cyber resilience for products with digital elements
Basic legislative acts
- CRA regulation
Article 15 Voluntary reporting
Summary What does Article 15 of the CRA regulation say?
This article establishes a voluntary reporting channel that runs alongside the mandatory notification obligations set out in Article 14.
It opens the door for manufacturers and any other natural or legal persons to report vulnerabilities, cyber threats, security incidents, and near misses to the relevant CSIRT designated as coordinator or to ENISA on a purely voluntary basis.
A key protection is built in: submitting a voluntary notification cannot trigger any additional obligations that would not otherwise have applied, encouraging open disclosure without fear of regulatory penalty.
The article also addresses the situation where a third party — rather than the manufacturer — raises an actively exploited vulnerability or severe incident, requiring the receiving CSIRT to inform the manufacturer without undue delay.
Important points:
- Manufacturers and any other natural or legal persons may voluntarily report vulnerabilities, cyber threats, incidents, and near misses to a CSIRT designated as coordinator or ENISA — no obligation to do so arises from this article alone.
- CSIRTs designated as coordinators and ENISA are required to protect the confidentiality of information provided by voluntary reporters, and voluntary reporting must not result in additional obligations being imposed on the notifying party.
- CSIRTs designated as coordinators may prioritise the processing of mandatory notifications over voluntary ones.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
Manufacturers as well as other natural or legal persons may notify any vulnerability contained in a product with digital elements as well as cyber threats that could affect the risk profile of a product with digital elements on a voluntary basis to a CSIRT designated as coordinator or ENISA.
Manufacturers as well as other natural or legal persons may notify any incident having an impact on the security of the product with digital elements as well as near misses that could have resulted in such an incident on a voluntary basis to a CSIRT designated as coordinator or ENISA.
The CSIRT designated as coordinator or ENISA shall process the notifications referred to in paragraphs 1 and 2 of this Article in accordance with the procedure laid down in Article 16.
The CSIRT designated as coordinator may prioritise the processing of mandatory notifications over voluntary notifications.
Where a natural or legal person other than the manufacturer notifies an actively exploited vulnerability or a severe incident having an impact on the security of a product with digital elements in accordance with paragraph 1 or 2, the CSIRT designated as coordinator shall without undue delay inform the manufacturer.
The CSIRTs designated as coordinators as well as ENISA shall ensure the confidentiality and appropriate protection of the information provided by a notifying natural or legal person. Without prejudice to the prevention, investigation, detection and prosecution of criminal offences, voluntary reporting shall not result in the imposition of any additional obligations upon a notifying natural or legal person to which it would not have been subject had it not submitted the notification.
Relevant recitals
Recital 68 Actively exploited vulnerabilities
Actively exploited vulnerabilities concern instances where a manufacturer establishes that a security breach affecting its users or any other natural or legal persons has resulted from a malicious actor making use of a flaw in one of the products with digital elements made available on the market by the manufacturer. Examples of such vulnerabilities could be weaknesses in a product’s identification and authentication functions. Vulnerabilities that are discovered with no malicious intent for purposes of good faith testing, investigation, correction or disclosure to promote the security or safety of the system owner and its users should not be subject to mandatory notification. Severe incidents having an impact on the security of the product with digital elements, on the other hand, refer to situations where a cybersecurity incident affects the development, production or maintenance processes of the manufacturer in such a way that it could result in an increased cybersecurity risk for users or other persons. Such a severe incident could include a situation where an attacker has successfully introduced malicious code into the release channel via which the manufacturer releases security updates to users.
Recital 71 Sensitivity of information in notification
When manufacturers notify an actively exploited vulnerability or a severe incident having an impact on the security of the product with digital elements, they should indicate how sensitive they consider the notified information to be. The CSIRT designated as coordinator initially receiving the notification should take this information into account when assessing whether the notification gives rise to exceptional circumstances that justify a delay in the dissemination of the notification to the other relevant CSIRTs designated as coordinators based on justified cybersecurity-related grounds. It should also take that information into account when assessing whether the notification of an actively exploited vulnerability gives rise to particularly exceptional circumstances that justify that the full notification is not made available simultaneously to ENISA. Finally, CSIRTs designated as coordinators should be able to take that information into account when determining appropriate measures to mitigate the risks stemming from such vulnerabilities and incidents.
Recital 74 Voluntary notification of vulnerabilities and incidents
Manufacturers and other natural and legal persons should be able to notify to a CSIRT designated as coordinator or ENISA, on a voluntary basis, any vulnerability contained in a product with digital elements, cyber threats that could affect the risk profile of a product with digital elements, any incident having an impact on the security of the product with digital elements as well as near misses that could have resulted in such an incident.
Recital 75 Vulnerability researchers
Member States should aim to address, to the extent possible, the challenges faced by vulnerability researchers, including their potential exposure to criminal liability, in accordance with national law. Given that natural and legal persons researching vulnerabilities could in some Member States be exposed to criminal and civil liability, Member States are encouraged to adopt guidelines as regards the non-prosecution of information security researchers and an exemption from civil liability for their activities.
Recital 119 Respect for confidentiality
In order to ensure trusting and constructive cooperation of market surveillance authorities at Union and national level, all parties involved in the application of this Regulation should respect the confidentiality of information and data obtained in carrying out their tasks.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
incident
Definition
vulnerability
Definition
component
Definition
cyber threat
Definition
cybersecurity
Definition
manufacturer
Definition
CSIRT designated as coordinator
Definition
product with digital elements
Definition
near miss
Definition
remote data processing
Definition
cybersecurity risk
Definition
actively exploited vulnerability
Definition
incident having an impact on the security of the product with digital elements
Definition
electronic information system
Definition
market surveillance authority
Definition
hardware
Definition
software