Beta

Source: OJ L 2024/2847, 20.11.2024

EN

Article 16 Establishment of a single reporting platform

    1. For the purposes of the notifications referred to in Article 14(1) and (3) and Article 15(1) and (2) and in order to simplify the reporting obligations of manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge;, a single reporting platform shall be established by ENISA. The day-to-day operations of that single reporting platform shall be managed and maintained by ENISA. The architecture of the single reporting platform shall allow Member States and ENISA to put in place their own electronic notification end-pointsmeans any device that is connected to a network and serves as an entry point to that network;.

    1. After receiving a notification, the CSIRT designated as coordinatormeans a CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555. initially receiving the notification shall, without delay, disseminate the notification via the single reporting platform to the CSIRTs designated as coordinatorsmeans a CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555. on the territory of which the manufacturermeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; has indicated that the product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; has been made available.

    2. In exceptional circumstances and, in particular, upon request by the manufacturermeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; and in light of the level of sensitivity of the notified information as indicated by the manufacturermeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; under Article 14(2), point (a), of this Regulation, the dissemination of the notification may be delayed based on justified cybersecurity-related grounds for a period of time that is strictly necessary, including where a vulnerabilitymeans a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; is subject to a coordinated vulnerabilitymeans a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; disclosure procedure as referred to in Article 12(1) of Directive (EU) 2022/2555. Where a CSIRT decides to withhold a notification, it shall immediately inform ENISA about the decision and provide both a justification for withholding the notification as well as an indication of when it will disseminate the notification in accordance with the dissemination procedure laid down in this paragraph. ENISA may support the CSIRT on the application of cybersecurity-related grounds in relation to delaying the dissemination of the notification.

    3. In particularly exceptional circumstances, where the manufacturermeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; indicates in the notification referred to in Article 14(2), point (b):

      1. that the notified vulnerabilitymeans a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; has been actively exploited by a malicious actor and, according to the information available, it has been exploited in no other Member State than the one of the CSIRT designated as coordinatormeans a CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555. to which the manufacturermeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; has notified the vulnerabilitymeans a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat;;

      2. that any immediate further dissemination of the notified vulnerabilitymeans a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; would likely result in the supply of information the disclosure of which would be contrary to the essential interests of that Member State; or

      3. that the notified vulnerabilitymeans a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; poses an imminent high cybersecurity riskmeans the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; stemming from the further dissemination;

    4. only the information that a notification was made by the manufacturermeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge;, the general information about the product, the information on the general nature of the exploit and the information that security related grounds were raised are to be made available simultaneously to ENISA until the full notification is disseminated to the CSIRTs concerned and ENISA. Where, based on that information, ENISA considers that there is a systemic risk affecting security in the internal market, it shall recommend to the recipient CSIRT that it disseminate the full notification to the other CSIRTs designated as coordinatorsmeans a CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555. and to ENISA itself.

    1. After receiving a notification of an actively exploited vulnerabilitymeans a vulnerability for which there is reliable evidence that a malicious actor has exploited it in a system without permission of the system owner; in a product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately; or of a severe incidentmeans an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; having an impact on the security of a product with digital elementsmeans a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately;, the CSIRTs designated as coordinatorsmeans a CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555. shall provide the market surveillance authoritiesmeans a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; of their respective Member States with the notified information necessary for the market surveillance authoritiesmeans a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; to fulfil their obligations under this Regulation.

    1. ENISA shall take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of the single reporting platform and the information submitted or disseminated via the single reporting platform. It shall notify without undue delay any security incidentmeans an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; affecting the single reporting platform to the CSIRTs network as well as to the Commission.

    1. ENISA, in cooperation with the CSIRTs network, shall provide and implement specifications on the technical, operational and organisational measures regarding the establishment, maintenance and secure operation of the single reporting platform referred to in paragraph 1, including at least the security arrangements related to the establishment, operation and maintenance of the single reporting platform, as well as the electronic notification end-pointsmeans any device that is connected to a network and serves as an entry point to that network; set up by the CSIRTs designated as coordinatorsmeans a CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555. at national level and ENISA at Union level, including procedural aspects to ensure that, where a notified vulnerabilitymeans a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; has no corrective or mitigating measures available, information about that vulnerabilitymeans a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; is shared in line with strict security protocols and on a need-to-know basis.

    1. Where a CSIRT designated as coordinatormeans a CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555. has been made aware of an actively exploited vulnerabilitymeans a vulnerability for which there is reliable evidence that a malicious actor has exploited it in a system without permission of the system owner; as part of a coordinated vulnerabilitymeans a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; disclosure procedure as referred to in Article 12(1) of Directive (EU) 2022/2555, the CSIRT designated as coordinatormeans a CSIRT designated as coordinator pursuant to Article 12(1) of Directive (EU) 2022/2555. initially receiving the notification may delay the dissemination of the relevant notification via the single reporting platform based on justified cybersecurity-related grounds for a period that is no longer than is strictly necessary and until consent for disclosure by the involved coordinated vulnerabilitymeans a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; disclosure parties is given. That requirement shall not prevent manufacturersmeans a natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under its name or trademark, whether for payment, monetisation or free of charge; from notifying such a vulnerabilitymeans a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat; on a voluntary basis in accordance with the procedure laid down in this Article.

Table of contents

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Contact us:

springlex@springflod.se

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod