Source: OJ L 2024/2847, 20.11.2024
- Cyber resilience for products with digital elements
Basic legislative acts
- CRA regulation
Article 17 Other provisions related to reporting
ENISA may submit to the European cyber crisis liaison organisation network (EU-CyCLONe) established under Article 16 of Directive (EU) 2022/2555 information notified pursuant to Article 14(1) and (3) and Article 15(1) and (2) of this Regulation if such information is relevant for the coordinated management of large-scale cybersecurity incidents and crises at an operational level. For the purpose of determining such relevance, ENISA may consider technical analyses performed by the CSIRTs network, where available.
Where public awareness is necessary to prevent or mitigate a severe incident having an impact on the security of the product with digital elements or to handle an ongoing incident, or where disclosure of the incident is otherwise in the public interest, the CSIRT designated as coordinator of the relevant Member State may, after consulting the manufacturer concerned and, where appropriate, in cooperation with ENISA, inform the public about the incident or require the manufacturer to do so.
ENISA, on the basis of the notifications received pursuant to Article 14(1) and (3) and Article 15(1) and (2) of this Regulation, shall prepare, every 24 months, a technical report on emerging trends regarding cybersecurity risks in products with digital elements and submit it to the Cooperation Group established pursuant to Article 14 of Directive (EU) 2022/2555. The first such report shall be submitted within 24 months of the date of application of the obligations laid down in Article 14(1) and (3) of this Regulation. ENISA shall include relevant information from its technical reports in its report on the state of cybersecurity in the Union pursuant to Article 18 of Directive (EU) 2022/2555.
The mere act of notification in accordance with Article 14(1) and (3) or Article 15(1) and (2) shall not subject the notifying natural or legal person to increased liability.
After a security update or another form of corrective or mitigating measure is available, ENISA shall, in agreement with the manufacturer of the product with digital elements concerned, add the publicly known vulnerability notified pursuant to Article 14(1) or Article 15(1) of this Regulation to the European vulnerability database established pursuant to Article 12(2) of Directive (EU) 2022/2555.
The CSIRTs designated as coordinators shall provide helpdesk support in relation to the reporting obligations pursuant to Article 14 to manufacturers and in particular manufacturers that qualify as microenterprises or as small or medium-sized enterprises.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.