Source: OJ L 2024/2847, 20.11.2024Current language: EN
- Cyber resilience for products with digital elements
Basic legislative acts
- CRA regulation
Article 17 Other provisions related to reporting
Summary What does Article 17 of the CRA regulation say?
This article directly follows the notification and reporting obligations established in Articles 14 and 15, and deals with what happens after those notifications are made.
It covers the downstream use of reported vulnerability and incident information across the EU's cybersecurity infrastructure.
The article assigns roles to ENISA and the CSIRTs designated as coordinators in terms of sharing information with wider EU bodies, publishing vulnerability data, producing periodic trend reports, and supporting manufacturers in meeting their reporting obligations.
Importantly, it also provides a liability protection, confirming that the act of notifying does not in itself expose the notifying party to greater legal risk.
Important points:
- ENISA is required to produce a technical report on emerging cybersecurity risk trends in products with digital elements every 24 months, submitted to the Cooperation Group.
- The act of notification under Articles 14 and 15 shall not subject the notifying person or entity to increased liability.
- CSIRTs designated as coordinators are required to provide helpdesk support to manufacturers regarding their reporting obligations under Article 14, with particular attention to microenterprises and small and medium-sized enterprises.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
ENISA may submit to the European cyber crisis liaison organisation network (EU-CyCLONe) established under Article 16 of Directive (EU) 2022/2555 information notified pursuant to Article 14(1) and (3) and Article 15(1) and (2) of this Regulation if such information is relevant for the coordinated management of large-scale cybersecurity incidents and crises at an operational level. For the purpose of determining such relevance, ENISA may consider technical analyses performed by the CSIRTs network, where available.
Where public awareness is necessary to prevent or mitigate a severe incident having an impact on the security of the product with digital elements or to handle an ongoing incident, or where disclosure of the incident is otherwise in the public interest, the CSIRT designated as coordinator of the relevant Member State may, after consulting the manufacturer concerned and, where appropriate, in cooperation with ENISA, inform the public about the incident or require the manufacturer to do so.
ENISA, on the basis of the notifications received pursuant to Article 14(1) and (3) and Article 15(1) and (2) of this Regulation, shall prepare, every 24 months, a technical report on emerging trends regarding cybersecurity risks in products with digital elements and submit it to the Cooperation Group established pursuant to Article 14 of Directive (EU) 2022/2555. The first such report shall be submitted within 24 months of the date of application of the obligations laid down in Article 14(1) and (3) of this Regulation. ENISA shall include relevant information from its technical reports in its report on the state of cybersecurity in the Union pursuant to Article 18 of Directive (EU) 2022/2555.
The mere act of notification in accordance with Article 14(1) and (3) or Article 15(1) and (2) shall not subject the notifying natural or legal person to increased liability.
After a security update or another form of corrective or mitigating measure is available, ENISA shall, in agreement with the manufacturer of the product with digital elements concerned, add the publicly known vulnerability notified pursuant to Article 14(1) or Article 15(1) of this Regulation to the European vulnerability database established pursuant to Article 12(2) of Directive (EU) 2022/2555.
The CSIRTs designated as coordinators shall provide helpdesk support in relation to the reporting obligations pursuant to Article 14 to manufacturers and in particular manufacturers that qualify as microenterprises or as small or medium-sized enterprises.
Relevant recitals
Recital 69 Single reporting platform and biennal report
To ensure that notifications can be disseminated quickly to all relevant CSIRTs designated as coordinators and to enable manufacturers to submit a single notification at each stage of the notification process, a single reporting platform with national electronic notification end-points should be established by ENISA. The day-to-day operations of the single reporting platform should be managed and maintained by ENISA. The CSIRTs designated as coordinators should inform their respective market surveillance authorities about notified vulnerabilities or incidents. The single reporting platform should be designed in such a way that it ensures the confidentiality of notifications, in particular as regards vulnerabilities for which a security update is not yet available. In addition, ENISA should put in place procedures to handle information in a secure and confidential manner. On the basis of the information it gathers, ENISA should prepare a biennial technical report on emerging trends regarding cybersecurity risks in products with digital elements and submit it to the Cooperation Group established pursuant to Article 14 of Directive (EU) 2022/2555.
Recital 72 National entry points for reporting
In order to simplify the reporting of information required under this Regulation, in consideration of other complementary reporting requirements laid down in Union law, such as Regulation (EU) 2016/679, Regulation (EU) 2022/2554 of the European Parliament and of the Council(25), Directive 2002/58/EC of the European Parliament and of the Council(26) and Directive (EU) 2022/2555, as well as to decrease the administrative burden for entities, Member States are encouraged to consider providing at national level single entry points for such reporting requirements. The use of such national single entry points for the reporting of security incidents under Regulation (EU) 2016/679 and Directive 2002/58/EC should not affect the application of the provisions of Regulation (EU) 2016/679 and Directive 2002/58/EC, in particular those relating to the independence of the authorities referred to therein. When establishing the single reporting platform referred to in this Regulation, ENISA should take into account the possibility for the national electronic notification end-points referred to in this Regulation to be integrated into national single entry points that may also integrate other notifications required under Union law.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
incident
Definition
vulnerability
Definition
component
Definition
cyber threat
Definition
cybersecurity
Definition
manufacturer
Definition
end-point
Definition
CSIRT designated as coordinator
Definition
product with digital elements
Definition
microenterprises
Definition
remote data processing
Definition
cybersecurity risk
Definition
incident having an impact on the security of the product with digital elements
Definition
electronic information system
Definition
market surveillance authority
Definition
hardware
Definition
software
Footnote 26
Footnote 25