Source: OJ L 2024/2847, 20.11.2024
Article 17 Other provisions related to reporting
ENISA may submit to the European cyber crisis liaison organisation network (EU-CyCLONe) established under Article 16 of Directive (EU) 2022/2555 information notified pursuant to Article 14(1) and (3) and Article 15(1) and (2) of this Regulation if such information is relevant for the coordinated management of large-scale cybersecurity incidents and crises at an operational level. For the purpose of determining such relevance, ENISA may consider technical analyses performed by the CSIRTs network, where available.
Where public awareness is necessary to prevent or mitigate a severe incident having an impact on the security of the product with digital elements or to handle an ongoing incident, or where disclosure of the incident is otherwise in the public interest, the CSIRT designated as coordinator of the relevant Member State may, after consulting the manufacturer concerned and, where appropriate, in cooperation with ENISA, inform the public about the incident or require the manufacturer to do so.
ENISA, on the basis of the notifications received pursuant to Article 14(1) and (3) and Article 15(1) and (2) of this Regulation, shall prepare, every 24 months, a technical report on emerging trends regarding cybersecurity risks in products with digital elements and submit it to the Cooperation Group established pursuant to Article 14 of Directive (EU) 2022/2555. The first such report shall be submitted within 24 months of the date of application of the obligations laid down in Article 14(1) and (3) of this Regulation. ENISA shall include relevant information from its technical reports in its report on the state of cybersecurity in the Union pursuant to Article 18 of Directive (EU) 2022/2555.
The mere act of notification in accordance with Article 14(1) and (3) or Article 15(1) and (2) shall not subject the notifying natural or legal person to increased liability.
After a security update or another form of corrective or mitigating measure is available, ENISA shall, in agreement with the manufacturer of the product with digital elements concerned, add the publicly known vulnerability notified pursuant to Article 14(1) or Article 15(1) of this Regulation to the European vulnerability database established pursuant to Article 12(2) of Directive (EU) 2022/2555.
The CSIRTs designated as coordinators shall provide helpdesk support in relation to the reporting obligations pursuant to Article 14 to manufacturers and in particular manufacturers that qualify as microenterprises or as small or medium-sized enterprises.
Relevant recitals
Recital 69 Single reporting platform and biennial report
To ensure that notifications can be disseminated quickly to all relevant CSIRTs designated as coordinators and to enable manufacturers to submit a single notification at each stage of the notification process, a single reporting platform with national electronic notification end-points should be established by ENISA. The day-to-day operations of the single reporting platform should be managed and maintained by ENISA. The CSIRTs designated as coordinators should inform their respective market surveillance authorities about notified vulnerabilities or incidents. The single reporting platform should be designed in such a way that it ensures the confidentiality of notifications, in particular as regards vulnerabilities for which a security update is not yet available. In addition, ENISA should put in place procedures to handle information in a secure and confidential manner.
On the basis of the information it gathers, ENISA should prepare a biennial technical report on emerging trends regarding cybersecurity risks in products with digital elements and submit it to the Cooperation Group established pursuant to Article 14 of Directive (EU) 2022/2555.
Recital 72 National entry points for reporting
In order to simplify the reporting of information required under this Regulation, in consideration of other complementary reporting requirements laid down in Union law, such as Regulation (EU) 2016/679, Regulation (EU) 2022/2554 of the European Parliament and of the Council (25), Directive 2002/58/EC of the European Parliament and of the Council (26) and Directive (EU) 2022/2555, as well as to decrease the administrative burden for entities, Member States are encouraged to consider providing at national level single entry points for such reporting requirements. The use of such national single entry points for the reporting of security incidents under Regulation (EU) 2016/679 and Directive 2002/58/EC should not affect the application of the provisions of Regulation (EU) 2016/679 and Directive 2002/58/EC, in particular those relating to the independence of the authorities referred to therein. When establishing the single reporting platform referred to in this Regulation, ENISA should take into account the possibility for the national electronic notification end-points referred to in this Regulation to be integrated into national single entry points that may also integrate other notifications required under Union law.
(25) Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (OJ L 333, 27.12.2022, p. 1).
(26) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (OJ L 201, 31.7.2002, p. 37).