Source: OJ L, 2026/881, 20.4.2026

Current language: EN

Terms and conditions for delaying notifications

COMMISSION DELEGATED REGULATION (EU) 2026/881

of 11 December 2025

supplementing Regulation (EU) 2024/2847 of the European Parliament and of the Council by specifying the terms and conditions for applying the cybersecurity-related grounds in relation to delaying the dissemination of notifications

(Text with EEA relevance)

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act)(1), and in particular Article 14(9) thereof,

Whereas:

Open full page
Recital 1Terms and conditions for applying cybersecurity-related grounds

In exceptional circumstances, and, in particular, upon request by the manufacturer and in light of the level of sensitivity of the notified information, and on justified cybersecurity-related grounds, the computer security incident response team (CSIRT) designated as coordinator initially receiving notification of an actively exploited vulnerability or a severe incident having an impact on the security of a product with digital elements (‘the CSIRT initially receiving the notification’) may decide to delay for a period of time that is strictly necessary the dissemination of the notification via the single reporting platform to the CSIRTs designated as coordinators on the territory of which the manufacturer submitting the notification has indicated that the product with digital elements has been made available (‘the relevant CSIRTs’). Therefore, it is necessary to set out the terms and conditions for applying such grounds. Where such grounds apply, the CSIRT initially receiving the notification is allowed to delay dissemination to relevant CSIRTs for a period of time that is strictly necessary, but is not required to do so. Under Article 16(2) of Regulation (EU) 2024/2847, where a CSIRT initially receiving the notification decides to invoke such grounds, it should immediately inform the European Union Agency for Cybersecurity (ENISA) of its decision to delay, and its reasons for doing so, and when it intends to further disseminate the notification.

Recital 2Conditions for restricting the access of ENISA

In accordance with Article 16(2), second subparagraph of Regulation (EU) 2024/2847, the terms and conditions for applying the cybersecurity-related grounds set out in this Regulation are not to apply to access by ENISA to the information notified. ENISA’s access to the information notified may only be restricted in particularly exceptional circumstances: when the manufacturer indicates in its notification that one of the three conditions referred to in Article 16(2), third subparagraph, points (a), (b) or (c) of Regulation (EU) 2024/2847 is met, and then only in relation to the 72-hour vulnerability notification referred to in Article 14(2), point (b) of Regulation (EU) 2024/2847. In such cases, the only information to be made available simultaneously to ENISA is information that a notification has been made by a manufacturer; general information about the product with digital elements; information on the general nature of the exploit; and the information that security-related grounds have been invoked.

Recital 3Cybersecurity risks outweighing benefits of further dissemination

Access to the notified information enables CSIRTs to have an overview of the security environment in their territory and to put in place mitigating measures, raising the overall level of cybersecurity in the Union. Therefore, further restrictions on the dissemination of notifications in light of the nature of the information being notified should be possible only in cases where, in light of the sensitivity of the information notified, the cybersecurity risks stemming from further dissemination outweigh the security benefits to the Union, and those risks cannot be adequately mitigated by placing restrictions on the handling and further sharing of the notification through appropriate protocols in use within the CSIRT Network, such as the Traffic Light Protocol (TLP) or the Permissible Actions Protocol (PAP). This may be the case, for example, where a manufacturer has informed the CSIRT initially receiving the notification that it expects to provide a mitigating measure (such as a patch) shortly. It may also be the case, when the CSIRT initially receiving the notification decides to share only parts of a notification, and these parts are nonetheless sufficient for the relevant CSIRTs to ensure that they are able to put in place adequate risk mitigation measures. Furthermore, and in order to encourage cooperation on vulnerability identification and disclosure between manufacturers, CSIRTs and security researchers, this may also be the case when the CSIRT is acting as a trusted intermediary for an ongoing coordinated vulnerability disclosure (CVD) procedure as referred to in Article 12(1) of Directive (EU) 2022/2555 of the European Parliament and of the Council(2). In such case, when the CSIRT decides to delay the dissemination of a notification, and in accordance with Article 16(6) of Regulation (EU) 2024/2847, that CSIRT is to delay it for a period that is no longer than strictly necessary and until consent for disclosure by the parties involved in the CVD is given.

HAS ADOPTED THIS REGULATION:

  1. Article 1Subject matter
  2. Article 2Definitions
  3. Article 3Terms and conditions for applying cybersecurity-related grounds stemming from the nature of the reported information
  4. Article 4Terms and conditions for applying cybersecurity-related grounds in relation to a specific CSIRT
  5. Article 5Terms and conditions for applying cybersecurity-related grounds in relation to the single reporting platform
  6. Article 6

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 11 December 2025.

For the Commission

The President

Ursula VON DER LEYEN

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod