Source: OJ L, 2026/881, 20.4.2026Current language: EN
Terms and conditions for delaying notifications
COMMISSION DELEGATED REGULATION (EU) 2026/881
of 11 December 2025
supplementing Regulation (EU) 2024/2847 of the European Parliament and of the Council by specifying the terms and conditions for applying the cybersecurity-related grounds in relation to delaying the dissemination of notifications
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act)(1), and in particular Article 14(9) thereof,
Whereas:
Recital 1Terms and conditions for applying cybersecurity-related grounds
In exceptional circumstances, and, in particular, upon request by the manufacturer and in light of the level of sensitivity of the notified information, and on justified cybersecurity-related grounds, the computer security incident response team (CSIRT) designated as coordinator initially receiving notification of an actively exploited vulnerability or a severe incident having an impact on the security of a product with digital elements (‘the CSIRT initially receiving the notification’) may decide to delay for a period of time that is strictly necessary the dissemination of the notification via the single reporting platform to the CSIRTs designated as coordinators on the territory of which the manufacturer submitting the notification has indicated that the product with digital elements has been made available (‘the relevant CSIRTs’). Therefore, it is necessary to set out the terms and conditions for applying such grounds. Where such grounds apply, the CSIRT initially receiving the notification is allowed to delay dissemination to relevant CSIRTs for a period of time that is strictly necessary, but is not required to do so. Under Article 16(2) of Regulation (EU) 2024/2847, where a CSIRT initially receiving the notification decides to invoke such grounds, it should immediately inform the European Union Agency for Cybersecurity (ENISA) of its decision to delay, and its reasons for doing so, and when it intends to further disseminate the notification.
Recital 2Conditions for restricting the access of ENISA
In accordance with Article 16(2), second subparagraph of Regulation (EU) 2024/2847, the terms and conditions for applying the cybersecurity-related grounds set out in this Regulation are not to apply to access by ENISA to the information notified. ENISA’s access to the information notified may only be restricted in particularly exceptional circumstances: when the manufacturer indicates in its notification that one of the three conditions referred to in Article 16(2), third subparagraph, points (a), (b) or (c) of Regulation (EU) 2024/2847 is met, and then only in relation to the 72-hour vulnerability notification referred to in Article 14(2), point (b) of Regulation (EU) 2024/2847. In such cases, the only information to be made available simultaneously to ENISA is information that a notification has been made by a manufacturer; general information about the product with digital elements; information on the general nature of the exploit; and the information that security-related grounds have been invoked.
Recital 3Cybersecurity risks outweighing benefits of further dissemination
Access to the notified information enables CSIRTs to have an overview of the security environment in their territory and to put in place mitigating measures, raising the overall level of cybersecurity in the Union. Therefore, further restrictions on the dissemination of notifications in light of the nature of the information being notified should be possible only in cases where, in light of the sensitivity of the information notified, the cybersecurity risks stemming from further dissemination outweigh the security benefits to the Union, and those risks cannot be adequately mitigated by placing restrictions on the handling and further sharing of the notification through appropriate protocols in use within the CSIRT Network, such as the Traffic Light Protocol (TLP) or the Permissible Actions Protocol (PAP). This may be the case, for example, where a manufacturer has informed the CSIRT initially receiving the notification that it expects to provide a mitigating measure (such as a patch) shortly. It may also be the case, when the CSIRT initially receiving the notification decides to share only parts of a notification, and these parts are nonetheless sufficient for the relevant CSIRTs to ensure that they are able to put in place adequate risk mitigation measures. Furthermore, and in order to encourage cooperation on vulnerability identification and disclosure between manufacturers, CSIRTs and security researchers, this may also be the case when the CSIRT is acting as a trusted intermediary for an ongoing coordinated vulnerability disclosure (CVD) procedure as referred to in Article 12(1) of Directive (EU) 2022/2555 of the European Parliament and of the Council(2). In such case, when the CSIRT decides to delay the dissemination of a notification, and in accordance with Article 16(6) of Regulation (EU) 2024/2847, that CSIRT is to delay it for a period that is no longer than strictly necessary and until consent for disclosure by the parties involved in the CVD is given.
Recital 4Information enabling creation of an exploitation technique
The information included in the notification will help CSIRTs fulfil their tasks in the context of risk mitigation and incident handling. In rare cases, however, such information could be sufficient to enable the creation of an exploitation technique without additional research, even by actors with limited skills and resources. If that information were accessed by malicious actors, the cybersecurity of the Union would be heavily impacted, given the ease of the exploitation. This could be the case, for instance, where the vulnerable version of a piece of software differs only marginally from previous, non-vulnerable versions. In such cases, if the CSIRT initially receiving the notification believes that the cybersecurity risks stemming from further dissemination cannot be adequately mitigated by placing restrictions on handling and further sharing, it may decide to delay the dissemination until an effective risk mitigation measure, such as a security update or user guidance, is available.
Recital 5Serious concerns about confidentiality in relevant CSIRTs
If a relevant CSIRT is not able to protect adequately the notified information, sensitive information could be accessed by malicious actors and exploits be put in place throughout the Single Market. Therefore, where there are serious concerns about a relevant CSIRT’s ability to ensure the confidentiality of the notified information, the CSIRT initially receiving the notification may decide to delay the dissemination of a notification only to that relevant CSIRT until such concerns have been addressed. This may be the case in situations where a relevant CSIRT has been hit by a cybersecurity incident affecting its ability to operate securely, or where there is evidence or information that significant shortcomings in the capabilities of the CSIRT have been detected, such as serious resource constraints compromising its ability to carry out its functions, or reliance on outdated or vulnerable software.
Recital 6Compromise of the single reporting platform
In order to prevent malicious actors from accessing sensitive information, where the single reporting platform established under Article 16 of Regulation (EU) 2024/2847 has been compromised by a cybersecurity incident, the CSIRT initially receiving the notification should delay the dissemination via the single reporting platform until the platform’s ability to ensure the confidentiality of notified information has been restored.
Recital 7Availability of product restricted to one market
In accordance with the first subparagraph of Article 16(2) of Regulation (EU) 2024/2847, the CSIRT initially receiving the notification need not disseminate a notification to any other relevant CSIRT if the manufacturer indicates that the product with digital elements is only made available on the market of the Member State of the CSIRT initially receiving the notification.
Recital 8Consultation of relevant stakeholders and expert group
The Commission has consulted and sought the views of relevant stakeholders in preparing the draft delegated act, and has consulted the Expert Group on Cybersecurity of Products with Digital Elements.
Recital 9Cooperation with the CSIRTs Network and ENISA
In accordance with Article 14(9) of Regulation (EU) 2024/2847, the Commission has cooperated closely with the CSIRTs Network established pursuant to Article 15 of Directive (EU) 2022/2555 and with ENISA, in preparing the draft delegated act,
HAS ADOPTED THIS REGULATION:
- Article 1Subject matter
- Article 2Definitions
- Article 3Terms and conditions for applying cybersecurity-related grounds stemming from the nature of the reported information
- Article 4Terms and conditions for applying cybersecurity-related grounds in relation to a specific CSIRT
- Article 5Terms and conditions for applying cybersecurity-related grounds in relation to the single reporting platform
- Article 6
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 11 December 2025.
For the Commission
The President
Ursula VON DER LEYEN
Definition
incident
Definition
vulnerability
Definition
component
Definition
cyber threat
Definition
cybersecurity
Definition
manufacturer
Definition
CSIRT designated as coordinator
Definition
CSIRT initially receiving the notification
Definition
product with digital elements
Definition
relevant CSIRT
Definition
remote data processing
Definition
cybersecurity risk
Definition
actively exploited vulnerability
Definition
electronic information system
Definition
hardware
Definition
software
Footnote 2