Source: OJ L, 2026/881, 20.4.2026Current language: EN
- Cyber resilience for products with digital elements
Delegated acts
- Terms and conditions for delaying notifications
Article 1 Subject matter
Summary What does Article 1 of the Terms and conditions for delaying notifications say?
This is the foundational scope article of the Regulation.
It establishes the core purpose: to define the specific terms and conditions under which a CSIRT designated as coordinator — the one that first receives a vulnerability or incident notification — may lawfully delay passing that notification on to other relevant CSIRTs.
This Regulation does not stand alone; it directly implements and gives substance to Article 16(2) of Regulation (EU) 2024/2847, which established the general grounds for such delays but left the detail to be filled in here.
Important points:
- The Regulation governs the CSIRT initially receiving a notification, setting out when it may delay sharing that notification with other coordinator CSIRTs.
- The delay mechanism applies specifically to notifications made under Articles 14 and 15 of Regulation (EU) 2024/2847, concerning products with digital elements.
- This article establishes the subject matter and scope only — the actual conditions justifying a delay are set out in the articles that follow.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
This Regulation specifies the terms and conditions for applying the cybersecurity-related grounds referred to in Article 16(2) of Regulation (EU) 2024/2847 that enable the CSIRT designated as coordinator initially receiving a notification in accordance with Article 14(1) and (3) and Article 15(1) and (2) of that Regulation to delay the dissemination of the notification to the CSIRTs designated as coordinators on the territory of which the manufacturer has indicated that the product with digital elements has been made available.
Relevant recitals
Recital 1 Terms and conditions for applying cybersecurity-related grounds
In exceptional circumstances, and, in particular, upon request by the manufacturer and in light of the level of sensitivity of the notified information, and on justified cybersecurity-related grounds, the computer security incident response team (CSIRT) designated as coordinator initially receiving notification of an actively exploited vulnerability or a severe incident having an impact on the security of a product with digital elements (‘the CSIRT initially receiving the notification’) may decide to delay for a period of time that is strictly necessary the dissemination of the notification via the single reporting platform to the CSIRTs designated as coordinators on the territory of which the manufacturer submitting the notification has indicated that the product with digital elements has been made available (‘the relevant CSIRTs’). Therefore, it is necessary to set out the terms and conditions for applying such grounds. Where such grounds apply, the CSIRT initially receiving the notification is allowed to delay dissemination to relevant CSIRTs for a period of time that is strictly necessary, but is not required to do so. Under Article 16(2) of Regulation (EU) 2024/2847, where a CSIRT initially receiving the notification decides to invoke such grounds, it should immediately inform the European Union Agency for Cybersecurity (ENISA) of its decision to delay, and its reasons for doing so, and when it intends to further disseminate the notification.
Recital 4 Information enabling creation of an exploitation technique
The information included in the notification will help CSIRTs fulfil their tasks in the context of risk mitigation and incident handling. In rare cases, however, such information could be sufficient to enable the creation of an exploitation technique without additional research, even by actors with limited skills and resources. If that information were accessed by malicious actors, the cybersecurity of the Union would be heavily impacted, given the ease of the exploitation. This could be the case, for instance, where the vulnerable version of a piece of software differs only marginally from previous, non-vulnerable versions. In such cases, if the CSIRT initially receiving the notification believes that the cybersecurity risks stemming from further dissemination cannot be adequately mitigated by placing restrictions on handling and further sharing, it may decide to delay the dissemination until an effective risk mitigation measure, such as a security update or user guidance, is available.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
incident
Definition
vulnerability
Definition
component
Definition
cyber threat
Definition
cybersecurity
Definition
manufacturer
Definition
CSIRT designated as coordinator
Definition
CSIRT initially receiving the notification
Definition
product with digital elements
Definition
relevant CSIRT
Definition
remote data processing
Definition
cybersecurity risk
Definition
actively exploited vulnerability
Definition
electronic information system
Definition
hardware
Definition
software