Source: OJ L, 2026/881, 20.4.2026Current language: EN
- Cyber resilience for products with digital elements
Delegated acts
- Terms and conditions for delaying notifications
Article 3 Terms and conditions for applying cybersecurity-related grounds stemming from the nature of the reported information
Summary What does Article 3 of the Terms and conditions for delaying notifications say?
Article 3 sets out the substantive cybersecurity grounds under which the CSIRT initially receiving a notification may delay passing that notification on to the relevant CSIRTs in other Member States.
It builds directly on Article 1 of this Regulation, which establishes the overall purpose of specifying when such delays are permissible under Regulation (EU) 2024/2847.
The core threshold is a two-part test: the cybersecurity risks of dissemination must outweigh its security benefits given the sensitivity of the information, and those risks must not be manageable through information-handling protocols such as TLP or PAP.
Only where that threshold is met can one of four specific triggering conditions then justify a delay — ranging from an imminent manufacturer fix, to exploitation risk, to partial information sharing being sufficient, to an ongoing coordinated vulnerability disclosure process.
Important points:
- The CSIRT initially receiving the notification is the body empowered to decide on a delay, but the delay is strictly time-limited to what is necessary and is subject to a mandatory overarching test before any of the four conditions can apply.
- In all four scenarios, the delay is temporary — dissemination to relevant CSIRTs must occur once a risk mitigation measure becomes available, the CVD process concludes, or the 72-hour window lapses without a fix being delivered.
- Where the vulnerability is part of a coordinated vulnerability disclosure process and the receiving CSIRT is acting as trusted intermediary, dissemination is additionally conditional on consent from the parties involved in that process.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
The CSIRT initially receiving the notification may decide to delay for a period of time limited to that strictly necessary the dissemination of notifications or parts thereof to relevant CSIRTs in cases where, in light of the sensitivity of the notified information, the cybersecurity risks posed by the dissemination outweigh its security benefits and those risks cannot be mitigated by placing restrictions on the handling or further sharing of the notification through appropriate protocols, such as the Traffic Light Protocol (TLP) or the Permissible Actions Protocol (PAP), and where at least one of the following conditions is met:
the manufacturer has informed the CSIRT initially receiving the notification that an effective risk mitigation measure, such as a security update or user guidance, is expected to be made available within 72 hours; if an effective risk mitigation measure is not made available within this timeframe, the CSIRT initially receiving the notification shall disseminate the notification to the relevant CSIRTs;
the information included in the notification is deemed sufficient, in light of the nature of the notified actively exploited vulnerability, to create an exploitation technique, particularly when the vulnerability can be easily identified and exploited by actors with limited skills and resources; once an effective risk mitigation measure, such as a security update or user guidance, is available, the CSIRT initially receiving the notification shall disseminate the notification to the relevant CSIRTs;
the CSIRT initially receiving the notification is able to share with the relevant CSIRTs sufficient information to ensure that the relevant CSIRTs can put in place adequate risk mitigation measures; once an effective risk mitigation measure, such as a security update or user guidance, is available, the CSIRT initially receiving the notification shall disseminate the full notification to the relevant CSIRTs;
the CSIRT initially receiving the notification of the actively exploited vulnerability has been made aware of it as part of a coordinated vulnerability disclosure (CVD) for which that CSIRT is acting as a trusted intermediary in accordance with Article 12(1) of Directive (EU) 2022/2555; in such case, and in accordance with Article 16(6) of Regulation (EU) 2024/2847, the CSIRT initially receiving the notification shall disseminate the notification to the relevant CSIRTs when a delay is no longer strictly necessary and consent for disclosure by the parties involved in the CVD is given.
Relevant recitals
Recital 3 Cybersecurity risks outweighing benefits of further dissemination
Access to the notified information enables CSIRTs to have an overview of the security environment in their territory and to put in place mitigating measures, raising the overall level of cybersecurity in the Union. Therefore, further restrictions on the dissemination of notifications in light of the nature of the information being notified should be possible only in cases where, in light of the sensitivity of the information notified, the cybersecurity risks stemming from further dissemination outweigh the security benefits to the Union, and those risks cannot be adequately mitigated by placing restrictions on the handling and further sharing of the notification through appropriate protocols in use within the CSIRT Network, such as the Traffic Light Protocol (TLP) or the Permissible Actions Protocol (PAP). This may be the case, for example, where a manufacturer has informed the CSIRT initially receiving the notification that it expects to provide a mitigating measure (such as a patch) shortly. It may also be the case, when the CSIRT initially receiving the notification decides to share only parts of a notification, and these parts are nonetheless sufficient for the relevant CSIRTs to ensure that they are able to put in place adequate risk mitigation measures. Furthermore, and in order to encourage cooperation on vulnerability identification and disclosure between manufacturers, CSIRTs and security researchers, this may also be the case when the CSIRT is acting as a trusted intermediary for an ongoing coordinated vulnerability disclosure (CVD) procedure as referred to in Article 12(1) of Directive (EU) 2022/2555 of the European Parliament and of the Council(2). In such case, when the CSIRT decides to delay the dissemination of a notification, and in accordance with Article 16(6) of Regulation (EU) 2024/2847, that CSIRT is to delay it for a period that is no longer than strictly necessary and until consent for disclosure by the parties involved in the CVD is given.
Recital 4 Information enabling creation of an exploitation technique
The information included in the notification will help CSIRTs fulfil their tasks in the context of risk mitigation and incident handling. In rare cases, however, such information could be sufficient to enable the creation of an exploitation technique without additional research, even by actors with limited skills and resources. If that information were accessed by malicious actors, the cybersecurity of the Union would be heavily impacted, given the ease of the exploitation. This could be the case, for instance, where the vulnerable version of a piece of software differs only marginally from previous, non-vulnerable versions. In such cases, if the CSIRT initially receiving the notification believes that the cybersecurity risks stemming from further dissemination cannot be adequately mitigated by placing restrictions on handling and further sharing, it may decide to delay the dissemination until an effective risk mitigation measure, such as a security update or user guidance, is available.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
incident
Definition
vulnerability
Definition
component
Definition
cyber threat
Definition
cybersecurity
Definition
manufacturer
Definition
CSIRT designated as coordinator
Definition
CSIRT initially receiving the notification
Definition
product with digital elements
Definition
relevant CSIRT
Definition
remote data processing
Definition
cybersecurity risk
Definition
actively exploited vulnerability
Definition
electronic information system
Definition
hardware
Definition
software
Footnote 2