Source: OJ L, 2026/881, 20.4.2026

Current language: EN

Article 3 Terms and conditions for applying cybersecurity-related grounds stemming from the nature of the reported information


Summary What does Article 3 of the Terms and conditions for delaying notifications say?

Article 3 sets out the substantive cybersecurity grounds under which the CSIRT initially receiving a notification may delay passing that notification on to the relevant CSIRTs in other Member States.

It builds directly on Article 1 of this Regulation, which establishes the overall purpose of specifying when such delays are permissible under Regulation (EU) 2024/2847.

The core threshold is a two-part test: the cybersecurity risks of dissemination must outweigh its security benefits given the sensitivity of the information, and those risks must not be manageable through information-handling protocols such as TLP or PAP.

Only where that threshold is met can one of four specific triggering conditions then justify a delay — ranging from an imminent manufacturer fix, to exploitation risk, to partial information sharing being sufficient, to an ongoing coordinated vulnerability disclosure process.

Important points:

  • The CSIRT initially receiving the notification is the body empowered to decide on a delay, but the delay is strictly time-limited to what is necessary and is subject to a mandatory overarching test before any of the four conditions can apply.
  • In all four scenarios, the delay is temporary — dissemination to relevant CSIRTs must occur once a risk mitigation measure becomes available, the CVD process concludes, or the 72-hour window lapses without a fix being delivered.
  • Where the vulnerability is part of a coordinated vulnerability disclosure process and the receiving CSIRT is acting as trusted intermediary, dissemination is additionally conditional on consent from the parties involved in that process.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

The CSIRT initially receiving the notification may decide to delay for a period of time limited to that strictly necessary the dissemination of notifications or parts thereof to relevant CSIRTs in cases where, in light of the sensitivity of the notified information, the cybersecurity risks posed by the dissemination outweigh its security benefits and those risks cannot be mitigated by placing restrictions on the handling or further sharing of the notification through appropriate protocols, such as the Traffic Light Protocol (TLP) or the Permissible Actions Protocol (PAP), and where at least one of the following conditions is met:

  1. the manufacturer has informed the CSIRT initially receiving the notification that an effective risk mitigation measure, such as a security update or user guidance, is expected to be made available within 72 hours; if an effective risk mitigation measure is not made available within this timeframe, the CSIRT initially receiving the notification shall disseminate the notification to the relevant CSIRTs;

  2. the information included in the notification is deemed sufficient, in light of the nature of the notified actively exploited vulnerability, to create an exploitation technique, particularly when the vulnerability can be easily identified and exploited by actors with limited skills and resources; once an effective risk mitigation measure, such as a security update or user guidance, is available, the CSIRT initially receiving the notification shall disseminate the notification to the relevant CSIRTs;

  3. the CSIRT initially receiving the notification is able to share with the relevant CSIRTs sufficient information to ensure that the relevant CSIRTs can put in place adequate risk mitigation measures; once an effective risk mitigation measure, such as a security update or user guidance, is available, the CSIRT initially receiving the notification shall disseminate the full notification to the relevant CSIRTs;

  4. the CSIRT initially receiving the notification of the actively exploited vulnerability has been made aware of it as part of a coordinated vulnerability disclosure (CVD) for which that CSIRT is acting as a trusted intermediary in accordance with Article 12(1) of Directive (EU) 2022/2555; in such case, and in accordance with Article 16(6) of Regulation (EU) 2024/2847, the CSIRT initially receiving the notification shall disseminate the notification to the relevant CSIRTs when a delay is no longer strictly necessary and consent for disclosure by the parties involved in the CVD is given.

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod