Source: OJ L, 2026/881, 20.4.2026

Article 3 Terms and conditions for applying cybersecurity-related grounds stemming from the nature of the reported information


The CSIRT initially receiving the notification may decide to delay for a period of time limited to that strictly necessary the dissemination of notifications or parts thereof to relevant CSIRTs in cases where, in light of the sensitivity of the notified information, the cybersecurity risks posed by the dissemination outweigh its security benefits and those risks cannot be mitigated by placing restrictions on the handling or further sharing of the notification through appropriate protocols, such as the Traffic Light Protocol (TLP) or the Permissible Actions Protocol (PAP), and where at least one of the following conditions is met:

  1. the manufacturer has informed the CSIRT initially receiving the notification that an effective risk mitigation measure, such as a security update or user guidance, is expected to be made available within 72 hours; if an effective risk mitigation measure is not made available within this timeframe, the CSIRT initially receiving the notification shall disseminate the notification to the relevant CSIRTs;

  2. the information included in the notification is deemed sufficient, in light of the nature of the notified actively exploited vulnerability, to create an exploitation technique, particularly when the vulnerability can be easily identified and exploited by actors with limited skills and resources; once an effective risk mitigation measure, such as a security update or user guidance, is available, the CSIRT initially receiving the notification shall disseminate the notification to the relevant CSIRTs;

  3. the CSIRT initially receiving the notification is able to share with the relevant CSIRTs sufficient information to ensure that the relevant CSIRTs can put in place adequate risk mitigation measures; once an effective risk mitigation measure, such as a security update or user guidance, is available, the CSIRT initially receiving the notification shall disseminate the full notification to the relevant CSIRTs;

  4. the CSIRT initially receiving the notification of the actively exploited vulnerability has been made aware of it as part of a coordinated vulnerability disclosure (CVD) for which that CSIRT is acting as a trusted intermediary in accordance with Article 12(1) of Directive (EU) 2022/2555; in such case, and in accordance with Article 16(6) of Regulation (EU) 2024/2847, the CSIRT initially receiving the notification shall disseminate the notification to the relevant CSIRTs when a delay is no longer strictly necessary and consent for disclosure by the parties involved in the CVD is given.
