Source: OJ L, 2026/881, 20.4.2026

Current language: EN

Article 4 Terms and conditions for applying cybersecurity-related grounds in relation to a specific CSIRT


Summary What does Article 4 of the Terms and conditions for delaying notifications say?

This article deals with a more targeted scenario compared to Article 3, which addresses delays in dissemination broadly.

Here, the focus is on situations where the CSIRT initially receiving the notification may withhold sharing notification information with a specific relevant CSIRT, rather than all relevant CSIRTs.

The basis for this targeted delay is concern over that specific CSIRT's ability to maintain the confidentiality of the notified information, either because it has suffered a cybersecurity incident or because its general capabilities are considered inadequate.

The article also sets out the conditions under which dissemination may resume, tying the end of the delay to the relevant CSIRT demonstrating that the confidentiality concern has been resolved.

Important points:

  • The CSIRT initially receiving the notification may delay dissemination to a specific relevant CSIRT if that CSIRT has been hit by a cybersecurity incident or is considered to lack adequate capability to protect the confidentiality of the information.
  • The delay triggered by a cybersecurity incident lasts until the affected CSIRT notifies the CSIRTs Network that its confidentiality capabilities have been restored.
  • Where the delay is based on inadequate capabilities, the relevant CSIRT must provide evidence that it has addressed the identified shortcomings before dissemination resumes.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

  1. The CSIRT initially receiving the notification may decide to delay for a period of time that is strictly necessary the dissemination of notifications or parts thereof to a specific relevant CSIRT in cases where:

    1. the relevant CSIRT has been affected by a cybersecurity incident casting doubt on its ability to ensure the confidentiality of the notified information;

    2. it has sufficient reason to believe that the capabilities of the relevant CSIRT are inadequate to ensure the confidentiality of the notified information.

  2. In cases referred to in point (a) of the first subparagraph, the CSIRT initially receiving the notification may delay the dissemination until the relevant CSIRT has informed the CSIRTs Network referred to in Article 15 of Directive (EU) 2022/2555 that its ability to ensure the confidentiality of notifications has been restored.

  3. In cases referred to in point (b) of the first subparagraph, the CSIRT initially receiving the notification may delay the dissemination to the relevant CSIRT until that CSIRT has provided evidence that it has addressed the shortcomings identified.

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod