Source: OJ L, 2026/881, 20.4.2026Current language: EN
- Cyber resilience for products with digital elements
Delegated acts
- Terms and conditions for delaying notifications
Article 4 Terms and conditions for applying cybersecurity-related grounds in relation to a specific CSIRT
Summary What does Article 4 of the Terms and conditions for delaying notifications say?
This article deals with a more targeted scenario compared to Article 3, which addresses delays in dissemination broadly.
Here, the focus is on situations where the CSIRT initially receiving the notification may withhold sharing notification information with a specific relevant CSIRT, rather than all relevant CSIRTs.
The basis for this targeted delay is concern over that specific CSIRT's ability to maintain the confidentiality of the notified information, either because it has suffered a cybersecurity incident or because its general capabilities are considered inadequate.
The article also sets out the conditions under which dissemination may resume, tying the end of the delay to the relevant CSIRT demonstrating that the confidentiality concern has been resolved.
Important points:
- The CSIRT initially receiving the notification may delay dissemination to a specific relevant CSIRT if that CSIRT has been hit by a cybersecurity incident or is considered to lack adequate capability to protect the confidentiality of the information.
- The delay triggered by a cybersecurity incident lasts until the affected CSIRT notifies the CSIRTs Network that its confidentiality capabilities have been restored.
- Where the delay is based on inadequate capabilities, the relevant CSIRT must provide evidence that it has addressed the identified shortcomings before dissemination resumes.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
The CSIRT initially receiving the notification may decide to delay for a period of time that is strictly necessary the dissemination of notifications or parts thereof to a specific relevant CSIRT in cases where:
the relevant CSIRT has been affected by a cybersecurity incident casting doubt on its ability to ensure the confidentiality of the notified information;
it has sufficient reason to believe that the capabilities of the relevant CSIRT are inadequate to ensure the confidentiality of the notified information.
In cases referred to in point (a) of the first subparagraph, the CSIRT initially receiving the notification may delay the dissemination until the relevant CSIRT has informed the CSIRTs Network referred to in Article 15 of Directive (EU) 2022/2555 that its ability to ensure the confidentiality of notifications has been restored.
In cases referred to in point (b) of the first subparagraph, the CSIRT initially receiving the notification may delay the dissemination to the relevant CSIRT until that CSIRT has provided evidence that it has addressed the shortcomings identified.
Relevant recitals
Recital 5 Serious concerns about confidentiality in relevant CSIRTs
If a relevant CSIRT is not able to protect adequately the notified information, sensitive information could be accessed by malicious actors and exploits be put in place throughout the Single Market. Therefore, where there are serious concerns about a relevant CSIRT’s ability to ensure the confidentiality of the notified information, the CSIRT initially receiving the notification may decide to delay the dissemination of a notification only to that relevant CSIRT until such concerns have been addressed. This may be the case in situations where a relevant CSIRT has been hit by a cybersecurity incident affecting its ability to operate securely, or where there is evidence or information that significant shortcomings in the capabilities of the CSIRT have been detected, such as serious resource constraints compromising its ability to carry out its functions, or reliance on outdated or vulnerable software.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
incident
Definition
component
Definition
cybersecurity
Definition
manufacturer
Definition
CSIRT designated as coordinator
Definition
CSIRT initially receiving the notification
Definition
product with digital elements
Definition
relevant CSIRT
Definition
remote data processing
Definition
electronic information system
Definition
hardware
Definition
software