Article 14 Reporting obligations of manufacturers


    1. A manufacturer shall notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that actively exploited vulnerability via the single reporting platform established pursuant to Article 16.

    2. For the purposes of the notification referred to in paragraph 1, the manufacturer shall submit:

      (a) an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available;

      (b) unless the relevant information has already been provided, a vulnerability notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability, which shall provide general information, as available, about the product with digital elements concerned, the general nature of the exploit and of the vulnerability concerned as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be;

      (c) unless the relevant information has already been provided, a final report, no later than 14 days after a corrective or mitigating measure is available, including at least the following:

        (i) a description of the vulnerability, including its severity and impact;

        (ii) where available, information concerning any malicious actor that has exploited or that is exploiting the vulnerability;

        (iii) details about the security update or other corrective measures that have been made available to remedy the vulnerability.

    3. A manufacturer shall notify any severe incident having an impact on the security of the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that incident via the single reporting platform established pursuant to Article 16.

    4. For the purposes of the notification referred to in paragraph 3, the manufacturer shall submit:

      (a) an early warning notification of a severe incident having an impact on the security of the product with digital elements, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, including at least whether the incident is suspected of being caused by unlawful or malicious acts, which shall also indicate, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available;

      (b) unless the relevant information has already been provided, an incident notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the incident, which shall provide general information, where available, about the nature of the incident, an initial assessment of the incident, as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be;

      (c) unless the relevant information has already been provided, a final report, within one month after the submission of the incident notification under point (b), including at least the following:

        (i) a detailed description of the incident, including its severity and impact;

        (ii) the type of threat or root cause that is likely to have triggered the incident;

        (iii) applied and ongoing mitigation measures.

    5. For the purposes of paragraph 3, an incident having an impact on the security of the product with digital elements shall be considered to be severe where:

      (a) it negatively affects or is capable of negatively affecting the ability of a product with digital elements to protect the availability, authenticity, integrity or confidentiality of sensitive or important data or functions; or

      (b) it has led or is capable of leading to the introduction or execution of malicious code in a product with digital elements or in the network and information systems of a user of the product with digital elements.

    6. Where necessary, the CSIRT designated as coordinator initially receiving the notification may request manufacturers to provide an intermediate report on relevant status updates about the actively exploited vulnerability or severe incident having an impact on the security of the product with digital elements.

    7. The notifications referred to in paragraphs 1 and 3 of this Article shall be submitted via the single reporting platform referred to in Article 16 using one of the electronic notification end-points referred to in Article 16(1). The notification shall be submitted using the electronic notification end-point of the CSIRT designated as coordinator of the Member State where the manufacturers have their main establishment in the Union and shall be simultaneously accessible to ENISA.

    For the purposes of this Regulation, a manufacturer shall be considered to have its main establishment in the Union in the Member State where the decisions related to the cybersecurity of its products with digital elements are predominantly taken. If such a Member State cannot be determined, the main establishment shall be considered to be in the Member State where the manufacturer concerned has the establishment with the highest number of employees in the Union.

    Where a manufacturer has no main establishment in the Union, it shall submit the notifications referred to in paragraphs 1 and 3 using the electronic notification end-point of the CSIRT designated as coordinator in the Member State determined pursuant to the following order and based on the information available to the manufacturer:

      (a) the Member State in which the authorised representative acting on behalf of the manufacturer for the highest number of products with digital elements of that manufacturer is established;

      (b) the Member State in which the importer placing on the market the highest number of products with digital elements of that manufacturer is established;

      (c) the Member State in which the distributor making available on the market the highest number of products with digital elements of that manufacturer is established;

      (d) the Member State in which the highest number of users of products with digital elements of that manufacturer are located.

    In relation to the third subparagraph, point (d), a manufacturer may submit notifications related to any subsequent actively exploited vulnerability or severe incident having an impact on the security of the product with digital elements to the same CSIRT designated as coordinator to which it first reported.

    8. After becoming aware of an actively exploited vulnerability or a severe incident having an impact on the security of the product with digital elements, the manufacturer shall inform the impacted users of the product with digital elements, and where appropriate all users, of that vulnerability or incident and, where necessary, of any risk mitigation and corrective measures that the users can deploy to mitigate the impact of that vulnerability or incident, where appropriate in a structured, machine-readable format that is easily automatically processable. Where the manufacturer fails to inform the users of the product with digital elements in a timely manner, the notified CSIRTs designated as coordinators may provide such information to the users when considered to be proportionate and necessary for preventing or mitigating the impact of that vulnerability or incident.

    9. By 11 December 2025, the Commission shall adopt delegated acts in accordance with Article 61 of this Regulation to supplement this Regulation by specifying the terms and conditions for applying the cybersecurity-related grounds in relation to delaying the dissemination of notifications as referred to in Article 16(2) of this Regulation. The Commission shall cooperate with the CSIRTs network established pursuant to Article 15 of Directive (EU) 2022/2555 and ENISA in preparing the draft delegated acts.

    10. The Commission may, by means of implementing acts, specify further the format and procedures of the notifications referred to in this Article as well as in Articles 15 and 16. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 62(2). The Commission shall cooperate with the CSIRTs network and ENISA in preparing those draft implementing acts.
