Source: OJ L 2024/2847, 20.11.2024
EN- Cyber resilience for products with digital elements
Article 16 Establishment of a single reporting platform
For the purposes of the notifications referred to in Article 14(1) and (3) and Article 15(1) and (2) and in order to simplify the reporting obligations of manufacturers, a single reporting platform shall be established by ENISA. The day-to-day operations of that single reporting platform shall be managed and maintained by ENISA. The architecture of the single reporting platform shall allow Member States and ENISA to put in place their own electronic notification end-points.
After receiving a notification, the CSIRT designated as coordinator initially receiving the notification shall, without delay, disseminate the notification via the single reporting platform to the CSIRTs designated as coordinators on the territory of which the manufacturer has indicated that the product with digital elements has been made available.
In exceptional circumstances and, in particular, upon request by the manufacturer and in light of the level of sensitivity of the notified information as indicated by the manufacturer under Article 14(2), point (a), of this Regulation, the dissemination of the notification may be delayed based on justified cybersecurity-related grounds for a period of time that is strictly necessary, including where a vulnerability is subject to a coordinated vulnerability disclosure procedure as referred to in Article 12(1) of Directive (EU) 2022/2555. Where a CSIRT decides to withhold a notification, it shall immediately inform ENISA about the decision and provide both a justification for withholding the notification as well as an indication of when it will disseminate the notification in accordance with the dissemination procedure laid down in this paragraph. ENISA may support the CSIRT on the application of cybersecurity-related grounds in relation to delaying the dissemination of the notification.
In particularly exceptional circumstances, where the manufacturer indicates in the notification referred to in Article 14(2), point (b):
(a) that the notified vulnerability has been actively exploited by a malicious actor and, according to the information available, it has been exploited in no other Member State than the one of the CSIRT designated as coordinator to which the manufacturer has notified the vulnerability;
(b) that any immediate further dissemination of the notified vulnerability would likely result in the supply of information the disclosure of which would be contrary to the essential interests of that Member State; or
(c) that the notified vulnerability poses an imminent high cybersecurity risk stemming from the further dissemination;
only the information that a notification was made by the manufacturer, the general information about the product, the information on the general nature of the exploit and the information that security-related grounds were raised are to be made available simultaneously to ENISA until the full notification is disseminated to the CSIRTs concerned and ENISA. Where, based on that information, ENISA considers that there is a systemic risk affecting security in the internal market, it shall recommend to the recipient CSIRT that it disseminate the full notification to the other CSIRTs designated as coordinators and to ENISA itself.
After receiving a notification of an actively exploited vulnerability in a product with digital elements or of a severe incident having an impact on the security of a product with digital elements, the CSIRTs designated as coordinators shall provide the market surveillance authorities of their respective Member States with the notified information necessary for the market surveillance authorities to fulfil their obligations under this Regulation.
ENISA shall take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of the single reporting platform and the information submitted or disseminated via the single reporting platform. It shall notify without undue delay any security incident affecting the single reporting platform to the CSIRTs network as well as to the Commission.
ENISA, in cooperation with the CSIRTs network, shall provide and implement specifications on the technical, operational and organisational measures regarding the establishment, maintenance and secure operation of the single reporting platform referred to in paragraph 1, including at least the security arrangements related to the establishment, operation and maintenance of the single reporting platform, as well as the electronic notification end-points set up by the CSIRTs designated as coordinators at national level and ENISA at Union level, including procedural aspects to ensure that, where a notified vulnerability has no corrective or mitigating measures available, information about that vulnerability is shared in line with strict security protocols and on a need-to-know basis.
Where a CSIRT designated as coordinator has been made aware of an actively exploited vulnerability as part of a coordinated vulnerability disclosure procedure as referred to in Article 12(1) of Directive (EU) 2022/2555, the CSIRT designated as coordinator initially receiving the notification may delay the dissemination of the relevant notification via the single reporting platform based on justified cybersecurity-related grounds for a period that is no longer than is strictly necessary and until consent for disclosure by the involved coordinated vulnerability disclosure parties is given. That requirement shall not prevent manufacturers from notifying such a vulnerability on a voluntary basis in accordance with the procedure laid down in this Article.