Article 17 Other provisions related to reporting


    1. ENISA may submit to the European cyber crisis liaison organisation network (EU-CyCLONe) established under Article 16 of Directive (EU) 2022/2555 information notified pursuant to Article 14(1) and (3) and Article 15(1) and (2) of this Regulation if such information is relevant for the coordinated management of large-scale cybersecurity incidents and crises at an operational level. For the purpose of determining such relevance, ENISA may consider technical analyses performed by the CSIRTs network, where available.

    2. Where public awareness is necessary to prevent or mitigate a severe incident having an impact on the security of the product with digital elements or to handle an ongoing incident, or where disclosure of the incident is otherwise in the public interest, the CSIRT designated as coordinator of the relevant Member State may, after consulting the manufacturer concerned and, where appropriate, in cooperation with ENISA, inform the public about the incident or require the manufacturer to do so.

    3. ENISA, on the basis of the notifications received pursuant to Article 14(1) and (3) and Article 15(1) and (2) of this Regulation, shall prepare, every 24 months, a technical report on emerging trends regarding cybersecurity risks in products with digital elements and submit it to the Cooperation Group established pursuant to Article 14 of Directive (EU) 2022/2555. The first such report shall be submitted within 24 months of the date of application of the obligations laid down in Article 14(1) and (3) of this Regulation. ENISA shall include relevant information from its technical reports in its report on the state of cybersecurity in the Union pursuant to Article 18 of Directive (EU) 2022/2555.

    4. The mere act of notification in accordance with Article 14(1) and (3) or Article 15(1) and (2) shall not subject the notifying natural or legal person to increased liability.

    5. After a security update or another form of corrective or mitigating measure is available, ENISA shall, in agreement with the manufacturer of the product with digital elements concerned, add the publicly known vulnerability notified pursuant to Article 14(1) or Article 15(1) of this Regulation to the European vulnerability database established pursuant to Article 12(2) of Directive (EU) 2022/2555.

    6. The CSIRTs designated as coordinators shall provide helpdesk support in relation to the reporting obligations pursuant to Article 14 to manufacturers and in particular manufacturers that qualify as microenterprises or as small or medium-sized enterprises.
