Global Market Access: Nemko Group AS Testing Services

CRA Vulnerability Reporting Obligations: What Manufacturers Must Do from September 2026

Written by Øyvind Storhaug | June 12, 2026


Vulnerabilities exist in nearly all connected products. The Cyber Resilience Act (CRA), which entered into force in 2024, continues the work begun by the RED cybersecurity requirements and mitigates some of that risk. The CRA's reporting obligations apply from 11 September 2026 for products in scope. Reports shall be submitted through the Single Reporting Platform (SRP), which ENISA is currently developing.

What shall be reported

All notifications are to be submitted to ENISA and the CSIRT designated as coordinator, within defined timelines using the Single Reporting Platform. The receiving CSIRT will share the notification with other relevant CSIRTs within the EU, unless dissemination is restricted for cybersecurity reasons. The time limits are deadlines and do not prevent manufacturers from providing information earlier than indicated.

The timelines start when the manufacturer becomes aware of the incident or of the vulnerability being actively exploited.

Manufacturers must report vulnerabilities that are being actively exploited once they become aware of them.

  • Within 24 hours and without undue delay:
    A notification of the actively exploited vulnerability shall be submitted without undue delay. If the exploitation is limited to certain territories, this shall also be stated.
  • Within 72 hours and without undue delay:
    General information about the product, the exploited vulnerability, corrective or mitigating measures taken by the manufacturer, and corrective or mitigating measures that users can take. The manufacturer may also include an indication of how sensitive the provided information is.
  • Within 14 days after a corrective or mitigating measure is available:
    A final report containing a description of the vulnerability, its severity and impact, any available information about the actor who has exploited or is exploiting the vulnerability, and details of the security update or other corrective measures made available to remedy the vulnerability.

Manufacturers must report any severe incident that has an impact on the security of a product once they become aware of it.

  • Within 24 hours and without undue delay:
    Notification of the severe incident, stating whether it is suspected to have been caused by unlawful or malicious acts. If the incident is limited to certain territories, this shall also be stated.
  • Within 72 hours and without undue delay:
    General information about the incident, its nature and an assessment; any corrective or mitigating measures taken by the manufacturer, as well as any corrective or mitigating measures that customers can take. The manufacturer should also indicate how sensitive this information is.
  • Within 1 month of submission of the previous report:
    A detailed description of the incident, including its severity and impact, the root cause or type of threat that triggered it, and the mitigation measures applied and still ongoing.

The CSIRT may request an intermediate report on relevant status updates.

The manufacturer shall inform the impacted users of the product, and where appropriate all users, of the vulnerability or incident and, where necessary, of any risk-mitigation and corrective measures that users can deploy to mitigate its impact, where appropriate in a structured, machine-readable format that can be processed automatically with ease.


References

Severe incident

A severe incident has been defined as either:

  • Incidents that negatively affect, or are capable of negatively affecting, the product's ability to protect the availability, authenticity, integrity or confidentiality of sensitive or important data or functions.
  • Incidents that have led, or are capable of leading, to the introduction or execution of malicious code in the product or in the network and information systems of a user of the product.

Actively exploited vulnerability

This has been defined as a vulnerability for which there is reliable evidence of exploitation by unauthorized actors in real-world environments.