Source: OJ L, 2026/881, 20.4.2026

Terms and conditions for delaying notifications

COMMISSION DELEGATED REGULATION (EU) 2026/881

of 11 December 2025

supplementing Regulation (EU) 2024/2847 of the European Parliament and of the Council by specifying the terms and conditions for applying the cybersecurity-related grounds in relation to delaying the dissemination of notifications

(Text with EEA relevance)

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) (1), and in particular Article 14(9) thereof,

(1) OJ L, 2024/2847, 20.11.2024, ELI: http://data.europa.eu/eli/reg/2024/2847/oj.

Whereas:

Recital 1

In exceptional circumstances, and, in particular, upon request by the manufacturer and in light of the level of sensitivity of the notified information, and on justified cybersecurity-related grounds, the computer security incident response team (CSIRT) designated as coordinator initially receiving notification of an actively exploited vulnerability or a severe incident having an impact on the security of a product with digital elements (‘the CSIRT initially receiving the notification’) may decide to delay for a period of time that is strictly necessary the dissemination of the notification via the single reporting platform to the CSIRTs designated as coordinators on the territory of which the manufacturer submitting the notification has indicated that the product with digital elements has been made available (‘the relevant CSIRTs’). Therefore, it is necessary to set out the terms and conditions for applying such grounds. Where such grounds apply, the CSIRT initially receiving the notification is allowed to delay dissemination to relevant CSIRTs for a period of time that is strictly necessary, but is not required to do so. Under Article 16(2) of Regulation (EU) 2024/2847, where a CSIRT initially receiving the notification decides to invoke such grounds, it should immediately inform the European Union Agency for Cybersecurity (ENISA) of its decision to delay, and its reasons for doing so, and when it intends to further disseminate the notification.

Recital 2

In accordance with Article 16(2), second subparagraph of Regulation (EU) 2024/2847, the terms and conditions for applying the cybersecurity-related grounds set out in this Regulation are not to apply to access by ENISA to the information notified. ENISA’s access to the information notified may only be restricted in particularly exceptional circumstances: when the manufacturer indicates in its notification that one of the three conditions referred to in Article 16(2), third subparagraph, points (a), (b) or (c) of Regulation (EU) 2024/2847 is met, and then only in relation to the 72-hour vulnerability notification referred to in Article 14(2), point (b) of Regulation (EU) 2024/2847. In such cases, the only information to be made available simultaneously to ENISA is information that a notification has been made by a manufacturer; general information about the product with digital elements; information on the general nature of the exploit; and the information that security-related grounds have been invoked.

Recital 3

Access to the notified information enables CSIRTs to have an overview of the security environment in their territory and to put in place mitigating measures, raising the overall level of cybersecurity in the Union. Therefore, further restrictions on the dissemination of notifications in light of the nature of the information being notified should be possible only in cases where, in light of the sensitivity of the information notified, the cybersecurity risks stemming from further dissemination outweigh the security benefits to the Union, and those risks cannot be adequately mitigated by placing restrictions on the handling and further sharing of the notification through appropriate protocols in use within the CSIRT Network, such as the Traffic Light Protocol (TLP) or the Permissible Actions Protocol (PAP). This may be the case, for example, where a manufacturer has informed the CSIRT initially receiving the notification that it expects to provide a mitigating measure (such as a patch) shortly. It may also be the case, when the CSIRT initially receiving the notification decides to share only parts of a notification, and these parts are nonetheless sufficient for the relevant CSIRTs to ensure that they are able to put in place adequate risk mitigation measures. Furthermore, and in order to encourage cooperation on vulnerability identification and disclosure between manufacturers, CSIRTs and security researchers, this may also be the case when the CSIRT is acting as a trusted intermediary for an ongoing coordinated vulnerability disclosure (CVD) procedure as referred to in Article 12(1) of Directive (EU) 2022/2555 of the European Parliament and of the Council (2). In such case, when the CSIRT decides to delay the dissemination of a notification, and in accordance with Article 16(6) of Regulation (EU) 2024/2847, that CSIRT is to delay it for a period that is no longer than strictly necessary and until consent for disclosure by the parties involved in the CVD is given.

(2) Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 27.12.2022, p. 80, ELI: http://data.europa.eu/eli/dir/2022/2555/oj).

HAS ADOPTED THIS REGULATION:

  1. Article 1: Subject matter
  2. Article 2: Definitions
  3. Article 3: Terms and conditions for applying cybersecurity-related grounds stemming from the nature of the reported information
  4. Article 4: Terms and conditions for applying cybersecurity-related grounds in relation to a specific CSIRT
  5. Article 5: Terms and conditions for applying cybersecurity-related grounds in relation to the single reporting platform
  6. Article 6

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 11 December 2025.

For the Commission

The President

Ursula VON DER LEYEN
