Data & Privacy
- Data Act
- Data Governance Act
- ePrivacy Directive
- GDPR
AI & Trust
- Artificial Intelligence Act
- Product Liability Directive
Cybersecurity
- Cyber Resilience Act
- Cybersecurity Act
- DORA
- NIS2
Digital Services & Media
- Digital Markets Act
- Digital Services Act
- European Media Freedom Act
Cyber Resilience Act
- Recitals
CHAPTER I
GENERAL PROVISIONSArticles 1 — 12
CHAPTER II
OBLIGATIONS OF ECONOMIC OPERATORS AND PROVISIONS IN RELATION TO FREE AND OPEN-SOURCE SOFTWAREArticles 13 — 26
CHAPTER III
CONFORMITY OF THE PRODUCT WITH DIGITAL ELEMENTSArticles 27 — 34
CHAPTER IV
NOTIFICATION OF CONFORMITY ASSESSMENT BODIESArticles 35 — 51
CHAPTER V
MARKET SURVEILLANCE AND ENFORCEMENTArticles 52 — 60
CHAPTER VI
DELEGATED POWERS AND COMMITTEE PROCEDUREArticles 61 — 62
CHAPTER VII
CONFIDENTIALITY AND PENALTIESArticles 63 — 65
CHAPTER VIII
TRANSITIONAL AND FINAL PROVISIONSArticles 66 — 71
ANNEXES
CRA Article 17. Other provisions related to reporting
- 1.ENISA may submit to the European cyber crisis liaison organisation network (EU-CyCLONe) established under Article 16 of Directive (EU) 2022/2555 information notified pursuant to Article 14(1) and (3) and Article 15(1) and (2) of this Regulation if such information is relevant for the coordinated management of large-scale cybersecurity incidents and crises at an operational level. For the purpose of determining such relevance, ENISA may consider technical analyses performed by the CSIRTs network, where available.
- 2.Where public awareness is necessary to prevent or mitigate a severe incident having an impact on the security of the product with digital elements or to handle an ongoing incident, or where disclosure of the incident is otherwise in the public interest, the CSIRT designated as coordinator of the relevant Member State may, after consulting the manufacturer concerned and, where appropriate, in cooperation with ENISA, inform the public about the incident or require the manufacturer to do so.
- 3.ENISA, on the basis of the notifications received pursuant to Article 14(1) and (3) and Article 15(1) and (2) of this Regulation, shall prepare, every 24 months, a technical report on emerging trends regarding cybersecurity risks in products with digital elements and submit it to the Cooperation Group established pursuant to Article 14 of Directive (EU) 2022/2555. The first such report shall be submitted within 24 months of the date of application of the obligations laid down in Article 14(1) and (3) of this Regulation. ENISA shall include relevant information from its technical reports in its report on the state of cybersecurity in the Union pursuant to Article 18 of Directive (EU) 2022/2555.
- 4.The mere act of notification in accordance with Article 14(1) and (3) or Article 15(1) and (2) shall not subject the notifying natural or legal person to increased liability.
- 5.After a security update or another form of corrective or mitigating measure is available, ENISA shall, in agreement with the manufacturer of the product with digital elements concerned, add the publicly known vulnerability notified pursuant to Article 14(1) or Article 15(1) of this Regulation to the European vulnerability database established pursuant to Article 12(2) of Directive (EU) 2022/2555.
- 6.The CSIRTs designated as coordinators shall provide helpdesk support in relation to the reporting obligations pursuant to Article 14 to manufacturers and in particular manufacturers that qualify as microenterprises or as small or medium-sized enterprises.
Relevant Recitals for this Article
A secure internet is indispensable for the functioning of critical infrastructures and for society as a whole. Directive (EU) 2022/2555 aims at ensuring a high level of cybersecurity of services provided by essential and important entities as referred to in Article 3 of that Directive, including digital infrastructure providers that support core functions of the open internet, ensure internet access and provide internet services. It is therefore important that the products with digital elements necessary for digital infrastructure providers to ensure the functioning of the internet are developed in a secure manner and that they comply with well-established internet security standards. This Regulation, which applies to all connectable hardware and software products, also aims at facilitating the compliance of digital infrastructure providers with the supply chain requirements under Directive (EU) 2022/2555 by ensuring that the products with digital elements that they use for the provision of their services are developed in a secure manner and that they have access to timely security updates for such products.