Cyber Resilience Act reporting requirements

Transparent reporting mechanisms are essential for effective cybersecurity governance. Equipment manufacturers must establish clear protocols for reporting cybersecurity incidents, both internally and to relevant stakeholders. This transparent approach enables swift responses to cyber threats, minimizing potential damage and enhancing trust among customers and regulatory authorities.

What should you report?

The main information you need to share with external stakeholders is a list of actively exploited vulnerabilities.

To whom?

1 - Reporting to the European Agency

Notifying the European Union Agency for Cybersecurity (ENISA) about actively exploited vulnerabilities is imperative and must occur within 24 hours of becoming aware of the vulnerability. This reporting should include detailed information about the exploit and any measures taken to address or mitigate its effects.

"Unless the relevant information has already been provided, a final report, no later than 14 days after a corrective or mitigating measure is available, including at least the following: (i) a description of the vulnerability, including its severity and impact; (ii) where available, information concerning any malicious actor that has exploited or that is exploiting the vulnerability; (iii) details about the security update or other corrective measures that have been made available to remedy the vulnerability." (Article 14)

In the context of the Cyber Resilience Act, ENISA is tasked with receiving notifications from OEMs regarding actively exploited vulnerabilities in their products, as well as incidents impacting the security of these products. It then transmits these notifications to the relevant European and Member State authorities.

2 - Reporting to users

Additionally, device makers should promptly inform users of any security incidents affecting their products, along with any corrective measures that users can implement to mitigate the impact.

This proactive reporting ensures that users can respond swiftly to security incidents, whether through published information on the manufacturer’s website or direct outreach from the manufacturer.

Equipment manufacturers are expected to set their own appropriate timing for notifying users, covering both patch releases and vulnerability identification. This schedule should be consistent with the outcomes of the risk assessment they have performed.
