(Draft) Commission Delegated Regulation (EU) …/… of 11 December 2025 supplementing Regulation (EU) 2024/2847 of the European Parliament and of the Council by specifying the terms and conditions for applying cybersecurity-related grounds in relation to delaying the dissemination of notifications
Framework for the resilience of digital products and services (Cyber Resilience Act): supplementary provisions on delaying the dissemination of incident notifications
Draft Commission Delegated Regulation submitted to the European Parliament and the Council for scrutiny on 11 December 2025
Previously
- Draft regulation published by the Commission on 16 October 2025, with a feedback deadline of 13 November 2025
Background
(from the Commission Regulation)
(1) In exceptional circumstances, and, in particular, upon request by the manufacturer and in light of the level of sensitivity of the notified information, and on justified cybersecurity-related grounds, the computer security incident response team (CSIRT) designated as coordinator initially receiving notification of an actively exploited vulnerability or a severe incident having an impact on the security of a product with digital elements (‘the CSIRT initially receiving the notification’) may decide to delay for a period of time that is strictly necessary the dissemination of the notification via the single reporting platform to the CSIRTs designated as coordinators on the territory of which the manufacturer submitting the notification has indicated that the product with digital elements has been made available (‘the relevant CSIRTs’). Therefore, it is necessary to set out the terms and conditions for applying such grounds. Where such grounds apply, the CSIRT initially receiving the notification is allowed to delay dissemination to relevant CSIRTs for a period of time that is strictly necessary, but is not required to do so. Under Article 16(2) of Regulation (EU) 2024/2847, where a CSIRT initially receiving the notification decides to invoke such grounds, it should immediately inform the European Union Agency for Cybersecurity (ENISA) of its decision to delay, and its reasons for doing so, and when it intends to further disseminate the notification.
(2) In accordance with Article 16(2), second subparagraph of Regulation (EU) 2024/2847, the terms and conditions for applying the cybersecurity-related grounds set out in this Regulation are not to apply to access by ENISA to the information notified. ENISA’s access to the information notified may only be restricted in particularly exceptional circumstances: when the manufacturer indicates in its notification that one of the three conditions referred to in Article 16(2), third subparagraph, points (a), (b) or (c) of Regulation (EU) 2024/2847 is met, and then only in relation to the 72-hour vulnerability notification referred to in Article 14(2), point (b) of Regulation (EU) 2024/2847. In such cases, the only information to be made available simultaneously to ENISA is information that a notification has been made by a manufacturer; general information about the product with digital elements; information on the general nature of the exploit; and the information that security-related grounds have been invoked.
(3) Access to the notified information enables CSIRTs to have an overview of the security environment in their territory and to put in place mitigating measures, raising the overall level of cybersecurity in the Union. Therefore, further restrictions on the dissemination of notifications in light of the nature of the information being notified should be possible only in cases where, in light of the sensitivity of the information notified, the cybersecurity risks stemming from further dissemination outweigh the security benefits to the Union, and those risks cannot be adequately mitigated by placing restrictions on the handling and further sharing of the notification through appropriate protocols in use within the CSIRT Network, such as the Traffic Light Protocol (TLP) or the Permissible Actions Protocol (PAP). This may be the case, for example, where a manufacturer has informed the CSIRT initially receiving the notification that it expects to provide a mitigating measure (such as a patch) shortly. It may also be the case, when the CSIRT initially receiving the notification decides to share only parts of a notification, and these parts are nonetheless sufficient for the relevant CSIRTs to ensure that they are able to put in place adequate risk mitigation measures. Furthermore, and in order to encourage cooperation on vulnerability identification and disclosure between manufacturers, CSIRTs and security researchers, this may also be the case when the CSIRT is acting as a trusted intermediary for an ongoing coordinated vulnerability disclosure (CVD) procedure as referred to in Article 12(1) of Directive (EU) 2022/2555 of the European Parliament and of the Council. In such a case, when the CSIRT decides to delay the dissemination of a notification, and in accordance with Article 16(6) of Regulation (EU) 2024/2847, that CSIRT is to delay it for a period that is no longer than strictly necessary and until consent for disclosure by the parties involved in the CVD is given.
(4) The information included in the notification will help CSIRTs fulfil their tasks in the context of risk mitigation and incident handling. In rare cases, however, such information could be sufficient to enable the creation of an exploitation technique without additional research, even by actors with limited skills and resources. If that information were accessed by malicious actors, the cybersecurity of the Union would be heavily impacted, given the ease of the exploitation. This could be the case, for instance, where the vulnerable version of a piece of software differs only marginally from previous, non-vulnerable versions. In such cases, if the CSIRT initially receiving the notification believes that the cybersecurity risks stemming from further dissemination cannot be adequately mitigated by placing restrictions on handling and further sharing, it may decide to delay the dissemination until an effective risk mitigation measure, such as a security update or user guidance, is available.
(5) If a relevant CSIRT is not able to protect adequately the notified information, sensitive information could be accessed by malicious actors and exploits be put in place throughout the Single Market. Therefore, where there are serious concerns about a relevant CSIRT’s ability to ensure the confidentiality of the notified information, the CSIRT initially receiving the notification may decide to delay the dissemination of a notification only to that relevant CSIRT until such concerns have been addressed. This may be the case in situations where a relevant CSIRT has been hit by a cybersecurity incident affecting its ability to operate securely, or where there is evidence or information that significant shortcomings in the capabilities of the CSIRT have been detected, such as serious resource constraints compromising its ability to carry out its functions, or reliance on outdated or vulnerable software.
(6) In order to prevent malicious actors from accessing sensitive information, where the single reporting platform established under Article 16 of Regulation (EU) 2024/2847 has been compromised by a cybersecurity incident, the CSIRT initially receiving the notification should delay the dissemination via the single reporting platform until the platform’s ability to ensure the confidentiality of notified information has been restored.
(7) In accordance with the first subparagraph of Article 16(2) of Regulation (EU) 2024/2847, the CSIRT initially receiving the notification need not disseminate a notification to any other relevant CSIRT if the manufacturer indicates that the product with digital elements is only made available on the market of the Member State of the CSIRT initially receiving the notification.
(8) The Commission has consulted and sought the views of relevant stakeholders in preparing the draft delegated act, and has consulted the Expert Group on Cybersecurity of Products with Digital Elements.
(9) In accordance with Article 14(9) of Regulation (EU) 2024/2847, the Commission has cooperated closely with the CSIRTs Network established pursuant to Article 15 of Directive (EU) 2022/2555 and with ENISA, in preparing the draft delegated act,