The Cybersecurity Coalition (“Coalition”) and the Hacking Policy Council (“HPC”) submitted comments to the European Commission in response to its consultation on the Commission Delegated Regulation supplementing Regulation (EU) 2024/2847 of the European Parliament and of the Council by specifying the terms and conditions for applying the cybersecurity-related grounds in relation to delaying the dissemination of notifications (“Delegated Act”).
Under Article 14 of the Cyber Resilience Act (“CRA”), manufacturers of products with digital elements must report any “actively exploited vulnerabilities” and “severe incidents” to the national Computer Security Incident Response Team (“CSIRT”) of the EU Member State where they have their main establishment. Then, under Article 16, the CSIRT that receives this information is required to share it with other relevant national CSIRTs, namely those that are part of the EU CSIRT Network in Member States where the same product is available. This exchange occurs through a Single Reporting Platform managed by ENISA.
The Delegated Act defines the circumstances under which a national CSIRT may delay sharing information received from a manufacturer with other national CSIRTs. It outlines three primary “cybersecurity-related grounds” for such a delay:
- The nature of the reported information is such that the risks of sharing outweigh the benefits, and those risks cannot be effectively mitigated (Article 3 of the Delegated Act)
- The sending CSIRT has doubts about the ability of the receiving CSIRT to ensure the confidentiality of information, either because it has been compromised by a cybersecurity incident or lacks adequate capabilities to protect the data (Article 4 of the Delegated Act)
- The Single Reporting Platform has been compromised and cannot guarantee the confidentiality of the information (Article 5 of the Delegated Act)
Both the Coalition and HPC expressed concern that certain provisions in the Delegated Act could mandate disclosures that ultimately weaken cybersecurity. The Coalition and HPC also raised the following specific concerns about the Delegated Act:
Concerns Related To Article 3
- Article 3(a) provides for a delay in disseminating a notification if a “risk mitigation measure,” such as a security update or user guidance, will be available within 72 hours. The Coalition and HPC both urged the Commission to make this 72-hour timeframe more flexible, emphasizing that manufacturers often require more time to develop and test mitigation measures.
- Article 3(b) provides for a delay if the information contained in the notification is “deemed sufficient … to create an exploitation technique.” The Coalition and HPC called on the Commission and ENISA to apply a broad and inclusive interpretation of what information is “sufficient” to create an exploitation technique, since vulnerability details that appear innocuous in isolation can still give an attacker enough to build a working exploit.
- Article 3(d) provides for a delay if the CSIRT has received the information through a Coordinated Vulnerability Disclosure (CVD) process. The HPC expressed support for this provision, noting that it aligns with internationally recognized best practices for responsible vulnerability disclosure and management.
- The Delegated Act does not establish a clear or transparent adjudication process to resolve disputes regarding CSIRT delay decisions covered under Article 3. The Coalition urged the Commission to develop specific criteria for ENISA’s review authority, establish timelines for resolving disagreements, and define communication procedures to promote consistent implementation and accountability across Member States.
Concerns Related To Article 4
- Article 4(a) provides for a delay if the receiving CSIRT is affected by a cybersecurity incident that could undermine its ability to ensure the confidentiality of the reported information. Similarly, Article 4(b) provides for a delay if the sending CSIRT has “sufficient reason to believe” that the capabilities of the receiving CSIRT are inadequate to protect the information. The Coalition noted that CSIRTs may not always have access to the information necessary to make such determinations. To address this gap, the Coalition recommended requiring CSIRTs to notify ENISA when they experience a cybersecurity incident and to report on their operational capabilities, and for ENISA to make this information available to other CSIRTs to support informed and consistent decision-making.
- Both the Coalition and HPC also emphasized that most EU Member States lack laws or formal policies governing how governments may handle, retain, or use vulnerability information. HPC in particular warned that such information could be misused for state intelligence or surveillance purposes. Accordingly, both organizations called for the adoption of clear guardrails and oversight mechanisms to prevent misuse of vulnerability data shared under the CRA.
- Invoking Article 4 effectively requires one CSIRT to make a sensitive assessment of another Member State’s competence and integrity, potentially raising diplomatic or political tensions within the EU CSIRT Network. To preserve trust and cooperation, the Coalition urged the Commission and ENISA to establish a transparent adjudication process and clear procedural criteria for resolving disputes related to Article 4 determinations in a timely and consistent manner.
Concerns Related To Reporting By Manufacturers
The Coalition noted that while the draft Delegated Act includes provisions to protect information sharing among CSIRTs, it does not adequately address the risks associated with information sharing between manufacturers of covered products with digital elements and those CSIRTs. For instance, although Article 5 allows a CSIRT to delay disseminating a notification through ENISA’s Single Reporting Platform when the platform itself has been compromised and cannot guarantee confidentiality, manufacturers would still be required to use that same platform to submit their notifications. Since there is no requirement for ENISA to inform manufacturers of such a compromise, manufacturers could unknowingly report vulnerabilities through a compromised or insecure channel. To mitigate this risk, the Coalition urged the Commission and ENISA to adopt measures to ensure the security and integrity of manufacturer reporting, including notifying manufacturers when the platform cannot be trusted.