European Union (EU) governments have pushed back against the idea of requiring manufacturers to report actively exploited vulnerabilities directly to the European Union Agency for Cybersecurity (ENISA). Instead, the amended version of the proposed Cyber Resilience Act (CRA) calls for manufacturers to disclose vulnerabilities to their national Computer Security Incident Response Team (CSIRT).
The CSIRT will then share this information through a new intelligence sharing platform operated and maintained by ENISA. However, concerns have arisen about ENISA potentially becoming a target for hostile states and criminals due to the platform’s central role.
ENISA has already been tasked, under the Network and Information Security (NIS2) Directive, with creating and maintaining an EU vulnerability database similar to the CVE database run by MITRE.
While the proposed single reporting platform would allow each incident response team to have its own “electronic notification end-points,” conflicts may arise between the various incident response teams across Europe, which have differing affiliations and roles.
The legislation would also impose fines of up to €15 million or 2.5% of global turnover on companies that fail to comply with the reporting obligations, and fines of up to €5 million or 1% of global turnover for supplying misleading information. The new draft of the CRA also delays the point at which the reporting obligations take effect, postponing it until two years after the regulation enters into force.