EU Defines Conditions for Delaying Cybersecurity Notifications under the Cyber Resilience Act
The European Commission has adopted Commission Delegated Regulation (EU) 2026/881, which supplements Regulation (EU) 2024/2847 (Cyber Resilience Act) by specifying the terms and conditions under which the dissemination of notifications on vulnerabilities and incidents may be delayed on cybersecurity grounds.
Scope of the Regulation
The Regulation establishes the conditions allowing the CSIRT initially receiving a notification to delay the dissemination of that notification to relevant CSIRTs in other Member States where the product with digital elements has been made available.
Any delay must be limited to a period that is strictly necessary.
Conditions Related to the Nature of the Information
The dissemination of notifications, or parts thereof, may be delayed where the cybersecurity risks of dissemination outweigh the security benefits, and those risks cannot be mitigated through standard information-sharing protocols.
Such delay may apply where at least one of the following conditions is met:
The manufacturer has indicated that an effective mitigation measure (such as a security update or guidance) is expected within 72 hours.
The information contained in the notification is sufficient to enable the creation of an exploitation technique.
Sufficient information can be shared to allow risk mitigation, while full details are withheld.
The notification is part of a coordinated vulnerability disclosure (CVD) process.
In these cases, full dissemination shall occur once it is no longer strictly necessary to delay, including when mitigation measures become available.
Conditions Related to Specific CSIRTs
Dissemination may also be delayed to a specific relevant CSIRT where:
That CSIRT has been affected by a cybersecurity incident affecting its ability to ensure confidentiality; or
There are identified shortcomings in its capabilities to protect the notified information.
Dissemination shall resume once the concerns have been addressed.
Conditions Related to the Reporting Platform
Where the single reporting platform has been affected by a cybersecurity incident compromising confidentiality, dissemination via that platform may be delayed until its secure functioning is restored.
Additional Provisions
The CSIRT initially receiving the notification is not obliged to delay dissemination, even where the conditions are met.
Where a delay is applied, the CSIRT must inform ENISA immediately, including the reasons and the intended timing of dissemination.
The Regulation does not apply to ENISA’s access to notified information, except in limited exceptional circumstances defined in Regulation (EU) 2024/2847.
Entry into Force
The Regulation shall enter into force on the twentieth day following its publication in the Official Journal of the European Union and is directly applicable in all Member States.