| Done | Area | Reference | Requirement | Note |
|---|---|---|---|---|
| [ ] | Vuln handling | Annex I 2.1 | Identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products | SBOM & known vuln scanning |
| [ ] | Vuln handling | Annex I 2.2 | In relation to the risks posed to products with digital elements, address and remediate vulnerabilities without delay, including by providing security updates; where technically feasible, new security updates shall be provided separately from functionality updates | provide security updates (separate from functional or bug fixes) |
| [ ] | | Article 13.6 | Manufacturers shall, upon identifying a vulnerability in a component, including in an open source-component, which is integrated in the product with digital elements report the vulnerability to the person or entity manufacturing or maintaining the component, and address and remediate the vulnerability in accordance with the vulnerability handling requirements set out in Part II of Annex I. Where manufacturers have developed a software or hardware modification to address the vulnerability in that component, they shall share the relevant code or documentation with the person or entity manufacturing or maintaining the component, where appropriate in a machine-readable format. | for OSS components, consider working with upstream to share any developed updates with the project |
| [ ] | | Article 13.8 | Manufacturers shall ensure, when placing a product with digital elements on the market, and for the support period, that vulnerabilities of that product, including its components, are handled effectively and in accordance with the essential cybersecurity requirements set out in Part II of Annex I. Manufacturers shall determine the support period so that it reflects the length of time during which the product is expected to be in use, taking into account, in particular, reasonable user expectations, the nature of the product, including its intended purpose, as well as relevant Union law determining the lifetime of products with digital elements. Without prejudice to the second subparagraph, the support period shall be at least five years. Where the product with digital elements is expected to be in use for less than five years, the support period shall correspond to the expected use time. | publish support period & EoL dates |
| [ ] | | Article 13.9 | Manufacturers shall ensure that each security update, as referred to in Part II, point (8), of Annex I, which has been made available to users during the support period, remains available after it has been issued for a minimum of 10 years or for the remainder of the support period, whichever is longer. | security updates should be accessible to consumers for at least 10 years from last “substantial modification”/release |
| [ ] | | Article 13.10 | Where a manufacturer has placed subsequent substantially modified versions of a software product on the market, that manufacturer may ensure compliance with the essential cybersecurity requirement set out in Part II, point (2), of Annex I only for the version that it has last placed on the market, provided that the users of the versions that were previously placed on the market have access to the version last placed on the market free of charge and do not incur additional costs to adjust the hardware and software environment in which they use the original version of that product. | |
| [ ] | | Article 13.19 | Manufacturers shall ensure that the end date of the support period referred to in paragraph 8, including at least the month and the year, is clearly and understandably specified at the time of purchase in an easily accessible manner and, where applicable, on the product with digital elements, its packaging or by digital means. Where technically feasible in light of the nature of the product with digital elements, manufacturers shall display a notification to users informing them that their product with digital elements has reached the end of its support period. | retroactively fix known vulns for products on the market when CRA goes into effect |
| [ ] | | Article 13.21 | From the placing on the market and for the support period, manufacturers who know or have reason to believe that the product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential cybersecurity requirements set out in Annex I shall immediately take the corrective measures necessary to bring that product with digital elements or the manufacturer’s processes into conformity, or to withdraw or recall the product, as appropriate. | have testing and security reviews for each release |
| [ ] | Vuln handling | Annex I 2.3 | Apply effective and regular tests and reviews of the security of the product with digital elements | have testing and security reviews for each release |
| [ ] | Vuln handling | Annex I 2.4 | Once a security update has been made available, share and publicly disclose information about fixed vulnerabilities, including a description of the vulnerabilities, information allowing users to identify the product with digital elements affected, the impacts of the vulnerabilities, their severity and clear and accessible information helping users to remediate the vulnerabilities; in duly justified cases, where manufacturers consider the security risks of publication to outweigh the security benefits, they may delay making public information regarding a fixed vulnerability until after users have been given the possibility to apply the relevant patch | publicly communicate discovered vulnerabilities |
| [ ] | Vuln handling | Annex I 2.5 | Put in place and enforce a policy on coordinated vulnerability disclosure | have a CVD policy |
| [ ] | Vuln handling | Annex I 2.6 | Take measures to facilitate the sharing of information about potential vulnerabilities in their product with digital elements as well as in third party components contained in that product, including by providing a contact address for the reporting of the vulnerabilities discovered in the product with digital elements | publish vulnerability information for third-party components used within the offering |
| [ ] | | Article 13.17 | For the purposes of this Regulation, manufacturers shall designate a single point of contact to enable users to communicate directly and rapidly with them, including in order to facilitate reporting on vulnerabilities of the product with digital elements. Manufacturers shall ensure that the single point of contact is easily identifiable by the users. They shall also include the single point of contact in the information and instructions to the user set out in Annex II. The single point of contact shall allow users to choose their preferred means of communication and shall not limit such means to automated tools. | have a single point of contact for vulnerability reporting |
| [ ] | | Article 14.1 | A manufacturer shall notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that actively exploited vulnerability via the single reporting platform established pursuant to Article 16. | |
| [ ] | | Article 14.2a | For the purposes of the notification referred to in paragraph 1, the manufacturer shall submit: (a) an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, indicating, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; | provide early notification of exploited vulns within 24 hours |
| [ ] | | Article 14.2b | (b) unless the relevant information has already been provided, a vulnerability notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the actively exploited vulnerability, which shall provide general information, as available, about the product with digital elements concerned, the general nature of the exploit and of the vulnerability concerned as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be; | provide vuln advisory, fixes, and/or workarounds to consumers within 72 hours for actively exploited vulns |
| [ ] | | Article 14.2c | (c) unless the relevant information has already been provided, a final report, no later than 14 days after a corrective or mitigating measure is available, including at least the following: (i) a description of the vulnerability, including its severity and impact; (ii) where available, information concerning any malicious actor that has exploited or that is exploiting the vulnerability; (iii) details about the security update or other corrective measures that have been made available to remedy the vulnerability. | provide “final report” within 14 days of notice of active exploitation |
| [ ] | | Article 14.3 | A manufacturer shall notify any severe incident having an impact on the security of the product with digital elements that it becomes aware of simultaneously to the CSIRT designated as coordinator, in accordance with paragraph 7 of this Article, and to ENISA. The manufacturer shall notify that incident via the single reporting platform established pursuant to Article 16. | establish an EU National CSIRT contact, report “severe” vulns to EU National CSIRT contact and ENISA |
| [ ] | | Article 14.4a | For the purposes of the notification referred to in paragraph 3, the manufacturer shall submit: (a) an early warning notification of a severe incident having an impact on the security of the product with digital elements, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it, including at least whether the incident is suspected of being caused by unlawful or malicious acts, which shall also indicate, where applicable, the Member States on the territory of which the manufacturer is aware that their product with digital elements has been made available; | |
| [ ] | | Article 14.4b | (b) unless the relevant information has already been provided, an incident notification, without undue delay and in any event within 72 hours of the manufacturer becoming aware of the incident, which shall provide general information, where available, about the nature of the incident, an initial assessment of the incident, as well as any corrective or mitigating measures taken, and corrective or mitigating measures that users can take, and which shall also indicate, where applicable, how sensitive the manufacturer considers the notified information to be; | provide vuln advisory, fixes, and/or workarounds to consumers within 72 hours for “severe” vulns |
| [ ] | | Article 14.4c | (c) unless the relevant information has already been provided, a final report, within one month after the submission of the incident notification under point (b), including at least the following: (i) a detailed description of the incident, including its severity and impact; (ii) the type of threat or root cause that is likely to have triggered the incident; (iii) applied and ongoing mitigation measures. | provide “final report” within 14 days of the “severe” vuln notification |
| [ ] | | Article 14.5a&b | For the purposes of paragraph 3, an incident having an impact on the security of the product with digital elements shall be considered to be severe where: (a) it negatively affects or is capable of negatively affecting the ability of a product with digital elements to protect the availability, authenticity, integrity or confidentiality of sensitive or important data or functions; or (b) it has led or is capable of leading to the introduction or execution of malicious code in a product with digital elements or in the network and information systems of a user of the product with digital elements. | definition of a “severe” impact |
| [ ] | | Article 14.6 | Where necessary, the CSIRT designated as coordinator initially receiving the notification may request manufacturers to provide an intermediate report on relevant status updates about the actively exploited vulnerability or severe incident having an impact on the security of the product with digital elements. | establish an EU National CSIRT contact; that entity may request more frequent updates |
| [ ] | | Article 14.7 | The notifications referred to in paragraphs 1 and 3 of this Article shall be submitted via the single reporting platform referred to in Article 16 using one of the electronic notification end-points referred to in Article 16(1). The notification shall be submitted using the electronic notification end-point of the CSIRT designated as coordinator of the Member State where the manufacturers have their main establishment in the Union and shall be simultaneously accessible to ENISA. For the purposes of this Regulation, a manufacturer shall be considered to have its main establishment in the Union in the Member State where the decisions related to the cybersecurity of its products with digital elements are predominantly taken. If such a Member State cannot be determined, the main establishment shall be considered to be in the Member State where the manufacturer concerned has the establishment with the highest number of employees in the Union. Where a manufacturer has no main establishment in the Union, it shall submit the notifications referred to in paragraphs 1 and 3 using the electronic notification end-point of the CSIRT designated as coordinator in the Member State determined pursuant to the following order and based on the information available to the manufacturer: (a) the Member State in which the authorised representative acting on behalf of the manufacturer for the highest number of products with digital elements of that manufacturer is established; (b) the Member State in which the importer placing on the market the highest number of products with digital elements of that manufacturer is established; (c) the Member State in which the distributor making available on the market the highest number of products with digital elements of that manufacturer is established; (d) the Member State in which the highest number of users of products with digital elements of that manufacturer are located. | all above notices will be through the ENISA Single Reporting Platform and must notify the selected National CSIRT and ENISA. Includes a decision tree to assist in selection of the National CSIRT |
| [ ] | | Article 14.8 | After becoming aware of an actively exploited vulnerability or a severe incident having an impact on the security of the product with digital elements, the manufacturer shall inform the impacted users of the product with digital elements, and where appropriate all users, of that vulnerability or incident and, where necessary, of any risk mitigation and corrective measures that the users can deploy to mitigate the impact of that vulnerability or incident, where appropriate in a structured, machine-readable format that is easily automatically processable. Where the manufacturer fails to inform the users of the product with digital elements in a timely manner, the notified CSIRTs designated as coordinators may provide such information to the users when considered to be proportionate and necessary for preventing or mitigating the impact of that vulnerability or incident. | |
| [ ] | Vuln handling | Annex I 2.7 | Provide for mechanisms to securely distribute updates for products with digital elements to ensure that vulnerabilities are fixed or mitigated in a timely manner and, where applicable for security updates, in an automatic manner | have secure means to distribute security updates & protect from tampering |
| [ ] | Vuln handling | Annex I 2.8 | Ensure that, where security updates are available to address identified security issues, they are disseminated without delay and, unless otherwise agreed between a manufacturer and a business user in relation to a tailor-made product with digital elements, free of charge, accompanied by advisory messages providing users with the relevant information, including on potential action to be taken. | security updates should be provided publicly and freely |