In a move to fine-tune cybersecurity notification procedures, the European Commission aims to strike a balance between timely information sharing and the risk that premature disclosure creates. This regulation notably affects EU member state CSIRTs (Computer Security Incident Response Teams), manufacturers of products with digital elements, the ENISA agency, and ultimately EU consumers and businesses that rely on those products. Reactions are expected from industry players concerned about compliance timing and from security teams focused on incident response efficiency.
The source is a Commission Delegated Regulation published on December 11, 2025, by the Directorate-General for Communications Networks, Content and Technology (CNECT). It supplements Regulation (EU) 2024/2847, also known as the Cyber Resilience Act, clarifying specifically how and when notifications about cybersecurity vulnerabilities may be delayed.
This document is a binding regulatory act that defines concrete procedural conditions under which dissemination of a notification may be delayed on cybersecurity grounds. It includes precise provisions such as a 72-hour window for manufacturers to provide mitigation measures like patches, criteria for partial or full dissemination depending on the assessed risk, and conditions covering cases where a CSIRT's capabilities or the ENISA reporting platform are themselves affected by an incident.
The regulation strengthens centralized EU-level cybersecurity coordination by making the CSIRT receiving the initial notification responsible for assessing dissemination delays while ensuring ENISA is immediately informed. It empowers CSIRTs to delay notification if premature sharing risks enabling exploitation, but also sets strict deadlines and conditions to prevent indefinite withholding, emphasizing operational security over unrestricted transparency.
Manufacturers of digital products may face operational pressure to develop mitigations within a tight timeframe, while CSIRTs gain discretion but also bear responsibility for judging when a delay is justified. ENISA's role is reinforced as a central overseer, ensuring that a notification is not withheld indefinitely, including when the reporting platform itself suffers an incident. EU consumers and businesses may benefit from reduced exploitation risk but could receive vulnerability information later than they otherwise would.
This regulation marks a specific and technical step within the ongoing implementation of the Cyber Resilience Act. Following this, interactions with ENISA and Member State authorities on practical implementation are anticipated, as well as industry feedback on the balance struck between security needs and notification transparency.