EU governments reject requiring manufacturers to report vulnerabilities to central cyber agency

European Union governments have pushed back on the central role initially suggested for the bloc’s cybersecurity agency, rejecting a proposal requiring manufacturers to report actively exploited vulnerabilities to the European Union Agency for Cybersecurity (ENISA).

Instead, in its amended version of the proposed Cyber Resilience Act (CRA), the European Council calls for manufacturers to disclose vulnerabilities to the national Computer Security Incident Response Team (CSIRT) in the country where they are based.

The CSIRT will then disseminate this warning to other member states’ authorities using a new intelligence sharing platform that would be operated and maintained by ENISA.

The European Council is the EU’s executive body made up of the heads of government. Before the proposals become law, they will be negotiated with the European Parliament later this year.

It is not clear whether the move to have ENISA, which is based in Greece and has just over 100 employees, operate and maintain a platform rather than receive the reports directly will address some of the concerns about the agency stockpiling information about ongoing hacking activities.

Bart Groothuis, the European Parliament’s rapporteur for cybersecurity, previously told Recorded Future News that the proposal risked making ENISA a target for hostile states and criminals.

“It’s a risk in itself for the safety and security of the internet because other agencies might want to go for that,” he said.

ENISA has already been tasked with establishing and maintaining an EU Vulnerability database — similar to the CVE database run by MITRE — under a recent update to the Network and Information Security (NIS2) Directive, which went into force in January of this year. The agency is still establishing the policies and procedures around this database to ensure its security and integrity.

The proposed single reporting platform would be designed so that each incident response team can put in place their own “electronic notification end-points.” The design of the platform, including the security arrangements about it, would be established by the EU’s network of CSIRTs.

ENISA would have a duty to “notify without undue delay any security incident affecting the single reporting platform to the CSIRTs network.”

The legislation may provoke conflict between the various incident response teams across Europe, some of which are part of their country’s intelligence services, like in Italy — and may also be involved in the domestic vulnerabilities equities process — while others (such as Germany’s Federal Office for Information Security) are independent of the security services.

According to the Council’s proposal, if incident response teams are informed about an actively exploited vulnerability or an incident having an impact on the security of a product with digital elements by a third party, then they are obliged to inform the manufacturer without undue delay. What comprises an “undue delay” is not established.

The amended version of the CRA states that “in exceptional circumstances, the initial recipient of a notification should be able to decide to delay its dissemination via the single reporting platform where this can be justified on cybersecurity related grounds and for a period of time that is strictly necessary.” It calls for the CSIRTs network to establish the specifics on when these delays are allowed.

Under the CRA, companies that fail to comply with their obligations to report actively exploited vulnerabilities could face administrative fines of up to €15 million (about $16.62 million), or 2.5% of their global turnover, whichever is higher. Supplying misleading information to national incident response teams could result in a fine of €5 million ($5.54 million), or 1% of global turnover, whichever is higher.

The new draft of the CRA extends the length of time it would take for the reporting obligations to come into effect, putting it back by two years after the regulation enters force — a year later than under the previous version.

European Council Amendments on Scribd