Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Vulnerability Coordination Under the Cyber Resilience Act

Jukka Ruohonen, Paul Timmers

TL;DR

The paper analyzes the EU Cyber Resilience Act's vulnerability coordination and disclosure provisions, detailing mandatory reporting for actively exploited vulnerabilities and severe incidents with strict timelines. It situates these obligations within the broader EU cyber security package, particularly NIS2 and ENISA's role, and discusses implications for open source projects and supply chains through SBOMs and OSS foundation governance. The analysis clarifies the vertical and horizontal coordination requirements among CSIRTs, market surveillance authorities, and vendors, and highlights potential challenges around evidence standards and multi-party coordination. The work provides practical takeaways for regulators and practitioners and proposes multiple avenues for future research on actively exploited vulnerabilities, KEV relations, standardization, and enforcement across member states.

Abstract

The Cyber Resilience Act (CRA) of the European Union (EU) imposes many new cyber security requirements practically to all network-enabled information technology products, whether hardware or software. The paper examines and elaborates the CRA's new requirements for vulnerability coordination, including vulnerability disclosure. Although these requirements are only a part of the CRA's obligations for vendors, also some new vulnerability coordination mandates are present. In particular, so-called actively exploited vulnerabilities require mandatory reporting. In addition to elaborating the reporting logic, the paper discusses the notion of actively exploited vulnerabilities in relation to the notion of known exploited vulnerabilities used in the United States. The CRA further alters the coordination practices on the side of public administrations. The paper addresses also these new practices. With the examination elaboration, and associated discussion based on conceptual analysis, the paper contributes to the study of cyber security regulations, providing also a few takeaways for further research.

Vulnerability Coordination Under the Cyber Resilience Act

TL;DR

The paper analyzes the EU Cyber Resilience Act's vulnerability coordination and disclosure provisions, detailing mandatory reporting for actively exploited vulnerabilities and severe incidents with strict timelines. It situates these obligations within the broader EU cyber security package, particularly NIS2 and ENISA's role, and discusses implications for open source projects and supply chains through SBOMs and OSS foundation governance. The analysis clarifies the vertical and horizontal coordination requirements among CSIRTs, market surveillance authorities, and vendors, and highlights potential challenges around evidence standards and multi-party coordination. The work provides practical takeaways for regulators and practitioners and proposes multiple avenues for future research on actively exploited vulnerabilities, KEV relations, standardization, and enforcement across member states.

Abstract

The Cyber Resilience Act (CRA) of the European Union (EU) imposes many new cyber security requirements practically to all network-enabled information technology products, whether hardware or software. The paper examines and elaborates the CRA's new requirements for vulnerability coordination, including vulnerability disclosure. Although these requirements are only a part of the CRA's obligations for vendors, also some new vulnerability coordination mandates are present. In particular, so-called actively exploited vulnerabilities require mandatory reporting. In addition to elaborating the reporting logic, the paper discusses the notion of actively exploited vulnerabilities in relation to the notion of known exploited vulnerabilities used in the United States. The CRA further alters the coordination practices on the side of public administrations. The paper addresses also these new practices. With the examination elaboration, and associated discussion based on conceptual analysis, the paper contributes to the study of cyber security regulations, providing also a few takeaways for further research.

Paper Structure

This paper contains 7 sections, 1 figure.

Table of Contents

  1. Introduction
  2. Vulnerability Disclosure and Coordination
  3. The CRA's Vulnerability Coordination Requirements
  4. The CRA's Vulnerability Coordination Requirements for Open Source Projects
  5. The CRA and Supply Chains
  6. Conclusion
  7. Further Work

Figures (1)

  • Figure 1: Vulnerability Coordination Under the CRA in an Analytical Nutshell