The Cyber Resilience Act (CRA) not only introduces far-reaching cyber security requirements for products with digital elements in the EU, but also reporting obligations for security incidents.
In this case, a security incident is defined as the active exploitation of a vulnerability in a product with digital elements.
An example of an actively exploited vulnerability would be an input field whose input is not validated. An attacker could then simply inject operating system commands via that input field and have the device execute them, which could result in unauthorized privilege escalation. Such a command injection vulnerability was exploited in a network storage product according to CVE-2020-9054 [1]. Here, the known weakness CWE-78 (OS command injection) [2] was not sufficiently taken into account.
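To illustrate the CWE-78 pattern described above, here is an added example (not code from the article, the cited product or Globalnorm) of a constructed NAS diagnostic form that pings a user-supplied host: the vulnerable form pastes the input into a shell command line, the hardened form validates the input against a strict hostname allowlist and passes it as a single argument without any shell.

```python
import re
import subprocess

# Constructed example: a NAS web form field where the user enters a host to ping.
# Strict allowlist for hostnames: letters, digits, '.' and '-', no shell metacharacters.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def vulnerable_ping_command(host: str) -> str:
    """CWE-78 pattern: untrusted input is concatenated into a command string
    that is later handed to a shell. A value such as 'x; <command>' makes the
    shell run a second command with the privileges of the web service."""
    return f"ping -c 1 {host}"  # DO NOT use: meant only to show the weak pattern


def is_safe_hostname(host: str) -> bool:
    """Allowlist check: True only for plain hostnames, False for anything
    containing ';', '|', '$', quotes, whitespace or other shell syntax."""
    return HOSTNAME_RE.fullmatch(host) is not None


def hardened_ping_argv(host: str) -> list:
    """Hardened form: reject unexpected input, then build an argument vector.
    The host becomes exactly one argv element, so no shell ever parses it."""
    if not is_safe_hostname(host):
        raise ValueError("invalid hostname")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> int:
    """Executes the hardened command with shell=False (no shell involved)."""
    return subprocess.run(hardened_ping_argv(host), shell=False, check=False).returncode
```

A web handler should call only the hardened path and log rejected inputs, since repeated rejections are a useful detection signal for attempted exploitation.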
Another exploit takes advantage of the use of simple default credentials, for example default passwords such as "admin" or "123456", see CWE-1392 (Use of default credentials) [3]. Brute force attacks can be used to determine simple default passwords in a very short time and give attackers complete access to the device.
As soon as a manufacturer becomes aware of an actively exploited vulnerability in their product with digital elements, they must report this vulnerability to the responsible Cyber Security Incident Response Team (CSIRT) of their member state and to the European Network and Information Security Agency (ENISA) in accordance with Art. 14, Para. 1 of the CRA.
For Germany, for example, the Federal Office for Information Security (BSI) could become the responsible CSIRT. However, a designation is still pending. [4]
The actively exploited vulnerability must be reported via the reporting platform provided for in Art. 16 of the CRA.
"The reporting platform with the provisional description 'Cyber Resilience Act - Single Reporting Platform' (CRA-SRP) is expected to be launched at the same time as the reporting obligations come into force on September 11, 2026." [5]
Part of the new reporting obligations is an initial early warning within the first 24 hours after the manufacturer became aware of the exploitation of the vulnerability. The early warning must include information on the member states in which the product with digital elements was made available.
After the first 72 hours, the manufacturer is supposed to issue a more extensive notification, which should contain the following information:
- General information about the affected product with digital elements
- General information about the type of exploitation and the vulnerability exploited
- Any corrective or risk mitigation measures taken
- Corrective or mitigating actions that users can take
- Sensitivity level of the reported information
A final report on the security incident is required after 14 days. It should summarize the severity and impact of the exploited vulnerability, provide information about any malicious actor who exploited the vulnerability, and describe existing security updates or other corrective actions provided to address the vulnerability.
In order to be prepared for the upcoming reporting obligation, it would be advisable to introduce an internal process or even your own internal Product Security Incident Response Team (PSIRT).
If there are any further questions regarding the implementation of the reporting obligations, our team at Globalnorm will be happy to support you. Simply send us an e-mail with your question or use our contact form.
Author's note
This article has been machine translated into English.
TERMS AND ABBREVIATIONS
EU: European Union
CRA: Cyber Resilience Act
CSIRT: Cyber Security Incident Response Team
ENISA: European Union Agency for Cybersecurity
BSI: German Federal Office for Information Security
PSIRT: Product Security Incident Response Team