The organization must report any significant incident having an impact on the security of the product with digital elements to the coordinating CSIRT and to ENISA. The manufacturer must report the incident via the single reporting platform established pursuant to Article 16.
An early warning of a severe incident having an impact on the security of the product with digital elements must be submitted without undue delay and at the latest within 24 hours of the manufacturer becoming aware of it. The early warning must include at least whether the incident is suspected of being caused by unlawful or malicious acts and, where applicable, the Member States on the territory of which their product is made available.
An incident notification shall be made without undue delay, and in any event within 72 hours of the manufacturer becoming aware of the incident. The incident notification shall include at least the following:
- (a) description of the product with digital elements concerned
- (b) the general nature and the initial assessment of the incident
- (c) details about corrective or mitigating measures taken, and corrective or mitigating measures that users can take
- (d) where applicable, how sensitive the manufacturer considers the notified information to be
In addition to the incident notification, the manufacturer shall provide a final report including at least the following:
- (a) a detailed description of the incident, including its severity and impact
- (b) the type of threat or root cause that is likely to have triggered the incident
- (c) applied and ongoing mitigation measures
The final report shall be provided no later than a month after the initial submission of the incident notification unless the relevant information has already been provided.