If the organization becomes aware of an actively exploited vulnerability in a product with digital elements, it must report the vulnerability to the coordinating CSIRT and to ENISA. The manufacturer must report the actively exploited vulnerability via the single reporting platform established pursuant to Article 16.
A vulnerability notification shall be made without undue delay, in any event within 72 hours of the manufacturer becoming aware of it. The vulnerability notification shall include at least the following:
- (a) description of the product with digital elements concerned
- (b) the general nature of the exploit and of the vulnerability concerned
- (c) details about corrective or mitigating measures taken, and corrective or mitigating measures that users can take
- (d) where applicable, how sensitive the manufacturer considers the notified information to be
In addition to the vulnerability notification, the manufacturer shall provide a final report including at least the following:
- (a) a description of the vulnerability, including its severity and impact
- (b) where available, information concerning any malicious actor that has exploited or that is exploiting the vulnerability
- (c) details about the security update or other corrective measures that have been made available to remedy the vulnerability
The final report shall be provided no later than 14 days after a corrective or mitigating measure is available.