Independent guide to Regulation (EU) 2024/2847 · Status: in force
CRA Insights · 26 June 2026

A Newly Adopted Delegated Act Lets Authorities Hit Pause on Vulnerability Disclosure

From 11 September 2026, the Cyber Resilience Act switches on one of its most consequential rules: mandatory reporting of actively exploited vulnerabilities. Every in-scope manufacturer will have 24 hours to flag a live, exploited flaw to a single EU platform, often before a patch exists. The result is a continuously updated registry of the most dangerous unfixed weaknesses in products across the continent. That is both a powerful defensive tool and, in the wrong hands, an extraordinary target.

The reporting machine goes live

Under Article 14, manufacturers must send an early warning within 24 hours of becoming aware of an actively exploited vulnerability, a fuller notification within 72 hours, and a final report within 14 days of a corrective or mitigating measure becoming available. A manufacturer reports once, through the Single Reporting Platform set up and maintained by ENISA. The notification is routed to the CSIRT designated as coordinator in the Member State of the manufacturer's main establishment and made available to ENISA at the same time.

Status at publication, 26 June 2026

The Single Reporting Platform is not yet live. The Commission has scheduled it to be operational by 11 September 2026, the date the reporting duties begin, with a testing period beforehand. Until it goes live there is no production platform through which to file an Article 14 notification, so the practical priority now is the internal process that will feed it, not the submission tool itself.

The paradox of speed

Fast disclosure helps defenders. But reporting a flaw before a fix is ready also assembles, in one place, a precise map of what is broken and being exploited right now. If that information spreads too widely or leaks, it stops being an early-warning system and becomes a shopping list for attackers. The lawmakers knew this, so the framework builds in a brake.

What the delegated act changes

On 11 December 2025, the Commission adopted a delegated act that sets out when the CSIRT first receiving a notification may delay passing it on to other CSIRTs and ENISA. It identifies three grounds for a delay:

  • The nature of the information, where an assessment of what was reported justifies holding it back.
  • Confidentiality, where the receiving CSIRT cannot guarantee the information will be kept secure.
  • Platform integrity, where the Single Reporting Platform has been compromised or is temporarily not operational.

The act supplements, and does not replace, the duties in Article 14. It enters into force only if neither the European Parliament nor the Council objects within the scrutiny period that follows its adoption.

What it means for manufacturers and developers

The delegated act does not loosen your obligations. The 24/72/14 timeline under Article 14 is unchanged, and it covers products already on the market, not just new launches. The pause sits with the authorities, not with you. What it signals is that the reporting system is being built for the real world, balancing transparency against the danger of broadcasting unpatched flaws. With under three months to go, the task is the same: stand up a product-specific process to detect, triage and report actively exploited vulnerabilities, and know exactly which CSIRT you would notify.

Published 26 June 2026 · CRA Insights. Part of the CRA insights blog on cyberresilienceact.eu.