This document is now public and ready for review. At first glance - it seems that some of the clarity we've been asking for (as an organisation with no clear 'HQ' or 'majority of staff' or 'majority of consumers' identified) is not in this document yet.
Dw. > Begin forwarded message: > > From: "[email protected]" <[email protected]> > Subject: Draft delegated act for the CRA - public consultation > Date: 16 October 2025 at 14:18:24 CEST > To: "[email protected]" <[email protected]> > > Dear CRA Network, > > As you know, the Cyber Resilience Act establishes the obligation for > manufacturers to notify, to their national Computer Security Incident > Response Team (CSIRT) and to ENISA, about actively exploited vulnerabilities > or incidents affecting the security of their products. > > The CSIRT that receives the notification is required to share, without delay, > this information with the CSIRTs of other Member States on the territory of > which the product has been made available; however, under exceptional > circumstances, the CSIRT that initially receives the notification may delay > sharing this information with other CSIRTs. > Today, we published for public consultation a draft delegated act that > further specifies the terms and conditions for such exceptional delays in > dissemination. The draft text can be viewed here > <https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14731-Cybersecurity-terms-conditions-for-delaying-the-notification-of-incidents-delegated-act-_en> > and you may submit comments through the “have your say” portal until 13 > November 2025. > > We intend to adopt this text by 11 December 2025, as foreseen by Article > 14(9) of the CRA. > > Best regards, > The CRA Team > > Have you been forwarded this email? Sign up here > <https://ec.europa.eu/eusurvey/runner/CRA-implementation>. > You no longer wish to receive these updates? Please reply to this email and > we will delete you from our database.
