European Union governments have pushed back on the central role initially suggested for the bloc’s cybersecurity agency, rejecting a proposal requiring manufacturers to report actively exploited vulnerabilities to the European Union Agency for Cybersecurity (ENISA).
Instead, in its amended version of the proposed Cyber Resilience Act (CRA), the European Council calls for manufacturers to disclose vulnerabilities to the national Computer Security Incident Response Team (CSIRT) in the country where they are based.
The CSIRT will then disseminate this warning to other member states’ authorities using a new intelligence sharing platform that would be operated and maintained by ENISA.
The European Council is the EU’s executive body made up of the heads of government. Before the proposals become law, they will be negotiated with the European Parliament later this year.