20 Jun 2023
by Martin Franke

Joint statement raising concerns on unpatched vulnerability reporting in the Cyber Resilience Act

Vulnerability handling plays a crucial role in maintaining the security and integrity of digital products. By identifying security weaknesses, it allows manufacturers to fix them quickly and effectively.

However, the proposed extension of vulnerability reporting to ‘unpatched’ vulnerabilities in the Cyber Resilience Act – meaning those for which there is no known fix – will severely harm our collective cybersecurity, rather than enhance it.

A diverse coalition of national, European and international associations active across different sectors asks the European Parliament and Council to remove these obligations, and to instead focus on the reporting of patched vulnerabilities that have been actively exploited and pose a significant cybersecurity risk. As with ‘cyber threats’ under the NIS2 Directive, manufacturers should, where appropriate, communicate to potentially affected users, especially in a business-to-business context, any measures or remedies they can take in response to a significant vulnerability.

Read the full joint statement here.
