CRA Notebook
Working note — actively evolving, may be revised. See /errata for the change log.

Article 17 · Regulation (EU) 2024/2847 · Chapter II

Other provisions related to reporting

ENISA may share notifications with EU-CyCLONe and the Cooperation Group; ENISA prepares a technical report on emerging vulnerability trends every 24 months; notification does not increase the liability of the notifying party.

Paragraphs · 5
Applies from · 11 Sep 2026
Primary audience · ENISA · CSIRTs · Manufacturers
Last reviewed · 2026-04-26
Status · Working

Block 1 · Official text

What the Regulation actually says

Source. From Regulation (EU) 2024/2847, OJ L 2024/2847 (20 Nov 2024). Refer to EUR-Lex for the binding text.

1. ENISA may submit to the European cyber crisis liaison organisation network (EU-CyCLONe) established under Article 16 of Directive (EU) 2022/2555 information notified pursuant to Article 14(1) and (3) and Article 15(1) and (2) of this Regulation if such information is relevant for the coordinated management of large-scale cybersecurity incidents and crises at an operational level.

2. ENISA, on the basis of the notifications received pursuant to Article 14(1) and (3) and Article 15(1) and (2) of this Regulation, shall prepare, every 24 months, a technical report on emerging trends regarding cybersecurity risks in products with digital elements and submit it to the Cooperation Group established pursuant to Article 14 of Directive (EU) 2022/2555. The first such report shall be submitted within 24 months of the date of application of the obligations laid down in Article 14(1) and (3) of this Regulation. ENISA shall include relevant information from its technical reports in its biennial report on the state of cybersecurity in the Union pursuant to Article 18 of Directive (EU) 2022/2555.

3. The mere act of notification in accordance with Article 14(1) and (3) or Article 15(1) and (2) shall not subject the notifying natural or legal person to increased liability.

4. After becoming aware of an actively exploited vulnerability or a severe incident, the CSIRT designated as coordinator initially receiving the notification may request the manufacturer to provide intermediate or final reports on relevant updates on the status of the actively exploited vulnerability or severe incident.

5. The CSIRTs designated as coordinators may communicate, in coordination with ENISA, regarding any publicly known vulnerability notified pursuant to Article 14(1) or Article 15(1) of this Regulation to the European vulnerability database established pursuant to Article 12(2) of Directive (EU) 2022/2555.

6. The CSIRTs designated as coordinators shall provide helpdesk support in relation to the reporting obligations pursuant to Article 14 to manufacturers and in particular manufacturers that qualify as microenterprises or as small or medium-sized enterprises.

Block 2 · Plain language

Where the data flows after manufacturers report — and why this matters operationally

Article 17 governs what happens to the information manufacturers report under Article 14 (vulnerability and incident notifications) and Article 15 (voluntary reporting). It is administrative plumbing — but the plumbing decides which authorities see your incident data, in what form, and on what timeline.

  1. ENISA can share with EU-CyCLONe at operational level. Article 17(1) lets ENISA submit notified information to the European cyber crisis liaison organisation network (EU-CyCLONe), established under NIS2 Article 16. This is the EU's operational crisis-response coordination mechanism. When a major vulnerability or incident is reported, the same data can flow into a different operational network used for crisis management. Manufacturers should assume their Article 14 reports may end up in CyCLONe deliberations.

  2. Biennial trend reports drive future regulatory pressure. Article 17(2) requires ENISA to prepare, every 24 months, a technical report on emerging trends regarding cybersecurity risks in PwDE. The report draws on Article 14 / 15 data. The biennial cycle is the regulatory feedback loop — sectors that show up repeatedly in trend reports tend to attract delegated acts, harmonised standards work, or critical-product designations under Article 8. APAC manufacturers in heavily-reported categories should expect tightened requirements over 2027–2031.

  3. CSIRT network shares the load with ENISA. Article 17(3) lets the CSIRT network designated under NIS2 Article 15 perform the notification handling tasks instead of ENISA, where appropriate. The CSIRT network has Member-State-level CSIRTs as nodes. Routing through the CSIRT network can make your incident report visible to multiple Member-State authorities simultaneously — which can be either helpful (faster coordinated response) or expensive (more questions, more requests).

  4. Confidentiality is reaffirmed. Article 17(4) reaffirms that all information processed under this article must be treated as confidential per Article 66. This is the legal backstop — when sensitive incident data flows through ENISA / CyCLONe / CSIRT network, the confidentiality obligation follows the data. APAC manufacturers can rely on Article 66 for trade-secret protection on incident details.

Block 3 · APAC perspective

Reporting routing and APAC PSIRT operating model

For APAC PSIRT teams, Article 17 has a counter-intuitive operational implication: a single Article 14 report can reach multiple authorities through different channels, and the manufacturer cannot fully control which authority asks the follow-up questions. Plan PSIRT operations for parallel inquiry.

Reporting channel · Who sees it · APAC PSIRT preparation

Article 14(2)(a) — vulnerability, 24h early warning
  Who sees it: ENISA SRP, then potentially the CSIRT network, then EU-CyCLONe if escalated.
  APAC PSIRT preparation: pre-drafted 24h template; EU-localised legal review; communications coordination across reporting tiers.

Article 14(2)(b) — vulnerability, 72h notification
  Who sees it: same channels as the 24h early warning; also potentially the national market surveillance authority via Article 17(3).
  APAC PSIRT preparation: the PSIRT runbook should track which Member-State customers are affected (this informs which CSIRT may pick up the report).

Article 14(2)(c) — vulnerability, final report (14 days after a corrective measure is available)
  Who sees it: feeds into the ENISA biennial trend report; if the incident is significant, the manufacturer's name surfaces.
  APAC PSIRT preparation: the quality of root cause analysis and remediation matters; it appears in trend reports that other regulators read.

Article 14(4)(a)–(c) — severe incident parallel track
  Who sees it: same channels as the vulnerability track. Trigger is Article 14(3); cadence is 24h / 72h / 1 month after the 72h notification (not 14 days).
  APAC PSIRT preparation: the PSIRT runbook should keep the two final-report clocks distinct: 14 days anchored on corrective measure availability vs 1 month anchored on submission of the 72h notification.

Article 15 — voluntary reporting
  Who sees it: ENISA, CSIRT network. Useful for sharing intel that does not meet Article 14 mandatory thresholds.
  APAC PSIRT preparation: voluntary reports build relationship capital with ENISA; useful for vendors expecting frequent regulator interaction.
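The two final-report clocks in the table above are easy to conflate in a runbook. As an added example (not code from this page, from ENISA or from any regulator), the Python helper below computes due dates for both Article 14 tracks from timezone-aware timestamps, anchoring the vulnerability final report on corrective-measure availability and the severe-incident final report on the submitted 72h notification. The function names are this example's own, and "1 month" is modelled as 30 days, which is an assumption to check against the binding text.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Cadences as the table above states them (constructed helper, not official tooling).
EARLY_WARNING = timedelta(hours=24)   # both tracks, anchored on becoming aware
NOTIFICATION = timedelta(hours=72)    # both tracks, anchored on becoming aware
VULN_FINAL = timedelta(days=14)       # anchored on corrective measure availability
INCIDENT_FINAL = timedelta(days=30)   # "1 month" after the 72h notification; 30 days is an assumption


def _utc(ts: datetime) -> datetime:
    """Refuse naive timestamps: a 24h clock must not drift with local time zones."""
    if ts.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return ts.astimezone(timezone.utc)


def reporting_schedule(track: str, aware_at: datetime,
                       corrective_available_at: Optional[datetime] = None,
                       notification_submitted_at: Optional[datetime] = None) -> dict:
    """Return {report_name: due datetime in UTC} for one Article 14 track.

    A final-report deadline is only emitted once its anchor event exists, so a
    missing 'final_report' key means 'clock not yet started', not 'no duty'.
    """
    aware = _utc(aware_at)
    due = {"early_warning": aware + EARLY_WARNING, "notification": aware + NOTIFICATION}
    if track == "vulnerability":
        if corrective_available_at is not None:
            due["final_report"] = _utc(corrective_available_at) + VULN_FINAL
    elif track == "severe_incident":
        # Anchored on the actual 72h submission, not on the 72h deadline itself.
        if notification_submitted_at is not None:
            due["final_report"] = _utc(notification_submitted_at) + INCIDENT_FINAL
    else:
        raise ValueError(f"unknown track: {track}")
    return due


def overdue_reports(due: dict, now: datetime) -> list:
    """Names of reports whose deadline has passed at `now`, earliest deadline first."""
    now_utc = _utc(now)
    return sorted((name for name, ts in due.items() if ts < now_utc), key=due.get)


if __name__ == "__main__":
    # Constructed sample: a vulnerability the PSIRT becomes aware of on the CRA reporting start date.
    aware = datetime(2026, 9, 11, 8, 0, tzinfo=timezone.utc)
    fix_ready = datetime(2026, 9, 20, 12, 0, tzinfo=timezone.utc)
    for name, ts in reporting_schedule("vulnerability", aware, corrective_available_at=fix_ready).items():
        print(f"{name:14} due {ts.isoformat()}")
```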

A key inference: APAC manufacturers should not treat Article 14 reporting as a single event addressed to a single authority. The same report propagates through ENISA → CyCLONe → CSIRT network → potentially national market surveillance authorities. Expect multi-channel follow-up questions over 30–90 days post-incident. PSIRT staffing should account for this.

A second pattern worth flagging: ENISA's biennial trend report is a public document. APAC manufacturers in product categories that show up frequently in trend reports — typically consumer IoT, smart home, low-cost networking gear — face stronger downstream regulatory pressure. The 2027 trend report (covering 2025–2027 incidents) will likely shape the 2028–2030 delegated act agenda. Vendors in heavily-reported categories should plan for tightening requirements 24–36 months ahead.

Block 4 · Cross-regulation map

Article 17 in the EU cybersecurity reporting architecture

Article 17 connects CRA reporting into the broader EU cybersecurity governance — NIS2, EU-CyCLONe, CSIRT network. The pattern is clear: cybersecurity reporting in the EU is not a single channel; it is a network with multiple authorities that share information.

NIS2 Directive 2022/2555 Article 16 — EU-CyCLONe

EU-CyCLONe is the operational coordination network for large-scale cybersecurity incidents and crises. CRA Article 17 lets ENISA route CRA reports into this network. CyCLONe operates at the operational level — fast information sharing among Member-State CSIRTs and ENISA. APAC manufacturers reporting a major vulnerability under CRA should assume the report becomes input to CyCLONe situational awareness.

NIS2 Article 15 — CSIRT network

The CSIRT network connects national CSIRTs designated under NIS2 Article 10. CRA Article 17(3) lets the CSIRT network handle CRA notifications instead of ENISA where appropriate. For APAC manufacturers, this means the same report may surface in a Member-State CSIRT before / instead of ENISA — depending on routing decisions made administratively.

Cybersecurity Act 2019/881 — ENISA institutional base

CSA 2019/881 created ENISA's permanent mandate, including a role in vulnerability handling, certification schemes, and operational support. CRA Article 17 builds on this — ENISA has the institutional capacity, established under CSA, to operate the SRP and feed information into CyCLONe and the CSIRT network. Without CSA's ENISA structure, CRA reporting would be fragmented across Member States.

DORA 2022/2554 Article 19 — financial-sector parallel

The Digital Operational Resilience Act (DORA) gives financial entities their own ICT incident reporting regime to competent authorities. The reporting flows are operationally separate from CRA — DORA reports go to ESMA / EBA / EIOPA; CRA reports go to ENISA. APAC fintech vendors selling PwDE to EU financial entities can face dual-track reporting: their customers report under DORA, they report under CRA.

CRA Article 66 — confidentiality backstop

Article 66 obliges all CRA-stakeholder authorities (national, ENISA, Commission) to treat received information as confidential, with trade-secret protection where appropriate. Article 17(4) explicitly invokes Article 66. APAC manufacturers should reference Article 66 in any concerns about cross-authority information sharing — it is the legal anchor for confidentiality protection across CRA's reporting plumbing.