A vulnerability, as defined in Article 6, point 15 of Directive (EU) 2022/2555 of the European Parliament and of the Council, means here a vulnerability which has not yet been publicly disclosed and patched, and for which there is reliable evidence that malicious code was executed on a system by an actor without the permission of the system owner.
Unpatched, actively exploited vulnerabilities must be reported to the CSIRT, which provides support. According to NCCS Article 38 Paragraph 4, if critical and high impact organisations report relevant information on uncorrected vulnerabilities that have been actively exploited to the CSIRT, the latter may forward this information to the competent authority. In view of the sensitivity of the information reported, the CSIRT may withhold or delay the transmission of the information for legitimate cyber security reasons.
If an unpatched, actively exploited vulnerability is reported to the CSIRT, then according to NCCS Article 37 Paragraph 2 the CSIRT shall:
(a) share it with ENISA via an appropriate secure information exchange channel without delay, unless otherwise specified in other Union law;
(b) support the concerned entity in obtaining from the manufacturer or provider effective, coordinated and rapid handling of the unpatched actively exploited vulnerability, or effective and efficient mitigation measures;
(c) share available information with the vendor and request the manufacturer or provider, where possible, to identify a list of CSIRTs in the Member States concerned by the unpatched actively exploited vulnerability that shall be informed;
(d) share available information with the CSIRTs identified under the previous point, on a need-to-know basis;
(e) share, where they exist, mitigation strategies and measures for the reported unpatched actively exploited vulnerability.
If the competent authority becomes aware of an unpatched, actively exploited vulnerability, then according to NCCS Article 37 Paragraph 3 it shall:
(a) share, where they exist, mitigation strategies and measures for the reported unpatched actively exploited vulnerability, in coordination with the CSIRTs in its Member State;
(b) share the information with a CSIRT in the Member State where the unpatched actively exploited vulnerability has been reported.