A new Cyber Resilience Act (CRA) was recently agreed upon in the European Union (EU). It imposes many new cyber security requirements on practically all information technology products, whether hardware or software. This paper examines and elaborates the CRA's new requirements for vulnerability coordination, including vulnerability disclosure. Although these requirements are only a part of the CRA's obligations for vendors, they also contain some new vulnerability coordination mandates, particularly with respect to so-called actively exploited vulnerabilities. The CRA further alters the coordination practices on the side of public administrations. Through this examination, elaboration, and associated discussion, the paper contributes to the study of cyber security regulations and also provides a few practical takeaways.