News Item

Coordinated Vulnerability Disclosure: Towards a Common EU Approach

The new report of the European Union Agency for Cybersecurity (ENISA) explores how to develop harmonised national vulnerability programmes and initiatives in the EU.

Published on February 16, 2023

With the new Directive on measures for a high common level of cybersecurity across the Union (NIS2) adopted on 16 January 2023, Member States will need to have a coordinated vulnerability disclosure policy adopted and published by 17 October 2024. In addition, other ongoing legislative developments will also address vulnerability disclosure, with vulnerability handling requirements already foreseen in the proposed Cyber Resilience Act (CRA).

The new report published today looks into the expectations of both industry and the Member States in relation to the NIS2’s objective. It also analyses the related legal, collaborative and technical challenges arising from such initiatives.

Apart from insights on industry expectations, the findings feed into the guidelines ENISA and the NIS Cooperation Group intend to prepare to help EU Member States establish their national Coordinated Vulnerability Disclosure (CVD) policies. These guidelines would be focused on vulnerability management, dedicated processes and related responsibilities.

With this research, ENISA seeks to find out how a harmonised approach across the EU can be achieved. The different options envisaged to do so will be discussed within the task force driving the project, which consists of ENISA together with the NIS Cooperation Group.

Peeking into the report:

Examples of what industry expects:

  • a national or European CVD policy may encourage organisations to set vulnerability management and security practices as a priority;
  • policy makers should consider the existing initiatives and standards around CVD;
  • global cooperation across different legislations as well as cooperation between industry players and the public sector needs to be strengthened to avoid silos.

Challenges for Security Researchers

The report also highlights the incentives for, and obstacles to, security researchers legally reporting vulnerabilities. Reputational interests are a key driver for researchers: public proof of vulnerability discovery and disclosure adds to their professional credibility and thus ensures the legitimacy and reliability of their work. On the other hand, a vague or absent CVD framework may lead to legal uncertainty, and this hinders or even prevents the reporting of vulnerabilities.

Background

The report builds upon previous work performed by ENISA in the field of vulnerabilities. ENISA issued a report on good practices on vulnerability disclosure in the EU in April 2022. In addition, the limitations and opportunities of the vulnerability ecosystem were analysed in the ENISA 2019 State of Vulnerabilities report.

Further information

Developing National Vulnerability Programmes and Initiatives – ENISA report 2023

Vulnerability Disclosure in the EU – An overview of National Vulnerability Disclosure Policies in the EU – ENISA report 2022

State of Vulnerabilities 2018/2019 - Analysis of Events in the life of Vulnerabilities

Economics of Vulnerability Disclosure

Good Practice Guide on Vulnerability Disclosure. From challenges to recommendations

Directive on measures for a high common level of cybersecurity across the Union (NIS2)

Cyber Resilience Act (CRA)

Contact

For press questions and interviews, please contact press (at) enisa.europa.eu
