With the new Directive on measures for a high common level of cybersecurity across the Union (NIS2) adopted on 16 January 2023, Member States will need to have a coordinated vulnerability disclosure policy adopted and published by 17 October 2024. In addition, other ongoing legislative developments will also address vulnerability disclosure, with vulnerability handling requirements already foreseen in the proposed Cyber Resilience Act (CRA).
The new report published today looks into the expectations of both industry and the Member States in relation to the NIS2’s objective. It also analyses the related legal, collaborative and technical challenges arising from such initiatives.
Apart from insights on industry expectations, the findings feed into the guidelines ENISA and the NIS Cooperation Group intend to prepare to help EU Member States establish their national Coordinated Vulnerability Disclosure (CVD) policies. These guidelines would be focused on vulnerability management, dedicated processes and related responsibilities.
With this research, ENISA seeks to find out how a harmonised approach across the EU can be achieved. The different options envisaged to do so will be discussed within the task force driving the project, which consists of ENISA together with the NIS Cooperation Group.
Peeking into the report:
Examples of what industry expects:
- a national or European CVD policy may encourage organisations to set vulnerability management and security practices as a priority;
- policy makers should consider the existing initiatives and standards around CVD;
- global cooperation across different legislations as well as cooperation between industry players and the public sector needs to be strengthened to avoid silos.
Challenges for Security Researchers
The report also highlights the incentives for, and obstacles to, security researchers legally reporting vulnerabilities. Reputational interests are a key driver for researchers, whose public proof of vulnerability discovery and disclosure adds to their professional credibility and thus ensures the legitimacy and reliability of their work. On the other hand, a vague or absent CVD framework may lead to legal uncertainty, and thus hinder or even prevent the reporting of vulnerabilities.
The report builds upon previous work performed by ENISA in the field of vulnerabilities. ENISA issued a report on good practices on vulnerability disclosure in the EU in April 2022. In addition, the limitations and opportunities of the vulnerability ecosystem were analysed in the ENISA 2019 State of Vulnerabilities report.