Both, the NIS Directive and the GDPR introduce breach reporting obligations. In particular, in the case of the GDPR this might include an obligation to go public about an incident. These legal obligations might be in conflict with good/common practice of responsible vulnerability disclosure. This paper briefly outlines reporting duties under NISD and GDPR and maps these to hypothetical scenarios where informing end users about cyber incidents might lead to uncontrolled vulnerability disclosure. In that view, this paper analyses whether the latest proposal for a NIS Directive 2.0 strikes the right balance between the need for swift reporting and the need to investigate a vulnerability when introducing a ‘coordinated vulnerability disclosure’.
The paper has been published in JIPITEC 2021: Responsible Vulnerability Disclosure under the NIS 2.0 Proposal