On 13 April 2022, the European Union Agency for Cybersecurity (ENISA) published a report on national coordinated vulnerability disclosure (CVD) policies in the EU Member States.
Coordinated vulnerability disclosure is a process by which vulnerability finders work together and share information with the relevant stakeholders, such as vendors or ICT infrastructure owners. The ENISA report maps the policies in place across the EU, compares the different approaches and highlights good practices. The analysis shows a wide disparity among Member States, with only four Member States having already implemented such a policy.
The report also outlines the challenges identified by Member States when implementing national vulnerability disclosure policies, including legal risks.
In that regard, it is important that the forthcoming NIS Directive 2.0 will require Member States to implement a national CVD policy (Art. 6 NIS Directive 2.0 Proposal). Each Member State shall designate one of its CSIRTs as a coordinator for the purpose of coordinated vulnerability disclosure. The designated CSIRT shall act as a trusted intermediary, facilitating, where necessary, the interaction between the reporting entity and the manufacturer or provider of ICT products or ICT services. Where the reported vulnerability concerns multiple manufacturers or providers of ICT products or ICT services across the Union, the designated CSIRT of each Member State concerned shall cooperate with the CSIRT network.
Further, the NIS Directive 2.0 mandates ENISA to develop and maintain a vulnerability registry, the EU vulnerability database (EUVDB), as a single, easily accessible platform facilitating information sharing.