| Jurisdiction | Requirement | Policy | Applies to | Provision | Description | Date | Organization |
|---|---|---|---|---|---|---|---|
| Region | Policy | Coordinated Vulnerability Disclosure Policies in the EU | EU Member States | Section 4 | Encourages EU Member States to implement CVD policies by providing recommendations for overcoming the associated legal, economic, political, operational, and crisis-management challenges. In the document, ENISA also hinted that it might in future provide clear guidance to countries on how to establish a CVD policy, publish countries' best practices and challenges, and publish templates on which countries can draft their policies. | April 2022 | European Union Agency for Cybersecurity (ENISA) |
| Region | Policy | NIS 2 Directive (Directive (EU) 2022/2555) | Important and essential entities (as defined; similar to critical infrastructure) | Article 21.2(e) | "2. The measures referred to in paragraph 1 shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include at least the following: (a) policies on risk analysis and information system security; (b) incident handling; (c) business continuity, such as backup management and disaster recovery, and crisis management; (d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers; (e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;" | October 17, 2024 | European Parliament / Commission / Council |
| Region | Policy | NIS 2 Directive (Directive (EU) 2022/2555) | EU Member States (and their designated CSIRTs) and ENISA | Article 12(1) | Requires Member States to designate a Computer Security Incident Response Team (CSIRT) as the coordinator for CVD. That CSIRT acts as a trusted intermediary between the natural or legal persons reporting a vulnerability and the manufacturer of the ICT product or service. ENISA must also develop a European vulnerability database. | October 17, 2024 | European Parliament / Commission / Council |
| Region | Policy | Cyber Resilience Act (CRA) | Manufacturers of software and digitally enabled devices in the EU Single Market | Annex 1 Sec. 2(5) | Requires manufacturers to establish, put in place, and enforce a coordinated vulnerability disclosure (CVD) policy. Full compliance deadline: December 10, 2027. Early reporting obligations: some provisions, such as vulnerability reporting, may apply earlier, starting 21 months after the CRA enters into force. | December 10, 2024 | European Union |