Policy: Guide to Coordinated Vulnerability Disclosure Policies, Part I: Good Practices
Applies to: Companies and organizations
Provision: N/A
Description: Outlines "good practices" for the content of a CVD policy and for the overall process of Discovery, Report, Investigate, Deploy a Solution, and (Possibly) Disclose Publicly.
Date: December 2020
Organization: Centre for Cyber Security Belgium

Policy: Cybersecurity Strategy Belgium 2.0 2021-2025
Applies to: Companies and organizations
Provision: Section 3.2.2
Description: Companies and organizations are urged to publish a “Coordinated Vulnerability Disclosure Policy.” Through sectoral authorities, professional organizations and the Cyber Security Coalition Belgium, they will be informed of significant threats or vulnerabilities. Organizations of Vital Interest will also receive targeted and non-public alerts through the CCB’s Early Warning System (EWS).
Date: May 2021
Organization: Centre for Cyber Security Belgium

Policy: Coordinated Vulnerability Disclosure Policies in the EU
Applies to: EU Member States
Provision: Section 4
Description: Encourages EU Member States to implement CVD policies by providing recommendations for how to overcome the associated legal, economic, political, operational, and crisis management challenges. In the document, ENISA also hinted that, in the future, it might provide clear guidance to countries on how to establish a CVD policy, publish countries’ best practices and challenges, and publish templates upon which countries can draft their policies.
Date: April 2022
Organization: European Union Agency for Cybersecurity (ENISA)

Policy: NIS 2 Directive (Directive (EU) 2022/2555)
Applies to: Important and essential entities (as defined, similar to critical infrastructure)
Provision: Article 21.2(e)
Description (text of Article 21.2):
    2. The measures referred to in paragraph 1 shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include at least the following: (a) policies on risk analysis and information system security; (b) incident handling; (c) business continuity, such as backup management and disaster recovery, and crisis management; (d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers; (e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
Date: October 17, 2024
Organization: European Parliament / Commission / Council

Policy: NIS 2 Directive (Directive (EU) 2022/2555)
Applies to: EU Member States (and their designated CSIRT) and ENISA
Provision: Article 12(1)
Description: Requires Member States to designate a Computer Security Incident Response Team (CSIRT) as the coordinator for CVD. That CSIRT will act as a trusted intermediary between natural or legal persons reporting a vulnerability and the manufacturer of the ICT product or service. ENISA must also develop a European vulnerability database.
Date: October 17, 2024
Organization: European Parliament / Commission / Council

Policy: Cyber Resilience Act (CRA)
Applies to: Manufacturers of software and digitally-enabled devices in the EU Single Market
Provision: Annex 1 Sec. 2(5)
Description: Requires manufacturers to establish, put in place and enforce a coordinated vulnerability disclosure (CVD) policy.
    Full compliance deadline: December 10, 2027
    Early reporting obligations: some provisions, such as vulnerability reporting, may apply earlier, starting 21 months after the CRA enters into force.
Date: December 10, 2024
Organization: European Union

Policy: Code of practice for app store operators and app developers
Applies to: App Store Operators and App Developers
Provision: Sec. 3
Description: App Store Operators, and App Developers listing apps on them, should have a VDP (contact details or a contact form); App Store Operators should verify that App Developers abide by these practices; App Store Operators should accept vulnerability disclosure reports on behalf of App Developers who have not acknowledged a vulnerability; if the App Developer still fails to acknowledge the vulnerability, the App Store Operator should delist the app from its platform.
Date: October 24, 2023
Organization: Department for Science, Innovation and Technology

Policy: Product Security and Telecommunications Infrastructure (PSTI) Act
Applies to: Manufacturers, importers and distributors of consumer connectable products in the UK
Provision: Part 1, Chapter 2, Sec. 8 of the PSTI Act & PSTI Regulations 2023, Schedules 1 and 2
Description: The Product Security and Telecommunications Infrastructure Act 2022, Chapter 1, allows the Secretary of State to specify security requirements for connected devices.
    PSTI Regulations 2023, Schedules 1 and 2, require that connected device manufacturers provide publicly available information on how to report security issues and publish in English at least one point of contact for security issues relating to their products (hardware or software), including when notifiers will receive acknowledgments and status updates, in an accessible, clear and transparent way, without any prior request for personal information.
Date: April 29, 2024
Organization: UK Parliament