European Union https://www.hackerone.com/ en Coordinated Vulnerability Disclosure Policies in the EU https://www.hackerone.com/node/2359 Coordinated Vulnerability Disclosure Policies in the EU h1_admin Mon, 07/29/2024 - 14:47 Jurisdiction European Union Region Europe Requirement Recommended Organization European Union Agency for Cybersecurity (ENISA) Provision Section 4 Applies to EU Member States Date April 2022 Description Encourages EU member states to implement CVD policies by providing recommendations for how to overcome the associated legal, economic, political, operational, and crisis management challenges. In the document, ENISA also hinted that, in the future, it might provide clear guidance to countries about how to establish a CVD policy, publish countries’ best practices and challenges, and publishing templates upon which countries can draft their policies. https://www.enisa.europa.eu/publications/coordinated-vulnerability-disclosure-p… ]]> Mon, 29 Jul 2024 19:47:29 +0000 h1_admin 2359 at https://www.hackerone.com NIS 2 Directive (Directive (EU) 2022/2555) https://www.hackerone.com/node/2339 NIS 2 Directive (Directive (EU) 2022/2555) h1_admin Fri, 07/26/2024 - 12:49 Jurisdiction European Union Region Europe Requirement Required *Coming Soon Organization European Parliament / Commission / Council Provision Article 21.2(e) Applies to Important and essential entities (as defined, similar to critical infrastructure) Date October 17, 2024 Description

2. The measures referred to in paragraph 1 shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include at least the following: (a) policies on risk analysis and information system security; (b) incident handling; (c) business continuity, such as backup management and disaster recovery, and crisis management; (d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers; (e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;

https://eur-lex.europa.eu/eli/dir/2022/2555 ]]> Fri, 26 Jul 2024 17:49:58 +0000 h1_admin 2339 at https://www.hackerone.com NIS 2 Directive (Directive (EU) 2022/2555) https://www.hackerone.com/node/2338 NIS 2 Directive (Directive (EU) 2022/2555) h1_admin Fri, 07/26/2024 - 12:43 Jurisdiction European Union Region Europe Requirement Required *Coming Soon Organization European Parliament / Commission / Council Provision Article 12(1) Applies to EU Member States (and their designated CSIRT) and ENISA Date October 17, 2024 Description

Requires Member States to designate a Computer Security Incident Response Teams (CSIRTs) as the coordinator for CVD. That CSIRT will act as a trusted intermediary between natural/legal persons reporting a vulnerability and the manufacturer of the ICT product or service. ENISA must also develop a European vulnerability database. 

https://eur-lex.europa.eu/eli/dir/2022/2555 ]]> Fri, 26 Jul 2024 17:43:35 +0000 h1_admin 2338 at https://www.hackerone.com Cyber Resilience Act (CRA) https://www.hackerone.com/node/2337 Cyber Resilience Act (CRA) h1_admin Fri, 07/26/2024 - 12:41 Jurisdiction European Union Region Europe Requirement Required Organization European Union Provision Annex 1 Sec. 2(5) Applies to Manufacturers of software and digitally-enabled devices in the EU Single Market Date December 10, 2024 Description

Requires manufacturers to put in place and enforce a policy on coordinated vulnerability disclosure. 

Establish a coordinated vulnerability disclosure policy (CVD).

Full compliance deadline: December 10, 2027 

Early reporting obligations: Some provisions, like vulnerability reporting, may apply earlier, starting 21 months after the CRA enters into force


 

https://www.europarl.europa.eu/doceo/document/TA-9-2024-0130_EN.html#title2 ]]> Fri, 26 Jul 2024 17:41:19 +0000 h1_admin 2337 at https://www.hackerone.com