Insights European Union Agency for Cybersecurity (ENISA) publishes report on how to develop harmonised national vulnerability programmes and initiatives in the EU


ENISA notes that with the adoption of the new Security of Network and Information Systems Directive (NIS2), Member States will need to have a coordinated vulnerability disclosure policy adopted and published by 17 October 2024. In addition, other ongoing EU legislative developments will address vulnerability disclosure, with vulnerability handling requirements already foreseen in the EU Commission’s proposed Cyber Resilience Act (CRA).

ENISA’s new report, “Developing National Vulnerability Programmes”, examines the expectations of both industry and Member States in relation to NIS2’s objectives. It also analyses the related legal, collaborative and technical challenges arising from such initiatives.

The findings from the report will feed into the guidelines ENISA and the NIS Cooperation Group intend to prepare to help EU Member States establish their national Coordinated Vulnerability Disclosure (CVD) policies. These guidelines will be focused on vulnerability management, dedicated processes and related responsibilities.

With this research, ENISA seeks to discover how a harmonised approach across the EU can be achieved. The different options envisaged will be discussed by the task force driving the project, which involves ENISA and the NIS Cooperation Group.

The report finds that industry expects:

  • a national or European CVD policy to encourage organisations to set vulnerability management and security practices as priority;
  • policy makers to consider the existing initiatives and standards around CVD;
  • global cooperation across legislation as well as cooperation between industry players; and
  • the public sector to be strengthened to avoid silos.

The report also highlights the incentives of, and obstacles faced by, security researchers to legally report vulnerabilities. Reputational interests are a key driver for researchers whose public proof of vulnerability discovery and disclosure adds to their professional credibility and thus ensures the legitimacy and reliability of their work. On the other hand, a vague or absent CVD framework may lead to legal uncertainty and hinder or even prevent the reporting of vulnerabilities. To read ENISA’s news release in full and for a link to the report and additional information, click here.