EU mandates disclosure rules
An EU obligation now formalizes coordinated vulnerability disclosure, according to Help Net Security, though the coverage notes that cultural and operational change across vendors will take time. The shift signals tighter expectations for how suppliers and maintainers handle vulnerability reports. (helpnetsecurity.com)
The European Union now requires member states to have coordinated vulnerability disclosure rules on the books, turning a once-optional practice into a legal obligation. (eur-lex.europa.eu) Coordinated vulnerability disclosure is the process of reporting a software flaw privately, giving the vendor time to fix it, and then publishing details so users can protect themselves.

The European Union Agency for Cybersecurity (ENISA) says the Network and Information Systems Directive 2 requires member states to adopt and publish a national policy for that process. (enisa.europa.eu 1) (enisa.europa.eu 2) The deadline for doing so was October 17, 2024, under Directive (EU) 2022/2555, which entered into force on January 16, 2023. The directive also requires Computer Security Incident Response Teams to be involved in national coordinated vulnerability disclosure processes. (enisa.europa.eu) (eur-lex.europa.eu)

The same law gave ENISA a second job: build and maintain a European Vulnerability Database. ENISA says that database lets organizations and their suppliers register and disclose vulnerabilities in information and communications technology products and services on a voluntary basis. (enisa.europa.eu) The database went live in May 2025. ENISA presented it as a Network and Information Systems Directive 2 measure meant to improve how vulnerabilities are tracked across the bloc. (helpnetsecurity.com)

The practical problem is older than the law. In April 2022, ENISA said member states were at different stages of maturity on disclosure policy, and it published recommendations to make national approaches more consistent. (enisa.europa.eu) Nuno Rodrigues Carvalho of ENISA told Help Net Security on April 15, 2026, that regulation can set expectations, but vendors and maintainers still need the people, workflows, and trust to handle reports well. He also pointed to recent strain around the Common Vulnerabilities and Exposures program as a sign that the wider disclosure system still depends heavily on shared infrastructure. (helpnetsecurity.com)

ENISA has been expanding its own role inside that system. In 2024, the agency said it had become an authorized Common Vulnerabilities and Exposures Numbering Authority, which means it can assign identifiers to newly disclosed flaws. (enisa.europa.eu)

The European rulebook now says every member state needs a disclosure policy, but the day-to-day test is still whether a researcher can report a bug, reach the right team, and get a fix shipped before attackers move first. (enisa.europa.eu) (helpnetsecurity.com)