Source: OJ L 333, 27.12.2022, p. 80–152
Current language: EN
NIS 2 Directive
Article 12 Coordinated vulnerability disclosure and a European vulnerability database
Each Member State shall designate one of its CSIRTs as a coordinator for the purposes of coordinated vulnerability disclosure. The CSIRT designated as coordinator shall act as a trusted intermediary, facilitating, where necessary, the interaction between the natural or legal person reporting a vulnerability and the manufacturer or provider of the potentially vulnerable ICT products or ICT services, upon the request of either party. The tasks of the CSIRT designated as coordinator shall include:
- identifying and contacting the entities concerned;
- assisting the natural or legal persons reporting a vulnerability; and
- negotiating disclosure timelines and managing vulnerabilities that affect multiple entities.
Member States shall ensure that natural or legal persons are able to report, anonymously where they so request, a vulnerability to the CSIRT designated as coordinator. The CSIRT designated as coordinator shall ensure that diligent follow-up action is carried out with regard to the reported vulnerability and shall ensure the anonymity of the natural or legal person reporting the vulnerability. Where a reported vulnerability could have a significant impact on entities in more than one Member State, the CSIRT designated as coordinator of each Member State concerned shall, where appropriate, cooperate with other CSIRTs designated as coordinators within the CSIRTs network.
ENISA shall develop and maintain, after consulting the Cooperation Group, a European vulnerability database. To that end, ENISA shall establish and maintain the appropriate information systems, policies and procedures, and shall adopt the necessary technical and organisational measures to ensure the security and integrity of the European vulnerability database, with a view in particular to enabling entities, regardless of whether they fall within the scope of this Directive, and their suppliers of network and information systems, to disclose and register, on a voluntary basis, publicly known vulnerabilities in ICT products or ICT services.
All stakeholders shall be provided access to the information about the vulnerabilities contained in the European vulnerability database. That database shall include:
- information describing the vulnerability;
- the affected ICT products or ICT services and the severity of the vulnerability in terms of the circumstances under which it may be exploited;
- the availability of related patches and, in the absence of available patches, guidance provided by the competent authorities or the CSIRTs addressed to users of vulnerable ICT products and ICT services as to how the risks resulting from disclosed vulnerabilities can be mitigated.
Relevant recitals
Recital 58 Vulnerability disclosure
Since the exploitation of vulnerabilities in network and information systems may cause significant disruption and harm, swiftly identifying and remedying such vulnerabilities is an important factor in reducing risk. Entities that develop or administer network and information systems should therefore establish appropriate procedures to handle vulnerabilities when they are discovered.
Since vulnerabilities are often discovered and disclosed by third parties, the manufacturer or provider of ICT products or ICT services should also put in place the necessary procedures to receive vulnerability information from third parties. In that regard, international standards ISO/IEC 30111 and ISO/IEC 29147 provide guidance on vulnerability handling and vulnerability disclosure.
Strengthening the coordination between reporting natural and legal persons and manufacturers or providers of ICT products or ICT services is particularly important for the purpose of facilitating the voluntary framework of vulnerability disclosure. Coordinated vulnerability disclosure specifies a structured process through which vulnerabilities are reported to the manufacturer or provider of the potentially vulnerable ICT products or ICT services in a manner allowing it to diagnose and remedy the vulnerability before detailed vulnerability information is disclosed to third parties or to the public.
Coordinated vulnerability disclosure should also include coordination between the reporting natural or legal person and the manufacturer or provider of the potentially vulnerable ICT products or ICT services as regards the timing of remediation and publication of vulnerabilities.
Recital 60 National coordinated vulnerability disclosure
Member States, in cooperation with ENISA, should take measures to facilitate coordinated vulnerability disclosure by establishing a relevant national policy. As part of their national policy, Member States should aim to address, to the extent possible, the challenges faced by vulnerability researchers, including their potential exposure to criminal liability, in accordance with national law. Given that natural and legal persons researching vulnerabilities could in some Member States be exposed to criminal and civil liability, Member States are encouraged to adopt guidelines as regards the non-prosecution of information security researchers and an exemption from civil liability for their activities.
Recital 62 European vulnerability database
Access to correct and timely information about vulnerabilities affecting ICT products and ICT services contributes to an enhanced cybersecurity risk management. Sources of publicly available information about vulnerabilities are an important tool for the entities and for the users of their services, but also for the competent authorities and the CSIRTs.
For that reason, ENISA should establish a European vulnerability database where entities, regardless of whether they fall within the scope of this Directive, and their suppliers of network and information systems, as well as the competent authorities and the CSIRTs, can disclose and register, on a voluntary basis, publicly known vulnerabilities for the purpose of allowing users to take appropriate mitigating measures. The aim of that database is to address the unique challenges posed by risks to Union entities.
Furthermore, ENISA should establish an appropriate procedure regarding the publication process in order to give entities the time to take mitigating measures as regards their vulnerabilities and employ state-of-the-art cybersecurity risk-management measures as well as machine-readable datasets and corresponding interfaces. To encourage a culture of disclosure of vulnerabilities, disclosure should have no detrimental effects on the reporting natural or legal person.
Recital 63 Cooperation with the CVE system
Although similar vulnerability registries or databases exist, they are hosted and maintained by entities which are not established in the Union. A European vulnerability database maintained by ENISA would provide improved transparency regarding the publication process before the vulnerability is publicly disclosed, and resilience in the event of a disruption or an interruption of the provision of similar services. In order, to the extent possible, to avoid a duplication of efforts and to seek complementarity, ENISA should explore the possibility of entering into structured cooperation agreements with similar registries or databases that fall under third-country jurisdiction. In particular, ENISA should explore the possibility of close cooperation with the operators of the Common Vulnerabilities and Exposures (CVE) system.