Responsible Vulnerability Disclosure under the NIS 2.0 Proposal

Authors

  • Sandra Schmitz
  • Stefan Schiffner

Keywords

Cybersecurity, Disclosure, GDPR, NIS Directive, Vulnerability

Abstract

Both the NIS Directive (NISD) and the GDPR introduce breach reporting obligations. In particular, under the GDPR this may include an obligation to go public about an incident. These legal obligations might conflict with the good and common practice of responsible vulnerability disclosure. This paper briefly outlines the reporting duties under the NISD and the GDPR and maps them to hypothetical scenarios in which informing end users about cyber incidents might lead to uncontrolled vulnerability disclosure. In that light, the paper analyses whether the latest proposal for a NIS Directive 2.0, in introducing a ‘coordinated vulnerability disclosure’, strikes the right balance between the need for swift reporting and the need to investigate a vulnerability.

Published

2022-02-04