On 26 January 2023, the European Union Agency for Cybersecurity (ENISA) held its first EU Cybersecurity Policy Conference. The conference brought together speakers from the European institutions, national governments, European companies, and European organisations. Francesco Bordone, ECSO’s Manager for Cybersecurity Policies, spoke on a panel covering Coordinated Vulnerability Disclosure (CVD) within the NIS2 framework.
On 26 January 2023, ENISA hosted the first EU Cybersecurity Policy Conference, organised in partnership with the European Commission (DG CNECT). Policymakers, industry representatives, and other key stakeholders attended to discuss the implementation of cybersecurity policy and the challenges ahead.
In a panel discussion on Coordinated Vulnerability Disclosure (CVD) within the NIS2 framework, ECSO explained that CVD ultimately comes down to trust. Security researchers need to trust the private companies they report vulnerabilities to. Similarly, companies need to trust the national authorities they report to, and national authorities must trust ENISA to run the European Vulnerability Database (EUVDB) established under NIS2.
As the main voice of the European cybersecurity industry, ECSO went on to highlight today’s three primary problems with CVD:
• companies are afraid of being held liable when they report a vulnerability;
• companies fear that reporting a vulnerability will damage their reputation;
• security researchers often risk being sued by the companies they have reported vulnerabilities to.
To tackle these issues, ECSO encourages European and national authorities first to raise awareness of what companies must report and why reporting matters. Second, EU and national authorities must help shape a new narrative that takes the blame away from companies that report vulnerabilities and instead grants them recognition. As a third measure, security researchers who report a vulnerability should be given a legal “shield”.
In a concluding remark, ECSO also proposed that European and national public authorities should offer financial incentives, in the form of tax breaks, to companies that have adopted a Vulnerability Disclosure Policy (VDP). In this way, IT security departments would be transformed from cost centres into profit centres.
ECSO is delighted to have taken part in the insightful discussions at the EU Cybersecurity Policy Conference and welcomes similar conferences in the future.