Disclosing information about vulnerabilities in ICT systems or products to the public is considered an ethical practice for various reasons, such as raising awareness and enabling users to protect themselves from further harm. However, on the EU level, this concept remains in development, and numerous challenges must be addressed, particularly due to conflicting perspectives and the absence of a comprehensive legal framework to ensure that disclosures are made in good faith. Navigating undesirable practices in the EU cybersecurity ecosystem, efforts are underway to establish policy and legislative frameworks that encourage ethical hacking and discourage the commercial exploitation of discovered vulnerabilities. This chapter examines the emerging EU legislation applicable to coordinated vulnerability disclosure, identifies existing policy approaches and explores challenges that deserve additional attention to contribute to the debate on a fully integrated and operative approach in practice. Particular attention is given to how coordinated vulnerability disclosure is being embedded within the EU’s multi-level legislative architecture, which combines internal market regulation with cybersecurity governance. We also consider the institutional aspect, particularly the role of the European Union Agency for Cybersecurity in maintaining a Vulnerability Database. This supports Member States in establishing national frameworks for coordinated vulnerability disclosure, contributing to broader efforts to foster a culture of security, transparency, and trust across information systems and networks within the European Union.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Construing Coordinated Vulnerability Disclosure in EU Law: Normative and Institutional Implications for Cybersecurity Governance

  • Marija Vlajković,
  • Jelisaveta Tasev

摘要

Disclosing information about vulnerabilities in ICT systems or products to the public is considered an ethical practice for various reasons, such as raising awareness and enabling users to protect themselves from further harm. However, on the EU level, this concept remains in development, and numerous challenges must be addressed, particularly due to conflicting perspectives and the absence of a comprehensive legal framework to ensure that disclosures are made in good faith. Navigating undesirable practices in the EU cybersecurity ecosystem, efforts are underway to establish policy and legislative frameworks that encourage ethical hacking and discourage the commercial exploitation of discovered vulnerabilities. This chapter examines the emerging EU legislation applicable to coordinated vulnerability disclosure, identifies existing policy approaches and explores challenges that deserve additional attention to contribute to the debate on a fully integrated and operative approach in practice. Particular attention is given to how coordinated vulnerability disclosure is being embedded within the EU’s multi-level legislative architecture, which combines internal market regulation with cybersecurity governance. We also consider the institutional aspect, particularly the role of the European Union Agency for Cybersecurity in maintaining a Vulnerability Database. This supports Member States in establishing national frameworks for coordinated vulnerability disclosure, contributing to broader efforts to foster a culture of security, transparency, and trust across information systems and networks within the European Union.