Section 6.4.2 of the ENISA Technical Implementation Guide for NIS2 (v1.0, June 2025) provides non-binding technical guidance on the implementation of Article 21(2)(f) of Directive (EU) 2022/2555 and Annex I, Section 6 of the Implementing Regulation (EU) 2024/2690. It emphasizes the establishment of formal vulnerability handling and disclosure processes, including the adoption of public Vulnerability Disclosure Policies (VDPs) and support for Coordinated Vulnerability Disclosure (CVD). The guidance outlines good practices such as the publication of VDPs on organizational websites, clear communication channels for external reporters, defined response timelines, and alignment with international standards (e.g., ISO/IEC 29147, ISO/IEC 30111). It also includes practical implementation steps and evidence examples for demonstrating conformity during supervision by competent authorities.
Encourages EU member states to implement CVD policies by providing recommendations for how to overcome the associated legal, economic, political, operational, and crisis management challenges. In the document, ENISA also hinted that, in the future, it might provide clear guidance to countries on how to establish a CVD policy, publish countries' best practices and challenges, and publish templates upon which countries can draft their policies. Since April 2022, ENISA has published updated guidance and practical templates to assist member states in establishing effective CVD policies.
2. The measures referred to in paragraph 1 shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include at least the following: (a) policies on risk analysis and information system security; (b) incident handling; (c) business continuity, such as backup management and disaster recovery, and crisis management; (d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers; (e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
Requires Member States to designate a Computer Security Incident Response Team (CSIRT) as the coordinator for CVD. That CSIRT acts as a trusted intermediary between natural or legal persons reporting a vulnerability and the manufacturer of the ICT product or service. ENISA must also develop a European vulnerability database. This provision was adopted on October 17, 2024, and Member States are in the process of implementing these requirements. Full operational status is expected to be established progressively throughout 2025.
Requires manufacturers to put in place and enforce a policy on coordinated vulnerability disclosure.
Establish a coordinated vulnerability disclosure (CVD) policy.
Full compliance deadline: December 10, 2027
Early reporting obligations: Some provisions, such as vulnerability reporting, may apply earlier, starting 21 months after the CRA enters into force.