Jurisdiction
Region
Policy
Action Plan for the National Cybersecurity Strategy of the Czech Republic 2021-2025
Applies to
TBD
Provision
Code 11
Description

Czechia's NÚKIB is tasked with "draft[ing] a national policy proposal for the coordinated disclosure of vulnerabilities". Originally targeted for Q4 2021, publication is still pending as of mid-2025.

Date
TBD
Organization
National Cyber and Information Security Agency (NÚKIB)
Jurisdiction
Region
Requirement
Policy
Guide to Coordinated Vulnerability Disclosure Policies, Part II: Legal Aspects
Applies to
Companies and organizations
Provision
N/A
Description

Outlines the specific legal consequences of a CVD as they relate to intrusion into an IT system; manipulation of IT data; IT forgery and IT fraud; crimes concerning the secrecy of communications; and compliance with other legal provisions.

Date
December 2020
Organization
Centre for Cyber Security Belgium
Jurisdiction
Region
Requirement
Policy
Guide to Coordinated Vulnerability Disclosure Policies, Part I: Good Practices
Applies to
Companies and organizations
Provision
N/A
Description

Outlines "good practices" for the content of a CVD and for the overall process of Discovery, Report, Investigate, Deploy a Solution, and (Possibly) Disclose Publicly.

Date
December 2020
Organization
Centre for Cyber Security Belgium
Jurisdiction
Region
Requirement
Policy
Cybersecurity Strategy Belgium 2.0 2021-2025
Applies to
Companies and organizations
Provision
Section 3.2.2
Description

Companies and organizations are urged to publish a “Coordinated Vulnerability Disclosure Policy.” Through sectoral authorities, professional organizations and the Cyber Security Coalition Belgium, they will be informed of significant threats or vulnerabilities. Organizations of Vital Interest will also receive targeted, non-public alerts through the CCB’s Early Warning System (EWS). Additionally, Belgium has established a legal framework (effective February 15, 2023) providing protections for ethical hackers who report vulnerabilities in good faith, ensuring they are not subject to prosecution under certain conditions.

Date
May 2021
Organization
Centre for Cyber Security Belgium
Jurisdiction
Region
Requirement
Policy
Coordinated Vulnerability Disclosure Policies in the EU
Applies to
EU Member States
Provision
Section 4
Description

Encourages EU member states to implement CVD policies by providing recommendations for how to overcome the associated legal, economic, political, operational, and crisis management challenges. In the document, ENISA also hinted that, in the future, it might provide clear guidance to countries about how to establish a CVD policy, publish countries’ best practices and challenges, and publish templates upon which countries can draft their policies. Since April 2022, ENISA has published updated guidance and practical templates to assist member states in establishing effective CVD policies.

Date
April 2022
Organization
European Union Agency for Cybersecurity (ENISA)
Jurisdiction
Region
Requirement
Policy
NIS 2 Directive (Directive (EU) 2022/2555)
Applies to
Important and essential entities (as defined, similar to critical infrastructure)
Provision
Article 21.2(e)
Description

2. The measures referred to in paragraph 1 shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include at least the following: (a) policies on risk analysis and information system security; (b) incident handling; (c) business continuity, such as backup management and disaster recovery, and crisis management; (d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers; (e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;

Date
October 17, 2024
Organization
European Parliament / Commission / Council
Jurisdiction
Region
Requirement
Policy
NIS 2 Directive (Directive (EU) 2022/2555)
Applies to
EU Member States (and their designated CSIRT) and ENISA
Provision
Article 12(1)
Description

Requires each Member State to designate a Computer Security Incident Response Team (CSIRT) as the coordinator for CVD. That CSIRT will act as a trusted intermediary between natural/legal persons reporting a vulnerability and the manufacturer of the ICT product or service. ENISA must also develop a European vulnerability database. This provision was adopted on October 17, 2024, and Member States are in the process of implementing these requirements. Full operational status is expected to be established progressively throughout 2025.

Date
October 17, 2024 (ongoing implementation)
Organization
European Parliament / Commission / Council
Jurisdiction
Region
Requirement
Policy
Cyber Resilience Act (CRA)
Applies to
Manufacturers of software and digitally-enabled devices in the EU Single Market
Provision
Annex 1 Sec. 2(5)
Description

Requires manufacturers to put in place and enforce a coordinated vulnerability disclosure (CVD) policy.

Full compliance deadline: December 10, 2027.

Early reporting obligations: some provisions, such as vulnerability reporting, may apply earlier, starting 21 months after the CRA enters into force.

Date
December 10, 2024
Organization
European Union
Jurisdiction
Region
Requirement
Policy
Code of practice for app store operators and app developers
Applies to
App Store Operators and App Developers
Provision
Sec. 3
Description

App Store Operators, and App Developers listing apps on them, should have a VDP (contact details/contact form); App Store Operators should verify that App Developers abide by these practices; App Store Operators should accept vulnerability disclosure reports on behalf of App Developers who have not acknowledged the vulnerability; and if the App Developer still fails to acknowledge the vulnerability, the App Store Operator should delist the app from its platform.

Date
October 24, 2023
Organization
Department for Science, Innovation and Technology