AI_SAFETY | arxiv_cscr | 24 Jun 2026

arXiv: Do (Not) Tell Me About My Insecurities: Assessing the Status Quo of Coordinated Vulnerability Disclosure in Germany Amid New EU Cybersecurity Regulations

AI_SAFETY. Sourced from arxiv_cscr, summarised by Matproof.

AI Analysis

What changed and what to do.

This paper, published on arXiv, assesses the current state of Coordinated Vulnerability Disclosure (CVD) in Germany against the backdrop of new EU cybersecurity regulations, particularly the NIS2 Directive and the Cyber Resilience Act. It finds that while Germany has a legal framework for CVD, implementation remains inconsistent and fragmented across sectors. The study highlights a gap between regulatory expectations and actual practice, noting that many organizations still lack formal, publicly accessible disclosure policies and fail to meet response timelines mandated by upcoming rules.

The analysis directly affects all organizations operating in Germany that are subject to NIS2, including critical infrastructure operators, digital service providers, and public administration entities. It also impacts software vendors and manufacturers who must comply with the Cyber Resilience Act’s vulnerability handling requirements. Any EU-based firm with German operations or customers should take note, as the findings signal broader enforcement trends.

Compliance teams should immediately audit their existing vulnerability disclosure processes against NIS2 and CRA requirements. They must establish or update a formal CVD policy with clear reporting channels, response SLAs, and remediation timelines. Teams should also prepare for mandatory reporting to national authorities like the BSI and ensure their incident response plans align with the new 24-hour notification deadlines. Proactive engagement with security researchers and public documentation of disclosure practices will be critical to avoid regulatory penalties.

This summary is AI-generated for orientation purposes. For regulatory action, always consult the original source linked above.
