CVD Policy

ENISA has been supporting the EU Member States since 2012 in developing, implementing and evaluating their National Cyber Security Strategies (NCSS). Since 2017, all EU Member States have published their own NCSS.

The state of implementation of national CVD policies across the Member States shows that substantial differences exist among them. The research shows that while evolving in a fragmented EU environment, multiple Member States are making progress in the development of national CVD policies but at different rates.

Most of the Member States without a CVD policy in place expressed the intention of establishing one in the future, especially in the context of the national transposition of the NIS2 directive. Very few Member States seem to be opposed to implementing a CVD policy. In some cases, this is because current practices or legal frameworks in place in the countries already allow CVD processes to take place even without a formal policy.

Belgium

Belgium has implemented a legal framework for CVD under Articles 22 and 23 of the Law of 26 April 2024 (Belgian NIS2 Act). The Centre for Cybersecurity Belgium (CCB) is the designated CVD coordinator. Vulnerability research is legally permitted under strict conditions, including timely reporting and no public disclosure without CCB approval. All NIS2 entities are required to adopt a CVD policy in line with the CCB CVD Guide.

Main CVD Page: https://ccb.belgium.be/en/coordinated-vulnerability-disclosure-policy-and-vulnerability-detection-reward-program-bug-bounty
CCB CVD Policy (under review): https://ccb.belgium.be/en/vulnerability-policy

Law of 26 April 2024: https://www.ejustice.just.fgov.be/eli/loi/2024/04/26/2024202344/justel
Procedure Document: BE_CVD_POLICY_en.pdf

Related objective: Establish a CVD Policy

Cyprus

The CVD policy is planned as secondary legislation. Primary legislation harmonizing Directive (EU) 2022/2555 must be voted on in the House of Representatives. Expected availability: Q3 2025. Efforts are led by the Digital Security Authority and National CSIRT-CY. Recent DDoS attacks highlight the urgency of the policy.

Related objective: Establish a CVD Policy

Czech Republic

The National Cyber and Information Security Agency (NÚKIB) is finalizing its national CVD policy for publication in Q1–Q2 2025. The Governmental CERT under NÚKIB will serve as the CVD coordinator. The policy aligns with NIS2 Directive requirements and involves a new CVD platform and resources. Legal aspects such as criminal law and GDPR are under consultation to support responsible disclosure.

https://www.nukib.gov.cz/en
https://osveta.nukib.gov.cz/course/view.php?id=168
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555

CZ_CVD_POLICY.pdf

Related objective: Establish a CVD Policy

Denmark

Implementation of the CVD policy is in progress. It is expected to be part of a new national strategy for cyber- and information security, anticipated to be effective from 2026. Further details and links will be available at a later stage.

Related objective: Establish a CVD Policy

Estonia

Estonia has begun implementing a national CVD policy. The Estonian Information System Authority is piloting a Vulnerability Disclosure Policy (VDP) and a Bug Bounty Program (BBP) through HackerOne. The VDP has a broader scope, covering critical infrastructure such as the top-level domain registry (TLD: .EE) and state/local networks. The BBP currently applies only to services of the Authority. Expansion to other public sector services requires individual institutions to establish their own CVDPs and contracts. A general public CVDP is the long-term goal.

Available via HackerOne platform (restricted access)

Not publicly available

Related objective: Establish a CVD Policy

Finland

Traficom's National Cyber Security Centre (NCSC-FI) is the national authority managing CVD. It collects information on security breaches and threats, and produces national cybersecurity snapshots. The CVD policy is implemented and available online. A national law concerning the CVD policy is expected by April.

https://www.kyberturvallisuuskeskus.fi/en/our-services/situation-awareness-and-network-management/vulnerability-coordination/coordinated

Related objective: Establish a CVD Policy

Germany

Germany's CVD policy was published on 1 December 2022. The guideline document is available in German, with an English version planned for 2025/2026. BSIG §4b provides the legal basis for handling vulnerabilities.

https://www.bsi.bund.de/EN/IT-Sicherheitsvorfall/IT-Schwachstellen/it-schwachstellen_node.html

https://www.bsi.bund.de/DE/IT-Sicherheitsvorfall/IT-Schwachstellen/Leitlinie/Leitlinie_node.html
https://www.gesetze-im-internet.de/bsig_2009/__4b.html

Related objective: Establish a CVD Policy

Greece

Article 12 of Law 5160/2024 transposes Article 12 of the NIS2 Directive and designates the CSIRT of the National Cybersecurity Authority (NCSA) as the national coordinator for the CVD policy. NCSA is currently drafting secondary legislation to fully implement the CVD policy framework. No public URL for the policy is available yet.

Law 5160/2024 PDF (in Greek): 'EL_LAW_5160_2024_gr.pdf'

Related objective: Establish a CVD Policy

Latvia

Latvia's CVD policy is implemented under the National Cyber Security Law. CERT.LV is the national CVD coordinator, as designated in Article 5. The vulnerability reporting platform was launched in March 2023. Detailed responsibilities and rights are provided in Articles 39 and 40. Terms, data policy, and FAQs are published on the platform.

Main: https://cvd.cert.lv/
Terms: https://cvd.cert.lv/statictexts/view/terms-and-conditions
Data Policy: https://cvd.cert.lv/statictexts/view/data-processing
Law: https://likumi.lv/ta/id/353390-nacionalas-kiberdrosibas-likums (LV)
FAQs: https://cvd.cert.lv/faq/answers/10, https://cvd.cert.lv/faq/answers/100

Terms & Conditions: https://cvd.cert.lv/statictexts/view/terms-and-conditions
Law (LV): https://likumi.lv/ta/id/353390-nacionalas-kiberdrosibas-likums

Related objective: Establish a CVD Policy

Lithuania

Lithuania's CVD policy is established in Article 25 of the Law on Cybersecurity and detailed in the Procedure for Vulnerability Disclosure. Entities may create their own policies, provided they are not more restrictive than the national policy. These are aligned with the Cybersecurity Requirements.

Law on Cybersecurity: https://e-seimas.lrs.lt/portal/legalAct/lt/TAD/f6958c2085dd11e495dc9901227533ee/asr
Disclosure Procedure: https://e-seimas.lrs.lt/portal/legalAct/lt/TAD/270e6bd1e08911eb866fe2e083228059
Cybersecurity Requirements: https://e-seimas.lrs.lt/portal/legalAct/lt/TAD/94365031a53411e8aa33fe8f0fea665f/asr
Vulnerability Reporting Form: https://www.nksc.lt/pranesti-spraga.html

Publicly available via the official legislative and institutional links.

Related objective: Establish a CVD Policy

Poland

The CVD service started on August 1st, 2023, alongside CERT.PL joining the CVE Program as a CNA. CSIRT NASK (which includes CERT.PL) has been designated as the national CVD coordinator under the ongoing legislative process to implement the NIS2 Directive. Adoption of the Cybersecurity Act is expected in the second half of 2025.

Policy: https://cert.pl/en/cvd/ (EN), https://cert.pl/cvd/ (PL)
Disclosure site: https://cert.pl/en/cve/ (EN), https://cert.pl/cve/ (PL)

Related objective: Establish a CVD Policy

Romania

In the current stage of implementing the NIS2 Directive, DNSC has been designated as the CVD coordinator under Article 36 of Emergency Ordinance 155/2024, adopted on 30 December 2024. DNSC acts as the national CSIRT and a trusted intermediary, managing reporting, communication, timelines, legal compliance, and procedures for vulnerability disclosure. CVD procedures include anonymity, reporting responsibilities, researcher conduct, and timelines. Entities must establish vulnerability management processes and collaborate with DNSC. A strategic assessment has been published.

Policy page: https://dnsc.ro/pagini/CVD (RO)
Strategic Assessment: https://dnsc.ro/doc/ghid (RO)

Strategic Assessment Document (RO): https://dnsc.ro/doc/ghid
Emergency Ordinance 155/2024 (not linked as PDF but described)

Related objective: Establish a CVD Policy

Spain

Spain is currently transposing the NIS2 Directive into national law. Although no CSIRT has yet been designated as the national coordinator for Coordinated Vulnerability Disclosure (CVD), the legislation provides for the creation of a National Cybersecurity Center, which will designate a CSIRT to fulfill this role. While the legal framework for vulnerability research and reporting is not yet formalized, both INCIBE-CERT and CCN-CERT actively facilitate vulnerability coordination and disclosure processes.

CVD Policy:
https://www.incibe.es/incibe-cert/alerta-temprana/vulnerabilidades/asignacion-publicacion-cve
https://www.incibe.es/en/incibe-cert/early-warning/vulnerabilities/cve-assignment-publication
Advisories:
https://www.incibe.es/incibe-cert/alerta-temprana/vulnerabilidades/avisos-cna
https://www.incibe.es/en/incibe-cert/early-warning/vulnerabilities/advisories-cna
https://www.ccn-cert.cni.es/es/seguridad-al-dia/vulnerabilidades?format=html

Related objective: Establish a CVD Policy

Sweden

CERT-SE is the coordinating CSIRT for Sweden. A national CVD policy is under development. CERT-SE has plans to launch a website with guidance for vulnerability discoverers and companies, though the timeline is still uncertain.

https://www.cert.se

Related objective: Establish a CVD Policy