In March 2019, the EU Parliament adopted the Cybersecurity Act. The EU Cybersecurity Act aims to strengthen the role of the European Agency for Network and Information Security (ENISA) and introduces a common certification framework for ICT products (Hardware, Software and Services).
Before this, in 2018, the European Commission advocated the creation of a network of Cybersecurity expertise centers to reinforce research and the deployment of new capabilities in the European Union.
The European Commission has pushed to invest more than €2 billion to reinforce cybersecurity in the Digital Europe Program along with the H2020 Program, with €63.5 million invested in four pilot projects.
One of the four funded projects is called SPARTA, bringing together 44 partners. As a SPARTA partner, YesWeHack asserts its role in advocating operational Coordinated Vulnerability Disclosure and Crowd-sourced security at the European level.
Since its creation in 2013, YesWeHack has been defending and promoting Coordinated Vulnerability Disclosure.
In March 2018, YesWeHack CEO Guillaume Vassault-Houlière and Romain Lecoeuvre (CTO) contributed to the ground-breaking report on Software Vulnerability Disclosure processes in Europe published by CEPS experts including Lorenzo Pupillo, Afonso Ferreira and Gianluca Varisco.
As a result, only the Netherlands, followed closely by France, have a decent national CVD policy. Needless to say, a huge amount of work remains to be done in this field.
Back in 2016, France, through the National Cybersecurity Agency of France (ANSSI), included Vulnerability Disclosure in its revised legislative framework. (Source: Law for a Digital Republic, Article 47)
Let us take a look at how Coordinated Vulnerability Disclosure (CVD) is incentivized and framed by the EU Cybersecurity Act.