On the 11th of September, the Ministry For The Economy, Enterprise And Strategic Projects has initiated a public consultation on the proposed Coordinated Vulnerability Disclosure Policy (“CVDP”), which marks the first time that ethical hacking has attained legal cognisance, and a clear step towards strengthening the nation's cybersecurity infrastructure.
Released on August 27, 2024, this CVDP is one of the vital components of Malta's ongoing efforts to comply with the European Union's NIS2 Directive and the National Cybersecurity Strategy 2023-2026.
The CVDP seeks to address vulnerabilities inherent in Information and Communication Technology (“ICT”) systems, which are critical to national security and daily operations. These vulnerabilities, often unknown to the organisation responsible for the system, may pose significant security risks. The policy outlines a formalised approach to facilitate the reporting and resolution of these weaknesses by involving security researchers and organisations in a secure manner and with legal certainty.
The policy's main objective is thus to encourage responsible disclosure of vulnerabilities by creating a legal framework for both the organisations managing ICT systems and the security researchers testing them.
The scope of the CVDP is broad and ambitious. It aligns with the obligations set out under Article 7 of the NIS2 Directive, which mandates Member States to adopt national cybersecurity strategies that include policies on managing vulnerabilities. Notably, the currently proposed Cyber Resilience Act reinforces the requirement for manufacturers of digital products to implement CVD policies before market placement.
Under the proposed CVDP, the security researchers who test and report on ICT systems will operate under a binding agreement with the responsible organisation.
The CVDP is designed to be technology-neutral and without prejudice to various legal frameworks, including Malta's Criminal Code and the General Data Protection Regulation (“GDPR”).
One of the primary features of the CVDP is the establishment of clear guidelines on the obligations of the organisations responsible for ICT systems. These include the following:
As part of the public consultation, stakeholders are invited to provide feedback on the proposed policy by accessing the full document on the public consultation portal.
The Coordinated Vulnerability Disclosure Policy can be accessed here.
--
Do you require assistance in drafting your organisation’s Vulnerability Disclosure Policy? GTG is here to help!
For more information regarding Information Technology Law, do not hesitate to contact Dr Ian Gauci or Dr Terence Cassar.