Title: Responsible Vulnerability Disclosure under the NIS 2.0 Proposal

Authors: Sandra Schmitz, Stefan Schiffner

Abstract: Both the NIS Directive and the GDPR introduce breach reporting obligations. In particular, in the case of the GDPR this might include an obligation to go public about an incident. These legal obligations might conflict with good/common practice of responsible vulnerability disclosure. This paper briefly outlines reporting duties under the NISD and the GDPR and maps these to hypothetical scenarios in which informing end users about cyber incidents might lead to uncontrolled vulnerability disclosure. In that view, this paper analyses whether the latest proposal for a NIS Directive 2.0 strikes the right balance between the need for swift reporting and the need to investigate a vulnerability when introducing a 'coordinated vulnerability disclosure'.

Keywords: Cybersecurity; Disclosure; GDPR; NIS Directive; Vulnerability

Published in: JIPITEC (periodical, academic journal), 340, vol. 12, issue 5, 2022, pp. 448-457
ISSN: 2190-3387
URN: urn:nbn:de:0009-29-54958
URL: http://nbn-resolving.de/urn:nbn:de:0009-29-54958
Citation key: schmitz2022