Hacker News | DrJaws's comments

read about the drama of carlsen and niemann before saying that chess is cheat-resistant


it's not much different than a Samsung device phoning their servers for everything the device does.

but in this case, as it does so to China, people are a bit paranoid. usually it is mostly their cloud services for note-taking or some push notifications.

but I think I remember people saying they could disable everything by rooting the devices.


they didn't, they even said something like "lol we don't care, we will never make things open source".


boox devices are not even close to 75hz though

not even the latest ones like tab x c


fair enough, don't release it in Europe and lose access to a market of 700 million people from the first world who pay the highest prices

maybe your game can live only by the sales of the US


If you go from Paris to Warsaw, you still won't need a passport, just a basic ID

Schengen area

travelling around Europe as a European is not much more hassle than moving in the US from one state to the other.


Huh, TIL. I had assumed that you needed a passport, they just didn't do border checks.


In addition to the other answers, I'd like to add that the Schengen area, the EU, and the Eurozone are all technically separate, none is a subset of one of the others:

https://en.wikipedia.org/wiki/Template:Supranational_Europea...

https://en.wikipedia.org/wiki/Schengen_Area

https://en.wikipedia.org/wiki/European_Union

https://en.wikipedia.org/wiki/Eurozone

Ireland and Cyprus are in EU & Eurozone but not Schengen; Poland, Hungary (and more) are in EU & Schengen but not Eurozone; Switzerland is in Schengen but neither EU nor Eurozone; Montenegro and Kosovo are in the Eurozone but neither the EU nor Schengen.


In Europe we have a kind of mini passport, called person id. Which only works in your own country and other Schengen countries. It’s nearly the same cost as a passport (at least in my municipality)

You are required to have a passport (or id) with you (as in, that’s what the law says). Even in your own country. But in your own country a driver's license is usually also sufficient.

But in practice you will almost never be asked to show any of those. In your own country, nor abroad.


That depends on country, in Poland you don't need to carry any ID on you anymore (you're then required to remember PESEL number, and recite it to police if asked; 11 digits, six of those are birthday).


In practice you can get away with not having ID on your person in most countries as long as it's reasonably close by. Technically you could get in trouble though so better carry one if you might provoke the police.


maybe the workforce is not really behind the non-profit foundation and want shares to skyrocket, sell, and be well off for life.

at the end of the day, the people working there are not rich like the founders and money talks when you have to pay rent, eat and send your kids to a private college.


I feel more like companies "worried" about disclosure to governments in 24 hours worry more about needing to fix things fast and maybe hire more people to do it than about security concerns.


I feel more like companies "worried" about disclosure to governments in 24 hours are "worried" less about the 24 hour and more about the disclose part.

Their preferred outcome would be mandatory disclosure within infinity hours.


This is a very simplistic take. There are CVEs and then there are CVEs. Some may take months to be properly fixed, no matter how many engineer-hours you put on them (e.g. the entire side-channel attacks saga). And that's not even taking into account the time required to alert different vendors (think about all the different Linux distributions, upstream, big companies, etc...) and coordinate adequate steps.


None of which matters if it is an active exploit, which not only the government but users of the software should be made aware of even if no patch is available yet, this will allow them to make the choice to shutdown the system, apply network level or other security measures, increase monitoring or many many many many other things they would be unable to do if software vendors keep it hidden for months while they choose what is the best course.

I am fundamentally a full disclosure supporter.


Don't you think governments need to know if their software has a known actively exploited vulnerability that exposes their private data, especially if you are going to take months to fix it? Or are you saying it is fine to stay silent if you notice Russians are using an exploit reading private user data and it will take months for you to fix it?


You make it sound as if the maintainer team already has a near-complete understanding of the problem in the first hours.


Not sure what you mean, if you know you have an actively exploited vulnerability then what more investigation would you need to do in a few hours?

This law only talks about actively exploited vulnerabilities, if you find a bug and go home for the weekend without fixing it that should be fine since that bug isn't actively exploited.

Edit: Point is, once you have done the investigation necessary to know that it is actively exploited you already have a ton of understanding about the problem. I don't see why you would need more than 24 hours at that point just to write a report to affected actors.


Suppose that I'm actively exploiting your software. Then I'm in a position where I can describe the exploit, but you may not be. After all I'm hardly eager to tell you how I'm doing it.

Once you discover that it's happening, you know there is an exploit so you know at least that the vulnerability exists. The discovery probably tells you something about the vulnerability, but how much? The last one I heard about in any detail was discovered when they noticed that an uplink was at 100% utilisation and realised that it was due to data being exfiltrated. That didn't tell them much about how the intruder gained the ability to exfiltrate the data.

Do you know enough to describe it? I know enough, but you're the one who's required to write a notification. Can you describe the vulnerability that's the subject of your notification?


It's easy.

Just report whatever you knew already. ... and prepare to join endless meetings with no time to work on the problem. /s


Even if they knew, what would they do about it? It's not like "the governments" could pull up a Spectre patch out of thin air. There are no mitigations. So what do they gain from knowing if they can't avoid it anyways?


There are mitigations for many vulnerabilities that don't involve the software being patched. For example, once you know a particular vulnerability exists, even if it's unpatched you can monitor for attempts against it, modify firewall rules and process monitoring to improve your awareness, etc.


It’s not uncommon for groups like CISA to recommend blocking things from the internet or disabling a particular feature which is part of the exploit but not critical to the entire app. They also proactively notify users in some cases (e.g. industrial systems) so everyone knows to install the patch as soon as it’s released.

As a simple analogy, look at how the Kia lock vulnerabilities are being handled. Yes, it’s best if you can repair everything but it’s not without value to make sure everyone affected knows the risk so they can change their behavior or buy a separate lock until then.


> There are no mitigations

They can use different applications and communication channels to avoid leaking data to hostile governments.


> There are no mitigations.

What about, everybody stops using the defective software? Or, more conservatively, all EU governments stop using the affected products?


> Even if they knew, what would they do about it?

Call meetings. Join endless meetings. Make deadlines for more meetings.


Also, there are governments and then there are governments. I would rather have a company keep a zero-day a secret than disclose it to a government run by assholes such as Viktor Orbán or Emmanuel Macron.


Reports of security breaches need to be reported to ENISA which is an EU institution.


Keeping multi-month ones secret is an even bigger risk to security if workarounds exist.


> fix things fast and maybe hire more people

I really hope you don't work in software.


chat-gpt at the end is a language model, not a real AI, it has limits and they are huge


What do you even mean by real AI? Some of the top AI researchers in the world work on chat gpt


real AI

Thanks for the laugh, I needed that.


that has a reason, as it's been demonstrated by a lot of meta-studies you can find on Cochrane that there are usually much worse outcomes and long-term effects on the broad population when misdiagnosed by overdiagnosing than just simply saving an extra 0.01% (not real number)

the same reason why for example now there is an advocacy to end yearly mammograms on older women, because the number of them saved by that practice is inferior to the ones that are misdiagnosed and then put under other unnecessary medical practices that end up hurting more by unnecessary practices on a lot of them that would have never developed a cancer or under pressure to the ones that no one will be able to save no matter how sooner they got the diagnostic.

infinite constant and unnecessary medical tests are not the way for now, maybe in the future, but not now.


Isn't this more a product of relative rarity of this type of imaging & average doctor not knowing how to react properly other than escalation?

Not every speck on an image should mean cutting someone open or blasting with radiation.

