Proposed EU Cyber Resilience Act includes a vulnerability disclosure requirement that would have all manufacturers report to the government within 24 hours of first discovered exploitation. In most cases, this would mean disclosing before the vulnerability has been mitigated.

