What about confidentiality aspects in vulnerability reporting and security risks?

The Competent Authority is also required to implement an information security management system. Among the aspects covered by this management system is: the protection of the confidentiality of any information that the competent authority may hold in relation to organisations under its supervision and information received through the organisation’s external reporting systems. See requirement IS.AR.200(a) (9).