authentication

2023-09-30 04:20 | Source: compiled from the web | Views: 265

Although from a technical point of view the risk could be considered limited (as suggested by @Daisetsu) if the authentication mechanism is properly implemented, the system is still leaking data.

Going a bit deeper into whether this is a terrible risk or not: it depends on several things, such as:

Is rate limiting in place? After X amount of failed attempts, are requests blocked (or is a captcha shown)?
What is the password policy?
Is multi-factor authentication in place?

You basically have 50% of the credentials and a password guessing attack can be quite simple.

Now I am no General Data Protection Regulation (GDPR) expert, but an email address can, in a specific case, be considered personal data:

It depends whether or not a natural person is identified or identifiable based on the email address. The way persons have structured their email addresses has to be taken into account in order to determine whether the email address can be seen as personal data or not.

Source: https://lawandmore.nl/en/blog-nl-en/email-addresses-and-the-scope-of-the-gdpr/

In other words, it also depends on what country you reside in and what laws are applicable when it comes to personal data.

Can you direct me to appropriate resources that elaborate on valid error messages to be shown or any protocol to be followed for such login scenarios?

In both cases (invalid email address and invalid password), the message should just display something like: "Username and/or password are incorrect."
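As an added illustration (not part of the original answer or thread), the following Python shows the two behaviours the answer contrasts: a login routine whose error text differs between "unknown email" and "wrong password", which is the data leak being discussed, and a hardened routine that returns the single generic message for both outcomes and adds the rate limiting the answer asks about. The account, password and time values are constructed for the example; `FailureTracker`, `hardened_login` and `leaky_login` are names chosen here, not from any library.

```python
import hashlib
import hmac
import os
import secrets
import time
from collections import defaultdict

GENERIC_ERROR = "Username and/or password are incorrect."
LOCKED_ERROR = "Too many failed attempts; please try again later."
MAX_ATTEMPTS = 5          # failed attempts allowed per window
WINDOW_SECONDS = 300      # sliding window (seconds) for counting failures


def _hash_password(password: str, salt: bytes, iterations: int = 50_000) -> bytes:
    # Salted PBKDF2; the iteration count is kept low only to keep the example fast.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_user_store(credentials: dict) -> dict:
    """Build an in-memory store of email -> (salt, hash). Constructed for the example."""
    store = {}
    for email, password in credentials.items():
        salt = os.urandom(16)
        store[email.lower()] = (salt, _hash_password(password, salt))
    return store


# Constructed sample account; hypothetical, not from the original thread.
USERS = make_user_store({"alice@example.com": "correct horse battery staple"})

# Throwaway salt/hash so a lookup for an unknown email still costs one hash
# computation, keeping response time similar to that for a real account.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_urlsafe(16), _DUMMY_SALT)


def leaky_login(email: str, password: str, users: dict = USERS) -> tuple:
    """The pattern the question describes: the error text reveals whether the email exists."""
    key = email.strip().lower()
    if key not in users:
        return False, "No account exists for that email address."
    salt, stored = users[key]
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return False, "Incorrect password."
    return True, "OK"


class FailureTracker:
    """Sliding-window counter of failed attempts per key (here, the submitted email)."""

    def __init__(self, max_attempts: int = MAX_ATTEMPTS, window: int = WINDOW_SECONDS):
        self.max_attempts = max_attempts
        self.window = window
        self._failures = defaultdict(list)

    def _prune(self, key: str, now: float) -> None:
        cutoff = now - self.window
        self._failures[key] = [t for t in self._failures[key] if t > cutoff]

    def is_locked(self, key: str, now: float) -> bool:
        self._prune(key, now)
        return len(self._failures[key]) >= self.max_attempts

    def record_failure(self, key: str, now: float) -> None:
        self._prune(key, now)
        self._failures[key].append(now)

    def reset(self, key: str) -> None:
        self._failures.pop(key, None)


def hardened_login(email: str, password: str, tracker: FailureTracker,
                   users: dict = USERS, now: float = None) -> tuple:
    """Same message for 'unknown email' and 'wrong password', plus a lockout."""
    now = time.time() if now is None else now
    key = email.strip().lower()
    if tracker.is_locked(key, now):
        # Lockout is keyed on the submitted email whether or not it exists,
        # so the lockout message itself does not reveal account existence.
        return False, LOCKED_ERROR
    salt, stored = users.get(key, (_DUMMY_SALT, _DUMMY_HASH))
    computed = _hash_password(password, salt)       # always computed, even for unknown emails
    ok = (key in users) and hmac.compare_digest(computed, stored)
    if not ok:
        tracker.record_failure(key, now)
        return False, GENERIC_ERROR
    tracker.reset(key)
    return True, "OK"


if __name__ == "__main__":
    tracker = FailureTracker()
    print(leaky_login("nobody@example.com", "x"))                      # reveals the email is unknown
    print(hardened_login("nobody@example.com", "x", tracker))          # generic message
    print(hardened_login("alice@example.com", "x", tracker))           # same generic message
```

The `now` parameter exists so the window logic can be exercised deterministically; in production the tracker state would live in shared storage (for example a cache keyed on email and client address) rather than process memory, and a captcha step would be a common alternative to a hard lockout, since the lockout shown here can be triggered against any email by a third party.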
