Regulation
In-depth guides and analysis on regulation from the Safeguard engineering team.
20 articles
EU AI Act Article 73: Serious Incident Reporting from August 2026
Article 73 of the AI Act requires high-risk AI providers to report serious incidents within 15 days, with shorter clocks of 2 days for critical infrastructure and 10 days for death.
France's NIS2 Transposition: Inside the Resilience Bill
France's Senate passed the Resilience bill on 12 March 2025 — the omnibus law transposing NIS2 and CER — after the Commission's reasoned opinion of 7 May 2025 escalated infringement proceedings.
CRA Article 14: 24-Hour Early Warning and 72-Hour Reporting Explained
Article 14 of the Cyber Resilience Act mandates dual notifications to coordinating CSIRTs and ENISA within 24 hours of awareness. Reporting starts 11 September 2026.
ENISA's CRA Single Reporting Platform Goes Live September 2026
From 11 September 2026, every CRA manufacturer must file a 24-hour early warning of actively exploited vulnerabilities through one ENISA-operated portal — and the platform is being built right now.
UK Cyber Security and Resilience Bill: What Changed November 2025
The UK government published the draft Cyber Security and Resilience Bill on 12 November 2025, bringing over 900 managed service providers and data centres above 1MW into NIS scope.
Germany's NIS2 Transposition: BSI Act in Force December 2025
Germany's NIS2 implementing law took effect 6 December 2025 with no transition period, expanding regulated entities from 4,500 to roughly 29,000 and giving the BSI direct sanction powers.
CRA Product Classes: Implementing Regulation 2025/2392 Technical Descriptions
Commission Implementing Regulation (EU) 2025/2392 was signed on 28 November 2025, setting the technical descriptions for important and critical CRA product categories.
UK CSR Bill: Relevant MSPs and Data Centres Brought Into Scope
The UK Cyber Security and Resilience Bill introduced on 12 November 2025 expands the NIS regime to 900-1,100 managed service providers and large data centres.
CRA Harmonised Standards: Inside CEN-CENELEC JTC 13 and Standardisation Request M/606
Standardisation Request M/606 was accepted in April 2025 with 41 harmonised standards to deliver by Q3 2026 to underpin CRA presumption of conformity.
CRA Open Source Software Stewards: Article 24's Light-Touch Regime
The CRA's open-source software steward concept under Article 24 creates a distinct, lighter set of obligations for foundations and non-profits supporting commercial OSS.
CIRCIA Final Rule Slips to May 2026: What Changes
CISA pushed the CIRCIA final rule deadline from October 2025 to May 2026, citing 24,000 public comments and harmonization work with other federal cyber reporting frameworks.
EU AI Act Article 5: Prohibited Practices Now Enforceable
Article 5 of the EU AI Act became enforceable on 2 August 2025, with administrative fines up to €35 million or 7% of worldwide turnover for prohibited AI practices.