eu
Safeguard articles tagged "eu" — guides, analysis, and best practices for software supply chain and application security.
12 articles
EU Cyber Resilience Act FAQ: Timelines, SBOMs, and Reporting Duties
A precise FAQ on the EU Cyber Resilience Act in 2026 — what it covers, the phased 2026 and 2027 deadlines, the SBOM requirement, 24-hour vulnerability reporting, risk classes, and penalties.
NIS2's First Enforcement Wave (May 2026): What the Early Proceedings Tell Compliance Teams
By May 2026 the first NIS2 enforcement actions are surfacing across early-transposing member states, starting with registration and notification failures. We analyze what authorities are pursuing first and how to build evidence that survives the escalation.
EU Cyber Resilience Act Vendor Obligations in 2026
The Cyber Resilience Act entered into force in December 2024 with a phased application schedule. The vendor obligations begin to bite in 2026 and accelerate through 2027.
NIS2 Directive Supply Chain Obligations in 2026
NIS2 has been in force across the EU since October 2024, and member state enforcement is now operating in earnest. The supply chain obligations are the ones most organizations underestimated.
ENISA's CRA Single Reporting Platform Goes Live September 2026
From 11 September 2026, every CRA manufacturer must file a 24-hour early warning of actively exploited vulnerabilities through one ENISA-operated portal — and the platform is being built right now.
Germany's NIS2 Transposition: BSI Act in Force December 2025
Germany's NIS2 implementing law took effect 6 December 2025 with no transition period, expanding regulated entities from 4,500 to roughly 29,000 and giving the BSI direct sanction powers.
ENISA Threat Landscape 2025: Supply Chain Section Decoded
ENISA's October 2025 report analysed 4,875 incidents from July 2024 to June 2025 and found phishing led at 60% of intrusions, with supply chain and slopsquatting as fast-growing vectors.
EU NIS2 Directive: Enforcement at One Year
Twelve months after the NIS2 transposition deadline, enforcement is uneven, fines are real, and software supply chain obligations are starting to bite.
DORA Register of Information: Lessons From the First Submission
The 30 April 2025 ESA deadline forced banks and insurers to inventory every ICT contract against 105 prescribed data points — and exposed structural gaps in third-party data.
DORA Operational Resilience: Software Implications
DORA became fully applicable January 17, 2025. Here's what Articles 6, 8, 28, and the ICT third-party RTS mean for the software you build, buy, and operate in the EU.
GDPR Meets CRA: Software Overlap
GDPR Article 32 and the EU Cyber Resilience Act look like separate regimes, but for any software handling personal data they converge at the component level. Here's where they overlap and where they diverge.
GDPR and Software Supply Chain Obligations You Can't Ignore
GDPR's security requirements extend deep into software supply chains. Here's where data protection law meets dependency management.