incident-reporting
Safeguard articles tagged "incident-reporting" — guides, analysis, and best practices for software supply chain and application security.
13 articles
NIS2 Directive explained: the software and supply-chain obligations
NIS2 rewired EU cybersecurity law around supply-chain security, vulnerability handling, and 24-hour incident reporting. Here is who is in scope and what your software teams now have to prove.
NIS2's First Enforcement Wave (May 2026): What the Early Proceedings Tell Compliance Teams
By May 2026 the first NIS2 enforcement actions are surfacing across early-transposing member states, starting with registration and notification failures. We analyze what authorities are pursuing first and how to build evidence that survives the escalation.
UK Cyber Security and Resilience Bill (May 2026): Report Stage, Supply Chain, and the 24-Hour Clock
By May 2026 the UK's Cyber Security and Resilience Bill has cleared Commons committee and is heading to Report stage. We analyze its expanded scope, the 24-hour incident reporting requirement, and the supply chain obligations software vendors should prepare for.
EU AI Act Article 73: Serious Incident Reporting from August 2026
Article 73 of the AI Act requires high-risk AI providers to report serious incidents within 15 days, with shorter clocks of 2 days for critical infrastructure and 10 days for death.
DORA Compliance for Fintech Engineering Teams
DORA has applied since January 2025. For engineers that means ICT asset inventories, 4-hour incident classification, TLPT, and a register of every software supplier.
CIRCIA Final Rule: Reporting Thresholds and Covered Entities
CISA pushed the CIRCIA final rule to May 2026. We unpack the dual-track threshold structure, the 72-hour and 24-hour timers, and what the 300,000-entity scope means.
CRA Article 14: 24-Hour Early Warning and 72-Hour Reporting Explained
Article 14 of the Cyber Resilience Act mandates dual notifications to coordinating CSIRTs and ENISA within 24 hours of awareness. Reporting starts 11 September 2026.
ENISA's CRA Single Reporting Platform Goes Live September 2026
From 11 September 2026, every CRA manufacturer must file a 24-hour early warning of actively exploited vulnerabilities through one ENISA-operated portal — and the platform is being built right now.
CIRCIA Final Rule Slips to May 2026: What Changes
CISA pushed the CIRCIA final rule deadline from October 2025 to May 2026, citing 24,000 public comments and harmonization work with other federal cyber reporting frameworks.
NIS2 Directive: What EU Software Vendors Must Do Now
NIS2 is in force, transposition is late in half the EU, and the obligations bind anyway if you're in scope. The supply chain security and 24-hour reporting duties, decoded.
FAR CUI Proposed Rule: An 8-Hour Clock and a Government-Wide Standard
The January 15, 2025 FAR CUI rule extends NIST SP 800-171 to every federal contractor and adds an 8-hour incident reporting clock for non-federal facilities.
SEC Cyber Disclosure Rules: What Public Companies Must Do Now
The SEC's new cybersecurity disclosure rules require public companies to report material incidents within four days. Here's the operational impact.