Safeguard
Tag

incident-reporting

Safeguard articles tagged "incident-reporting" — guides, analysis, and best practices for software supply chain and application security.

13 articles

Compliance

NIS2 Directive explained: the software and supply-chain obligations

NIS2 rewired EU cybersecurity law around supply-chain security, vulnerability handling, and 24-hour incident reporting. Here is who is in scope and what your software teams now have to prove.

Jul 1, 20267 min read
Regulatory Compliance

NIS2's First Enforcement Wave (May 2026): What the Early Proceedings Tell Compliance Teams

By May 2026 the first NIS2 enforcement actions are surfacing across early-transposing member states, starting with registration and notification failures. We analyze what authorities are pursuing first and how to build evidence that survives the escalation.

May 20, 202611 min read
Regulatory Compliance

UK Cyber Security and Resilience Bill (May 2026): Report Stage, Supply Chain, and the 24-Hour Clock

By May 2026 the UK's Cyber Security and Resilience Bill has cleared Commons committee and is heading to Report stage. We analyze its expanded scope, the 24-hour incident reporting requirement, and the supply chain obligations software vendors should prepare for.

May 18, 202611 min read
Regulation

EU AI Act Article 73: Serious Incident Reporting from August 2026

Article 73 of the AI Act requires high-risk AI providers to report serious incidents within 15 days, with shorter clocks of 2 days for critical infrastructure and 10 days for death.

May 4, 20267 min read
Compliance

DORA Compliance for Fintech Engineering Teams

DORA has applied since January 2025. For engineers that means ICT asset inventories, 4-hour incident classification, TLPT, and a register of every software supplier.

Apr 15, 20266 min read
Compliance

CIRCIA Final Rule: Reporting Thresholds and Covered Entities

CISA pushed the CIRCIA final rule to May 2026. We unpack the dual-track threshold structure, the 72-hour and 24-hour timers, and what the 300,000-entity scope means.

Mar 11, 20266 min read
Regulation

CRA Article 14: 24-Hour Early Warning and 72-Hour Reporting Explained

Article 14 of the Cyber Resilience Act mandates dual notifications to coordinating CSIRTs and ENISA within 24 hours of awareness. Reporting starts 11 September 2026.

Mar 4, 20266 min read
Regulation

ENISA's CRA Single Reporting Platform Goes Live September 2026

From 11 September 2026, every CRA manufacturer must file a 24-hour early warning of actively exploited vulnerabilities through one ENISA-operated portal — and the platform is being built right now.

Mar 4, 20267 min read
Regulation

CIRCIA Final Rule Slips to May 2026: What Changes

CISA pushed the CIRCIA final rule deadline from October 2025 to May 2026, citing 24,000 public comments and harmonization work with other federal cyber reporting frameworks.

Oct 2, 20255 min read
Compliance

NIS2 Directive: What EU Software Vendors Must Do Now

NIS2 is in force, transposition is late in half the EU, and the obligations bind anyway if you're in scope. The supply chain security and 24-hour reporting duties, decoded.

Jul 8, 20256 min read
Regulation

FAR CUI Proposed Rule: An 8-Hour Clock and a Government-Wide Standard

The January 15, 2025 FAR CUI rule extends NIST SP 800-171 to every federal contractor and adds an 8-hour incident reporting clock for non-federal facilities.

Apr 8, 20256 min read
Compliance

SEC Cyber Disclosure Rules: What Public Companies Must Do Now

The SEC's new cybersecurity disclosure rules require public companies to report material incidents within four days. Here's the operational impact.

Dec 15, 20236 min read
incident-reporting — Safeguard Blog