
CISA ends fixed patch deadlines for federal agencies

CISA's Binding Operational Directive 26-04 is now in force (issued 10 June 2026), replacing uniform severity-based patching deadlines with a risk-based model. Agencies must triage vulnerabilities against four variables — asset exposure, Known Exploited Vulnerabilities (KEV) status, exploit automatability, and post-exploitation impact. The highest-risk combination must be remediated within 3 days plus a forensic compromise check; low-risk flaws can wait for the next upgrade. BOD 26-04 consolidates and replaces BOD 19-02 and BOD 22-01. It binds federal civilian agencies but signals CISA's expected baseline for critical-infrastructure operators too.

Also Today

FedRAMP CR26 release lands at end of June. The Consolidated Rules for 2026 — in public preview since 4 May — publish at month's end, effective 31 December. CR26 renames "authorization" to "certification" and swaps Low/Moderate/High impact levels for Certification Classes A–D. CSPs and 3PAOs: review the preview and pick your Rev5-vs-20x path before release.

NIS2 first compliance audits due 30 June in transposed states. Essential and important entities face their first formal NIS2 audit by 30 June — but the date is set by each Member State's transposition law, not by a single EU-wide cutoff. Maximum fines are €10M or 2% of global annual turnover for essential entities (€7M or 1.4% for important entities). Confirm the national deadline that applies to you and assemble your first-audit evidence now.

Vietnam's Law on Cybersecurity 2025 takes full effect 1 July. Law No. 116/2025/QH15 consolidates network-security, data and critical-system obligations. Vietnam-exposed operators: confirm registration and localisation obligations are met.

EU Cyber Resilience Act reporting go-live is 81 days out. Manufacturers' duty to report actively exploited vulnerabilities and severe incidents affecting product security applies from 11 September, via a 24-hour early warning, a 72-hour notification and a 14-day final report submitted to ENISA and the CSIRT designated as coordinator in the Member State of the manufacturer's main establishment. Identify that CSIRT and stand up the reporting workflow now.

Deadline Alert

30 June 2026 (8 days) — NIS2 first compliance audit (per transposed Member State); FedRAMP CR26 release
1 July 2026 (9 days) — Vietnam Law on Cybersecurity 2025 takes full effect

One Thing to Do Today

Re-base your vulnerability-management policy on risk, not just severity. Even outside the federal sector, map your patch SLAs to BOD 26-04's four variables — exposure, KEV status, automatability, impact — so that an internet-facing, actively exploited, automatable, high-impact flaw gets a 72-hour clock instead of the generic 30-day window a severity-only policy would give it.
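One way to turn that policy into a triage step, as an added example that is not part of the directive or of this briefing: the script below reads a KEV-format feed (same field names as CISA's JSON catalog, but a constructed excerpt with placeholder CVE IDs), evaluates each finding against the four variables, and assigns a due date. Only the top tier (all four variables adverse, 3 days plus a compromise check) and the bottom tier (wait for the next upgrade) come from the directive summary above; the 14-day and 30-day middle tiers, the `Finding` fields and the sample findings are this example's assumptions.

```python
"""Risk-based patch SLA triage on the four BOD 26-04 variables.

Added example. Tier thresholds other than the top and bottom ones are
assumptions, not text from the directive.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed excerpt in the shape of CISA's KEV JSON feed: a "vulnerabilities"
# list with a "cveID" per entry. The CVE IDs are placeholders, not real entries.
KEV_FEED_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCo", "product": "Gateway"},
  {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCo", "product": "Agent"}
]}"""


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    internet_exposed: bool  # variable 1: asset exposure
    automatable: bool       # variable 3: exploit automatability (assumed meaning:
                            # no auth, no user interaction, public exploit code)
    high_impact: bool       # variable 4: post-exploitation impact (assumed meaning:
                            # code execution, credential or data access)


def load_kev_ids(feed_json: str) -> frozenset[str]:
    """Return the CVE IDs present in a KEV-format feed (variable 2: KEV status)."""
    return frozenset(v["cveID"] for v in json.loads(feed_json)["vulnerabilities"])


def triage(f: Finding, kev_ids: frozenset[str]) -> tuple[str, int | None, bool]:
    """Map one finding to (tier, SLA in days or None for 'next upgrade',
    compromise-check required).

    Top tier: all four variables adverse -> 3 days plus a forensic compromise
    check (from the directive summary). Bottom tier: next scheduled upgrade.
    The 14- and 30-day tiers in between are this example's assumption.
    """
    in_kev = f.cve in kev_ids
    if f.internet_exposed and in_kev and f.automatable and f.high_impact:
        return "critical", 3, True
    if in_kev and (f.internet_exposed or f.automatable):
        return "high", 14, False
    if f.internet_exposed and f.high_impact:
        return "medium", 30, False
    return "low", None, False


def build_schedule(findings: list[Finding], feed_json: str, today: date) -> list[dict]:
    """Triage every finding and return a work queue, highest risk first."""
    kev_ids = load_kev_ids(feed_json)
    rows = []
    for f in findings:
        tier, days, check = triage(f, kev_ids)
        due = (today + timedelta(days=days)).isoformat() if days is not None else "next upgrade"
        rows.append({"cve": f.cve, "asset": f.asset, "tier": tier,
                     "due": due, "compromise_check": check})
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    return sorted(rows, key=lambda r: order[r["tier"]])


# Constructed sample findings (asset names and flags are illustrative).
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "edge-vpn", internet_exposed=True, automatable=True, high_impact=True),
    Finding("CVE-0000-0002", "build-agent", internet_exposed=False, automatable=True, high_impact=True),
    Finding("CVE-0000-0003", "public-web", internet_exposed=True, automatable=False, high_impact=True),
    Finding("CVE-0000-0004", "lab-printer", internet_exposed=False, automatable=False, high_impact=False),
]

if __name__ == "__main__":
    for row in build_schedule(SAMPLE_FINDINGS, KEV_FEED_JSON, date(2026, 6, 22)):
        print(row)
```

Swap the constructed feed for the live KEV catalog and the sample list for your scanner export, and the output is a queue you can hand to ticketing: the `critical` rows carry a three-day date and a `compromise_check` flag, the `low` rows carry no date at all.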

Tomorrow's Focus: Privacy and personal data protection — enforcement actions, new state laws, and cross-border transfer developments.
