Today's Focus: Cybersecurity, Data Security & Cloud Security
Today's Top Story
EU Cyber Resilience Act Conformity Rules Now in Force
The EU Cyber Resilience Act (Regulation (EU) 2024/2847) crossed its first hard milestone on 11 June: Chapter IV now applies, so Member States must designate notifying authorities and may begin designating the conformity assessment bodies that will certify high-criticality products. The clock for manufacturers is now running. Vulnerability and incident reporting obligations for products with digital elements apply from 11 September 2026 — 88 days out — and Member States are expected to have enough notified bodies in place by 11 December to avoid a CE-marking bottleneck. Any manufacturer selling connected products into the EU should map products to CRA criticality classes now and lock in a route to conformity.
Also Today
Commission takes France and Spain to the EU Court over NIS2. The European Commission has referred both Member States to the Court of Justice for failing to fully transpose the NIS2 Directive (EU 2022/2555), the final infringement stage after reasoned opinions to 19 states. Cross-border entities should assume active supervision in already-transposed jurisdictions and watch laggards for sudden adoption. Source
FedRAMP "Authorized" becomes "Certified" under CR26. FedRAMP is finalizing its Consolidated Rules for 2026: approved cloud services will be labeled "FedRAMP Certified," and GSA has confirmed the 20x authorization model is permanent. The 20x submission pipeline is expected to open in Q4 FY2026. CSPs should align documentation to the new terminology and prep 20x materials. Source
CISA reopens CIRCIA town halls — starting today. CISA's rescheduled CIRCIA rulemaking town halls run 15–18 June after the spring DHS-shutdown delay, signalling the final reporting rule will likely slip past May. The rule would require 72-hour incident and 24-hour ransom-payment reporting. Critical-infrastructure entities should register for their sector session. Source
UK bill pulls data centres into regulatory scope. The UK Cyber Security and Resilience Bill, progressing through Parliament toward Royal Assent later this year, reclassifies data centres as essential services (1MW standalone / 10MW enterprise IT thresholds) and brings managed-service and cloud-support firms directly under regulation for the first time. Source
⏰ Deadline Radar
1 July (16 days): Vietnam Law on Cybersecurity 2025 takes full effect
11 September (88 days): EU CRA product vulnerability/incident reporting obligations apply
30 September (107 days): FedRAMP Rev 5 machine-readable authorization packages required
One Thing to Do Today
Map your products with digital elements to their EU CRA criticality classes and identify your notified-body route to CE marking — before the 11 September reporting obligations land.
Tomorrow's Focus
Privacy & personal data protection — the latest on global privacy enforcement and data-protection rulemaking.
CyberEyeQ — Actionable Regulatory Intelligence
Questions or tips: [email protected]