Upcoming Dates
Key dates for the vulnerability disclosure and security research community: policy comment deadlines, regulations, CFPs, and international developments.
A continually updated reference for the vulnerability disclosure and security research community. Dates are organized by category and updated weekly alongside Policy Pulse.
Last updated: May 23, 2026
Policy Comment Deadlines
May 28, 2026 — CISA KEV nomination form intake (rolling)
CISA's new public nomination form for the Known Exploited Vulnerabilities catalog is now open on a rolling basis. Vendors, researchers, and anyone else with exploitation evidence can submit candidate CVEs. First documented public intake into KEV. Qualtrics nomination form
May 30, 2026 — NIST CSF 2.0 implementation examples comment period closes
Submit practitioner feedback on AI-profile implementation examples for the NIST Cybersecurity Framework 2.0. NIST CSRC
Jun 1, 2026 — NIST SP 1800-40 Automation of Cryptographic Module Validation draft closes
Submit feedback on automation of cryptographic module validation. NIST CSRC
Jun 11, 2026 — EU CRA notifying authority designations due
EU member states must notify the Commission of designated conformity-assessment bodies under the Cyber Resilience Act. CRA portal
Jun 12, 2026 — NIST SP 800-230 Additional SLH-DSA Parameter Sets draft closes
Submit feedback on additional SLH-DSA parameter sets for stateless hash-based digital signatures. NIST CSRC
Jun 15, 2026 — TSA Cybersecurity Measures for Surface Modes comments close
Submit comments on cybersecurity requirements for surface transportation. Federal Register
Jun 16, 2026 — NIST SP 800-133 Rev. 3 Cryptographic Key Generation draft closes
Submit feedback on NIST's cryptographic key generation guidelines. NIST CSRC
Jun 30, 2026 — EU member states NIS2 first compliance audit deadline
Designated essential and important entities must complete their first NIS2 compliance audit cycle. NIS2 directive
Rolling — CISA KEV catalog updates
Six updates landed in the two weeks prior to May 21. FCEB agencies track BOD 22-01 remediation deadlines per individual KEV entry. KEV catalog
Regulations Coming Into Effect
May 2026 — CIRCIA final rule (targeted publication)
CISA's Cyber Incident Reporting for Critical Infrastructure Act final rule targeted for publication in May 2026 after virtual town halls between March 9 and April 2 absorbed harmonization feedback. Estimated covered population over 300,000 entities across 16 critical infrastructure sectors. Once published, 72-hour incident and 24-hour ransom-payment reporting clocks apply. Federal Register
Jun 1, 2026 — Australia ransomware reporting civil penalties
Australia's mandatory 72-hour ransomware payment reporting transitions to active enforcement with civil penalties up to AUD 19,800. Australian Government
Jun 11, 2026 — EU Cyber Resilience Act conformity assessment framework applies
The CRA conformity assessment framework begins applying to products with digital elements. European Commission
Jun 19, 2026 — UK Data (Use and Access) Act complaints procedure deadline
Deadline for organizations to put in place complaints procedures under the Data (Use and Access) Act. ICO
Jul 1, 2026 — Queensland mandatory data breach notification (local govt)
Queensland's mandatory data breach notification requirement extends to local government. QLD OIC
Aug 2, 2026 — EU AI Act high-risk system and GPAI obligations
High-risk AI system and General-Purpose AI obligations under the EU AI Act take effect. European Commission
Aug 30, 2026 — EU CRA Type A horizontal standards compliance deadline
Manufacturers must comply with CRA Type A horizontal harmonized standards. Hogan Lovells
Sep 11, 2026 — EU Cyber Resilience Act vulnerability reporting begins
Manufacturers placing products with digital elements on the EU market must report actively exploited vulnerabilities through the CRA Single Reporting Platform: 24-hour early warning, 72-hour notification, 14-day final report after corrective measure. All products on market before December 11, 2027 are in scope. Largest single expansion of mandatory CVD intake in years. European Commission
Sep 30, 2026 — CISA 2015 (Cybersecurity Information Sharing Act) sunsets
Liability protections for cybersecurity information sharing expire absent further congressional action. Congress
Oct 30, 2026 — EU CRA Type B horizontal and Type C vertical standards compliance
Manufacturers must comply with CRA Type B horizontal and Type C vertical harmonized standards. Hogan Lovells
Dec 11, 2026 — EU CRA EUCC Delegated Act due
The Commission's delegated act adopting the European Cybersecurity Certification Scheme (EUCC) for CRA is due. European Commission
Dec 31, 2026 — UN Cybercrime Treaty signature period closes
The UN Convention Against Cybercrime closes for signature. UN
Jan 1, 2027 — NY RAISE Act effective
New York's RAISE Act AI safety framework requirements take effect. NY Governor
Oct 2027 — US Copyright Office Tenth Triennial Section 1201 Proceeding opens
Plan now: AI trustworthiness research carve-out is the active community ask for the 2027 cycle. Section 1201 Proceedings
Dec 11, 2027 — Full EU Cyber Resilience Act application
Full application of CRA obligations across all in-scope products with digital elements. European Commission
Conferences, CFPs, and Events
May 19-22, 2026 — AUSCERT 2026
Australia's leading cybersecurity conference. Gold Coast. Register
Jun 2-3, 2026 — WEIS 2026
Workshop on the Economics of Information Security. UC Berkeley. Details
Jun 13, 2026 — BSides Leeds 2026
Community-driven security conference. Leeds. Details
Jun 14-19, 2026 — FIRST Conference 38
Annual incident response and PSIRT conference. Denver. Details
Jun 22-26, 2026 — TROOPERS26
Heidelberg-based deep technical security conference. Details
Jun 26-28, 2026 — leHACK 2026
French hacker conference. Paris. Details
Aug 1, 2026 — BSides London 2026 CFP opens
BSides London 2026 paper submission window opens. Submit
Aug 1-6, 2026 — Black Hat USA 2026
Annual Black Hat USA conference. Las Vegas. Register
Aug 3-5, 2026 — BSides Las Vegas 2026
BSides Las Vegas community conference. Details
Aug 6-9, 2026 — DEF CON 34
DEF CON 34. Las Vegas. Details
Aug 12-14, 2026 — USENIX Security Symposium 2026
USENIX Security Symposium. Baltimore. Details
Aug 19, 2026 — NDSS 2027 Fall cycle papers deadline
Submit papers for NDSS 2027 fall cycle. San Diego. Submit
Aug 25, 2026 — USENIX Security '27 Cycle 1 papers deadline
First cycle for USENIX Security '27 paper submissions. Denver. Submit
Nov 6, 2026 — IEEE S&P 2027 Cycle 2 abstracts deadline
Second-cycle abstracts due for IEEE S&P 2027. Quebec. Details
Nov 15-19, 2026 — ACM CCS 2026
ACM Conference on Computer and Communications Security. The Hague. Details
Nov 18, 2026 — Aspen Cyber Summit 2026
Annual Aspen Cyber Summit. Washington DC. Details
Jan 19, 2027 — USENIX Security '27 Cycle 2 registration deadline
Second cycle registration for USENIX Security '27. Denver. Submit
Apr 5-8, 2027 — RSA Conference 2027
Annual RSA Conference. San Francisco. Details
International Developments
Feb 2026+ — Budapest Convention Second Additional Protocol entry into force
The Second Additional Protocol on enhanced cooperation and disclosure of electronic evidence enters into force as ratifications accumulate. Council of Europe
Spring 2026 — UK Crime and Policing Bill ping-pong (CMA statutory defence)
Crime and Policing Bill returns between Lords and Commons; CyberUp-backed CMA statutory defence amendments under consideration. CyberUp's April 16, 2026 report "Cybersecurity at a Crossroads" sharpens the political case by ranking the UK behind the US, France, and Australia on researcher protections. UK Parliament
Throughout 2026 — Pall Mall Process Industry Guidelines
UK and France-led voluntary code on commercial cyber intrusion capabilities continues to gather state and industry signatories around accountability, precision, transparency, and oversight pillars, with explicit references to the Budapest Convention and UN Cybercrime Convention as anchoring frameworks. UK Government
Jan 2027 — UN Cybercrime Treaty next session (Vienna deadlock)
Vienna talks failed to produce procedural consensus in January 2026; no further sessions scheduled until 2027. Researcher-protection language in the treaty (Articles 6 and 7 carve-outs) remains unresolved. Global Initiative
Pending / TBD (2026)
2026 — UK Cyber Security and Resilience Bill Report Stage
UK CSR Bill expected to reach report stage during 2026. UK Parliament
2026 — H.R.872 Federal Contractor Cybersecurity Vulnerability Reduction Act
US House bill to require VDPs from federal contractors. Congress
2026 — S.3315 Health Care Cybersecurity and Resiliency Act
Senate bill with cybersecurity requirements for the health sector. Congress
2026 — PILLAR Act / S.3251 State and Local Cybersecurity Grant reauthorization
Senate proposal to reauthorize the State and Local Cybersecurity Grant Program. Congress
2026 — American Leadership in AI Act (Lieu / Obernolte)
Bipartisan consolidated AI package combining 20+ prior proposals across six titles, including Rep. Ross's AI Incident Reporting and Security Enhancement Act, which would direct NIST to add AI systems to the NVD and stand up a federal AI vulnerability reporting process in coordination with CISA. Lieu press release
2026 — California SB 898 — mandatory 5-year support windows for connected consumer devices
California bill amending the Unfair Competition Law to require manufacturers of internet-connected consumer devices to disclose and maintain a guaranteed minimum five-year support period from point of sale, with public end-of-life notice requirements and no-cost device replacement obligations for lessors. Amended May 5 and re-referred to Senate Appropriations Committee. The US state-level analog to EU CRA long-term support requirements — directly relevant to VDP programs covering connected consumer hardware sold in California. CalMatters Digital Democracy
2026 — Texas SB 2610 small-business cybersecurity safe harbor
Texas safe harbor for small businesses meeting recognized cybersecurity frameworks. Texas Legislature
2026 — CISA BOD 26-02 edge device replacement
CISA's Binding Operational Directive on replacing end-of-support edge devices. CISA
2026 — Machine-readable cybersecurity policy pilot
Joint CISA/NIST/ONCD/OMB pilot on machine-readable security policy. Federal Register
2026 — NIST AI Agent Security draft standards
NIST CAISI initiative on standards for AI agent security and identity, building on the April 2 NCCoE concept paper RFI. NIST CAISI
2026 — UK Computer Misuse Act statutory defence
UK government continues commitment to a statutory good-faith defence under the Computer Misuse Act 1990. Security Minister Dan Jarvis confirmed in December 2025 the government is exploring this; CyberUp's April 2026 framework (harm-vs-benefit, proportionality, intent, competence) remains the leading proposal text. No bill text yet in 2026. CyberUp
2026 — EU Cybersecurity Act recast
European Commission's recast of the EU Cybersecurity Act (COM(2026) 11) establishing ENISA's mandate, ICT supply-chain security, and simpler certification. Feedback window via "Have Your Say" closed May 19, 2026. European Commission
Rolling 2026 — CISA ED 26-03 Supplemental Direction (Cisco SD-WAN)
Hunt and Hardening Guidance for Cisco SD-WAN systems remains active alongside ongoing KEV updates. CISA
Rolling 2026 — Project Glasswing consortium (Anthropic Claude Mythos Preview)
Anthropic's restricted-consortium model now has formal endorsement from the UK AI Security Institute and Ireland's National Cyber Security Centre, with $100M usage credits and $4M to open-source security work distributed across 50+ critical-software organizations. Cloudflare CISO Grant Bourzikas published a detailed internal-codebase post-mortem ("Project Glasswing: what Mythos showed us") on May 18, 2026. ProMarket has raised antitrust questions; the DOJ/FTC February 2026 joint inquiry on competitor collaborations is the relevant lens. Anthropic Glasswing
This page is maintained by disclose.io as a community resource. Have a date we should add? Reply to any Policy Pulse issue or reach out on Twitter/X.