Upcoming Dates
Key dates for the vulnerability disclosure and security research community: policy comment deadlines, regulations, CFPs, and international developments.
A continually updated reference for the vulnerability disclosure and security research community. Dates are organized by category and updated weekly alongside Policy Pulse.
Last updated: July 12, 2026
Never miss a date:
π Subscribe in your calendar app β an auto-updating feed of every dated entry below (also available as a direct .ics link).
βοΈ Prefer email? Subscribe to Upcoming Dates Weekly for a weekly digest of this page β opt-in, separate from the main blog.
Policy Comment Deadlines
Jul 13, 2026 β NIST IR 8320E IPD: Hardware-Enabled Security for Confidential Computing in Cloud Workloads
Cloud TEE/SGX/SEV guidance β relevant to confidential-computing vulnerability disclosure researchers. NIST CSRC
Jul 23, 2026 β EU AI Act: Targeted Consultation on High-Risk Classification Guidelines (Article 6) closes
Draft Commission guidance on which AI systems β including AI-assisted vulnerability-triage and security tooling β count as "high-risk" and face conformity-assessment and human-oversight duties; consultation deadline extended from Jun 23. European Commission
Jul 31, 2026 β CISA .gov Registrar Information Collection (Docket CISA-2026-0001)
.gov TLD registry program collection β directly relevant to researchers reporting issues against federal .gov domains. Federal Register
Jul 31, 2026 β CISA State and Local Cybersecurity Grant Program Evaluation
Sets metrics influencing how state/local critical-infrastructure VDPs are funded and assessed. Federal Register
Jul 31, 2026 β NIST SP 800-38D Rev. 1: GCM and GMAC (second pre-draft call)
Second pre-draft revision of the GCM/GMAC block-cipher mode (adds wGCM, drops short authentication tags) β foundational crypto guidance for the product-security community. NIST
Jul 31, 2026 β EUCC Agreed Cryptographic Mechanisms (ACM) Version 3.0 β Public Review
ENISA public review of the updated Agreed Cryptographic Mechanisms document (v3.0) under the EU Cybersecurity Certification Scheme on Common Criteria (EUCC) β relevant to cryptographic standards and product security certification in the EU. EU / ENISA
Jul 31, 2026 β NIST NCCoE: Asset Management as a Foundation for OT Cybersecurity β comment period closes
Draft NCCoE project description on OT asset discovery, inventory, and configuration-management practices β relevant to ICS/OT security researchers and vendors handling VDP intake for operational technology. NIST
Aug 14, 2026 β NIST SP 800-219 Rev. 2: Automated Secure Configuration Guidance (macOS Security Compliance Project)
Initial public draft covering automated security assessment and secure baseline configuration for macOS, iOS, and visionOS β opened June 22, 2026; relevant to enterprise and government device security baselines. NIST CSRC
Aug 24, 2026 β NIST SP 800-213 Rev. 1: IoT Product Cybersecurity Guidelines β comment period closes
Draft federal guidance reframing IoT security requirements from "devices" to "products" β relevant to IoT security researchers and VDP programs at vendors selling into the U.S. government. NIST CSRC
Dec 16, 2026 β UK DSIT Software Security Code of Practice: Evaluation Survey
Six-month call for evidence on the UK's voluntary Software Security Code (vulnerability disclosure + reporting expectations on software vendors). gov.uk consultation
Right to Repair
Right to repair and good-faith security research share the same legal battleground: the DMCA Β§1201 anti-circumvention regime and the fight over firmware locks, parts-pairing, and access to diagnostic tools. Wins for repairers routinely widen the space for researchers, and vice versa.
Aug 24, 2026 β DMCA Β§1201 Tenth Triennial Rulemaking: exemption petition deadline
Deadline to petition the Copyright Office for new or renewed circumvention exemptions β covers BOTH the diagnosis/maintenance/repair classes and the good-faith security-research exemption (same proceeding), for the 2027β2030 term. Federal Register notice
Sep 1, 2026 β Texas HB 2963 consumer-electronics Right to Repair takes effect
Texas's law requiring manufacturers to provide parts, tools, and documentation for electronics over $50 goes live β expanding the patchwork that legitimizes independent repair of firmware-bearing devices. H2 Compliance
Sep 28, 2026 β DMCA Β§1201 Tenth Triennial: comments on renewal petitions due
Written comments responding to renewal petitions (including the repair and security-research exemption classes) are due in the Copyright Office's tenth anti-circumvention rulemaking. Copyright Office NewsNet 1088
Dec 31, 2026 β John Deere $99M settlement: offline diagnostic/repair-tool deadline
By this date Deere must let owners and independent repairers run reprogramming and diagnostics in offline mode and access the same tooling as its Dealer Technical Assistance Center β a concrete embedded-firmware access milestone from the April 2026 right-to-repair settlement. The Register
Jan 1, 2027 β Oregon SB 1596 Right to Repair (parts-pairing ban) enforcement begins
Oregon's first-in-the-nation ban on "parts pairing" (software serialization that blocks replacement components) becomes enforceable β directly constraining the firmware-level lockouts researchers and repairers otherwise have to circumvent. Compliance & Risks
Regulations Coming Into Effect
Jul 16, 2026 β New Jersey Data Privacy Act: cure-period sunset
30-day right-to-cure provision sunsets 18 months after Jan 15, 2025 effective date; after this, cure is entirely at AG discretion β enforcement risk for inadequate security/disclosure handling rises sharply. NJ DPA FAQ
Jul 17, 2026 β EU Critical Entities Resilience Directive: critical-entity designation deadline
Member States must formally designate critical entities across 11 sectors; designated entities then have 10 months β compliance by May 2027 β creates a new population needing formal CVD pathways adjacent to NIS2. Commission CER page
Jul 25, 2026 β NIST NVD: action plan due in response to Commerce OIG report
NIST must submit a formal action plan responding to the Commerce Office of Inspector General report on its management of the National Vulnerability Database β an accountability milestone for the CVE/NVD enrichment infrastructure the entire disclosure ecosystem depends on. Help Net Security
Aug 1, 2026 β California DELETE Act / DROP platform: broker compliance enforcement
Registered data brokers must access California's DROP every 45 days to process consumer deletion requests; failure = $200/request/day β DROP itself becomes a high-impact disclosure target. CA DROP
Aug 2, 2026 β EU AI Act: Article 50 transparency obligations enter into application
AI-content labelling and interaction-notice rules go live; enforcement powers under Articles 88-101 activate for GPAI providers (fines up to 3% global turnover). The Digital Omnibus (EP plenary adopted Jun 16, 2026; Council adoption expected Jun 29) did NOT defer Article 50 β only Annex III standalone high-risk systems moved to Dec 2, 2027; Article 50(2) watermarking for pre-market systems has a grace period to Dec 2, 2026. Council of EU
Aug 2, 2026 β California AI Transparency Act (SB 942, as amended by AB 853): core operative date
Large generative-AI providers (>1M monthly CA users) must offer a free public AI-detection tool and embed provenance disclosures in AI-generated content β a new pathway for AI-content authenticity bug reports. CA Legislature
Aug 9, 2026 β CISA BOD 26-04: Prioritizing Security Updates Based on Risk (Phase II)
New directive issued Jun 10, 2026 that revokes BOD 22-01 (the KEV directive) and BOD 19-02, replacing them with an SSVC risk-tiered remediation model; by this date FCEB agencies must update vulnerability-management policies (Phase III remediation follows ~Dec 7, 2026). CISA BOD 26-04
Sep 11, 2026 β EU CRA Article 14: Vulnerability reporting obligations enter into application
Manufacturers of products with digital elements must report actively-exploited vulnerabilities (24h early warning, 72h notification, 14-day final report) via the ENISA Single Reporting Platform β the first global mandatory exploited-vuln reporting clock. EU CRA reporting
Sep 30, 2026 β Cybersecurity Information Sharing Act of 2015 (CISA 2015) sunset
Current reauthorization (extended through Sep 30, 2026 in the Feb 2026 appropriations act) expires β liability protections and antitrust safe harbor for cyber threat-indicator sharing terminate absent further congressional action. Wiley analysis
Oct 1, 2026 β Connecticut SB 5 (AI Transparency, Safety, and Consumer Protection Act)
Bans on AI-enabled discrimination, deepfakes, biometric scraping; mandatory provenance metadata on GPAI outputs >1M MAU β another formal pathway for AI-generated-content authenticity and discriminatory-AI bug reports. CT SB 5
Oct 3-4, 2026 β Australia telecommunications cyber-maturity Level 1 (TSRMP Rules)
Carriers and relevant carriage service providers must reach cyber-maturity indicator Level 1 (Essential Eight, C2M2, or AESCSF Core) under the Telecommunications Security and Risk Management Program (Level 2 for carriers follows Oct 3, 2027). Allens analysis
Nov 10, 2026 β CMMC 2.0 Phase 2: Mandatory Third-Party Certification
DoD contractors handling Controlled Unclassified Information must hold Level 2 CMMC certification from an accredited C3PAO as a condition of contract award β self-attestation is no longer sufficient; approximately 80,000 contractors affected, reshaping how the DIB approaches VDP and vulnerability management. DoD CMMC
Dec 2, 2026 β EU AI Act: Article 50(2) Watermarking Grace Period Closes
Systems placed on the market before August 2, 2026 that generate synthetic audio, image, video, or text content must comply with Article 50(2) watermarking/provenance-marking requirements by this date β the final grace provision from the Digital Omnibus. EU AI Act timeline
Dec 7, 2026 β CISA BOD 26-04: risk-based remediation (Phase III)
Under the new SSVC risk-tiered model, FCEB agencies must remediate vulnerabilities per the directive's risk table; non-CDM agencies report status every 7 days β the operational replacement for the old fixed KEV remediation timelines. CISA BOD 26-04
Dec 9, 2026 β EU Product Liability Directive: Applies to Digital Products
The revised EU PLD (2024/2853) applies to products placed on the market after this date β for the first time, standalone software and digital elements are explicitly "products," and failure to provide security updates can constitute a defect, directly raising the legal stakes of slow patch cycles and inadequate disclosure handling. EU Official Journal
Dec 10, 2026 β Australia Privacy Act: Automated Decision-Making Transparency
New APP 1 obligations from the Privacy and Other Legislation Amendment Act 2024 take effect: Australian entities must disclose in privacy policies how personal information is used in automated decisions that could significantly affect individuals' rights β a transparency requirement touching AI systems that process personal data during security assessments. OAIC guidance
Dec 24, 2026 β EU eIDAS 2.0: Digital Identity Wallets Deployment Deadline
All 27 EU member states must make at least one certified European Digital Identity Wallet available to citizens and businesses β 24 months after implementing acts entered into force Dec 4, 2024; voluntary and free, creating new authentication infrastructure with identity-verification implications for cross-border security research. eIDAS 2.0 timeline
Sep 2026 (target) β CIRCIA Final Rule publication β DELAYED, rulemaking reopened
CISA missed its statutory deadline and reopened the rulemaking: a May 26, 2026 Federal Register notice scheduled town-hall meetings (held Jun 15-18, 2026) to narrow the scope and burden of the April 2024 NPRM before finalizing; CISA's Unified Agenda now targets September 2026, though no final-rule publication date is formally announced and the 18-month effective-date clock will begin on eventual publication. Federal News Network
Jan 1, 2027 β New York RAISE Act
Frontier-model developers (>$500M revenue, >10^26 FLOPs, >$100M compute) must publish safety frameworks pre-deployment and report safety incidents to NY DFS within 72h β first US state-level AI safety-incident reporting channel. Wiley alert
Jan 1, 2027 β Colorado SB 189 (repeal-and-replace of the Colorado AI Act)
Signed May 14, 2026, SB 189 scraps the original Colorado AI Act (whose June 30, 2026 effective date is now defunct) and replaces it with a narrower ADMT transparency/disclosure framework for automated decision systems. CO SB26-189
Jan 1, 2027 β Illinois SB 315 (AI Safety Measures Act)
First US law mandating annual independent third-party AI safety audits of frontier developers, plus AI critical-safety-incident reporting (audit/transparency reporting phases in Jan 1, 2028); passed both chambers May 29, 2026, awaiting the Governor's signature. Transparency Coalition
Jan 1, 2027 β Indiana Consumer Data Protection Act (ICDPA)
20th US comprehensive state privacy law: 100K consumer threshold; "reasonable" admin/technical/physical security required; AG-only enforcement, 30-day cure, $7,500/violation. Indiana Code Title 24 Art. 15
Jan 1, 2027 β Kentucky Consumer Data Privacy Act (HB 15)
Same threshold structure as Indiana; data protection assessments required for processing created/generated after Jun 1, 2026. KY HB 15
Jan 1, 2027 β Louisiana Data Privacy Act (LDPA)
22nd US comprehensive state privacy law: covered businesses must honor consumer access/correction/deletion rights and run data-protection assessments for higher-risk processing, with a 30-day AG cure period through Jul 31, 2027. WilmerHale
Jan 1, 2027 β Texas Responsible AI Governance Act (TRAIGA, HB 149)
Bans manipulative/discriminatory AI; first US state AI law with an explicit safe harbor for internal adversarial testing / red-team exercises β materially lowers legal risk for AI security research in Texas. TX HB 149
Dec 11, 2027 β EU CRA: main obligations apply
The core CRA requirements take effect β secure-by-design, CE marking, SBOMs, mandatory vulnerability handling and security updates across the support period; non-compliant connected products cannot be placed on the EU market after this date. EC CRA implementation
Dec 31, 2030 β EO 14412: Federal post-quantum cryptography migration (key establishment)
Under Executive Order 14412 ("Securing the Nation Against Advanced Cryptographic Attacks"), federal High Value Assets must migrate to post-quantum cryptography for key establishment by this date (digital signatures follow by Dec 31, 2031), with a companion procurement rule pulling federal contractors onto the same clock β years of rushed PQC library swaps will generate a fresh class of cryptographic-implementation bugs entering VDP intake. Federal Register
Conferences, CFPs, and Events
Jul 13, 2026 β Nullcon Berlin 2026 CFP closes
Training runs Nov 2-4 and the main conference Nov 5-6 at The Westin Grand Berlin, with an AppSec/bug-bounty/offensive-research track directly relevant to the VDP community; submit via the Pretalx-hosted form only. Submit
Jul 19, 2026 β BSides NYC 0x05 CFP closes
New York City community security conference; CFP open through 8AM Jul 19, welcoming security-research and disclosure talks. BSidesNYC CFP
Jul 20, 2026 β Hardwear.io Netherlands 2026 CFP closes
Hardware security conference Nov 16-20 at Amsterdam Marriott Hotel; seeks offensive/defensive hardware research covering IoT, embedded, automotive, ICS/SCADA, and medical devices. Submit
Jul 22, 2026 β Black Hat Europe 2026 Briefings CFP closes
Main Briefings call (closes 23:59 GMT; notifications by Sep 25) for the Dec 9-10 conference at ExCeL London, across themes including AI & autonomous threats, cyber conflict, and identity/trust/control. Event page
Jul 24, 2026 β BSides Munich 2026 CFP closes
10th edition, Nov 7 workshops at Hochschule MΓΌnchen and Nov 9 main conference at The Westin Grand Munich; theme "X Marks the Spot!" Submit
Jul 31, 2026 β CODE BLUE 2026 Call for Presentations closes
Tokyo international security conference (main days Nov 17-18); ~45-min talks across Technical, General, Law & Policy, and CyberCrime tracks, submitted via Sessionize; may close early if filled. Submit
Jul 31, 2026 β DEF CON 34 preregistration deadline (late-pricing cutoff)
$600 late-tier preregistration closes 8:59pm EST β the last chance to guarantee a Human badge before the conference reverts to cash-only "LineCon" onsite registration; relevant lead time for anyone planning to attend Policy @ DEF CON / Policy Village in person. Register
Aug 1, 2026 β BSides Frankfurt 2026 CFP closes
Frankfurt, Germany (event Sep 10-11); CFP deadline for the EU security-research community. BSides Frankfurt
Aug 1-6, 2026 β Black Hat USA 2026
Mandalay Bay, Las Vegas; Trainings Aug 1-4, Briefings and Business Hall Aug 5-6 β premier technical security venue with active vulnerability research presentations and policy briefings. Black Hat USA
Aug 3-5, 2026 β BSides Las Vegas 2026
Tuscany Suites, Las Vegas, NV; flagship community security con during hacker-summer-camp week, including the Proving Ground first-time-speaker track. BSidesLV
Aug 5, 2026 β BSides Zadar 2026 CFP closes
Zadar, Croatia (event Sep 11); EU community con. BSides Zadar
Aug 6-9, 2026 β DEF CON 34
Las Vegas Convention Center; theme "Agency" β Policy Village and AI Village confirmed. DEF CON 34 Policy
Aug 10, 2026 β BSides Oslo 2026 CFP closes
Event Oct 29 at Vulkan Arena, Oslo; deadline 23:59 CET. BSides Oslo
Aug 12-14, 2026 β USENIX Security '26
Baltimore, MD; premier academic venue with active disclosure-policy track. Conference page
Aug 19, 2026 β NDSS 2027 Fall Cycle CFP closes
Event March 22-26 2027, Seoul; top-tier network and system security venue for VDP-adjacent research. CFP
Aug 25, 2026 β USENIX Security '27 Cycle 1 paper submission deadline
Event Aug 11-13 2027, Denver (abstract registration Aug 18) β primary academic venue for vulnerability research and disclosure case studies. Conference page
Aug 30, 2026 β DefCamp 2026 CFP Wave 2 closes
16th edition of CEE's largest security conference, Nov 19-20 in Bucharest; Wave 3 (final) closes Oct 15; topics include AI threats, supply chain, and threat modeling. Submit
Aug 31, 2026 β Council of Europe Octopus Conference 2026 registration closes
Registration deadline for the Octopus Conference on cybercrime cooperation (event Oct 14-16, Strasbourg) β key Budapest Convention community venue. Register
Sep 10, 2026 β BSides Belfast 2026
Eighth Northern Ireland BSides event, 600-700 expected attendees across 2+ tracks; CFP already closed but general ticket release opens Jul 14. Tickets/Info
Sep 17, 2026 β BSides St. John's 2026
Holiday Inn Conference Centre, St. John's, Newfoundland and Labrador, Canada; CFP still open on the event site (no separate CFP deadline published β check site directly). Event info / CFP
Sep 30, 2026 β BSides London 2026 CFP closes
All calls (presentations, rookie talks, workshops) close 23:59; conference Dec 12, 2026 at Novotel London West. BSides London
Oct 7-9, 2026 β Wild West Hackin' Fest Deadwood 2026
Deadwood, South Dakota, 15th edition; pre-con training Oct 6-7 β community security conference with strong offensive and defensive research content. WWHF
Oct 9-10, 2026 β c0c0n 2026
Grand Hyatt Kochi, Kerala, India; 19th year β strong APAC voice in vulnerability research and disclosure practice; registration open through Sep 30 (talk CFP closed May 10). Register
Oct 14-16, 2026 β AISA CyberCon Melbourne
Melbourne Convention & Exhibition Centre; Australia's largest cybersecurity conference β principal policy + practitioner stage for ANZ. Register
Oct 14-16, 2026 β Council of Europe Octopus Conference 2026
Council of Europe headquarters, Strasbourg; global cybercrime-cooperation conference anchoring the Budapest Convention community β directly relevant to international computer crime law and security research protections. Event page
Oct 15, 2026 β DefCamp 2026 CFP Wave 3 closes (final)
Final submission wave for DefCamp 2026, Nov 19-20 Bucharest. Submit
Oct 29, 2026 β BSides Oslo 2026
Vulkan Arena, Oslo, Norway; Nordic community security conference. Event
Nov 4-5, 2026 β ENISA European Cybersecurity Skills Conference
Larnaca, Cyprus; EU policy on cyber workforce, certification, and disclosure ecosystem β touches NIS2 / CRA implementation. Event page
Nov 7-9, 2026 β BSides Munich 2026
Hochschule MΓΌnchen (workshops Nov 7) and The Westin Grand Munich (main conference Nov 9); 10th edition. Event
Nov 15-19, 2026 β 33rd ACM CCS 2026
World Forum, The Hague, NL; top-tier academic security conference co-located with European cyber-policy infrastructure. Conference page
Nov 16-20, 2026 β Hardwear.io Netherlands 2026
Amsterdam Marriott Hotel; three days training plus two days conference plus HardPwn CTF β hardware and embedded security community hub for Europe. Event
Nov 17, 2026 β IEEE S&P 2027 Cycle 2 paper deadline
48th IEEE Symposium on Security & Privacy (Montreal, May 2027); abstracts due Nov 10, papers Nov 17 β top-tier venue for VDP/exploitation/policy research. CFP
Nov 17-18, 2026 β CODE BLUE 2026
Bellesalle Takadanobaba, Tokyo; Japan's flagship international security conference β APAC voice in vulnerability research / disclosure norms. Conference page
Nov 18, 2026 β Aspen Cyber Summit
Capital Turnaround, Washington DC; US public-private cyber-policy convening with senior CISA / DOJ / Hill engagement. Event page
Nov 19-20, 2026 β DefCamp 2026
Bucharest, Romania; 16th edition of CEE's largest security conference β 2,000+ experts from 50+ countries. Event
Dec 7-10, 2026 β Black Hat Europe 2026
ExCeL London; EU industry policy + technical track converge here β closest European peer to Black Hat USA for the disclosure community. Event page
Dec 12, 2026 β BSides London 2026
Novotel London West; long-running UK community con with a strong rookie-track pipeline into the research community. BSides London
Dec 27-30, 2026 β 40C3 Chaos Communication Congress
Hamburg Messe, Hamburg; anchor European hacker congress β longstanding free-software, civil-liberties, and disclosure-ethics venue. Event page
Mar 30-Apr 2, 2027 β CVE/FIRST VulnCon 2027 & Annual CNA Summit
Scottsdale, Arizona; annual vulnerability coordination conference co-hosted by CVE Program and FIRST β directly relevant to the CVE ecosystem, CNA coordination, and vulnerability disclosure practitioners. FIRST
Jun 13-18, 2027 β FIRST Annual Conference 2027
Bangkok, Thailand; FIRST's global annual conference for incident response and security teams β premier CERT/CSIRT coordination venue; CFP not yet open. FIRST
Summer 2026 β RSAC 2027 Call for Submissions opens
San Francisco event Apr 5-8 2027; pattern from RSAC26 = July open, ~Aug 18 close. Submissions page
H2 2026 (TBD) β Pall Mall Process next diplomatic conference
Venue not yet public; prior plenaries: London 2024, Paris 2026; Code of Practice on commercial cyber intrusion capabilities now signed by 25 states including the US. Pall Mall Declaration
International Developments
Jul 14, 2026 β UK Cyber Security and Resilience Bill: House of Lords Second Reading
The NIS2-style bill expanding incident-reporting duties to MSPs and data centres has its Lords Second Reading; Royal Assent still expected late 2026, with phased implementation via secondary legislation running through 2028. UK Parliament
Jul 20-24, 2026 β UN Global Mechanism on ICT Security: First Substantive Plenary
New York; new single-track permanent mechanism's first substantive plenary (successor to the OEWG, which concluded July 2025) β the venue for state-level negotiations on cyber norms, application of international law, vulnerability-equities, and capacity building. Process tracker
Sep 28, 2026 β CIRMP Annual Reports due under Australia's SOCI Act
Responsible Entities must submit a board-approved Critical Infrastructure Risk Management Program annual report via the CISC online form within 90 days of FY end (30 June) β locked-in annual cadence for critical-infrastructure cyber risk management programs. CISC online form
Oct 12-15, 2026 β Singapore International Cyber Week (SICW) 2026
Singapore; APAC's premier cybersecurity policy event β ministerial roundtables, GFCE Southeast Asia regional meeting, and GovWare 2026; historically the window for Counter Ransomware Initiative summit announcements. SICW
Nov 9-27, 2026 β ITU Plenipotentiary Conference 2026 (PP-26)
Doha, Qatar; ITU's quadrennial top governance conference attended by all 194 member states β sets the Union's strategic plan, elects leadership, and will address AI security, cybersecurity mandates, and emerging technology governance. ITU PP-26
Nov 13, 2026 β India DPDP Rules: Consent Manager Framework Becomes Operational
Phase 2 of India's Digital Personal Data Protection Rules 2025 (notified November 13, 2025) activates β consent-manager registration and operation under the DPDPA becomes functional; core data fiduciary compliance (Phase 3) follows May 13, 2027; relevant for security researchers handling Indian personal data. IAPP
Dec 2, 2026 β Australia: PJCIS Statutory Review of SOCI Act Must Commence
The Parliamentary Joint Committee on Intelligence and Security must begin its statutory review of the Security of Critical Infrastructure Act no later than this date β will assess the effectiveness of Australia's critical infrastructure regime including cyber incident obligations. Ashurst
Dec 7-11, 2026 β UN Global Mechanism on ICT Security: Dedicated Thematic Groups
New York; first working-level meetings of the permanent UN cyber mechanism's Dedicated Thematic Groups β where the technical detail behind state-level cyber-norm and vulnerability-equities discussions is worked out. Process tracker
Dec 10, 2026 β Australia SOCI: Enhanced CIRMP All-Hazards Compliance
Six-month grace period for the Enhanced Critical Infrastructure Risk Management Program Rules (F2026L00701, commenced June 10, 2026) expires β requiring all-hazards material-risk compliance across nine high-risk asset classes including cyber hazards. cyberassure
Dec 11, 2026 β EU CRA: target for sufficient notified bodies
Member States are to ensure enough notified bodies exist to perform CRA conformity assessments, avoiding market-entry bottlenecks ahead of the main obligations. EC CRA implementation
Dec 31, 2026 β UN Cybercrime Convention (Hanoi) closes for signature
40 ratifications required for entry into force; a handful deposited so far against ~76 signatories β Articles 6-10 risk criminalizing unauthorized-access research without sufficient safeguards. UNODC convention page
Budapest Convention Protocol II β 5th Ratification Watch
Protocol II (CETS 224) requires 5 ratifications to enter into force; currently at 4 (Hungary, Costa Rica among the most recent) β a single additional ratification triggers entry into force, enabling cross-border law enforcement access to stored electronic evidence with direct implications for international CVD investigations. Council of Europe
H2 2026 β UK Computer Misuse Act statutory defence: expected via National Security Bill
The Crime and Policing Act 2026 received Royal Assent Apr 29, 2026 without a CMA statutory defence; a new National Security Bill (announced in the King's Speech May 13, 2026) is the named vehicle β bill not yet introduced to Parliament as of this writing; proposed defence is narrowly scoped (~300 UK Cyber Security Council chartered professionals). Computer Weekly
H2 2026 β Australia SOCI Act: Ministerial Directions Powers + Enhanced CIRMP Rules finalisation
Post-Slay-Review consultation closed May 1, 2026; the package expands sectoral scope and adds broader ministerial directions powers, but no implementation timeframe has yet been proposed. Home Affairs consultation
Q4 2026 β Final NIS2 transposition (France and Ireland outstanding)
25+ of 27 EU member states have now transposed NIS2; Luxembourg transposed May 10, 2026 and the Netherlands passed the Tweede Kamer April 15, 2026 β France (targeting an extraordinary parliamentary session) and Ireland remain the final two states without enacted transposition law. NIS2 transposition tracker
Late 2026 β UK Cyber Security and Resilience Bill: Royal Assent
Following the Jul 14, 2026 Lords Second Reading, the Bill is expected to receive Royal Assent later this year; phased implementation via secondary legislation runs through 2028 β expands NIS scope to MSPs and data centres. Bill stages
Late 2026 β EU Cybersecurity Reserve operational under Cyber Solidarity Act
ENISA-operated β¬36M reserve of trusted incident-response providers; formal stand-up targeted end-2025 but provider onboarding and operational ramp has extended into 2026. ENISA Cybersecurity Reserve
Late 2026 (unconfirmed) β Counter Ransomware Initiative 6th Summit
5th Summit held in Singapore Oct 2025; 6th summit host and date not yet announced β historically annual at Oct/Nov, likely co-located with SICW 2026 (Oct 12-15, Singapore). CRI
Oct 2026 + ~Nov 2026 (targets) β Japan Active Cyber Defence Law: core provisions in force
Core incident-notification/reporting provisions for designated critical infrastructure target Oct 2026, with the incident-reporting obligation around Nov 2026 β the first hard compliance phase ahead of full effect in 2027 (government countermeasure powers ~Nov 2027). Baker McKenzie analysis
2026-2027 β Pall Mall Process Industry Guidelines drafted
Stakeholder consultation closed Jan 16, 2026 (NCSC explicitly sought input from vulnerability researchers); the Industry Guidelines for commercial cyber intrusion capabilities are now in drafting β affects offensive-tool vendor due diligence with indirect effects on legitimate research tooling. GOV.UK consultation
TBD (designation dates not yet set) β Canada: Critical Cyber Systems Protection Act (Bill C-8) coming into force
Royal Assent received Jun 15, 2026 (telecom-related amendments took immediate effect); substantive obligations for designated critical-infrastructure operators phase in gradually via future Governor-in-Council regulations and designations β designated operators get 90 days from designation to stand up cybersecurity programs, but no designation dates are set yet. Revives the reform previously known as Bill C-26, which died on the order paper in early 2025. The Deep Dive
Pending / TBD (2026)
Jul 2026 β Ofcom Online Safety Act: Categorisation Register publication
Determines which services face Category 1/2A/2B duties β indirectly affects vulnerability-reporting expectations for designated services. Ofcom roadmap
Sep 30, 2026 β WIMWIG Act (H.R. 5079): CISA 2015 reauthorization vehicle
Garbarino's Widespread Information Management for the Welfare of Infrastructure and Government Act would renew the lapsing Cybersecurity Information Sharing Act of 2015; cleared House Homeland Security (25-0) but awaits a House floor vote, with the Senate companion stalled, before the Sep 30 deadline β the core federal liability/info-sharing framework underpinning coordinated disclosure. H.R. 5079
H2 2026 β H.R. 872 / S. 1899 (Federal Contractor Cybersecurity Vulnerability Reduction Act)
H.R. 872 passed the House (Mar 2025) and is with the Senate (companion S. 1899, no committee action yet); would mandate FAR-level VDPs (NIST / ISO 29147 & 30111) for federal contractors β likely to ride the FY27 NDAA; single largest VDP expansion since BOD 20-01. H.R. 872
H2 2026 β FY27 NDAA (H.R. 8800): Title XV cyber provisions
House Armed Services reported the bill after its Jun 4, 2026 markup; Senate Armed Services completed its markup Jun 11 (18-9); both bills head to floor votes then conference in the fall β historically the highest-leverage federal vehicle for VDP-related amendments and DoD/DIB-VDP expansion. H.R. 8800
H2 2026 β Active Cyber Defense Certainty Act (ACDC)
Reintroduced May 18, 2026 with 15 bipartisan co-sponsors (Graves/Gottheimer); referred to House Judiciary, no markup scheduled β most significant CFAA amendment proposal in years, creating a "hack back" carve-out with FBI pre-notification and direct implications for the boundary between defensive research and unauthorized access. Sponsor release
Summer 2026 β Great American AI Act (discussion draft, ObernolteβTrahan)
Bipartisan House discussion draft released Jun 4, 2026: a federal frontier-AI framework with critical-safety-incident reporting (15 days; 24 hours for imminent harm), whistleblower protections, a Cybersecurity title, and a contested 3-year preemption of state AI-development laws β not yet formally introduced. Sponsor release
H2 2026 β Australia Privacy Act Tranche 2 exposure draft expected
AG confirmed Tranche 2 is progressing (fair-and-reasonable test, GDPR-style individual rights) β a privacy-tort cause of action would change the legal risk calculus for researchers handling personal data during disclosure. Privacy Act review
H2 2026 β California SB 53: Transparency in Frontier AI Act enforcement build-out
In force from Jan 1, 2026; first annual transparency reports due 2026; Cal OES critical-incident-reporting infrastructure stands up across H2 β creates a researcher/employee disclosure channel distinct from CFAA. CA SB 53
2026 β EU AI Act Annex III High-Risk Systems: compliance deferred to Dec 2, 2027
The Digital Omnibus (EP plenary Jun 16, 2026; Council adoption expected Jun 29) defers compliance for standalone Annex III high-risk AI systems (recruitment, credit scoring, law enforcement, education, border control) from the original Aug 2, 2026 statutory date to Dec 2, 2027; Annex I embedded high-risk systems move further to Aug 2, 2028; Article 50 transparency obligations were NOT deferred. Gibson Dunn
This page is maintained by disclose.io as a community resource. Have a date we should add? Reply to any Policy Pulse issue or reach out on Twitter/X.