Upcoming Dates

Key dates for the vulnerability disclosure and security research community: policy comment deadlines, regulations, CFPs, and international developments.

A continually updated reference for the vulnerability disclosure and security research community. Dates are organized by category and updated weekly alongside Policy Pulse.

Last updated: April 14, 2026


Policy Comment Deadlines

May 6, 2026 — NIST CSF 2.0 Quick-Start Guide comment period closes
Public comment on draft guidance integrating CSF 2.0 with enterprise risk management and workforce practices. VDP advocates can push for explicit references to ISO/IEC 29147 and 30111 coordinated disclosure standards. NIST CSRC


Regulations Coming Into Effect

Jun 1, 2026 — Australia ransomware reporting civil penalties
Civil penalty provisions take effect under Cyber Security Act 2024. Businesses with AUD $3M+ turnover must report ransomware payments within 72 hours. Cyber Security Act 2024

Jun 11, 2026 — EU Cyber Resilience Act conformity assessment framework applies
Legal framework for notified bodies activates, setting certification infrastructure for products with digital elements. EC CRA Implementation

Jul 1, 2026 — Queensland mandatory data breach notification (local govt)
Local government obligations commence under QLD mandatory data breach scheme. QLD OIC guidance

Aug 2, 2026 — EU AI Act high-risk system obligations
High-risk AI system rules, transparency obligations, and national enforcement begin. Security researchers gain formal engagement pathways for AI conformity assessments. EU AI Act

Aug 30, 2026 — EU CRA Type A horizontal standards compliance deadline
Product manufacturers for horizontal Type A categories must comply with secure-by-design requirements. Hogan Lovells CRA Guide

Sep 11, 2026 — EU Cyber Resilience Act vulnerability reporting
Manufacturers must report actively exploited vulnerabilities: 24-hour early warning, 72-hour full notification, 14-day final report. Reports via Single Reporting Platform to CSIRTs and ENISA. EU CRA

Sep 30, 2026 — CISA 2015 (Cybersecurity Information Sharing Act) expires
Liability protections for sharing cyber threat indicators with the federal government lapse unless Congress renews. Congress.gov

Oct 30, 2026 — EU CRA Type B horizontal & Type C vertical standards compliance
Higher-risk product classes including IoT devices and industrial control systems must meet enhanced cybersecurity requirements. Hogan Lovells CRA Guide

Dec 11, 2026 — EU CRA EUCC Delegated Act due
European Union Common Criteria conformity assessment presumption rules. Sets certification pathway for qualifying products with digital elements. EC CRA

Dec 31, 2026 — UN Cybercrime Treaty signature period closes
74 signatories, 2 ratifications (Qatar, Vietnam). 40 ratifications needed to enter into force. US has declined to sign. Concerns persist about provisions criminalizing good-faith security research. UN Convention Info

Jan 1, 2027 — NY RAISE Act effective
Frontier AI developers (revenue >$500M) must implement safety frameworks with 72-hour incident reporting. Governor Hochul announcement

Dec 11, 2027 — Full EU Cyber Resilience Act application
All CRA obligations apply: secure-by-design, SBOM, VDP, lifecycle support for every product with digital elements on EU market. EC CRA


Conferences, CFPs, and Events

Apr 29, 2026 — ACM CCS 2026 Cycle 2 papers deadline
Conference on Computer and Communications Security, The Hague, Nov 15-19. Final submission opportunity for premier academic security venue. ACM CCS CFP

May 1, 2026 — DEF CON 34 Policy Track CFP deadline
25-minute, 50-minute, and 80-minute slots. Final abstracts and bios due Jun 15 for accepted speakers. Submit via OpenConf

Jun 14-19, 2026 — FIRST Conference 38
Global incident response and vulnerability coordination community gathering, Denver. CFP typically closes Q1. FIRST 2026

Aug 1-6, 2026 — Black Hat USA 2026
Premier commercial security conference, Las Vegas. Research presentations on emerging vulnerabilities and attack techniques. Black Hat

Aug 3-5, 2026 — BSides Las Vegas 2026
Community-driven security conference, now 2.5 days. Proving Ground track for first-time speakers. BSides LV

Aug 6-9, 2026 — DEF CON 34
Las Vegas Convention Center. Policy Village and main tracks covering vulnerability research, coordinated disclosure, and cybersecurity policy. defcon.org

Aug 12-14, 2026 — USENIX Security Symposium 2026
Leading academic security research conference, Baltimore. Peer-reviewed research on systems security and privacy. USENIX Security

Aug 25, 2026 — USENIX Security '27 Cycle 1 papers deadline
First submission cycle for USENIX Security 2027, Denver, Aug 11-13, 2027. Register Aug 18, submit Aug 25. USENIX Security '27

Nov 6, 2026 — IEEE S&P 2027 Cycle 2 abstracts deadline
IEEE Symposium on Security and Privacy, Quebec, Canada, ~May 17, 2027. Papers due Nov 13. IEEE Security

Nov 15-19, 2026 — ACM CCS 2026
Conference on Computer and Communications Security, The Hague. Premier academic venue for computer security research. ACM CCS

Apr 5-8, 2027 — RSA Conference 2027
San Francisco. 2027 CFP expected to open ~June 2026, close ~August 2026 by historical pattern. RSA Conference


International Developments

Feb 2026+ — Budapest Convention Second Additional Protocol entry into force
Hungary became 3rd ratifier Feb 5, 2026. Need 2 more ratifications for entry into force. Speeds cross-border subscriber and traffic data disclosure. CoE Cybercrime

Spring 2026 — UK Crime and Policing Bill Lords stages
Lord Clement-Jones amendment for Computer Misuse Act statutory defence for security researchers. Would be first Five Eyes statutory good-faith protection. UK Parliament

Throughout 2026 — Pall Mall Process Industry Guidelines
27 state signatories drafting commercial cyber intrusion capabilities governance. Industry guidelines distinguish legitimate security research from spyware proliferation. GOV.UK


Pending / TBD (2026)

May 2026+ — CIRCIA final rule
72-hour incident reporting and 24-hour ransomware payment disclosure for 316,000 entities across 16 critical infrastructure sectors. Further delayed by DHS appropriations lapse; no firm date. CISA CIRCIA

2026 — H.R.872 Federal Contractor Cybersecurity Vulnerability Reduction Act
Passed House March 2025; awaiting Senate HSGAC action. Would mandate VDP policies for federal contractors >$250K threshold using federal information systems. Congress.gov H.R.872

2026 — CISA BOD 26-02 edge device replacement
Agencies inventorying end-of-support edge devices (May 5 milestone). Full replacement within 18 months. BOD 26-02

2026 — Machine-readable cybersecurity policy pilot
"Rules-as-code" pilot program for machine-readable policy (CISA/NIST/ONCD/OMB, per EO 14144/14306). EO 14144

2026 — NIST AI Agent Security draft standards
Following 932 RFI submissions (closed March 9). April workshops planned, draft standards expected later in 2026. NIST CAISI

2026 — UK Computer Misuse Act statutory defence
Security Minister Dan Jarvis confirmed government pursuing statutory defence for researchers. Progressing via Crime and Policing Bill. Jarvis keynote

2026 — EU Cybersecurity Act recast
European Commission proposal (January 2026) for ICT supply chain security and enhanced ENISA role. EU proposal


This page is maintained by disclose.io as a community resource. Have a date we should add? Reply to any Policy Pulse issue or reach out on Twitter/X.