Cybersecurity

EEA Joint Committee Decision 9/2026 Incorporates Delegated Regulation (EU) 2025/1455 on L-Category Vehicle Cybersecurity Into Annex II to the EEA Agreement

The EEA Joint Committee has amended Annex II to the EEA Agreement to incorporate EU Delegated Regulation 2025/1455 on technical requirements and testing to protect L-category vehicles against cyberattacks, with the decision entering into force on 7 February 2026. This ensures that manufacturers and importers of L-category vehicles in EEA countries face harmonised cybersecurity expectations with the EU, tightening compliance for vehicle design, testing, and market access planning.

21 May 2026, 06:54eur-lex.europa.euEuropean UnionEuropean Economic Area

Netherlands Health Ministry Sets Applicability Date for New NEN 7510 Edition in Healthcare IT Systems

The Dutch Ministry of Health has formally set 1 June 2026 as the date when the latest NEN 7510 information security standard (parts 1 and 2) becomes applicable to electronic exchange systems and healthcare information systems. Healthcare providers and IT vendors operating these systems in the Netherlands must ensure their information security management aligns with NEN 7510-1:2024 and NEN 7510-2:2024+A1:2026 by that date, potentially requiring system, contract, and governance updates.

20 May 2026, 06:19zoek.officielebekendmakingen.nlNetherlands

US FDA Updates Final Guidance on Cybersecurity in Medical Devices Premarket Submissions

In February 2026, the US FDA issued updated final guidance on cybersecurity in medical devices, aligning expectations with its new Quality Management System Regulation and clarifying how premarket submissions should demonstrate compliance with section 524B of the FD&C Act. Device manufacturers now need to embed cybersecurity into their quality systems and development lifecycles, and be ready to provide robust risk management documentation, software bills of materials, security testing evidence, and lifecycle vulnerability management plans for US submissions involving devices with cybersecurity risk.

18 May 2026, 17:31fda.govUnited States

US FCC Adopts Second EA Integrity Order Strengthening Equipment Authorization Testing and Enforcement

The US FCC has adopted a Second Equipment Authorization Integrity Order that creates a fast-track review channel for devices tested in trusted labs, expands ownership and staffing transparency requirements for test labs and certification bodies, and strengthens post-market surveillance and enforcement, with most changes effective from 15 June 2026. These measures will push manufacturers and test labs toward domestic or reciprocal-economy testing partners, add new reporting and screening obligations, and raise compliance and enforcement expectations across the equipment authorization supply chain.

18 May 2026, 13:21govinfo.govUnited States

UK Reintroduces Cyber Security and Resilience (NIS) Bill at Commons Report Stage

In May 2026 the UK Government reintroduced its Cyber Security and Resilience (Network and Information Systems) Bill for the 2026–27 parliamentary session, publishing an updated text at Commons report stage. If adopted, this legislation would significantly tighten cyber and resilience duties for operators of essential services and critical digital infrastructure, so affected organisations should plan for stronger oversight, incident reporting, and continuity requirements.

15 May 2026, 15:24publications.parliament.ukUnited Kingdom

UK Government Sets Energy and Cyber Security Agenda for Manufacturers in King’s Speech 2026

The 2026 King’s Speech sets out a 35‑Bill programme focused on energy independence, digital resilience and closer EU relations, with a carried‑over Cyber Security and Resilience Bill and new energy measures that matter for manufacturers. For UK manufacturing and critical‑infrastructure suppliers, this signals likely future obligations on cyber‑secure supply chains and a long‑term shift in energy policy, but limited near‑term relief from high energy costs or labour‑market pressures.

15 May 2026, 13:36gov.ukUnited Kingdom

EEA Council Drafts Conclusions on Internal Market, Climate and Digital Frameworks (62nd Meeting)

EU and EEA EFTA ministers have circulated draft conclusions for the 62nd EEA Council that set shared priorities on Internal Market resilience, climate and energy transition, and digital regulation including the DSA, DMA, AI Act, CBAM and EU ETS cooperation in the run-up to the 27 May 2026 meeting. While not creating immediate new obligations, this signals that Iceland, Liechtenstein and Norway are likely to remain closely aligned with EU frameworks on carbon pricing, border adjustment, platforms, AI and health data, so cross-EEA operators should anticipate converging compliance expectations over the coming years.

15 May 2026, 12:44data.consilium.europa.euEuropean UnionEuropean Economic Area

US House Introduces CHARGE Act to Restrict EVs and Charging Components From Foreign Entities of Concern

In May 2026, a US House bill (H.R. 8768, the CHARGE Act) was introduced to amend federal motor vehicle safety law so that electric vehicles, related equipment, and certain charging power-control components linked to a defined “foreign entity of concern” would be treated as noncomplying motor vehicles under Title 49. If adopted, this would significantly tighten US market access for EVs and charging hardware tied to countries of concern, forcing automakers and suppliers to remap supply chains, verify origin of critical electronics, and plan for potential bans on affected products.

15 May 2026, 09:01congress.govUnited States

Germany Cabinet Approves Draft Cyberresilience Regulation Implementing EU Cyber Resilience Act

The German Federal Cabinet has approved a draft Cyberresilienz-Verordnung to implement the EU Cyber Resilience Act, making cybersecurity a mandatory condition for CE marking and designating BSI as the market surveillance authority for products with digital elements. Manufacturers, importers and distributors of connected hardware and software should prepare for stricter security-by-design, conformity assessment and oversight requirements ahead of full CRA application for new products by the end of 2027.

14 May 2026, 19:18bundesregierung.deGermanyEuropean Union

Germany: VCI Launches NIS2 Cybersecurity Webinar Series and Member Guidance

Germany’s NIS2 implementation law is being operationalised through a VCI-led cybersecurity webinar series and member guidance tailored to chemical companies. This provides a practical roadmap for medium-sized operators to meet new governance, reporting, risk-management and lawful AI-use obligations ahead of upcoming compliance deadlines.

11 May 2026, 11:33recht.bund.deGermanyEuropean Union

EU Commission Delegated Regulation 2026/339 Sets 2027 Repeal Of Radio Equipment Cybersecurity Delegated Regulation 2022/30

In April 2026 the EU published Delegated Regulation (EU) 2026/339 setting 11 December 2027 as the repeal date for Delegated Regulation (EU) 2022/30 on radio-equipment cybersecurity. This moves cybersecurity obligations for affected radio equipment onto the horizontal Cyber Resilience Act, giving manufacturers and importers a clear transition window to consolidate compliance under a single EU framework.

3 May 2026, 14:31eur-lex.europa.euEuropean Union

Japan METI Issues Second Edition of Technology Leakage Countermeasures Guidance

Japan’s Ministry of Economy, Trade and Industry has issued a significantly expanded second edition of its non-binding Guidance on Countermeasures Against Technology Leakage, adding detailed chapters on joint research, overseas production, and supplier coordination in line with new economic security expectations. For manufacturers and research-intensive firms in Japan, this guidance effectively raises the bar for governance, partner due diligence, contract design, and cyber and research security around sensitive technologies, signalling closer regulatory scrutiny of export control and technology-management practices over the coming years.

30 Apr 2026, 09:00meti.go.jpJapan

Netherlands RIVM Publishes Inventory of External Threats for Companies Working With Hazardous Substances

The Dutch public health institute RIVM has published a 2026 inventory for the Netherlands Labour Authority identifying six categories of external threats that could trigger major accidents at companies handling hazardous substances. While it does not create new legal obligations, the report offers structured input for incorporating pandemics, natural disasters, infrastructure and cyber failures, violence, and geopolitical shocks into existing safety and major-accident risk management.

28 Apr 2026, 11:50rivm.nlNetherlands

Slovenia Government Committee To Review Draft Regulation Implementing EU Cyber Resilience Act

In April 2026 Slovenia’s government scheduled discussion of a draft national regulation to implement the EU Cyber Resilience Act for products with digital elements, signalling the start of its domestic rulemaking process. This means detailed Slovenian rules on authorities, enforcement and practical CRA compliance for digital products are imminent, so technology and electronics suppliers should closely track this process and prepare for additional national obligations.

25 Apr 2026, 10:49gov.siSlovenia

Swiss Federal Council Moves Toward Stronger Critical Infrastructure Resilience and Data Security

The Swiss Federal Council has instructed the defence ministry and other departments to prepare, by the end of 2026, the key parameters and impact assessment for two federal laws to strengthen the resilience and data security of critical infrastructures. Operators of essential services and public authorities should anticipate future binding requirements on outage resilience and protection of security-relevant digital data, signalling tighter expectations for cyber and infrastructure risk management.

24 Apr 2026, 08:04admin.chSwitzerland

EU Publishes Delegated Regulation 2026/881 on Cybersecurity Grounds to Delay CRA Notifications

The EU has published Delegated Regulation (EU) 2026/881 under the Cyber Resilience Act, setting binding rules on when CSIRTs may delay sharing vulnerability and incident notifications for products with digital elements on cybersecurity grounds. This clarifies how highly sensitive cyber disclosures are handled, giving manufacturers and CSIRTs clearer expectations on confidentiality, timing, and coordination while preserving core notification duties from May 2026 onward.

23 Apr 2026, 14:32eur-lex.europa.euEuropean Union

Minnesota HF 4532 Proposes AI Safety and Disclosure Requirements for AI Developers

Minnesota has introduced HF 4532, the Responsible Artificial Intelligence Safety and Education Act, which would require AI developers to implement documented safety protocols, publish redacted versions, report safety incidents within 72 hours, and face substantial civil penalties and private lawsuits for non-compliance. If enacted, this would create a stringent state-level AI governance regime that technology and data-intensive companies must factor into product design, risk management, and governance of high-risk AI models operating in or from Minnesota.

16 Apr 2026, 15:46revisor.mn.govUnited States

Netherlands Lower House Approves NIS2 and CER Implementation Bills

The Dutch lower house has approved national laws implementing the EU NIS2 and CER directives, creating new cybersecurity and critical-entities resilience regimes that are planned to take effect around the second quarter of 2026. Essential and critical entities in the Netherlands will face duty-of-care, incident reporting and registration obligations and should begin strengthening governance and operational resilience now ahead of final Senate approval and detailed sector designations.

16 Apr 2026, 14:23rijksoverheid.nlNetherlands

UK Parliament Bill To Strengthen NIS Cyber Security Regime Reaches Commons Report Stage

The UK Government’s Cyber Security and Resilience (Network and Information Systems) Bill, now at Commons report stage, would create a new Act that significantly expands and strengthens the existing NIS Regulations 2018 for critical network and information systems. By bringing large data centres, managed and cloud service providers, energy load controllers and designated critical suppliers into a unified, high-penalty cyber resilience regime with national security direction powers, it signals far-reaching future obligations for organisations whose digital infrastructure underpins essential activities.

14 Apr 2026, 12:41publications.parliament.ukUnited Kingdom

US EPA Announces SDWA Section 1433 Webinars on Risk and Resilience Assessments and Emergency Response Plans

US EPA has launched compliance support for community water systems facing mandatory five-year recertification of risk assessments and emergency plans throughout 2026. Operators must integrate cybersecurity and power resilience into their updated filings to align with heightened federal standards for critical infrastructure protection.

6 Apr 2026, 16:35epa.govUnited States