EU’s 24-Hour Security Deadline

Paul Asadoorian
May 21, 2026

Why It Matters

The rule forces rapid vulnerability disclosure, reshaping product security processes and exposing non‑compliant vendors to substantial penalties, thereby raising the overall security baseline across the EU.

Key Takeaways

  • EU mandates 24‑hour reporting for actively exploited vulnerabilities.
  • Applies to all hardware connecting to EU networks, wired or wireless.
  • Reports must go to ENISA, customers, and relevant authorities.
  • Manufacturers must rely on threat‑intelligence to detect exploitation.
  • Non‑compliance could trigger penalties under new EU cybersecurity law.

Summary

The European Union will enforce a new cybersecurity rule starting September 11, 2026, requiring any vendor selling hardware that connects to EU networks—whether wired or wireless—to report actively exploited vulnerabilities within 24 hours. The regulation, overseen by ENISA, expands the scope of mandatory disclosure beyond software to include every component, sub‑module, or “Lego‑piece” of a product.

Under the rule, manufacturers must notify ENISA, affected customers, and other designated authorities as soon as they become aware that a vulnerability is being actively exploited. This deadline is far shorter than the United States’ 72‑hour SEC disclosure window, intensifying the pressure on firms to maintain real‑time threat‑intelligence and rapid response capabilities. Because the determination that a vulnerability is “actively exploited” hinges on the vendor’s own detection mechanisms, the rule raises questions about the evidentiary standard such a disclosure must meet.

The speaker highlighted the practical challenges, noting the difficulty of confirming exploitation and the reliance on continuous threat‑intel monitoring. He also pointed out the regulatory ambiguity: “How does the manufacturer know it’s actively exploited?” – a query that remains largely unanswered, leaving firms to err on the side of caution and report any potential exploitation.

For global hardware manufacturers, the 24‑hour clock represents a significant operational shift. Companies must invest in automated vulnerability detection, streamline reporting workflows, and prepare for potential fines or market restrictions for non‑compliance. The rule is poised to raise the overall security baseline across the EU, influencing product design, supply‑chain risk assessments, and cross‑border compliance strategies.

Original Description

The EU Cyber Resilience Act introduces a 24-hour disclosure requirement for actively exploited vulnerabilities affecting connected products sold in Europe.
That includes hardware, firmware, submodules, and software dependencies.
For many organizations, the challenge is not just patching vulnerabilities — it’s detecting exploitation fast enough to satisfy regulators.
The discussion highlights a growing shift toward continuous threat intelligence, supply chain visibility, and real-time compliance pressure.
Can most companies realistically detect and report exploitation within 24 hours, or will this create impossible operational expectations?
Subscribe to our podcasts: https://securityweekly.com/subscribe
#CRA #Compliance #SecurityWeekly #Cybersecurity #InformationSecurity #AI #InfoSec
