EU breach meets product‑liability rules
The European Commission has confirmed a breach that exposed roughly 350GB of Europa.eu data, claimed by the ShinyHunters group, just as the EU rolls out the Cyber Resilience Act, which treats software security as a product‑liability matter and requires SBOMs. The UK is in parallel updating its Cyber Security and Resilience Bill, signalling tougher upstream obligations for vendors selling into Europe. (bleepingcomputer.com) (securityboulevard.com) (commonslibrary.parliament.uk)
The Commission says it discovered the intrusion on 24 March and published a press notice on 27 March stating that early findings “suggest that data have been taken” while its internal systems were not affected. (ec.europa.eu) Security reporting links the incident to at least one compromised Amazon Web Services account, and AWS told reporters the cloud provider did not experience a service breach, attributing the event to compromised account credentials. (bleepingcomputer.com) A threat actor claiming responsibility has posted a dark‑web listing for about 350GB of Commission files and supplied screenshots plus a SHA256 checksum that independent outlets used to corroborate parts of the claim. (cybernews.com)

The Cyber Resilience Act (Regulation (EU) 2024/2847) entered into force on 10 December 2024, and its core market obligations are staged to apply from 11 December 2027. (eur-lex.europa.eu) The Commission released draft implementation guidance on 13 March 2026 to help industry and market surveillance authorities operationalise CRA requirements ahead of full application. (dlapiper.com)

Germany’s BSI technical guideline TR‑03183, published in parts, defines SBOM structure and metadata and maps the required fields to the SPDX and CycloneDX formats, with Part 2 providing the formal SBOM specification. (bsi.bund.de)

Article 14 of the CRA obliges manufacturers to notify ENISA and the designated CSIRT of actively exploited vulnerabilities via the Single Reporting Platform, with an early‑warning submission within 24 hours and a follow‑up detailed report within 72 hours. (zealience.com)

The UK’s Cyber Security and Resilience (NIS) Bill, as summarised by the House of Commons Library and updated on the parliamentary bills portal in March 2026, expands scope, tightens incident‑reporting duties and increases upstream obligations and enforcement powers for vendors selling into the UK market. (commonslibrary.parliament.uk)