How do the latest CISA directives affect private sector compliance obligations?

Recent CISA directives influence private sector cybersecurity practices by shaping expectations around vulnerability remediation, critical infrastructure protection, incident reporting, and management of Known Exploited Vulnerabilities (KEVs). Many organisations align with CISA guidance to support cyber resilience, regulatory readiness, cyber insurance requirements, and third-party risk management.

What is the deadline for complying with the latest CISA Known Exploited Vulnerabilities directive?

CISA KEV remediation deadlines vary depending on the specific directive, affected systems, and risk severity. Federal agencies are typically required to remediate KEVs within defined timelines, often ranging from days to weeks after publication. Private sector organisations commonly adopt similar remediation windows for actively exploited vulnerabilities to reduce exposure risk.

Government & Regulatory Alerts

Active exploitation of vulnerability affecting Microsoft Office SharePoint Server products in the UK

Hackerstorm Threat Intelligence Government & Regulatory Alerts 22 July 2025

Microsoft has published a security advisory detailing a vulnerability affecting on-premises SharePoint Server instances. Microsoft and the NCSC are aware that an exploit for this vulnerability exists in the wild and have observed active attacks.

ED 24-02: Mitigating the Significant Risk from Nation-State Compromise of Microsoft Corporate Email System

Hackerstorm Threat Intelligence Government & Regulatory Alerts 02 April 2025

The Russian state-sponsored cyber actor known as Midnight Blizzard has exfiltrated email correspondence between Federal Civilian Executive Branch (FCEB) agencies and Microsoft through a successful compromise of Microsoft corporate email accounts.

CERT-EU: Security Advisory 2024-016 - High Vulnerability in the runc package

Hackerstorm Threat Intelligence Government & Regulatory Alerts 06 February 2024

A critical vulnerability affecting Docker, Kubernetes, and other containerisation technologies enables attackers to potentially gain unauthorised access to the host operating system.

Vulnerability affecting Next.js web development framework

Hackerstorm Threat Intelligence Government & Regulatory Alerts 28 March 2025

The NCSC is encouraging UK organisations to take immediate action to mitigate a vulnerability (CVE-2025-29927) affecting the Next.js framework used to build web applications.

CISA - ED 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities

Hackerstorm Threat Intelligence Government & Regulatory Alerts 02 February 2024

Emergency Directive (ED) - Supplemental Direction V1: ED 24-01: Mitigate Ivanti Connect Secure and

Page 2 of 3

FAQs

The SEC cybersecurity disclosure rules and EU NIS2 Directive require organisations to strengthen incident reporting, cyber risk governance, supply chain security, and executive accountability. In 2026, affected organisations must rapidly report significant cyber incidents, maintain documented risk management processes, and demonstrate stronger operational resilience and vulnerability management practices.

Government & Regulatory Cybersecurity Alerts | NIS2 & SEC Compliance