Europese Commissie publiceert CRA-conceptrichtlijnen voor productfabrikanten. Eerste DSA-transparantierapporten deadline verstreken. Westerse coalitie lanceert 6G-cyberbeveiligingsrichtlijnen. AI-beveiligingskwetsbaarheden benadrukken urgentie EU AI Act. Wekelijks regelgevingsoverzicht 7 maart 2026.
On 3 maart 2026, the European Commission published draft guidance to help companies meet the obligations of the Cyber Resilience Act (CRA). The guidance is open for public feedback, marking a critical milestone as the regulation moves from legislation to implementation.
The CRA, which entered into force in December 2024, establishes mandatory cybersecurity requirements for all products with digital elements sold in the EU. Manufacturers, importers, and distributors must ensure products meet essential security requirements throughout their lifecycle.
The Commission's guidance addresses the most common implementation questions from industry:
Action required: Product manufacturers, software companies, and IoT vendors operating in the EU should review the draft guidance and submit feedback before the consultation period closes. Companies should begin CRA compliance programs now — September 2026 reporting obligations are only six months away.
The first round of harmonised transparency reports under the Digital Services Act (DSA) were due by the end of February 2026. Providers of intermediary services — including platforms, hosting services, and search engines — were required to publish reports detailing their content moderation activities, government requests, and algorithmic recommendation systems.
The European Commission is now reviewing the first batch of reports. Non-compliant platforms face fines of up to 6% of global annual turnover. Several smaller intermediary services reportedly missed the deadline, and the Commission has signaled it will pursue handhavingsacties.
On 4 maart 2026, a coalition of seven Western nations — including EU lidstaten — launched comprehensive cybersecurity guidelines for future 6G telecommunications standards. The framework mandates security-by-design principles be integrated from the earliest stages of 6G development.
The guidelines directly address lessons learned from 5G security controversies, particularly around toeleveringsketen risks and vendor trust. Key principles include:
The framework aligns with the EU's broader approach under NIS2 and the CRA, creating a unified regulatory posture across critical telecommunications infrastructure.
This week's AI security developments underscore the critical need for the EU AI Act's regulatory framework:
Google patched a high-severity vulnerability (CVSS 8.8) in its Gemini AI implementation within the Chrome browser. Reported by Palo Alto Networks' Unit 42, the verhoging van rechten flaw could have allowed malicious browser extensions with basic permissions to hijack the Gemini Live panel — accessing user conversations and executing actions on behalf of the user.
Beveiligingsonderzoekers continue to flag a surge of trojanized "AI" browser extensions appearing in official app stores. These extensions claim to provide AI functionality while secretly exfiltrating user data, session tokens, and browsing activity. The trend exploits consumer demand for AI tools without adequate marketplace security.
A critical vulnerability dubbed "ContextCrush" was discovered in the Context7 MCP Server, a tool used in AI development pipelines. De fout kan aanvallers in staat stellen om inject malicious instructions into AI development workflows, potentially poisoning AI training data or model outputs at the source.
EU AI Act Timeline: The Act's prohibited practices provisions took effect in February 2025. High-risk AI system obligations apply from August 2026. The EU AI Office is developing harmonized standards and guidance. These vulnerabilities demonstrate exactly why mandatory AI security requirements — including risicobeoordelings, vulnerability management, and transparency obligations — are essential.
EU lidstaten continue to ramp up NIS2 enforcement. Key developments this week:
The Digital Operational Resilience Act has been in effect since 17 januari 2025. Financial entities should now be in full compliance. Key Q1 2026 compliance activities:
| Date | Regulation | Milestone |
|---|---|---|
| Jun 2026 | NIS2 | Netherlands: Entity self-assessment deadline |
| Aug 2026 | EU AI Act | High-risk AI system obligations apply |
| Sep 2026 | CRA | Vulnerability reporting obligations begin |
| Q4 2026 | DORA | First TLPT cycle completion for significant entities |
| Dec 2027 | CRA | Full product compliance required |
Continuous compliance monitoring for NIS2, DORA, CRA, GDPR, and EU AI Act. Real-time regulatory tracking with automated gap analysis.
Start Free Assessment →Stay compliant. Stay ahead.
🗡️ KENSAI Compliance Intelligence
7 maart 2026