
CISA BOD 22-01, NIS2, and DORA: How to Align Patching Workflows with EU Cyber Regulations

AIGovHub Editorial, May 1, 2026

The CISA Emergency Patch Order: What Happened?

On April 28, 2026, CISA added CVE-2026-32202, a Windows zero-day, to its Known Exploited Vulnerabilities (KEV) catalog with a remediation due date of May 12, 2026. Under Binding Operational Directive 22-01 that due date is mandatory only for U.S. Federal Civilian Executive Branch agencies; it binds no one in the EU, but the KEV listing itself is the signal a European entity should act on, because CISA adds an entry only once exploitation in the wild is confirmed. The vulnerability, a zero-click NTLM hash leak, was left behind when Microsoft incompletely patched a remote code execution bug (CVE-2026-21510) that the Russian APT28 group had exploited against targets in Ukraine and EU countries. Akamai reported the flaw, which enables pass-the-hash attacks for lateral movement and data theft. Microsoft confirmed exploitation but found no direct link to APT28 for CVE-2026-32202 itself.

Three other Windows flaws — BlueHammer, RedSun, and UnDefend — are also actively exploited, with two still unpatched. This incident underscores a critical reality: vulnerability management is no longer just a technical concern — it is a regulatory compliance imperative.

NIS2 Requirements for Vulnerability Management and Incident Reporting

The NIS2 Directive (EU 2022/2555) applies to essential and important entities across 18 sectors. Member states were required to transpose it by October 17, 2024. Under NIS2, organizations must implement risk management measures that include vulnerability handling and disclosure, as well as incident reporting obligations.

Key NIS2 Obligations

  • Risk management measures: Entities must adopt technical and organizational measures to manage cybersecurity risks, including vulnerability management, patch management, and supply chain security.
  • Incident reporting: Entities must report significant incidents to the CSIRT or competent authority in stages (Article 23): an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report no later than one month after the incident notification. An intermediate report may be requested in between.
  • Supply chain security: Organizations must assess the security of their direct suppliers and service providers, including software vendors like Microsoft.
  • Management accountability: Management bodies must approve the risk management measures and oversee their implementation, and can be held liable for infringements (Article 20). Administrative fines reach EUR 10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities, and EUR 7 million or 1.4% for important entities.

For an organization subject to NIS2, the CISA KEV addition of CVE-2026-32202 should trigger immediate action. NIS2 does not prescribe a patch deadline of its own; what Article 21 requires is a documented vulnerability handling process as part of the risk management measures, and a supervisory authority will judge that process by how it responded to a publicly confirmed, actively exploited flaw in a ubiquitous product. The KEV due date is a U.S. federal deadline, but it is a defensible benchmark to adopt internally, and an entity that cannot show it assessed exposure and scheduled remediation on a comparable timescale exposes itself to enforcement.

DORA Obligations for ICT Risk Management and Digital Operational Resilience Testing

The Digital Operational Resilience Act (DORA, Regulation EU 2022/2554) applies to financial entities from January 17, 2025. DORA requires a comprehensive ICT risk management framework, including vulnerability management, incident reporting, and digital operational resilience testing.

Key DORA Requirements

  • ICT risk management framework: Financial entities must establish and maintain a sound, comprehensive, and documented ICT risk management framework. This includes identifying, classifying, and adequately documenting all ICT-supported business functions, roles, and responsibilities.
  • Incident reporting: Major ICT-related incidents must be reported to the competent authority (Article 19). The incident-reporting RTS adopted under Article 20 sets the clocks: an initial notification within 4 hours of classifying the incident as major and no later than 24 hours after becoming aware of it, an intermediate report within 72 hours of the initial notification, and a final report within one month of the intermediate report.
  • Digital operational resilience testing: Entities must regularly test their ICT systems (Article 25), including vulnerability assessments and scans, and entities identified by their authority must undergo threat-led penetration testing (TLPT) at least every three years (Article 26).
  • Third-party risk management: DORA imposes stringent requirements on managing risks from ICT third-party service providers, including cloud providers and software vendors.

Under DORA, the KEV listing of CVE-2026-32202 is not itself an incident, and it triggers no notification. It becomes a reportable major incident only if the flaw is actually exploited against the entity and the resulting event meets the classification criteria of Article 18 (clients and counterparts affected, duration, geographic spread, data losses, criticality of the services, economic impact). Until then it is a vulnerability to be handled under the ICT risk management framework (Article 9) and the testing programme (Article 25): assess exposure, patch within the framework's own deadlines, and keep the record that shows you did, because that record is what a supervisor will ask for if exploitation later occurs.

Step-by-Step Guide: Aligning Patching Workflows with NIS2 and DORA

Integrating CISA KEV patching into NIS2 and DORA compliance requires a structured approach. Here is a step-by-step guide:

Step 1: Monitor Vulnerability Sources

Subscribe to CISA's Known Exploited Vulnerabilities catalog, Microsoft Security Response Center (MSRC) alerts, and national CSIRT feeds. Under NIS2 and DORA, threat intelligence is a key component of risk management.

Step 2: Assess Impact on Your Systems

When a new vulnerability is published (e.g., CVE-2026-32202), immediately assess whether it affects your ICT systems. Use asset management tools to identify vulnerable endpoints, servers, and applications.

Step 3: Prioritize Patching Based on Risk

Align patching priority with regulatory exposure. Treat every vulnerability on CISA's KEV as high priority, and tighten the deadline further for assets supporting critical or important business functions. Under NIS2 this is part of your risk management obligation. Under DORA, an unpatched KEV entry that is then exploited against you is the most likely route to a reportable major incident, and the patch decision record will be part of the supervisory review that follows.

Step 4: Document the Patching Process

Maintain audit trails of patching decisions, including risk assessments, patch testing results, and deployment timelines. Both NIS2 and DORA require evidence of compliance. Use automated tools to capture this documentation.

Step 5: Report Incidents Promptly

If a vulnerability is exploited before patching, report the incident according to the applicable timelines: under NIS2, an early warning within 24 hours of awareness and an incident notification within 72 hours; under DORA, an initial notification within 4 hours of classifying the incident as major and no later than 24 hours after awareness, then an intermediate report 72 hours after that. Both frameworks require a final report roughly one month later. Ensure your incident response plan names who classifies, who files, and which clock applies to which regulator.

Step 6: Conduct Regular Testing

Under DORA, perform vulnerability assessments and threat-led penetration testing. Under NIS2, conduct regular security audits. Use the CISA KEV as a baseline for testing scenarios.

Step 7: Review and Improve

After each patching cycle, review the process and update your risk management framework. Both NIS2 and DORA require continuous improvement.
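The seven steps above, as an added example in code (not AIGovHub's or CISA's code): it indexes a KEV feed, matches it against an asset inventory, assigns a remediation deadline, writes a hash-sealed audit record, and computes the NIS2 and DORA reporting clocks that would start if a matched host were actually compromised. The KEV excerpt and the asset list are constructed; the field names follow CISA's public KEV JSON feed and the CVE, dates and product mirror the article. The seven-day internal SLA for critical assets is an assumed policy, and "one month" is simplified to 30 days.

```python
"""Steps 1-5 in code: match the CISA KEV feed against an asset inventory,
set a remediation deadline, write an audit record and compute the NIS2 /
DORA reporting clocks.  Added example, not AIGovHub or CISA code.  The KEV
excerpt and asset list are constructed; field names follow CISA's public
KEV JSON feed, and the CVE, dates and product mirror the article."""
import hashlib
import json
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional

# Constructed excerpt in the shape of the KEV JSON feed (real feed:
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
KEV_FEED = json.dumps({"vulnerabilities": [{
    "cveID": "CVE-2026-32202", "vendorProject": "Microsoft", "product": "Windows",
    "vulnerabilityName": "Windows NTLM hash disclosure (as described in the article)",
    "dateAdded": "2026-04-28", "dueDate": "2026-05-12",
    "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
    "knownRansomwareCampaignUse": "Unknown"}]})

# Constructed asset-management export: vendor/product plus the CVEs whose
# fix is confirmed installed on each host.
ASSETS: List[dict] = [
    {"host": "fs01.corp.example", "vendor": "Microsoft", "product": "Windows Server 2022",
     "patched_cves": [], "business_function": "payments", "critical": True},
    {"host": "ws-042.corp.example", "vendor": "Microsoft", "product": "Windows 11",
     "patched_cves": ["CVE-2026-32202"], "business_function": "office", "critical": False},
    {"host": "lb01.corp.example", "vendor": "F5", "product": "BIG-IP",
     "patched_cves": [], "business_function": "edge", "critical": True},
]


def load_kev(feed_json: str) -> Dict[str, dict]:
    """Step 1: index the feed by CVE id (in production, fetch and re-index daily)."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def exposed_assets(kev: Dict[str, dict], assets: List[dict]) -> List[dict]:
    """Step 2: a host is exposed if vendor and product match a KEV entry and the
    CVE is not in its confirmed-patched list.  Product matching is deliberately
    broad (substring) so an inventory mismatch yields a false positive, not a blind spot."""
    findings = []
    for cve, entry in kev.items():
        for a in assets:
            if (a["vendor"].lower() == entry["vendorProject"].lower()
                    and entry["product"].lower() in a["product"].lower()
                    and cve not in a["patched_cves"]):
                findings.append({"host": a["host"], "cve": cve,
                                 "critical": a["critical"],
                                 "business_function": a["business_function"],
                                 "kev_added": entry["dateAdded"],
                                 "kev_due": entry["dueDate"]})
    return findings


def triage(findings: List[dict], today: date, critical_sla_days: int = 7) -> List[dict]:
    """Step 3: anything on the KEV is at least P2.  Hosts supporting a critical
    business function get P1 and an internal deadline of KEV dateAdded plus
    critical_sla_days (assumed internal policy), never later than CISA's dueDate."""
    for f in findings:
        kev_due = date.fromisoformat(f["kev_due"])
        internal = date.fromisoformat(f["kev_added"]) + timedelta(days=critical_sla_days)
        f["priority"] = "P1" if f["critical"] else "P2"
        f["remediate_by"] = (min(kev_due, internal) if f["critical"] else kev_due).isoformat()
        f["overdue"] = today > date.fromisoformat(f["remediate_by"])
    return findings


def evidence_record(finding: dict, decided_by: str, decided_at: datetime) -> dict:
    """Step 4: audit-trail entry.  The SHA-256 over the canonical JSON lets a
    reviewer detect later edits once the record sits in a ticket or GRC tool."""
    body = {**finding, "decided_by": decided_by, "decided_at": decided_at.isoformat()}
    body["sha256"] = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return body


def reporting_deadlines(framework: str, aware_at: datetime,
                        classified_major_at: Optional[datetime] = None) -> Dict[str, datetime]:
    """Step 5: statutory clocks that start only if a host is actually compromised.
    NIS2 Art. 23: early warning 24 h and incident notification 72 h from awareness,
    final report one month after the notification.  DORA incident-reporting RTS:
    initial notification within 4 h of classifying the incident as major and no
    later than 24 h from awareness, intermediate report 72 h after that, final
    report one month after the intermediate report.  'One month' is taken as 30 days."""
    month = timedelta(days=30)
    if framework == "NIS2":
        notification = aware_at + timedelta(hours=72)
        return {"early_warning": aware_at + timedelta(hours=24),
                "incident_notification": notification, "final_report": notification + month}
    if framework == "DORA":
        classified = classified_major_at or aware_at
        initial = min(classified + timedelta(hours=4), aware_at + timedelta(hours=24))
        intermediate = initial + timedelta(hours=72)
        return {"initial_notification": initial, "intermediate_report": intermediate,
                "final_report": intermediate + month}
    raise ValueError(f"unknown framework: {framework}")


def run(today: date) -> List[dict]:
    """Glue for Steps 1-4 on the constructed data; returns the evidence records."""
    findings = triage(exposed_assets(load_kev(KEV_FEED), ASSETS), today)
    return [evidence_record(f, "vuln-mgmt@corp.example",
                            datetime(today.year, today.month, today.day))
            for f in findings]


if __name__ == "__main__":
    for rec in run(date(2026, 5, 13)):
        print(json.dumps(rec, indent=2))
```

On the constructed data only fs01 is flagged: the workstation already lists the CVE as patched and the F5 device does not match the entry. Because fs01 supports payments it gets the internal 2026-05-05 deadline rather than CISA's 2026-05-12, and a run dated 2026-05-13 marks it overdue. The DORA clock shows why classification time matters: classifying late in the day still caps the initial notification at 24 hours from awareness.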

How AIGovHub's CCM Module Automates Multi-Framework Compliance

Managing vulnerability patching across multiple regulatory frameworks is complex. AIGovHub's Continuous Compliance Monitoring (CCM) module helps organizations automate compliance monitoring and evidence collection for NIS2, DORA, and other frameworks.

Key Capabilities for Vulnerability Management

  • ERP connectors: CCM connects to SAP, Microsoft Dynamics 365, Workday, Oracle Cloud Fusion, and NetSuite to extract real-time data for compliance monitoring, including patch status.
  • AI-native rule engine: Uses DeepSeek R1 reasoning to analyze patching data and flag critical or high findings, such as unpatched CISA KEV vulnerabilities.
  • Automated evidence collection: Automatically captures patching records, risk assessments, and incident reports as evidence for NIS2 and DORA audits.
  • Remediation workflow: Integrates with Jira and ServiceNow to track patching tasks and ensure they are completed within regulatory deadlines.
  • Anomaly detection: Detects deviations from baselines, such as delayed patching, and triggers alerts for compliance teams.

By using AIGovHub CCM, organizations can reduce manual effort, improve audit readiness, and ensure that patching workflows are aligned with NIS2 and DORA requirements.

Key Takeaways

  • CISA's addition of CVE-2026-32202 to the KEV catalog highlights the need for rapid patching. The BOD 22-01 due date binds only U.S. federal agencies, but NIS2 and DORA require a vulnerability handling process that would be expected to act on such a listing.
  • NIS2 requires essential and important entities to implement vulnerability management as part of their risk management measures, with an early warning within 24 hours of a significant incident and an incident notification within 72 hours.
  • DORA mandates financial entities to have an ICT risk management framework that includes vulnerability management, incident reporting, and resilience testing.
  • Aligning patching workflows with both frameworks requires monitoring vulnerability sources, assessing impact, prioritizing based on risk, documenting the process, reporting incidents, and conducting regular testing.
  • Automation tools like AIGovHub CCM can streamline compliance by connecting to ERP systems, automating evidence collection, and providing AI-driven risk analysis.

This content is for informational purposes only and does not constitute legal advice. Organizations should consult with legal and compliance professionals to ensure adherence to specific regulatory requirements.

Take the Next Step

Ready to simplify multi-framework compliance? Try AIGovHub's interactive compliance tools and CCM module to automate vulnerability management, evidence collection, and regulatory reporting for NIS2, DORA, and beyond. Visit AIGovHub to learn more.