ctipilot.ch

CISA replaces the flat KEV 14-day rule with risk-tiered remediation (BOD 26-04)

From CTI Weekly Summary — 2026-W24 (Jun 08 – Jun 14, 2026) · published 2026-06-14

CISA issued Binding Operational Directive 26-04 on 10 June, superseding BOD 19-02 and BOD 22-01 and replacing the flat 14-day KEV remediation rule with risk-tiered deadlines, including a 3-day class for the worst exposures (CISA; daily 06-12). The deadlines bind only US Federal Civilian Executive Branch agencies and carry no compliance weight in CH/EU. What to do differently — and what not to: the useful signal for a Swiss/EU SOC is the risk-tiering model (exploitation status and exposure driving remediation urgency), not the deadlines themselves; the KEV listing flag remains jurisdiction-agnostic confirmation of in-the-wild exploitation, but a KEV deadline is never the reason an item is urgent for this audience.