Which EU rules actually affect you in 2026.
AI Act, NIS2, Data Act, Cyber Resilience Act, DORA – five regulations, five sets of deadlines. We bring order: take the quick check, see in two minutes what applies to you, and grab the roadmap.
Across 2025 and 2026, a wave of EU digital regulation has come into force. Much of it sounds like an enterprise concern, but it long since reaches the mid-market too – and much of it is, at its core, technical: AI labelling, secure software, data access, reporting processes. Where law meets code is where the real work appears.
This radar sorts the five most important regulations: who is affected, which deadlines actually apply (including the recent AI Act shifts), and what to do. The quick check gives you an honest first orientation in a few questions – no legalese, no scaremongering.
Five short questions – then you'll know which EU digital regulations likely affect your company and which deadlines are coming up. No sign-up, no legal advice.
Orientation only, not legal advice – the final assessment depends on your case.
The five regulations at a glance
EU AI Act, NIS2, Data Act, Cyber Resilience Act and DORA – who is affected, which deadlines apply and what to do.
EU AI Act
High relevance – Regulation (EU) 2024/1689 (AI Act)
Affected: Providers and deployers of AI systems plus GPAI providers. For the mid-market mainly transparency and AI-literacy duties; high-risk covers e.g. AI in HR, credit, education.
- Ensure AI literacy in your team (since February 2025)
- Avoid prohibited AI practices (e.g. social scoring)
- Label chatbots & AI-generated content (from August 2026)
- High-risk AI: risk management, documentation, human oversight (future)
NIS2
High relevance – Directive (EU) 2022/2555 / NIS2UmsuCG
Affected: Medium and large companies across 18 sectors. 'Important': from 50 staff or €10m turnover; 'essential': from 250 staff or €50m turnover.
- Register with the BSI
- Risk management per § 30 BSIG (10 mandatory areas)
- Report incidents: 24 h / 72 h / 1 month
- Management: approval, oversight, personal liability
EU Data Act
Relevant – Regulation (EU) 2023/2854
Affected: Makers and sellers of connected products (IoT), data holders and providers of cloud/data-processing services.
- Give users access to their product data
- Share data with nominated third parties on request
- Access by design (from September 2026 for new products)
- Easier cloud switching & fair contract terms
Cyber Resilience Act
High relevance – Regulation (EU) 2024/2847
Affected: Makers, importers and distributors of 'products with digital elements' – hardware and software with a network or data connection (incl. standalone software, apps, SaaS).
- Security-by-design and security-by-default
- Vulnerability management + free updates over the support period
- Define and communicate a clear support period
- Conformity assessment + CE marking; report vulnerabilities (from September 2026)
DORA
Relevant – Regulation (EU) 2022/2554
Affected: Financial entities (banks, insurers, payment providers and more) and their critical ICT third-party providers.
- Set up an ICT risk-management framework
- Classify and report major ICT incidents
- Run resilience testing (incl. TLPT)
- Manage third-party risk; keep a register of information
How we help
Assess
We clarify which regulations affect you and where you stand – without legalese.
Implement
Where it concerns your website, software or AI features, we implement the needed measures directly in code – labelling, security, transparency.
Document
We help you build records and processes so you can respond to authorities.
Stay on track
Deadlines and duties shift. We keep the roadmap in view with you.
FAQ
Does any of this even affect us as a small company?
Often yes – but specifically. The AI Act applies regardless of size once you use AI; NIS2 only from 50 staff or €10m turnover in certain sectors. The quick check above gives a first orientation.
Is all of this already in force?
Mostly yes. NIS2 has been in force in Germany since 6 December 2025, the Data Act since September 2025, DORA since January 2025. For the AI Act and Cyber Resilience Act, duties phase in – some deadlines are still in 2026 and 2027.
Didn't the AI Act deadlines shift?
Yes. The 'Digital Omnibus on AI' (agreement in May 2026) postpones much of the high-risk duties – standalone high-risk AI (Annex III) now likely applies from December 2027 instead of August 2026. The transparency duties (labelling) stay at August 2026.
What does this have to do with a web/AI agency?
Much of it is technical: AI labelling, secure software (CRA), data access and cloud switching (Data Act), reporting processes (NIS2). That's exactly where we help – from the website to the AI feature.
Does this replace legal advice?
No. The radar and check are a factual orientation. For a binding legal assessment, involve qualified advisors – we handle the technical implementation.
Keep the overview – and let the technical part be handled.
We assess what affects you and implement the technical measures – from AI labelling to secure software.