From GDPR to the EU AI Act, European regulation has been moving on a fixed timeline since 2018. Below is every major enforcement date, past and future, with what each one means for your business.
Dates your legal and compliance team should have on the wall. Click through to the relevant tool for each regulation.
The General Data Protection Regulation became enforceable across all EU member states. Any company that processes personal data of EU residents must comply, with fines up to €20M or 4% of global annual turnover.
Check your GDPR compliance →EU member states were required to transpose NIS2 into national law by 17 October 2024. Over 160,000 entities in essential and important sectors across the EU are in scope, including energy, transport, health, finance, and digital infrastructure.
Check your NIS2 readiness →The Digital Operational Resilience Act became applicable on 17 January 2025. Banks, insurers, investment firms, crypto-asset service providers, and their critical ICT third-party providers must now maintain ICT risk frameworks, incident reporting procedures, and resilience testing programmes.
Check your DORA readiness →Large public-interest entities with more than 500 employees began reporting on FY2024 sustainability data under the Corporate Sustainability Reporting Directive. Reports must follow ESRS standards, covering climate, environment, workforce, governance, and supply chain.
Check your CSRD readiness →Article 5 of the EU AI Act became enforceable on 2 February 2025. AI systems that manipulate behaviour, exploit vulnerabilities, use real-time biometric surveillance in public spaces, or apply social scoring are now banned. Companies must verify that none of their AI tools fall under these prohibitions.
Classify your AI systems →On 2 August 2025, governance rules and General Purpose AI (GPAI) model obligations became applicable. Providers of foundation models must meet transparency, copyright, and technical documentation requirements. Most SMEs using these models are not directly affected: the obligations apply primarily to the model providers themselves.
Full enforcement begins on 2 August 2026 for most high-risk AI systems (Annex III). Companies that develop, deploy, or use AI in areas such as employment, education, credit scoring, biometrics, critical infrastructure, and law enforcement must have risk management systems, technical documentation, human oversight, and conformity assessments in place. Update (7 May 2026): the EU Parliament and Council reached a provisional Digital Omnibus agreement to postpone this deadline to 2 December 2027 (Annex III) and 2 August 2028 (Annex I). Formal adoption by both co-legislators is still pending. Until adoption, 2 August 2026 remains the legal deadline.
Build your AI Act compliance roadmap →Post-Omnibus I scope (Directive (EU) 2026/470, in force 18 March 2026): large EU undertakings meeting both cumulative thresholds, more than 1,000 employees AND more than €450M net turnover, begin reporting on FY2027 data. First reports due in 2028. The original pre-Omnibus "2-of-3" test (250 employees / €50M / €25M) has been removed.
Run your ESRS gap analysis →The Corporate Sustainability Due Diligence Directive (Directive (EU) 2024/1760, as amended by Directive (EU) 2026/470, Omnibus I, in force 18 March 2026) now applies from July 2029 to EU companies with more than 5,000 employees AND more than €1.5bn worldwide net turnover, and to non-EU companies with more than €1.5bn of EU turnover. The pre-Omnibus 3-wave phasing (5,000/€1.5bn → 3,000/€900m → 1,000/€450m) has been removed. Member-state transposition deadline: 26 July 2028. Due diligence scope is narrowed to Tier-1 direct business partners (with deeper assessment only where there is plausible evidence of adverse impact); the CS3D climate transition plan obligation has been removed.
Check your supply chain readiness →The original Phase 3 obligation on EU-listed SMEs has been removed by Directive (EU) 2026/470 (Omnibus I, in force 18 March 2026). Listed SMEs are no longer in mandatory CSRD scope and may report voluntarily using the VSME standard. Non-listed SMEs were never directly obligated, but will continue to face reporting requests from larger companies in their supply chains (value-chain flow-down).
Start your CSRD assessment →High-risk AI systems that are safety components of products already regulated under other EU legislation (Annex I, e.g. medical devices, machinery, aviation, automotive) have an extended compliance deadline of 2 August 2027, aligned with the product regulation timelines. Update (7 May 2026): the Digital Omnibus provisional agreement targets 2 August 2028 for Annex I, pending formal adoption.
Classify your AI systems →Not all regulations apply to every company. Take the free diagnostic and get a personalised view of your obligations, in under 2 minutes.