From GDPR to the EU AI Act, European regulation has been moving on a fixed timeline since 2018. Below is every major enforcement date — past and future — with what each one means for your business.
Dates your legal and compliance team should have on the wall. Click through to the relevant tool for each regulation.
The General Data Protection Regulation became enforceable across all EU member states. Any company that processes personal data of EU residents must comply — with fines up to €20M or 4% of global annual turnover.
Check your GDPR compliance →
EU member states were required to transpose NIS2 into national law by 17 October 2024. Over 160,000 entities in essential and important sectors across the EU are in scope — including energy, transport, health, finance, and digital infrastructure.
Check your NIS2 readiness →
The Digital Operational Resilience Act became applicable on 17 January 2025. Banks, insurers, investment firms, crypto-asset service providers, and their critical ICT third-party providers must now maintain ICT risk frameworks, incident reporting procedures, and resilience testing programmes.
Check your DORA readiness →
Large public-interest entities with more than 500 employees began reporting on FY2024 sustainability data under the Corporate Sustainability Reporting Directive. Reports must follow ESRS standards — covering climate, environment, workforce, governance, and supply chain.
Check your CSRD readiness →
Article 5 of the EU AI Act became enforceable on 2 August 2025. AI systems that manipulate behaviour, exploit vulnerabilities, use real-time biometric surveillance in public spaces, or apply social scoring are now banned. Companies must verify that none of their AI tools fall under these prohibitions.
Classify your AI systems →
Full enforcement begins on 2 August 2026 for most high-risk AI systems (Annex III). Companies that develop, deploy, or use AI in areas such as employment, education, credit scoring, biometrics, critical infrastructure, and law enforcement must have risk management systems, technical documentation, human oversight, and conformity assessments in place.
Build your AI Act compliance roadmap →
Large companies not already in Phase 1 — broadly those meeting two of three thresholds: 250+ employees, €50M+ turnover, €25M+ balance sheet — begin reporting on FY2027 data (delayed 2 years by Directive 2025/794). First reports due in 2028.
Run your ESRS gap analysis →
The Corporate Sustainability Due Diligence Directive applies in three waves: Wave 1 (July 2027) for companies with >5,000 employees and >€1.5bn turnover; Wave 2 (July 2028) for >3,000 employees and >€900m; Wave 3 (July 2029) for >1,000 employees and >€450m. It requires due diligence on human rights and environmental impacts across value chains.
Check your supply chain readiness →
Listed small and medium-sized enterprises begin reporting on FY2028 data under a simplified sustainability reporting standard (delayed 2 years by Directive 2025/794). First reports due in 2029. Non-listed SMEs are not directly required, but will increasingly face reporting requests from larger companies in their supply chains.
Start your CSRD assessment →
High-risk AI systems that are safety components of products already regulated under other EU legislation (Annex I — medical devices, machinery, aviation, automotive) have an extended compliance deadline of 2 August 2027, aligned with the product regulation timelines.
Classify your AI systems →
Not all regulations apply to every company. Take the free diagnostic and get a personalised view of your obligations — in under 2 minutes.