
EU Regulatory News

What's changed across CSRD, GDPR, EU AI Act, DMA, and EU Taxonomy — and what it means for your business.

NIS2 Compliance Deadline: October 2026 — First Audits Due by June

Companies in scope of the NIS2 Directive have until October 2026 to achieve full compliance. The first audit deadline has been set for 30 June 2026, and Member States must identify critical entities by 17 July 2026.

What changed

The NIS2 Directive (2022/2555) significantly expanded the scope of EU cybersecurity obligations from the original NIS Directive. It covers medium and large organisations in 18 sectors including energy, transport, banking, health, digital infrastructure, and ICT service management. Companies must implement risk management measures, incident reporting procedures, supply chain security assessments, and business continuity plans.

The first compliance audit deadline was originally set for 31 December 2025 but has been moved to 30 June 2026. By 17 July 2026, each Member State must formally identify the critical entities in their jurisdiction. Penalties for non-compliance include fines of up to €10M or 2% of global turnover for essential entities, and €7M or 1.4% for important entities. Senior management can be held personally liable.

What it means for your business

If you operate in any of the 18 NIS2 sectors: The compliance deadline is now less than 6 months away. Start with a gap assessment to understand your current posture — particularly around incident reporting (72-hour notification requirement), supply chain risk management, and board-level accountability. Not sure if NIS2 applies to you? Run the free NIS2 Readiness Assessment.

CSRD Omnibus Now Law: Scope Cut by 80%, Only 1,000+ Employee Companies In

The EU's Omnibus I simplification package raises the CSRD reporting threshold to companies with 1,000+ employees and €450M+ in turnover, removing roughly 80% of previously in-scope businesses. Listed SMEs are fully exempt.

What changed

The Omnibus I Directive has raised the CSRD applicability threshold from the original 250-employee threshold to 1,000 employees and €450 million in net turnover. The law also removes listed SMEs from mandatory scope entirely — they will only report on a voluntary basis using a simplified VSME standard.

The wave 2 deadline (financial year 2025, reporting in 2026) and wave 3 deadline (FY 2026) are both postponed by two years. Wave 1 companies (those already reporting for FY 2024) are not affected. The Omnibus I Directive was published in the EU Official Journal on 26 February 2026 and entered into force on 19 March 2026. These changes are now binding law.

What it means for your business

If you have under 1,000 employees: You are likely out of mandatory scope under the new threshold. However, large customers and financial institutions may still require CSRD-aligned disclosures through their own value chain reporting.

If you have 1,000+ employees: Mandatory reporting continues — the core ESRS standards remain unchanged. Use the delay to strengthen your data collection processes.

AI Act High-Risk Deadline Extended to December 2027 — Now Law

As part of the EU Omnibus simplification package, the EU has extended the compliance deadline for high-risk AI systems from August 2026 to December 2027, giving businesses 16 additional months.

What changed

The Omnibus I Directive, which entered into force on 19 March 2026, extends the deadline for high-risk AI system compliance under the EU AI Act. The original Article 6 Annex III deadline was August 2, 2026 — the new law pushes this to December 2027.

The extension covers obligations under Articles 9–15 of the AI Act: risk management systems, data governance, technical documentation, logging, transparency, human oversight, and accuracy/robustness requirements. The prohibited practices ban (effective August 2025) and GPAI model obligations are not affected.

What it means for your business

If you deploy high-risk AI: The extra time is valuable — use it to build compliant risk management and documentation processes rather than scrambling. The extension was formally adopted as part of the Omnibus I Directive (in force since 19 March 2026). The new deadline of December 2027 is now binding law.

ECB, EBA and ESMA Warn: ESRS Simplifications Risk Undermining Data Quality

Four EU financial regulators published joint opinions warning that the Omnibus reliefs and permanent exemptions in the revised ESRS could significantly reduce the availability of decision-useful sustainability data.

What changed

In February 2026, the European Central Bank (ECB), European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA), and European Securities and Markets Authority (ESMA) published their opinions on the revised European Sustainability Reporting Standards. All four regulators share a core concern: the cumulative effect of permanent reliefs, phase-ins, and exemptions risks undermining the availability of key quantitative data that financial institutions need for risk assessment and lending decisions.

The regulators also highlighted that several reliefs go beyond, or deviate from, the IFRS/ISSB framework — creating interoperability gaps between EU and international sustainability reporting standards. This matters for companies with global investors or operations, who may need to report under both frameworks.

What it means for your business

If you report under ESRS: Even though the Omnibus reduces mandatory scope, the financial sector — your banks, investors, and insurers — still expects comprehensive sustainability data. Companies that only meet the minimum simplified requirements may face challenges accessing green finance or satisfying due diligence requests from larger clients.

EU Taxonomy Reporting Simplified: 10% Materiality Threshold Introduced

A new EU delegated act introduces a 10% materiality threshold for Taxonomy reporting, significantly reducing the number of activities companies must assess and disclose.

What changed

The European Commission adopted a new delegated act amending the EU Taxonomy Disclosures Delegated Regulation. The key change is a 10% materiality threshold: companies no longer need to assess and report on Taxonomy alignment for activities that represent less than 10% of their total revenue, capital expenditure (CapEx), or operating expenditure (OpEx).

The delegated act also introduces simplifications to the "Do No Significant Harm" (DNSH) assessment, reduces the number of mandatory data points, and provides clearer guidance on how to handle activities that span multiple NACE codes.

What it means for your business

If you're already reporting: Review which activities fall below the 10% threshold — you may be able to exclude a significant portion of your current assessment scope.

If you haven't started: This simplification makes first-time Taxonomy reporting considerably more manageable. The threshold applies for reporting periods from 2025 onwards.

EU AI Act: Prohibited AI Practices Are Now Enforceable

From 2 August 2025, the EU AI Act's ban on unacceptable-risk AI systems became legally enforceable across all Member States. Systems that manipulate users, exploit vulnerabilities, or enable social scoring are now prohibited by law.

What changed

Article 5 of the EU AI Act — listing AI systems with unacceptable risk — became enforceable on 2 August 2025, 12 months after the regulation entered into force. This includes absolute prohibitions on: AI systems that use subliminal techniques to influence behaviour, systems that exploit vulnerabilities of specific groups, real-time biometric identification in public spaces (with narrow exceptions), social scoring by public authorities, and AI used to infer emotions in workplaces and schools.

Member States were required to designate national market surveillance authorities and notify the European AI Office by this date. The AI Office, established within the European Commission, oversees enforcement for general-purpose AI models. National authorities handle enforcement for other AI systems.

What it means for your business

Immediate action required: If your organisation uses or deploys AI systems, review them against the Article 5 prohibited practices list now. Violations can result in fines of up to €35M or 7% of global annual turnover. Most business AI tools (productivity, analytics, customer service) are not prohibited — but AI used in recruitment, credit scoring, or affecting individuals in sensitive contexts requires careful review.

First DMA Penalties: Apple Fined €500M, Meta €200M

The European Commission issued its first-ever Digital Markets Act enforcement decisions, fining Apple €500M and Meta €200M for failing to comply with their DMA obligations as designated gatekeepers.

What changed

On 23 April 2025, the European Commission issued its first enforcement decisions under the Digital Markets Act (DMA). Apple was fined €500M for its App Store practices — specifically for not allowing app developers to freely direct users to alternative purchasing options outside the App Store. Meta was fined €200M for its "pay or consent" advertising model on Facebook and Instagram, which the Commission found did not give users a genuine free alternative to data-based advertising.

Both companies were also ordered to remedy their non-compliant practices within 60 days. The DMA targets large digital platforms designated as "gatekeepers" — currently Apple, Alphabet, Meta, Amazon, Microsoft, ByteDance, and Booking.com. The fines can reach up to 10% of global annual turnover (20% for repeat infringements) and up to 5% of average daily worldwide turnover per day for non-compliance with interim measures.

What it means for your business

If you use gatekeeper platforms: These decisions signal that app stores, search rankings, and advertising systems on major platforms may change to comply with DMA requirements — potentially affecting your distribution and marketing strategies.

If you are a gatekeeper platform: The DMA is now actively enforced. Non-compliance carries substantial financial risk.

GDPR Enforcement Record: TikTok Fined €530M for Sending EU Data to China

Ireland's Data Protection Commission fined TikTok €530M — the third largest GDPR fine on record — for transferring EU users' personal data to China without adequate legal safeguards under Chapter V of the GDPR.

What changed

The Irish Data Protection Commission (DPC) concluded a multi-year investigation into TikTok's international data transfers, finding that TikTok had transferred EU/EEA user data to its parent company ByteDance in China without meeting the strict adequacy requirements of GDPR Chapter V. The €530M fine consists of €485M for the transfer violations and €45M for a transparency infringement regarding TikTok's privacy policy.

This is the third largest GDPR fine ever issued, behind Meta's €1.2B fine (2023) and Amazon's €746M fine (2021). TikTok was also ordered to bring its data processing into compliance within six months. More than 360 GDPR fines were issued across Europe in 2025, with total enforcement reaching a record high.

What it means for your business

For any company that transfers personal data outside the EU/EEA: This fine reinforces that transfer mechanisms must be watertight. Standard Contractual Clauses (SCCs) are not sufficient if the destination country's laws prevent the data importer from complying with them in practice. Review your data transfer impact assessments (DTIAs), particularly for transfers to the US, India, and China. Consider data localisation where technically feasible.