EMEA & Ireland · DORA · NIS2 · EU AI Act · ISO 42001

Regulatory Intelligence Hub

Comprehensive regulatory intelligence covering DORA, NIS2, EU AI Act, CRA, GDPR, UK and Ireland cyber regulations with live countdown timers.

Regulatory Intelligence

Live Regulatory Landscape

Comprehensive monitoring of EU, UK, and international cybersecurity, AI, and data protection enforcement — mapped to institutional doctrine response.

EU Cybersecurity Regulations

Regulation | Status | Key Deadline | Scope & Key Requirements | Enforcement Authority | Doctrine Response
DORA (EU 2022/2554) | In Force | 17 Jan 2025 — Active enforcement. Register of Information submitted Q1 2026; on-site ICT risk inspections underway; first compulsion payments issued. Only 50% of entities reached full compliance by end-2025 (Deloitte). | Financial sector ICT resilience. Firms must withstand, respond to, and recover from ICT disruptions. Strict 4-hour incident reporting for major incidents. | EBA / EIOPA / ESMA | Evidence Chain Model™ + Recoverability Mandate™
NIS2 Directive (EU 2022/2555) | Transposition | 17 Oct 2024 — 13 of 27 EU member states still not transposed (Apr 2026). EC proposed targeted NIS2 amendments 20 Jan 2026 to simplify compliance. First administrative penalties issued Q1 2026; first audits due 30 Jun 2026. Fines up to €10M or 2% global turnover. | Replaces NIS1. Mandatory cybersecurity requirements for essential sectors (energy, health, finance, transport) and digital services. Mandates strict risk management, governance, and incident reporting. Art. 20 imposes personal liability on directors. | National CAs + ENISA | Decision Rights Architecture™ + Board-Survivable Cyber Architecture™
EU AI Act (EU 2024/1689) | Phased Rollout | 2 Aug 2026 — Most remaining provisions apply. EU Digital Omnibus proposes extending stand-alone high-risk AI systems to Dec 2027, embedded systems to Aug 2028. AI sandboxes due by Aug 2026 (may be delayed to Dec 2027). Watermarking deadline may shift to Feb 2027. Council agreed streamlining position Mar 2026. | Risk-based AI classification: Prohibited (social scoring, cognitive manipulation), High-Risk (critical infrastructure, employment, law enforcement), Limited Risk (transparency rules for chatbots/deepfakes), Minimal Risk. GPAI models must comply with transparency and copyright obligations. Penalties: up to 7% global annual turnover for high-risk violations. | National Market Surveillance + EU AI Office | AI Accountability Stack™
Cyber Resilience Act (EU 2024/2847) | Phased Rollout | 11 Sep 2026 — Vulnerability reporting obligations begin; 11 Dec 2027 — Full application | Manufacturers of products with digital elements must meet high-security standards throughout product lifecycle. Mandates "security by design," automatic updates, and vulnerability handling obligations. Conformity assessment bodies begin notifying 11 Jun 2026. Commission first standardisation deliverables expected Q3 2026. Non-compliant products face serious penalties across all 27 member states from Dec 2027 (Hogan Lovells/Keysight, Apr 2026). | National Market Surveillance Authorities | Evidence Chain Model™ + Contract Control Matrix™
EU Cybersecurity Act (EU 2019/881 + 2026 Revision) | Revision Proposed | 20 Jan 2026 — COM(2026)11 published; under EU legislative procedure (Parliament + Council) | Strengthened ENISA and established EU-wide ICT certification framework. COM(2026)11 published 20 Jan 2026: adds managed security services to certification, significantly expands ENISA's operational support role (€341M budget 2028–2034), and addresses ICT supply-chain security as a strategic risk. | ENISA + National Certification Authorities | Evidence Chain Model™
Cyber Solidarity Act (EU 2025) | Implementation | In force 4 Feb 2025 — €36M Cybersecurity Reserve launched; cross-border SOC hubs deploying | Establishes EU-wide Security Operations Centre network for active threat detection. Creates Cyber Emergency Mechanism and €36M Cybersecurity Reserve for cross-border incident response. ENISA Single Reporting Platform launching September 2026. | ENISA + National SOCs | Recoverability Mandate™
eIDAS2 (EU Digital Identity Regulation) | Implementation | Dec 2026 — All 27 Member States must provide EU Digital Identity Wallets | Provides secure, trustworthy digital identity solutions across Europe. Member states must offer EU Digital Identity Wallets to all citizens and residents. Pilot programmes expanding; technical specifications and implementing regulations finalised. | National Supervisory Bodies | Decision Rights Architecture™
ISO 42001 | Published | Certification available now | International standard for AI management systems. Provides framework for establishing, implementing, and improving AI governance within organisations. | Accredited Certification Bodies | AI Accountability Stack™ (aligned)

EU Data Protection & Digital Markets

Regulation | Status | Key Requirements | Enforcement Authority | Doctrine Response
GDPR (EU 2016/679) | In Force | Data protection by design and by default. 72-hour breach notification. DPIAs mandatory for high-risk processing. Cross-border transfer safeguards (SCCs, adequacy decisions). Fines up to 4% of global turnover. Total EU enforcement exceeds €7.1B; Irish DPC has issued €4.04B. 2026 Coordinated Enforcement Framework focuses on transparency obligations. | National DPAs (CNIL, ICO, BfDI) | Evidence Chain Model™ + Board-Survivable Cyber Architecture™
ePrivacy Directive (2002/58/EC) | In Force | Regulates cookies, electronic marketing, email spam, and privacy of electronic communications. Awaiting ePrivacy Regulation replacement. | National DPAs | Contract Control Matrix™
Digital Markets Act (DMA) | In Force | Designates gatekeepers (Meta, Alphabet, Apple, etc.) — mandates interoperability, prohibits self-preferencing, prevents combining user data across services without consent. | European Commission (DG COMP) | Decision Rights Architecture™
Digital Services Act (DSA) | In Force | Strict risk assessment and independent audits for VLOPs (45M+ EU users). Faster removal of illegal content. Algorithmic transparency obligations. | European Commission + National Digital Services Coordinators | AI Accountability Stack™

UK Cybersecurity & Data Protection

Regulation | Status | Key Requirements | Enforcement Authority | Doctrine Response
UK FCA PS21/3 (Operational Resilience) | In Force | Financial firms must identify important business services, set impact tolerances, and test ability to remain within tolerances under severe-but-plausible scenarios. Full compliance 31 Mar 2025. | FCA / PRA | Recoverability Mandate™ + Decision Rights Architecture™
UK GDPR + DPA 2018 | In Force | Appropriate technical and organisational security measures. 72-hour breach reporting to ICO. DPA 2018 supplements UK GDPR for law enforcement and intelligence processing. | ICO | Evidence Chain Model™ + Board-Survivable Cyber Architecture™
NIS Regulations 2018 | In Force | Operators of essential services (energy, health, transport) and digital service providers must implement robust security measures and report incidents. | Sector-specific CAs (Ofcom, Ofgem, ICO) | Recoverability Mandate™
NCSC CAF (Cyber Assessment Framework) | In Force | UK national framework for assessing cyber security of operators of essential services and critical national infrastructure. Four objectives: Managing Security Risk (A), Protecting Against Cyber Attack (B), Detecting Cyber Security Events (C), Minimising Impact of Incidents (D). 14 security principles assessed via NCSC-led or sector CA-led assessments. | NCSC / Sector CAs (Ofgem, Ofcom, CAA, NHSE) | Decision Rights Architecture™ + Board-Survivable Cyber Architecture™
ECAF (Electricity Cyber Assessment Framework, Ofgem) | In Force | Ofgem-enforced cyber assessment framework for UK electricity sector operators of essential services — generation, transmission, distribution, and supply licensees. Applies CAF 14 security principles to IT/OT convergence environments. Profile-based assessment: Ofgem issues improvement plans where gaps are identified. Non-compliance reportable under NIS Regulations 2018. | Ofgem | Control Collapse Model™ + Recoverability Mandate™
Cyber Security & Resilience Bill (2025) | In Progress | Expands NIS Regulations scope to more digital services and supply chains. Tightens incident reporting rules. Increases fines and enhances regulator enforcement powers. Introduced 12 Nov 2025; going through Commons and expected to become UK law in 2026 (Commons Library, Apr 2026). | DSIT / Sector CAs | Decision Rights Architecture™ + Recoverability Mandate™
Product Security Act 2022 (PSTI Act) | In Force | Security requirements for consumer-connectable products — bans default passwords, mandates vulnerability disclosure, requires minimum security update periods. Non-compliance: fines up to £10M or 4% global turnover, plus £20,000/day for ongoing contraventions (OPSS, 2024). | OPSS | Contract Control Matrix™
Telecoms Security Act 2021 | In Force | Stricter security duties on public telecom providers. Supply chain security requirements for network equipment and services. | Ofcom | Contract Control Matrix™
Computer Misuse Act 1990 | In Force | Criminal offences for unauthorised access to computer material, unauthorised modification, and making/supplying tools for computer misuse. | CPS / NCA | Board-Survivable Cyber Architecture™
Data (Use and Access) Act 2025 | Enacted | Reforms data protection to simplify compliance for research and AI. Clarifies international data transfer mechanisms post-Brexit. | ICO | AI Accountability Stack™
AI Regulation Bill 2025 (Private Members' Bill) | Proposed | Proposes establishing a central AI Authority. Potential mandatory reporting for high-risk, advanced AI models. | Proposed AI Authority | AI Accountability Stack™
SEC Cyber Rules (US — Global Impact) | In Force | Material cyber incident disclosure within 4 business days. Annual reporting of cyber risk management, strategy, and governance. Board-level oversight requirements. | SEC / DOJ | Board-Survivable Cyber Architecture™

International Standards & Frameworks

Globally adopted security and risk management standards referenced across 231 published doctrines — each carries direct compliance obligations or is accepted as equivalent assurance by major regulators including NCSC, Ofgem, EBA, and national CAs.

Standard | Status | Key Requirements | Governing Body | Doctrine Response
ISO 27001:2022 (Information Security Management System) | In Force | 93 controls across 4 themes (Organisational, People, Physical, Technological). Mandatory risk treatment plan, Statement of Applicability, and internal audit programme. 2022 revision aligns with DORA and NIS2 control language. Certification accepted by Ofgem as partial CAF evidence. | ISO / IEC; BSI (UK) · NSAI (IE) | Decision Rights Architecture™ + Evidence Chain Model™
NIST CSF 2.0 (Cybersecurity Framework) | In Force | Six core functions: Govern, Identify, Protect, Detect, Respond, Recover. Version 2.0 (Feb 2024) adds Govern function and expands supply chain guidance. Globally recognised — Crown Commercial Service and NCSC recommend CSF alignment for UK CNI operators. | NIST (US); Globally adopted | Board-Survivable Cyber Architecture™
NIST AI RMF 1.0 (AI Risk Management Framework) | In Force | Four core functions: GOVERN, MAP, MEASURE, MANAGE for AI risk. Aligned to EU AI Act Annex III High-Risk obligations and ISO/IEC 42001. Referenced in all 20 NIS/CAF doctrine papers. Provides quantitative AI risk scoring complementary to the EU AI Act's qualitative risk classification. | NIST (US); EU AI Office aligned | AI Accountability Stack™
ISO 22301 (Business Continuity Management) | In Force | BCMS framework covering BIA, RTO/RPO definition, plan design, testing, and continual improvement. Mandated or strongly recommended under DORA, NIS2, and UK FCA PS21/3 operational resilience rules. Accepted as partial assurance evidence by regulated sector CAs. | ISO / IEC; BSI (UK) | Recoverability Mandate™
SOC 2 Type II (Trust Services Criteria, AICPA) | In Force | Independent auditor assessment against Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, Privacy. Type II covers operating effectiveness over a period (minimum 6 months). Accepted by CNI operators and financial sector regulators as third-party assurance evidence. | AICPA (US); Globally accepted | Evidence Chain Model™
ETSI TS 104 223 (AI Baseline Cyber Security) | Published · Adoption | First dedicated AI cybersecurity standard from ETSI. Establishes baseline security requirements for AI systems including data integrity, model security, adversarial robustness, and monitoring. Directly complements EU AI Act Annex III High-Risk requirements and ISO/IEC 42001. | ETSI; EU bodies aligned | AI Accountability Stack™
IEC 62443 (Industrial Automation & Control Security) | In Force | OT/ICS security framework structured across 4 series — General, Policies & Procedures, System, Component. Security Levels SL-1 to SL-4. Directly referenced by Ofgem ECAF for electricity OT environments and NIS2 for operators of essential services in energy and water sectors. | IEC; Ofgem · NCSC aligned | Control Collapse Model™
NIST 800-53 Rev 5 (Security & Privacy Controls) | In Force | 20 control families covering access control, audit, incident response, supply chain risk management, and privacy. Used as baseline by US federal agencies and widely adopted in international regulated environments. Crosswalks with ISO 27001 and NIST CSF. | NIST (US) | Decision Rights Architecture™
COBIT 2019 (Governance of Enterprise IT) | In Force | Governance framework covering 40 governance and management objectives. Aligns board-level IT governance with operational delivery. Used alongside ISO 27001 for GRC programme design in regulated financial, CNI, and public sector environments. | ISACA | Decision Rights Architecture™

US & Global Regulations

US-origin regulations with global extraterritorial reach — affecting UK, Irish, and EU-headquartered organisations operating in regulated sectors or holding dual listings. Referenced across 130+ published doctrines.

Regulation | Status | Key Requirements | Enforcement Authority | Doctrine Response
HIPAA (Health Insurance Portability & Accountability Act) | In Force | Security Rule requires administrative, physical, and technical safeguards for electronic Protected Health Information (ePHI). Breach notification within 60 days. HHS HITECH Act increases penalties to $1.9M per violation category. Extraterritorial reach for any entity processing US patient data. | HHS / OCR (US) | Evidence Chain Model™ + Board-Survivable Cyber Architecture™
GLBA (Gramm-Leach-Bliley Act · Safeguards Rule) | In Force | FTC Safeguards Rule (updated 2023): Financial institutions must implement a written information security programme. Requires encryption, MFA, penetration testing, and incident response. Designated Qualified Individual responsible for CISO-equivalent accountability. Applies to non-bank financial companies globally handling US customer data. | FTC / Federal Financial Regulators (US) | Decision Rights Architecture™
SOX (Sarbanes-Oxley Act · Sections 302 & 404) | In Force | Section 302: CEO/CFO personally certify accuracy of financial disclosures including IT controls. Section 404: Annual assessment of internal controls over financial reporting (ICFR). IT General Controls (ITGCs) covering access management, change management, and operations are mandatory assessment scope. Applies to all SEC-registered entities including non-US filers. | SEC / PCAOB (US) | Board-Survivable Cyber Architecture™
PCI DSS v4.0 (Payment Card Industry Data Security Standard) | In Force | 12 requirements for cardholder data protection: network segmentation, encryption, access control, vulnerability management, monitoring, and policy. v4.0 (March 2024) introduces customised approach for mature programmes. Annual QSA assessment or SAQ for smaller merchants. Applies globally to any entity handling payment card data. | PCI SSC; Enforced by card networks | Control Collapse Model™ + Evidence Chain Model™
FAIR (Factor Analysis of Information Risk) | Active Standard | Quantitative risk analysis framework enabling financial expression of cyber risk (Loss Event Frequency × Loss Magnitude). Open FAIR standard adopted by The Open Group. Bridges the language gap between security teams and boards/CFOs. Widely used alongside NIST CSF for board-level cyber risk reporting. | FAIR Institute; The Open Group | Board-Survivable Cyber Architecture™

Threat Intelligence & Red Team Frameworks

Adversary emulation and threat-led testing frameworks mandated or recommended by DORA, NIS2, and the NCSC. Referenced across 96+ published doctrines — integral to tabletop design, CAF assessment evidence, and board-level assurance programmes.

Framework | Status | Key Requirements | Authority | Doctrine Response
MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) | Living Framework | 14 tactics, 200+ techniques and sub-techniques for enterprise adversary emulation. Updated quarterly. Used as the primary reference for threat modelling, detection engineering, tabletop exercise design, and purple team exercises across NIS2 and DORA programmes. CAF assessment evidence accepted when mapped to ATT&CK techniques. | MITRE Corporation (US); NCSC · ENISA endorsed | Control Collapse Model™ + Board-Survivable Cyber Architecture™
MITRE ATLAS (Adversarial Threat Landscape for AI Systems) | Living Framework | AI/ML-specific attack taxonomy covering 14 tactics and 80+ techniques including model evasion, data poisoning, model inversion, and supply chain compromise. Purple team and adversarial validation of AI systems against MITRE ATLAS is referenced in EU AI Act Annex III conformity assessments and NIST AI RMF MEASURE function. | MITRE Corporation (US); EU AI Office aligned | AI Accountability Stack™
TIBER-EU (Threat Intelligence-Based Ethical Red Teaming) | In Force | ECB framework for red teaming financial infrastructure using real threat intelligence. Mandated for systemically important financial institutions. Tests entire kill-chain from reconnaissance to impact. TIBER-IE, TIBER-NL, TIBER-UK (CBEST equivalent) are national implementations. DORA TLPT is built on TIBER-EU methodology. | ECB / National Central Banks | Board-Survivable Cyber Architecture™
TLPT (Threat-Led Penetration Testing, DORA Art. 26) | In Force | Mandatory under DORA Article 26 for significant financial entities and critical ICT third-party providers. Based on TIBER-EU methodology. Must be conducted every 3 years by qualified external testers using current threat intelligence. Results shared with competent authorities. Distinct from standard penetration testing — full kill-chain, intelligence-led scenarios. | EBA / EIOPA / ESMA | Board-Survivable Cyber Architecture™ + Control Collapse Model™

MENA & Sovereign Regulatory Frameworks

Sovereign cyber regulatory frameworks governing operations in Gulf Cooperation Council (GCC) jurisdictions — relevant to regulated entities operating in Saudi Arabia, UAE, and the broader Gulf region. Referenced across 40+ published doctrines.

Framework | Status | Key Requirements | Enforcement Authority | Doctrine Response
Saudi NCA ECC (Essential Cybersecurity Controls) | In Force | 114 controls across 5 domains: Cybersecurity Governance, Risk Management, Compliance, Human Aspects, Information Asset Management, Identity & Access, Operations Security, Third-Party Security, Physical Security, and Resilience. Mandatory for all government entities and critical national infrastructure operators in Saudi Arabia. Annual self-assessment required. | Saudi National Cybersecurity Authority (NCA) | Board-Survivable Cyber Architecture™ + Decision Rights Architecture™
SAMA CSF (Saudi Arabian Monetary Authority Cybersecurity Framework) | In Force | Cybersecurity framework for Saudi financial sector regulated entities (banks, insurance, fintechs). Three-tier maturity model. 140+ controls covering governance, risk, compliance, and technical domains. Aligns with NIST CSF and ISO 27001. Mandatory annual maturity assessment submitted to SAMA. Financial penalties for non-compliance. | SAMA (Saudi Arabia) | Decision Rights Architecture™ + Evidence Chain Model™

🇮🇪 Ireland Digital Regulation Matrix (2026)

Ireland's regulatory environment has transitioned from high-level EU directives to specific, enforceable Irish statutes. Ireland holds a unique "Single Point of Contact" role for many multinational tech firms — Irish regulators often act as lead enforcer for the entire EU under the "One-Stop-Shop" mechanism.

Regulatory Area | Key Irish Legislation | Primary Oversight Body | 2026 Status & Key Focus | Doctrine Response
Data Protection | Data Protection Act 2018 (Revised 2026) | Data Protection Commission (DPC) | Active. Enhanced focus on "Dark Patterns" in UI/UX and mandatory "Right to be Forgotten" for children's data. | Evidence Chain Model™ + Board-Survivable Cyber Architecture™
Cybersecurity | National Cyber Security Bill 2024/26 | National Cyber Security Centre (NCSC) | Enforced (NIS2). Places the NCSC on a statutory footing; introduces personal liability for Board members regarding cyber negligence. | Decision Rights Architecture™ + Board-Survivable Cyber Architecture™
Artificial Intelligence | Regulation of AI Bill 2026 | AI Office of Ireland (Oifig IS) | Transitional (targeting 1 Aug 2026 statutory establishment). General Scheme of AI Bill 2026 published Feb 2026; Oifig IS currently operating on an administrative basis coordinating AI Act enforcement across existing sector regulators (Central Bank, DPC, etc.). | AI Accountability Stack™
Data Sharing / IoT | Data Bill 2025/26 | CCPC & ComReg | Implementation. Transposes the EU Data Act; ensures users can access and move data generated by connected devices (IoT). | Contract Control Matrix™
Online Safety | Online Safety & Media Regulation Act | Coimisiún na Meán | Active. Governs harmful content on social media and video platforms; can issue fines up to €20m or 10% of turnover. | Decision Rights Architecture™
Digital Services | Digital Services Act 2024 (Revised 2026) | Coimisiún na Meán | Active. Regulates online marketplaces and intermediaries to prevent illegal content and ensure transparency in advertising. | AI Accountability Stack™
Critical Threshold

Cyber Incident: 24 Hours

Under the 2026 Cyber Security Bill (NIS2), "Essential" and "Important" entities must provide an early warning to the NCSC within 24 hours of a significant incident.

Critical Threshold

AI Fines: Up to €35m / 7%

The AI Bill introduces penalties up to €35m or 7% of global turnover for prohibited AI practices. Dual-supervision applies when AI processes personal data (DPC + AI Office).

Critical Threshold

AI High-Risk Registry

Providers of high-risk AI systems (recruitment, credit scoring) must register in the National AI Register managed by Oifig IS before deployment.

🇬🇧 UK Digital & AI Regulation Matrix (2026)

The UK has shifted from "EU-lite" to a distinct "pro-innovation" regulatory environment — avoiding one-size-fits-all legislation in favour of giving specific powers to existing sector regulators. Despite 2026 reforms, the UK maintains Data Adequacy with the EU (renewed December 2025 until 2031), allowing cross-border data flows without additional safeguards.

Regulatory Area | Primary UK Legislation | Lead Regulator | 2026 Status & Key Requirements | Doctrine Response
Data Protection | Data (Use and Access) Act 2026 (DUAA) | ICO | Active. Streamlines GDPR; allows "opt-out" for analytics cookies and provides broader consent for scientific research. | Evidence Chain Model™
Artificial Intelligence | Sectoral Principles (Non-statutory) | Distributed (ICO, FCA, CMA) | Active. No single "AI Act." Regulators apply five principles (Safety, Fairness, Transparency, Accountability, Contestability) within their own industries. | AI Accountability Stack™
Cybersecurity | Cyber Security & Resilience Bill 2026 | NCSC | Enforced. Extends NIS1 to include data centres and Managed Service Providers. Mandatory 24-hour incident reporting. | Recoverability Mandate™ + Decision Rights Architecture™
IoT / Smart Tech | PSTI Act 2022 | OPSS | Strict Enforcement. Bans universal default passwords. Mandatory "Security Update" period labels on consumer products. | Contract Control Matrix™
Online Safety | Online Safety Act 2023 | Ofcom | Active enforcement. CSEA reporting duty in force 7 Apr 2026. Ofcom orders 40+ services to revise risk assessments. 77 of top 100 pornography services now have age assurance. Categorisation register delayed to Jul 2026. Technology notices guidance due Apr 2026. | Decision Rights Architecture™
Digital Markets | DMCC Act 2024 | CMA (DMU) | Active. Targets "Strategic Market Status" firms to prevent anti-competitive behaviour in mobile ecosystems and search. | Contract Control Matrix™

UK vs Ireland/EU — Critical Regulatory Differences (2026)

Feature | United Kingdom (2026) | Ireland / EU (2026)
AI Oversight | Sector-led: No new laws; existing regulators (FCA, ICO) adapt principles to their domains. | Centralised: The EU AI Act provides a single, horizontal law for all sectors.
Cookie Consent | Less Strict: Moving toward "Opt-out" for non-intrusive tracking. | Strict: "Reject All" buttons must be as prominent as "Accept All."
Cyber Liability | Supply Chain Focus: Targets providers like data centres and IT managed services. | Board Liability: Personal legal liability for CEOs/Boards under NIS2 Art. 20.
Automated Decisions | Flexible: Broadens "lawful bases" for AI-driven decision making. | Restricted: Users have a strong "Right to Explanation" and human intervention.
Data Adequacy | Maintained & Renewed: Adequacy renewed December 2025 until 2031 — data flows from Dublin to London without extra paperwork. | Standard: GDPR adequacy decisions and SCCs govern cross-border transfers.
April 2026

PSTI Enforcement

Retailers and importers face massive fines if selling smart devices with default passwords or missing security update information.

May 2026

Online Safety — Hash Matching

Ofcom's final codes take effect, requiring platforms to proactively block non-consensual intimate imagery.

August 2026

AI Safety Institute Testing

UK AI Safety Institute begins mandatory pre-deployment testing for "frontier" AI models developed or significantly deployed within the UK.

Cross-Regulatory Focus Areas

Incident Reporting

Strict timelines across all frameworks: 4 hours (DORA/financial), 24 hours (NIS2 early warning), 72 hours (GDPR breach notification). Non-compliance triggers personal liability for directors.

Supply Chain Security

DORA, NIS2, CRA, and the Telecoms Security Act all emphasise securing the entire ICT supply chain. Third-party risk management is now a regulatory requirement, not a best practice.

Active Surveillance

The EU Cyber Solidarity Act establishes SOC networks for cross-border threat detection. Combined with ENISA strengthening under the revised CSA, the EU is building active defence capability.

Last updated: April 2026 · Sources: EUR-Lex, European Commission, FCA, PRA, ICO, SEC, ENISA, UK Parliament, DPC, NCSC Ireland, Oifig IS, Ofcom, CMA, OPSS

Live Status

Regulatory Enforcement Countdown

Real-time tracking of critical compliance deadlines. These timers update live — when they reach zero, enforcement begins.

Critical Deadline

EU AI Act — Full Application

EU 2024/1689 Art. 113 — High-risk AI obligations enforceable

Active Enforcement

DORA — Supervisory Reviews

EU 2022/2554 — In force since 17 January 2025

Monitoring

NIS2 — Transposition Status

EU 2022/2555 — Deadline was 17 October 2024 · EC infringement proceedings vs 19 states · First audits due 30 June 2026 · First penalties issued Q1 2026

Self-Assessment

Governance Readiness Score

Evaluate your organisation's cyber governance maturity in 60 seconds. This diagnostic maps your current posture against DORA, NIS2, and EU AI Act enforcement requirements.

1. Does your board receive structured cyber risk reports at least quarterly?

2. Do you have documented Decision Rights for cyber incident escalation?

3. Can you produce an evidence chain for any control within 24 hours?

4. Have you stress-tested your operational resilience under a severe-but-plausible scenario?

5. Do you have AI governance controls mapped to EU AI Act requirements?

6. Are your third-party/outsourcing contracts governed by enforceable cyber controls?

Compliance is a commercial weapon for those who understand it and an extinction event for those who do not.

DORA. NIS2. EU AI Act. CRA. The organisations that move first set the enforcement standard for everyone else.
