Cyber
Applying
Cyber Resilience Act
Regulation (EU) 2024/2847
11 Sep 2026Key deadline
Article 14 reporting obligations apply, including to products already on the market
GovernsCybersecurity of products with digital elements on the EU market.
Applies toManufacturers, importers, distributors and open-source stewards of products with digital elements.
The EU's cybersecurity rules for products with digital elements. The first duty to bite is vulnerability reporting from 11 September 2026, not full application in 2027.
Cyber
Transposing
NIS2 Directive
Directive (EU) 2022/2555
17 Oct 2024Passed
National transposition deadline
GovernsBaseline cyber-risk management, ICT supply-chain security and incident reporting.
Applies toEssential and important entities across 18 sectors providing critical services in the EU.
The EU's baseline cybersecurity directive for essential and important entities, extended by the digital-infrastructure implementing regulation and the NIS Cooperation Group's ICT supply-chain toolbox.
Cyber
In negotiation
Cybersecurity Act revision (CSA2)
COM(2026) 11
In negotiation
Proposal published by the Commission
GovernsRevision of the Cybersecurity Act: ENISA mandate and certification, ICT supply-chain security framework.
Applies toENISA, national cybersecurity authorities, ICT product and service vendors and customers.
Reworks the EU Cybersecurity Act by updating ENISA’s mandate, reshaping certification and adding an ICT supply-chain security framework.
Omnibus
In negotiation
Digital Omnibus (data)
COM(2025) 837
In negotiation
EDPB-EDPS joint opinion
GovernsSimplification of the data and cyber acquis; single incident-reporting entry point; merges DGA, Open Data Directive, Free Flow of Non-Personal Data and P2B into the Data Act.
Applies toAnyone under the EU data and cybersecurity acquis.
The Commission’s clean-up pass on the EU data rulebook, cutting overlap across GDPR, the Data Act, ePrivacy and NIS2.
Omnibus
In negotiation
Digital Omnibus on AI
COM(2025) 836
In negotiation
Provisional agreement (Parliament / Council)
GovernsSimplification of the AI Act, chiefly the timing of high-risk obligations ("stop-the-clock").
Applies toAnyone in scope of the AI Act.
The Commission’s proposal to ease AI Act implementation, mainly by delaying high-risk obligations until relevant standards are available.
Omnibus
Applying
Artificial Intelligence Act
Regulation (EU) 2024/1689
2 Aug 2026Key deadline
High-risk (Annex III) obligations apply
GovernsAI systems placed on the EU market, regulated by risk tier.
Applies toProviders, deployers, importers and distributors of AI systems placed on the EU market.
The EU's risk-based AI rulebook. The Digital Omnibus proposes moving high-risk obligations, tied to available standards with a long-stop of December 2027.
Omnibus
Applying
Data Act
Regulation (EU) 2023/2854
12 Sep 2026Key deadline
Connected-product design obligations apply
GovernsAccess to and sharing of connected-product data; cloud switching.
Applies toMakers, holders and recipients of connected-product data, and the public sector.
Rules on who can access and share data from connected products and related services, now being amended by the data omnibus.
Omnibus
Being merged
Data Governance Act
Regulation (EU) 2022/868
Being merged
Repeal and merge into the Data Act via the data omnibus (COM(2025) 837)
GovernsData-sharing framework, data intermediaries, data altruism.
Applies toData intermediaries, public-sector bodies, data-altruism organisations.
The EU’s framework for data intermediaries and data altruism, set to be repealed and folded into the Data Act.
Infrastructure
In negotiation
Digital Networks Act
COM(2026) 16
In negotiation
Proposal published by the Commission
GovernsTelecoms framework reform replacing the EECC: spectrum, 'fair share', satellite connectivity, and equipment supply-chain security.
Applies toElectronic-communications operators and providers.
A rewrite of EU telecom rules covering spectrum, investment, satellite connectivity and equipment supply-chain security.
Infrastructure
In negotiation
Cloud and AI Development Act
COM(2026) 502
In negotiation
Proposal published (COM(2026) 502 final)
GovernsCloud sovereignty tiers, public procurement and EU compute capacity.
Applies toCloud and AI infrastructure providers, and public buyers.
Sets sovereignty tiers for cloud and AI infrastructure, especially in public procurement, while pushing EU compute capacity.
Infrastructure
In negotiation
Chips Act 2.0
COM(2026) TBC
In negotiation
Proposal published (COM(2026) 504 final)
GovernsRevision of the 2023 Chips Act: supply-chain resilience, demand-side measures, emergency powers.
Applies toThe semiconductor supply chain and end markets.
The semiconductor arm of the tech-sovereignty package, updating resilience tools, investment rules and crisis powers.
Infrastructure
In negotiation
EU Space Act
COM(2025) 335
1 Jan 2030Proposed
Application under the current draft
GovernsSafety, resilience and sustainability of space activities; lex specialis to NIS2 for space operators.
Applies toSpace operators and operators of ground and space infrastructure.
Tailored safety, resilience and cybersecurity rules for space activities, acting as a sector-specific rulebook alongside NIS2.
Corporate
In negotiation
EU Inc (28th regime)
COM(2026) 321
1 Jan 2028Proposed
Applicable under the current draft
GovernsOptional EU-wide corporate legal form for innovative companies, digital-only.
Applies toStartups and scaleups incorporating across borders.
Creates an optional EU-wide company form for innovative firms to incorporate digitally across borders under one regime.
Corporate
In negotiation
European Business Wallets
COM(2025) 838
In negotiation
Public bodies to accept within 24 months of entry into force
GovernsSecure cross-border identification, e-signing and document exchange for businesses.
Applies toEconomic operators and public-sector bodies.
A business digital wallet for cross-border identification, signing and document exchange, built on the eIDAS framework.