Regulatory Year in Review 2026: DORA, NIS2, AI Act — What Was Implemented and What Comes Next

2026 was the year when the EU’s digital regulation wave hit shore simultaneously. DORA became applicable in January, NIS2 national transposition deadlines passed and enforcement began, the AI Act’s high-risk obligations took effect in August, and the CRA’s vulnerability reporting requirement started in September. For many organizations, 2026 meant implementing multiple regulatory frameworks in parallel — a challenge that tested governance structures, budgets, and organizational patience.
This review takes stock: what worked, what didn’t, what surprised us, and what organizations must prepare for as 2027 brings the next wave of deadlines.
DORA: First Year in Practice
DORA became applicable on January 17, 2026. Financial institutions and their critical ICT service providers had to demonstrate compliance with ICT risk management, incident reporting, resilience testing, and third-party risk management requirements.
Implementation reality: Most large banks achieved baseline compliance for the January deadline, but the quality of implementation varied significantly. Common challenges:
- ICT third-party contract renegotiation proved more time-consuming than anticipated; many contracts required fundamental restructuring to meet Article 30 requirements.
- The ICT incident classification and reporting framework (Article 18) created confusion about what constitutes a reportable incident versus a near-miss.
- TLPT (Threat-Led Penetration Testing) scoping and provider selection took longer than expected for institutions in the first testing cycle.
- Management body oversight requirements (Article 5) required board training and reporting restructuring.
Key lesson: Organizations that started DORA preparation in 2024 (18+ months before the deadline) fared dramatically better than those who started in mid-2025. The framework is comprehensive, and last-minute compliance is superficial compliance.
NIS2: The Enforcement Challenge
NIS2 significantly expanded the scope of cybersecurity regulation to approximately 160,000 entities across the EU. National implementations varied widely: some member states transposed on time, others did not. Germany’s BSI gained expanded enforcement powers.
Implementation reality: Many newly in-scope organizations, especially mid-sized enterprises, underestimated the effort required. The 24-hour initial incident reporting requirement proved particularly challenging for organizations without established SOC operations. Supply chain security requirements (Article 21(2)(d)) created cascading compliance demands through vendor relationships. Management liability provisions (Article 20) triggered board-level engagement for the first time in many organizations.
EU AI Act: High-Risk Phase Begins
August 2, 2026 was the date from which the AI Act’s obligations for high-risk AI systems applied. Organizations deploying AI in credit scoring, recruitment, critical infrastructure, or biometric identification had to demonstrate conformity assessments, risk management, and human oversight.
Implementation reality: The biggest surprise was the AI inventory gap. Many organizations discovered they could not answer a basic question: which AI systems do we actually use? Shadow AI (departmental tools, vendor-embedded AI, automated decision-making in legacy systems) was far more prevalent than anticipated. The intersection with existing regulations (MaRisk model risk management, DORA ICT risk) created both efficiency opportunities and coordination challenges.
CRA: Vulnerability Reporting Starts
Since September 11, 2026, manufacturers of products with digital elements must report actively exploited vulnerabilities to ENISA within 24 hours. This first CRA milestone revealed how many manufacturers lacked the basic infrastructure for compliance:
- no SBOM (Software Bill of Materials) to identify affected products quickly,
- no coordinated vulnerability disclosure policy,
- no established relationship with ENISA’s reporting platform, and
- no internal escalation process from engineering to legal to management for vulnerability disclosure decisions.
Cross-Regulation Lessons
- Start early: 18+ months before deadlines. Organizations that waited until 6 months before consistently delivered incomplete, superficial compliance.
- Exploit synergies: DORA, NIS2, and ISO 27001 share 60–70% of requirements. Implementing them in silos wastes resources and creates inconsistency. Build a unified control framework.
- The human factor: Technology and documentation are necessary but insufficient. Training, awareness, and process integration into daily operations determine actual resilience.
- Continuous compliance: These regulations are not projects with end dates. Build compliance into business-as-usual processes from day one.
- Board engagement matters: Regulations that impose management liability (NIS2 Article 20, DORA Article 5) drive fundamentally different organizational engagement than those that don’t.
Looking Ahead: 2027 Priorities
- CRA full compliance by December 11, 2027: All products must meet essential requirements and carry CE marking.
- DORA TLPT first cycle: Systemically important institutions must complete threat-led penetration testing.
- NIS2 enforcement maturation: Expect the first significant penalties and systematic audits.
- AI Act general-purpose AI: Continued enforcement development for GPAI models.
Frequently Asked Questions
Which regulation should we prioritize?
Start with whatever has the nearest enforcement deadline or highest penalty exposure. For most organizations in 2027: NIS2 (active enforcement with significant fines), DORA (if in financial services — supervisory expectations are already high), CRA (if you manufacture digital products — December 2027 is the hard deadline), and AI Act (if you deploy high-risk AI — obligations are already active).
Can we achieve compliance with multiple regulations simultaneously?
Absolutely, and you should. Map requirements to a single control framework and implement once. The overlap between DORA, NIS2, and ISO 27001 is substantial enough that a unified approach saves 40–50% of implementation effort compared to treating each regulation separately.