IT Compliance Checklist 2027: Every Deadline and Obligation at a Glance
2027 brings continued enforcement of regulations that took effect in 2025–2026, plus the critical CRA full compliance deadline in December. This quarterly checklist ensures compliance officers, CISOs, and IT leaders can track every obligation, assign ownership, and avoid the costly surprises that come from missed deadlines.
Q1 2027 (January–March)
DORA
- Complete annual ICT risk management framework review and update
- Submit any outstanding incident reports from 2026 to the competent authority
- Review and update ICT third-party register
- Begin TLPT planning for designated institutions (provider selection, scope definition)
NIS2
- Verify registration with national authority (BSI) is current
- Review and update cybersecurity risk management measures against Article 21
- Conduct Q1 security awareness training refresh
- Review supply chain security assessments for critical vendors
GDPR
- Annual records of processing activities (ROPA) review
- Update DPIAs for processing activities that changed in 2026
- Review and renew data processing agreements with processors
- Conduct data retention review and purge expired data
ISO 27001
- Prepare for annual surveillance audit (if certified)
- Update risk treatment plan for changes since last audit
- Review and update Statement of Applicability
- Complete management review
Q2 2027 (April–June)
DORA
- Begin TLPT execution for designated institutions
- Conduct ICT business continuity plan testing (annual requirement)
- Review ICT incident classification against updated RTS
NIS2
- Prepare for potential BSI audit — ensure all documentation is current and accessible
- Document supply chain security measures and vendor assessment results
- Conduct mid-year vulnerability assessment
AI Act
- Review AI system inventory for new deployments since last review
- Ensure high-risk systems meet ongoing monitoring and logging requirements
- Update conformity assessment documentation for modified systems
Security Operations
- Conduct mid-year phishing simulation campaign
- Schedule annual penetration test
- Review and update incident response plan based on Q1 lessons
Q3 2027 (July–September)
CRA (Critical Phase)
- Final push for December compliance — complete conformity assessments for all products
- Finalize SBOMs for all products
- Complete technical documentation per Annex VII
- Engage notified bodies for Class II products (if not already done)
- Prepare EU declarations of conformity
DORA
- Complete TLPT cycle and document results
- Review ICT third-party contracts for renewal or renegotiation
- Ensure critical provider register is up to date
Security Testing
- Complete annual penetration test
- Remediate critical and high findings within defined SLAs
- Conduct tabletop exercise for incident response
Q4 2027 (October–December)
CRA (Deadline: December 11)
- Complete all conformity assessments
- Affix CE marking to all compliant products
- Verify all documentation is complete and archived (10-year retention)
- Train sales and distribution teams on CRA compliance status
- Plan for products that cannot meet the deadline (withdrawal or transition plan)
DORA
- Prepare annual digital operational resilience report
- Document testing results and improvement actions
- Plan 2028 ICT risk management framework improvements
NIS2
- Year-end incident review and lessons learned
- Update incident response plans based on 2027 experience
- Review and refresh risk management measures for 2028
Budget and Planning
- Finalize 2028 compliance budget based on 2027 experience and upcoming regulatory changes
- Review compliance tool stack — consolidate or upgrade as needed
- Set 2028 compliance objectives and KPIs
Who Owns What?
- CISO: Security operations, risk management, penetration testing, awareness programs
- DPO: GDPR compliance, DPIAs, data subject rights, ROPA
- Compliance Officer: Regulatory monitoring, audit coordination, reporting
- CTO/IT Director: CRA product compliance, technical documentation, SBOM management
- Executive Management: DORA governance oversight, NIS2 management liability, budget approval
- Legal: Contractual compliance (DORA third-party clauses), regulatory notifications, liability assessment
Frequently Asked Questions
Who is responsible for IT compliance in the organization?
Ultimate responsibility lies with executive management — DORA and NIS2 make this explicit with personal liability provisions. Day-to-day coordination typically falls to the CISO, compliance officer, or DPO depending on the regulation. An integrated compliance function that coordinates across frameworks works best for managing multiple overlapping requirements.
How do we track compliance across multiple regulations?
Use a GRC platform that maps controls to multiple regulatory frameworks. This avoids duplicate effort and provides a single dashboard for compliance status. If budget is limited, a structured spreadsheet mapping controls to requirements works as a starting point. The key is having one unified view, not separate tracking per regulation.
What are the biggest compliance risks in 2027?
CRA non-compliance (products blocked from EU market after December 11), NIS2 audit failures (fines up to EUR 10M or 2% turnover), DORA enforcement actions for inadequate ICT risk management, and AI Act violations for high-risk systems (fines up to EUR 35M or 7% turnover). Prioritize by your specific exposure.