📅 Upcoming Regulatory Deadlines
- Feb 20
2026 is a milestone year for regulatory compliance, particularly with the "full-strength" activation of the EU AI Act and the final implementation phases of India's DPDP Act.

The following table summarizes the most critical upcoming deadlines across these three major jurisdictions.
Jurisdiction | Regulatory Area | Key Deadline | Compliance Requirement |
--- | --- | --- | --- |
USA | ESG/Climate | Fiscal Year 2026 | Large Accelerated Filers (LAFs) must file their first SEC Climate Disclosure (based on FY2025 data). |
USA | Privacy | Jan 1, 2026 | CCPA amendments & new state laws in Indiana, Kentucky, and Rhode Island become enforceable (including GPC signal support). |
USA | Finance | Jan 1, 2026 | Initial Margin Requirements apply to covered swap entities with material exposure (Prudential Regulations). |
USA | Privacy | July 1, 2026 | Connecticut updates: Expanded sensitive data categories (neural/genetic) and automated decision-making opt-outs. |
EU | AI | Aug 2, 2026 | EU AI Act "Big Bang": Most rules become applicable, specifically for High-Risk AI systems and Transparency (Art. 50). |
EU | Data / Tech | Sept 12, 2026 | Data Act: Core B2B data-sharing and product-access obligations become mandatory for manufacturers of connected products. |
EU | Cybersecurity | Sept 11, 2026 | Cyber Resilience Act (CRA): Mandatory reporting of actively exploited vulnerabilities and serious incidents begins. |
EU | Environment | Jan 1, 2026 | EU Deforestation Regulation (EUDR): Large operators and traders must comply with strict supply chain reporting. |
EU | Sustainability | Jan 1, 2026 | CBAM (Carbon Border Adjustment Mechanism) enters its definitive period; mandatory carbon cost payments for importers. |
EU | ICT | March 20, 2026 | Register of Information (RoI) Submission: Financial entities must submit their full register of ICT third-party contracts to National Competent Authorities (NCAs) (e.g., BaFin, DNB, MFSA). |
EU | NCA to ESA Reporting | March 31, 2026 | National regulators must forward consolidated registers to the European Supervisory Authorities (EBA, ESMA, EIOPA). |
EU | Active Incident Reporting | Ongoing (2026) | The "4-hour to 24-hour" initial notification window for major ICT-related incidents is now fully active. |
EU | Designation of CTPPs | Ongoing (2026) | The ESAs will continue designating Critical Third-Party Providers (CTPPs), subjecting them to direct oversight and potential daily fines. |
India | Data Privacy | May 2026 | DPDP Act (Phase 2 Close): Completion of internal data mapping, gap analysis, and DPO appointments. |
India | Data Privacy | Nov 13, 2026 | Consent Manager Registration: Deadline for entities to register as Consent Managers with the Data Protection Board. |
India | Data Privacy | May 13, 2027 | DPDP Full Enforcement: Grace period ends; non-compliance penalties (up to ₹250 Cr) become active. |
Q1 2026:
📅 DORA: ICT Risk Management Framework documentation deadline
Without AI: 3 months manual work. With REDE: 3 weeks automated.
📅 EU AI Act: High-risk AI system registration opens. Penalty: €35M or 7% turnover.
Q2 2026:
📅 EU AI Act high-risk system registration
📅 CMS Prior Authorization: API compliance deadline
Healthcare compliance deadline. Our Info Blocking Monitor ensures 100% compliance.
📅 SEC Cybersecurity: Enhanced requirements begin. Real-time monitoring required.
Q3 2026:
📅 CMS Prior Authorization: API testing window
📅 DORA: Threat-led penetration testing. Penalty: €10M+
📅 FCA Consumer Duty: Enhanced monitoring requirements for UK financial services.
Q4 2026:
📅 PSD3: Strong customer authentication changes for EU payments.
📅 FDA: CDRH guidance final. GxP automation accelerators ready.



