2026 Regulatory Calendar and Compliance Deadline Planning

The 2026 regulatory environment presents numerous compliance deadlines requiring organizational preparation. The EU AI Act enters substantive compliance phases, the Data Act achieves full application, and financial services regulations including DORA reach operational milestones. Organizations must inventory applicable requirements, assess readiness status, and develop compliance roadmaps addressing upcoming deadlines. this analysis provides a thorough overview of major 2026 regulatory dates to support compliance planning.

Q1 2026 regulatory deadlines

January 2026 marks ongoing DORA compliance requirements for financial services entities. Organizations must maintain digital operational resilience capabilities, third-party risk registers, and incident reporting processes. Supervisory authorities expect full operational compliance and may conduct examinations.

February 2026 brings the EU AI Act prohibited practices full enforcement following the August 2025 effective date. Organizations must ensure complete elimination of prohibited AI systems including social scoring, manipulation systems, and certain biometric applications. Enforcement actions become fully applicable with significant potential penalties.

March 2026 SEC cybersecurity disclosure requirements continue with annual report obligations. Public companies must include cybersecurity risk management and governance disclosures in Form 10-K filings. Material incident disclosure requirements remain ongoing throughout the year.

PCI DSS 4.0 requirements that received extended timelines reach full enforcement in Q1. Organizations processing payment card data must implement all standard requirements without remaining transition accommodations. Assessment against full 4.0 requirements becomes mandatory.

Q2 2026 regulatory deadlines

April 2026 brings UK FCA Consumer Duty ongoing compliance requirements including board review obligations. Financial services firms must demonstrate continued compliance and conduct required board-level reviews of consumer duty implementation effectiveness.

May 2026 includes multiple US state privacy law effective dates. States with privacy laws becoming effective join the patchwork of state privacy requirements. Organizations must track applicable state requirements and ensure compliance programs cover newly effective laws.

June 2026 marks important CSRD reporting deadlines for in-scope companies. Large public-interest entities must have sustainability reporting processes operational for reporting on 2025 fiscal years. Report filing deadlines approach requiring completed data collection and assurance processes.

EU taxonomy reporting requirements expand with additional disclosure obligations. Organizations subject to taxonomy reporting must address expanded scope requirements in their sustainability disclosures.

Q3 2026 regulatory deadlines

August 2026 marks the EU AI Act general-purpose AI provider obligation effective date. Foundation model providers must implement transparency requirements, technical documentation, and safety evaluation obligations. Providers of GPAI models with systemic risk face enhanced requirements including model evaluation and serious incident reporting.

September 2026 brings the EU Data Act full application creating thorough data sharing and portability requirements. IoT manufacturers, cloud providers, and data holders face obligations for data access, switching, and interoperability. Implementation requires technical capabilities and contractual arrangements.

State privacy law developments continue with additional effective dates throughout Q3. Organizations must maintain awareness of state-by-state privacy requirements and ensure compliance programs adapt to new obligations.

Industry-specific requirements including updated healthcare interoperability deadlines and financial services reporting requirements create sector-specific compliance obligations.

Q4 2026 regulatory deadlines

October 2026 ISO 27001:2022 transition deadline requires organizations maintaining certification to complete transition from 2013 version. Certifications against the 2013 standard expire, requiring either transition or recertification against the current standard.

November 2026 DORA third-party risk register annual reporting requirements apply. Financial entities must submit updated registers of critical ICT third-party providers. Register maintenance and reporting processes must be operational.

December 2026 year-end reporting obligations include various regulatory filings and attestations. Organizations should ensure compliance reporting processes accommodate year-end deadlines while managing holiday staffing constraints.

Annual compliance program reviews should occur in Q4 to assess 2026 compliance effectiveness and plan 2027 requirements. Lessons learned from 2026 compliance activities inform program improvements.

EU AI Act implementation timeline

The EU AI Act phases in requirements over multiple years with 2026 representing critical implementation milestones. The prohibited practices prohibition that took effect in February 2025 has its first full calendar year of enforcement in 2026. Organizations must have fully eliminated any prohibited systems.

General-purpose AI provider obligations effective August 2026 require foundation model providers to implement substantial technical and documentation requirements. Providers must prepare transparency documentation, implement safety evaluation processes, and establish serious incident reporting capabilities.

High-risk AI system requirements phase in throughout 2026-2027 depending on specific application areas. Organizations deploying AI systems in high-risk categories should track applicable timeline requirements and prepare conformity assessment capabilities.

National competent authorities designated to oversee AI Act enforcement will establish enforcement approaches during 2026. Organizations should monitor guidance from relevant authorities and establish relationships supporting compliance.

Data Act application preparation

The EU Data Act achieves full application in September 2026 following entry into force in January 2024. The extended implementation period allows affected organizations time for compliance preparation. Organizations should use remaining time for implementation completion.

IoT data access requirements affect manufacturers of connected products. Products must be designed enabling users to access data generated through product use. Technical capabilities and terms of service must support data access rights.

Cloud switching requirements affect cloud service providers with obligations to support customer migration. Technical portability, contractual arrangements, and switching assistance requirements create provider obligations. Customers benefit from improved switching capabilities.

Data sharing obligations address business-to-business and business-to-government data access. Organizations may face obligations to share data with business partners or public authorities under specified conditions. Data sharing processes and agreements require preparation.

US regulatory developments

US federal AI regulation remains uncertain entering 2026 with ongoing policy debates about legislative approaches. Executive branch AI governance requirements from M-24-10 continue for federal agencies and contractors. Organizations should track both federal and state AI regulatory developments.

State privacy law expansion continues with multiple states implementing thorough privacy laws. The state patchwork creates compliance complexity requiring organizations to track applicable requirements across their operational footprint.

SEC climate disclosure requirements face ongoing implementation with timeline uncertainty from litigation challenges. Organizations should prepare for disclosure requirements while monitoring judicial and regulatory developments affecting applicability.

FTC enforcement priorities including AI, privacy, and competition matters continue presenting enforcement risk. Organizations should ensure practices align with FTC expectations across relevant domains.

International regulatory coordination

Cross-border regulatory coordination continues evolving affecting multinational organizations. EU adequacy decisions, bilateral agreements, and international standards influence compliance approaches. Organizations should track coordination developments affecting their international operations.

AI governance coordination through forums including OECD, G7, and bilateral arrangements may produce additional guidance or commitments. While formal regulations remain primarily national or regional, international coordination influences regulatory direction.

Data transfer mechanism developments affect international data flows. Standard contractual clauses, certification mechanisms, and transfer impact assessments remain important compliance tools. Organizations should maintain awareness of transfer mechanism developments.

Sanctions and export control compliance intersects now with technology regulation. Organizations must ensure technology-related activities comply with applicable trade restrictions alongside other regulatory requirements.

Compliance program recommendations

Regulatory deadline inventory should comprehensively identify applicable requirements across jurisdictions and domains. Gap analysis against deadline inventory identifies priority compliance activities. Resource allocation should address highest-priority gaps first.

Compliance roadmap development translates deadline inventory into implementation plans with milestones and responsibilities. Roadmaps should include buffer time for unexpected challenges and dependencies. Regular roadmap review ensures plans remain current.

Resource planning should account for compliance program staffing, technology, and external service requirements. Compliance resource demands peak around deadlines requiring advance planning. Shared service arrangements may address resource constraints efficiently.

Board and executive reporting should include regulatory environment overview and compliance status. Leadership visibility into regulatory obligations supports resource allocation decisions. Regular compliance reporting maintains organizational attention on regulatory requirements.

60-day priority list

• Conduct thorough inventory of 2026 regulatory deadlines applicable to the organization.
• Assess current compliance readiness against inventoried requirements.
• Develop compliance roadmap with prioritized implementation activities.
• Allocate resources for compliance program execution including staffing and technology.
• Establish monitoring processes for regulatory developments affecting timeline or requirements.
• Prepare board and executive briefing on 2026 regulatory calendar.
• Engage legal counsel and compliance advisors on complex requirements.
• Coordinate with business units on compliance requirements affecting operations.

Assessment

The 2026 regulatory calendar presents substantial compliance obligations across multiple domains and jurisdictions. EU regulations including the AI Act and Data Act enter critical implementation phases. US requirements continue evolving at both federal and state levels. Organizations face complex compliance landscapes requiring systematic planning and execution.

Deadline awareness alone proves insufficient for compliance success. Organizations must translate awareness into implementation roadmaps with resources, responsibilities, and milestones. Procrastination until deadline proximity creates compliance risk and organizational stress.

Cross-functional coordination enables efficient compliance across organizational silos. Requirements spanning legal, technology, operations, and business functions require coordinated response. Siloed compliance efforts create gaps and inefficiencies.

Regulatory monitoring should continue throughout 2026 as requirements may change or new obligations emerge. Static compliance planning proves inadequate in dynamic regulatory environments. Organizations should maintain awareness and adaptation capabilities.

This analysis recommends organizations treat 2026 regulatory compliance as requiring immediate planning attention. The volume and complexity of applicable requirements necessitate systematic approaches beginning in early 2026 to achieve compliance by relevant deadlines.

You may also find useful

Hand-picked articles on adjacent topics.

Compliance · Credibility 92/100 · December 27, 2025

2025 Regulatory Year in Review and 2026 Enforcement Priorities

Regulators globally increased enforcement activity in 2025 with record GDPR fines, SEC cybersecurity actions, and FTC privacy settlements. The EU AI Act entered its first compliance phase while DORA and NIS2 approached…

Compliance · Credibility 93/100 · December 15, 2025

Compliance — Regulatory compliance

It is year-end, which means it is time to take stock of what compliance teams got done in 2025 and what is coming down the pike. PCI DSS 4.0 full compliance hits in March, DORA is now in effect for financial services…

Compliance · Credibility 94/100 · February 13, 2026

EU Digital Operational Resilience Act First Enforcement Wave Reveals ICT Risk Management Gaps Across Financial Sector

The European Supervisory Authorities have initiated the first coordinated enforcement actions under the Digital Operational Resilience Act, issuing supervisory findings to over forty financial institutions across…

Compliance · Credibility 95/100 · February 20, 2026

EU AI Act Enforcement Begins — First High-Risk Classification Decisions Signal Strict Interpretation of Article 6 and Annex III Requirements

The European Commission's AI Office issued its first formal enforcement decisions under the EU AI Act, classifying three deployed AI systems as high-risk under Article 6 and Annex III and requiring retroactive compliance…

Compliance · Credibility 96/100 · February 23, 2026

DORA Six-Month Review — Financial Institutions Report 847 Major ICT Incidents as Operational Resilience Testing Reveals Third-Party Concentration Risk

Six months after the Digital Operational Resilience Act went into effect across EU financial institutions, supervisory authorities report 847 major ICT incidents classified under Article 19 reporting obligations, with…

Continue in the Compliance pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Third-Party Risk Oversight Playbook

  Operationalize OCC, Federal Reserve, EBA, and MAS outsourcing expectations with lifecycle controls, continuous monitoring, and board reporting.

• Compliance Operations Control Room

  Implement cross-border compliance operations that satisfy Sarbanes-Oxley, DOJ guidance, EU DORA, and MAS TRM requirements with verifiable evidence flows.

• ESG Assurance Operating Guide

  Deploy credible ESG assurance across CSRD, SEC climate disclosure, and ISSA 5000 requirements with regulator-aligned controls, data governance, and audit-ready evidence.

Coverage intelligence

Published

January 1, 2026

Coverage pillar

Compliance

Source credibility

91/100 — high confidence

Topics

Regulatory Calendar · Compliance Planning · EU AI Act · Data Act · DORA · Privacy Laws

Sources cited

3 sources (eur-lex.europa.eu, pwc.com)

Reading time

7 min

Documentation

1. EU AI Act Official Text and Timeline — eur-lex.europa.eu
2. EU Data Act Regulation Text — eur-lex.europa.eu
3. 2026 Global Regulatory Outlook — pwc.com