The year 2026 marks a turning point in the timeline for compliance with the EU's digital regulations. The AI Act, MiCA, the Cyber Resilience Act, and the Data Act—each will introduce specific obligations with clear deadlines this year. Here is what businesses, technology providers, and policy makers need to know.
AI Act
Regulation on Artificial Intelligence
August 2nd, 2026
Application of the remaining general provisions of the AI Act
The main AI Act compliance date in 2026 remains August 2, 2026. As of that date, the remaining general provisions of the AI Act become applicable. However, the obligations relating to high-risk AI systems under Article 6(2) and Annex III and under Article 6(1) and Annex I follow later, revised application dates. (Legislative basis: Article 113, as amended)
August 2, 2026
Transitional regime for systems already placed on the market
High-risk AI systems placed on the market or put into service before August 2, 2026, are not automatically subject to the new regulation. It applies to them only if, after that date, they undergo significant design changes. A key provision for operators with existing systems. In parallel, the amendments introduce a specific 2026 transitional deadline for providers of AI systems generating synthetic audio, image, video or text content that were placed on the market before August 2, 2026, requiring compliance with Article 50(2) by November 2, 2026.
(Legislative basis: Article 111(2) and Article 111(4), as amended)
August 2, 2026
Obligations for Member States: regulatory sandboxes and penalty regimes
Member States must have at least one regulatory sandbox for AI in operation and must adopt and notify their national penalty regime—both by August 2, 2026. (Legislative basis: Art. 57(1))
MiCA
Regulation on Crypto Asset Markets
July 1, 2026
Expiration of the transition period for crypto-asset service providers
Providers that have operated in accordance with applicable national law prior to December 30, 2024, may continue to operate until July 1, 2026, at the latest—or until they receive or are denied authorization under Article 63 of MiCA.
The national legal framework for implementing MiCA is currently being developed in Romania, with a draft legislative act under public consultation at the Ministry of Finance available at the following web address: https://mfinante.gov.ro/acasa/transparenta/proiecte-acte-normative.
(Legislative basis: Article 143(3) of Regulation 2023/1114)
Cyber Resilience Act
Regulation on Cyber Resilience
June 11, 2026
Functional notification system for conformity assessment bodies
By June 11, 2026, Member States must implement the notification system for conformity assessment bodies—including the designation of notifying authorities and the establishment of operational requirements for notified bodies. (Legislative basis: Chapter IV, Articles 35–51)
September 11, 2026
Obligations to report vulnerabilities and security incidents
Starting September 11, 2026, covered economic operators must actively report exploited vulnerabilities and serious incidents affecting the security of products with digital components. This is one of the most concrete operational obligations in the CRA for companies. (Legislative basis: Art. 14)
December 11, 2026
Ensuring a sufficient number of notified bodies
The 2026 deadline in the CRA timeline: By December 11, 2026, Member States must ensure that an adequate number of notified bodies are available to assess the conformity of digital products. (Legislative basis: Article 35(2))
Data Act
Data Regulation
September 12, 2026
Data accessibility for users: obligations for connected products
For connected products placed on the market after September 12, 2026, manufacturers are required to design and manufacture them in such a way that the data generated is directly accessible to the user—by default, easily, securely, and free of charge, in a structured and machine-readable format. The same requirement applies to related services. (Legislative basis: Art. 3(1))
Note: DORA, NIS2, and the Data Governance Act do not contain obligations with deadlines that are due or expire in 2026.