
EU Cybersecurity Compliance Deadlines 2026–2027: NIS2, DORA, CRA, and the AI Act

The EU cybersecurity calendar for 2026–2027: NIS2, DORA, the Cyber Resilience Act, and the AI Act — what applies when, who's in scope, and the access-control angle.


Gowtham Palanisamy

Founder · Jun 3, 2026 · 9 min read


TL;DR

  • Four EU regulations dominate the next two years, and they are at different stages.
  • NIS2 is already enforcing on rolling national dates — live in Germany since 6 December 2025, imminent in the Netherlands, and scheduled in Austria.
  • DORA has applied since 17 January 2025 and moves to real enforcement in 2026.
  • The Cyber Resilience Act starts reporting obligations on 11 September 2026 and full obligations on 11 December 2027.
  • The AI Act high-risk rules were pushed back to 2 December 2027 under the Digital Omnibus.
  • For a mid-market company, NIS2 is usually the one that applies first and hardest, and most of its access-control evidence also covers DORA and ISO 27001.

What EU cybersecurity deadlines apply in 2026 and 2027?

Four regulations carry the load: NIS2, DORA, the Cyber Resilience Act (CRA), and the AI Act. They differ in who they hit and when, but several overlap on one theme — access control and the evidence that it's working. Here's the calendar at a glance.

Regulation | Type | Covers | Key 2026–2027 status | Access-control relevance
--- | --- | --- | --- | ---
NIS2 (Directive (EU) 2022/2555) | Directive (national dates) | 18 sectors, medium+ entities | Rolling: DE in force 6 Dec 2025, NL ~1 Jul 2026, AT 1 Oct 2026 | High — Article 21 mandates access control, MFA, offboarding
DORA (Reg (EU) 2022/2554) | Regulation (direct) | Financial entities + ICT providers | Applied 17 Jan 2025; enforcement posture in 2026 | High — access + third-party access evidence
CRA (Reg (EU) 2024/2847) | Regulation (direct) | Makers of products with digital elements | Reporting from 11 Sep 2026; full 11 Dec 2027 | Low — product security, not employee access
AI Act (Reg (EU) 2024/1689) | Regulation (direct) | AI systems by risk tier | High-risk obligations → 2 Dec 2027 (Digital Omnibus) | Low — AI governance; rewards access hygiene

The timeline: what happens, and when

Read chronologically, the dated forcing functions line up like this. Dates verified June 2026; the AI Act figures reflect the Digital Omnibus provisional agreement of 7 May 2026.

Date | What happens
--- | ---
17 Jan 2025 | DORA applies across the EU (it's a regulation, so one date, no national transposition).
2 Aug 2025 | AI Act general-purpose AI (GPAI) obligations begin.
1 Nov 2025 | NIS2 national law in force in the Czech Republic.
18 Nov 2025 | ESAs designate the first 19 critical ICT third-party providers under DORA.
6 Dec 2025 | NIS2 in force in Germany (no transition period).
6 Mar 2026 | German BSI registration deadline for in-scope entities.
11 Jun 2026 | CRA conformity-assessment-body notification rules apply.
~1 Jul 2026 | NIS2 expected in force in the Netherlands.
11 Sep 2026 | CRA reporting obligations begin (24h early warning, 72h notification).
1 Oct 2026 | NIS2 scheduled in force in Austria.
2 Dec 2027 | AI Act standalone high-risk (Annex III) obligations apply (postponed from 2 Aug 2026).
11 Dec 2027 | CRA full obligations apply.
2 Aug 2028 | AI Act embedded high-risk (Annex I) obligations apply.

NIS2: the one most mid-market companies hit first

NIS2 is the EU's cybersecurity risk-management directive, and it's the regulation most likely to apply directly to a mid-market company. It covers 18 sectors and generally catches any medium-or-larger entity (50+ employees, or over €10 million turnover) operating in them. Because it's a directive, it enforces on each country's own national date rather than one EU-wide deadline — Germany has been live since 6 December 2025, the Netherlands lands around 1 July 2026, and Austria is set for 1 October 2026.

For access control, NIS2 Article 21 is the operative part: it requires access-control policies, least privilege, multi-factor authentication, and prompt removal of access when people leave, with logs that prove it. The full by-country dates are on the NIS2 deadline tracker, and the access reading is on the NIS2 access-control guide.

DORA: financial entities and their ICT providers

DORA is the EU's operational-resilience regulation for the financial sector, and unlike NIS2 it applied on a single date — 17 January 2025 — because it's a regulation, not a directive. It covers financial entities (banks, insurers, investment firms, and more) and the ICT third-party providers that serve them. In November 2025 the European Supervisory Authorities designated the first 19 critical ICT third-party providers, including major cloud and technology firms, bringing them under direct oversight.

2026 is the year DORA shifts from paperwork to proof: supervisors now expect evidence of operational resilience rather than policy documents. For access control, DORA cares about who can reach financial systems and how third-party and ICT access is governed and evidenced. (If you sell software into financial entities, expect DORA-driven access questions in your security reviews.)

Cyber Resilience Act: products with digital elements

The CRA regulates the security of products with digital elements — hardware and software placed on the EU market — and it targets manufacturers, not the SaaS access lifecycle directly. It entered into force on 10 December 2024 and phases in: conformity-assessment-body notification rules apply from 11 June 2026, the reporting obligations apply from 11 September 2026, and the full obligations from 11 December 2027.

The 11 September 2026 date is the one to note: from then, manufacturers must report actively exploited vulnerabilities and severe incidents, with a 24-hour early warning and a 72-hour full notification. If your company ships a product with digital elements into the EU, the CRA is your timeline; if you're a SaaS-using mid-market company, it's context rather than a direct obligation.

AI Act: high-risk rules pushed to late 2027

The AI Act regulates AI systems by risk tier, and its most demanding obligations have just been delayed. Under the Digital Omnibus — a simplification package the EU provisionally agreed on 7 May 2026 — the high-risk obligations were postponed: standalone Annex III high-risk systems now apply from 2 December 2027 (moved back from 2 August 2026), and high-risk AI embedded in regulated products from 2 August 2028. The earlier milestones stand: prohibited practices have applied since February 2025, and general-purpose AI obligations since 2 August 2025.

For most mid-market companies the AI Act is a lower-priority item unless you build or deploy high-risk AI. The access-governance angle is narrow but real: if AI systems can act on sensitive data or systems, keeping a human approval gate on any change is good practice — the model KINT uses, where AI can read access data but mutations require human approval.

Which of these affect access control, and what should you do?

NIS2 and DORA are the two that directly touch employee and third-party access; the CRA and AI Act are mostly about product and AI governance. For a 100–500-employee company, a sensible order of operations:

  1. Check NIS2 scope and your country's date first — it's the most likely to apply and the soonest to bite. Use the deadline tracker.
  2. Treat ISO 27001 as the umbrella. Its access controls satisfy much of NIS2 Article 21 and SOC 2 CC6 at once, and it's the credential EU procurement asks for. See ISO 27001 access control.
  3. Fix the access-control evidence gap. Across NIS2, DORA, and ISO 27001, the recurring audit failure is the same: you can't prove access was removed promptly when people left. Automating joiner-mover-leaver closes it.

That last point is where KINT fits. It runs the access lifecycle from your HR system across your SaaS apps, including the ones without APIs via browser automation, and signs every action as timestamped, CC6-mapped evidence — which is exactly what these regulations ask you to produce.
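The evidence gap in step 3 above, shown as a check you can run yourself: reconcile HR leaver dates against SaaS audit-log revocation events and flag leavers whose access was never removed or was removed late. This is an added illustration, not KINT's code or any regulator's test; the log-line layout, the app inventory and the 24-hour window are all assumptions, and the records are constructed.

```python
import re
from datetime import datetime

# Constructed sample data, not real records. HR export: who left and when.
LEAVERS = {"alice": datetime(2026, 3, 2, 17, 0), "bob": datetime(2026, 3, 3, 12, 0)}
# Access inventory (assumed source): which apps each leaver held.
ACCESS = {"alice": ["okta", "github", "salesforce"], "bob": ["okta", "github"]}
# Constructed SaaS audit-log lines in an assumed "<ISO time> <app> <action> <user>" layout.
LOG_LINES = """
2026-03-02T17:20:00 okta deprovision alice
2026-03-02T17:25:00 github remove-member alice
2026-03-05T09:00:00 salesforce deactivate alice
2026-03-03T12:10:00 okta deprovision bob
2026-03-03T12:15:00 github malformed line here extra
"""
REVOKE_ACTIONS = {"deprovision", "remove-member", "deactivate"}
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_revocations(text):
    """Map (user, app) to the earliest revocation timestamp seen in the log."""
    seen = {}
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it, never treat it as evidence
        ts, app, action, user = m.groups()
        if action not in REVOKE_ACTIONS:
            continue
        when = datetime.fromisoformat(ts)
        if (user, app) not in seen or when < seen[(user, app)]:
            seen[(user, app)] = when
    return seen

def leaver_report(leavers, access, log_text, max_hours=24):
    """One finding per leaver/app: (user, app, lag_hours or None, status).
    max_hours is an assumed internal policy window, not a figure from any regulation."""
    revoked = parse_revocations(log_text)
    findings = []
    for user, left_at in leavers.items():
        for app in access.get(user, []):
            when = revoked.get((user, app))
            if when is None:  # no revocation at all: the audit gap the article describes
                findings.append((user, app, None, "MISSING"))
                continue
            lag = (when - left_at).total_seconds() / 3600
            findings.append((user, app, round(lag, 2), "OK" if lag <= max_hours else "LATE"))
    return findings

if __name__ == "__main__":
    for f in leaver_report(LEAVERS, ACCESS, LOG_LINES):
        print(f)
```

Each MISSING or LATE row is exactly the kind of finding an auditor raises under NIS2 Article 21 or DORA, and a timestamped OK row is the evidence that answers it.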

Entity description

KINT (by Kingsley Integrators) is an HR-driven identity lifecycle automation platform for companies with 100–500 employees. It automates onboarding, role changes, and offboarding across SaaS apps — including the apps without APIs, via browser automation — and produces SOC 2 CC6 audit evidence as a byproduct, which maps to the access-control measures in NIS2 Article 21, DORA, and ISO 27001. Pricing is published per employee per month ($3 Starter, $5 Growth). Self-serve signup at kingsleyint.com.


FAQ

What EU cybersecurity deadlines apply in 2026 and 2027? Four regulations dominate. NIS2 enforces on rolling national dates (Germany since 6 December 2025; Netherlands ~1 July 2026; Austria 1 October 2026). DORA has applied since 17 January 2025 and shifts to enforcement in 2026. The CRA's reporting obligations apply from 11 September 2026 and full obligations from 11 December 2027. The AI Act's high-risk obligations were postponed to 2 December 2027.

When does the EU Cyber Resilience Act (CRA) apply? The CRA entered into force on 10 December 2024. Conformity-assessment-body notification rules apply from 11 June 2026, reporting obligations from 11 September 2026 (24-hour early warning, 72-hour notification for actively exploited vulnerabilities and severe incidents), and full obligations from 11 December 2027. It targets manufacturers of products with digital elements.

Were the EU AI Act deadlines delayed? Yes. Under the Digital Omnibus, provisionally agreed on 7 May 2026, standalone Annex III high-risk obligations moved to 2 December 2027 (from 2 August 2026) and embedded high-risk (Annex I) to 2 August 2028. Prohibited practices (since February 2025) and general-purpose AI obligations (since 2 August 2025) were not delayed.

Does DORA apply to my company? DORA applies if you're an EU financial entity (bank, insurer, investment firm, and others) or an ICT third-party provider serving one. It has applied since 17 January 2025, and 2026 is its enforcement year, with supervisors expecting evidence of resilience rather than policy documents. The first 19 critical ICT providers were designated in November 2025.

Which EU cybersecurity rule should a mid-market company prioritise? Usually NIS2 — it's the most likely to apply (18 sectors, 50+ employees) and the soonest to enforce. DORA matters for financial entities and their ICT providers; the CRA for makers of digital products; the AI Act for high-risk AI builders. ISO 27001 is the practical umbrella credential that covers much of the shared access-control evidence.

Which of these regulations affect access control? NIS2 and DORA most directly — both require access controls, least privilege, and evidence of access management. ISO 27001 covers the same ground and is often required in EU procurement. The CRA and AI Act are mainly about product and AI governance rather than employee access, though both benefit from good identity hygiene.


Gowtham Palanisamy

Founder of Kingsley Integrators, building KINT in public. Writes about identity lifecycle, SaaS access, and audit evidence.
