{"$schemaVersion":"1.0.0","$source":"Compiled from Regulation/Directive text on EUR-Lex (https://eur-lex.europa.eu). Informational only — not legal advice. Field values are the EuroComply team's reading of the published text; final classification is the responsibility of the provider/deployer/controller. Citations link to the Official Journal so every claim is verifiable at source.","$lastReviewed":"2026-05-12","$nextReviewDue":"2026-08-12","$consumers":["Planned MCP server at mcp.eurocomply.app — regulation_lookup tool","App-side regulation-content.ts data module (eventual unification)","Markdown companion routes (/{slug}.md responses)","/api/regulations.json public endpoint"],"regulations":{"ai-act":{"slug":"ai-act","shortName":"EU AI Act","alternateNames":["AI Act","Artificial Intelligence Act"],"fullName":"Regulation (EU) 2024/1689 of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act)","regulationNumber":"(EU) 2024/1689","instrumentType":"regulation","celex":"32024R1689","summary":"The EU's horizontal law for artificial-intelligence systems. Classifies AI systems by risk level — prohibited, high-risk, limited-risk, minimal-risk — and imposes obligations that scale with the assigned tier. Applies to providers, deployers, importers and distributors of AI systems on the EU market.","scope":"Applies to providers placing AI systems on the EU market, deployers established or located in the EU using AI systems in the course of professional activity, importers and distributors of AI systems in the EU, and providers/deployers in third countries when the output is used in the EU.","extraterritorialReach":true,"status":"phased","inForceDate":"2024-08-01","applicationDate":"2026-08-02","transpositionDeadline":null,"keyDates":[{"date":"2024-08-01","event":"Entry into force","articleRef":"Article 113"},{"date":"2025-02-02","event":"Prohibitions (Article 5) and AI-literacy obligation (Article 4) apply","articleRef":"Article 113(a)"},{"date":"2025-08-02","event":"Obligations for General-Purpose AI (GPAI) models apply","articleRef":"Article 113(b)"},{"date":"2026-08-02","event":"Most obligations for high-risk AI systems apply","articleRef":"Article 113"},{"date":"2027-08-02","event":"High-risk obligations for Annex I-listed products apply","articleRef":"Article 113(c)"}],"maxFine":{"headline":"€35 million or 7% of global annual turnover, whichever is higher","tiers":[{"category":"Prohibited AI practices (Article 5)","fixedEur":35000000,"turnoverPercent":7,"rule":"max","articleRef":"Article 99(3)"},{"category":"High-risk obligations and GPAI non-compliance","fixedEur":15000000,"turnoverPercent":3,"rule":"max","articleRef":"Article 99(4)"},{"category":"Supplying incorrect/incomplete/misleading information to authorities","fixedEur":7500000,"turnoverPercent":1,"rule":"max","articleRef":"Article 99(5)"}]},"supervisingAuthorities":[{"name":"European AI Office","level":"EU","url":"https://digital-strategy.ec.europa.eu/en/policies/ai-office"},{"name":"National competent authorities","level":"member-state"},{"name":"European Data Protection Supervisor","level":"EU","scopeNote":"for EU institutions, bodies and agencies"}],"appliesTo":["providers","deployers","importers","distributors","GPAI providers"],"sectorApplicability":["all sectors (horizontal)","specific Annex III sectors: biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, administration of justice"],"primaryArticles":{"scope":"Article 2","prohibitions":"Article 5","highRiskClassification":"Articles 6 and 7, Annex III","providerObligations":"Chapter III, Section 2","deployerObligations":"Article 26","transparency":"Article 50","gpaiModels":"Title V (Articles 51–56)","penalties":"Article 99","entryIntoForce":"Article 113"},"eurlexUrl":"https://eur-lex.europa.eu/eli/reg/2024/1689/oj","officialJournalRef":"OJ L, 12.7.2024","lastReviewed":"2026-05-12","appPaths":{"hub":"/regulations/ai-act","penalties":"/regulations/ai-act/penalties","timeline":"/regulations/ai-act/timeline","smePersona":"/regulations/ai-act/persona/sme-startup","decisionTrees":["/decide/ai-act/applies","/decide/ai-act/risk-tier","/decide/ai-act/general-purpose-model","/decide/ai-act/deployer-obligations","/decide/ai-act/sme-derogations"],"deadline":"/ai-act-deadline"}},"gdpr":{"slug":"gdpr","shortName":"GDPR","alternateNames":["General Data Protection Regulation"],"fullName":"Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)","regulationNumber":"(EU) 2016/679","instrumentType":"regulation","celex":"32016R0679","summary":"The EU's data protection law. Binding rules for how organisations collect, store, and process personal data of people in the EU. Applies regardless of where the organisation is based.","scope":"Applies to any organisation — public or private, EU-based or not — processing the personal data of individuals located in the EU, by offering goods/services or monitoring behaviour. Enforced by national Data Protection Authorities, coordinated by the EDPB.","extraterritorialReach":true,"status":"in-force","inForceDate":"2016-05-24","applicationDate":"2018-05-25","transpositionDeadline":null,"keyDates":[{"date":"2016-05-24","event":"Entry into force","articleRef":"Article 99"},{"date":"2018-05-25","event":"Direct applicability across all EU member states","articleRef":"Article 99(2)"}],"maxFine":{"headline":"€20 million or 4% of global annual turnover, whichever is higher","tiers":[{"category":"Lower tier — procedural duties (records, DPO designation, breach notification)","fixedEur":10000000,"turnoverPercent":2,"rule":"max","articleRef":"Article 83(4)"},{"category":"Upper tier — core principles, data subject rights, international transfers","fixedEur":20000000,"turnoverPercent":4,"rule":"max","articleRef":"Article 83(5)"}]},"supervisingAuthorities":[{"name":"National Data Protection Authorities","level":"member-state"},{"name":"European Data Protection Board (EDPB)","level":"EU","url":"https://www.edpb.europa.eu/"},{"name":"European Data Protection Supervisor","level":"EU","scopeNote":"for EU institutions"}],"appliesTo":["controllers","processors","joint controllers"],"sectorApplicability":["all sectors (horizontal) — no industry carve-out"],"primaryArticles":{"territorialScope":"Article 3","lawfulBasis":"Article 6","specialCategoryData":"Article 9","dataSubjectRights":"Articles 12–22","controllerObligations":"Article 24","ropa":"Article 30","breachNotification":"Articles 33 and 34","dpia":"Article 35","dpo":"Articles 37–39","internationalTransfers":"Chapter V","penalties":"Article 83"},"eurlexUrl":"https://eur-lex.europa.eu/eli/reg/2016/679/oj","officialJournalRef":"OJ L 119, 4.5.2016, p. 1–88","lastReviewed":"2026-05-12","appPaths":{"hub":"/regulations/gdpr","penalties":"/regulations/gdpr/penalties","timeline":"/regulations/gdpr/timeline","smePersona":"/regulations/gdpr/persona/sme-non-eu-company","decisionTrees":["/decide/gdpr/saas-startup","/decide/gdpr/ecommerce","/decide/gdpr/non-eu-company","/decide/gdpr/dpo-required","/decide/gdpr/dpia-required"],"fineCalculator":"/tools/gdpr-fine-calculator"}},"nis2":{"slug":"nis2","shortName":"NIS 2","alternateNames":["NIS2","NIS 2 Directive","Network and Information Security Directive 2"],"fullName":"Directive (EU) 2022/2555 of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union","regulationNumber":"(EU) 2022/2555","instrumentType":"directive","celex":"32022L2555","summary":"The EU's network and information security law. Requires essential and important entities in 18 critical sectors to put cybersecurity risk-management measures in place, report significant incidents to national CSIRTs, and meet supply-chain security duties. Replaces the original NIS Directive (2016/1148).","scope":"Covers medium-sized and large entities operating in 18 sectors listed in Annexes I and II, split into 'essential' (11 sectors) and 'important' (7 sectors) categories. Default size threshold: ≥ 50 employees or > €10m annual turnover. Some entity types in-scope regardless of size.","extraterritorialReach":false,"status":"in-force","inForceDate":"2023-01-16","applicationDate":"2024-10-18","transpositionDeadline":"2024-10-17","keyDates":[{"date":"2023-01-16","event":"Entry into force","articleRef":"Article 45"},{"date":"2024-10-17","event":"Transposition deadline for member states","articleRef":"Article 41"},{"date":"2024-10-18","event":"Date from which national measures must apply","articleRef":"Article 41"}],"maxFine":{"headline":"Essential: €10 million or 2% of global turnover. Important: €7 million or 1.4% of global turnover.","tiers":[{"category":"Essential entities","fixedEur":10000000,"turnoverPercent":2,"rule":"max","articleRef":"Article 34(4)"},{"category":"Important entities","fixedEur":7000000,"turnoverPercent":1.4,"rule":"max","articleRef":"Article 34(5)"}]},"supervisingAuthorities":[{"name":"National competent authorities","level":"member-state"},{"name":"National CSIRTs","level":"member-state"},{"name":"ENISA — European Union Agency for Cybersecurity","level":"EU","url":"https://www.enisa.europa.eu/"},{"name":"NIS Cooperation Group","level":"EU"}],"appliesTo":["essential entities (Annex I)","important entities (Annex II)"],"sectorApplicability":["Essential: energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space","Important: postal/courier, waste management, chemicals, food, manufacturing, digital providers, research"],"primaryArticles":{"scope":"Articles 2 and 3","riskManagement":"Article 21","incidentReporting":"Article 23","management":"Article 20","enforcement":"Article 32","penalties":"Article 34","transposition":"Article 41"},"eurlexUrl":"https://eur-lex.europa.eu/eli/dir/2022/2555/oj","officialJournalRef":"OJ L 333, 27.12.2022, p. 80–152","lastReviewed":"2026-05-12","appPaths":{"hub":"/regulations/nis2","penalties":"/regulations/nis2/penalties","timeline":"/regulations/nis2/timeline","smePersona":"/regulations/nis2/persona/sme-saas","decisionTrees":["/decide/nis2/applies","/decide/nis2/essential-vs-important"]}},"dora":{"slug":"dora","shortName":"DORA","alternateNames":["Digital Operational Resilience Act"],"fullName":"Regulation (EU) 2022/2554 of the European Parliament and of the Council on digital operational resilience for the financial sector","regulationNumber":"(EU) 2022/2554","instrumentType":"regulation","celex":"32022R2554","summary":"The EU's ICT-risk regulation for the financial sector. Requires financial entities to manage ICT risk, classify and report major incidents, regularly test their digital resilience, and oversee critical ICT third-party providers. Harmonises rules previously fragmented across banking, insurance and investment legislation.","scope":"Applies to a broad set of financial entities and — uniquely — directly to ICT third-party service providers designated as critical to the EU financial system (CTPPs).","extraterritorialReach":true,"status":"in-force","inForceDate":"2023-01-16","applicationDate":"2025-01-17","transpositionDeadline":null,"keyDates":[{"date":"2023-01-16","event":"Entry into force","articleRef":"Article 64"},{"date":"2025-01-17","event":"Direct application across the EU","articleRef":"Article 64(2)"}],"maxFine":{"headline":"CTPPs: up to 1% of average daily global turnover, applied daily for up to six months. Financial entities: per national law.","tiers":[{"category":"Critical ICT Third-Party Providers (periodic penalty payment)","fixedEur":null,"turnoverPercent":1,"rule":"daily, max 6 months","articleRef":"Article 35(6)"},{"category":"Financial entities","fixedEur":null,"turnoverPercent":null,"rule":"set by national law","articleRef":"Article 50"}]},"supervisingAuthorities":[{"name":"European Banking Authority (EBA)","level":"EU","url":"https://www.eba.europa.eu/"},{"name":"European Securities and Markets Authority (ESMA)","level":"EU","url":"https://www.esma.europa.eu/"},{"name":"European Insurance and Occupational Pensions Authority (EIOPA)","level":"EU","url":"https://www.eiopa.europa.eu/"},{"name":"National competent authorities","level":"member-state"},{"name":"ESAs Lead Overseer for CTPPs","level":"EU"}],"appliesTo":["credit institutions","payment institutions","e-money institutions","investment firms","crypto-asset service providers","central securities depositories","central counterparties","trading venues","insurance and reinsurance undertakings","IORPs","credit-rating agencies","critical ICT third-party providers"],"sectorApplicability":["financial services sector — full scope across banking, payments, securities, insurance, crypto"],"primaryArticles":{"scope":"Article 2","proportionality":"Article 4","ictRiskFramework":"Article 5","simplifiedFramework":"Article 16","majorIncidentReporting":"Article 19","thirdPartyRegister":"Article 28","tlpt":"Article 26","ctppOversight":"Article 35","penalties":"Article 50","entryIntoForce":"Article 64"},"eurlexUrl":"https://eur-lex.europa.eu/eli/reg/2022/2554/oj","officialJournalRef":"OJ L 333, 27.12.2022, p. 1–79","lastReviewed":"2026-05-12","appPaths":{"hub":"/regulations/dora","penalties":"/regulations/dora/penalties","timeline":"/regulations/dora/timeline","smePersona":"/regulations/dora/persona/sme-financial-entity","decisionTrees":["/decide/dora/applies","/decide/dora/in-scope"]}},"cra":{"slug":"cra","shortName":"CRA","alternateNames":["Cyber Resilience Act"],"fullName":"Regulation (EU) 2024/2847 of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements (Cyber Resilience Act)","regulationNumber":"(EU) 2024/2847","instrumentType":"regulation","celex":"32024R2847","summary":"The EU's horizontal cybersecurity law for products with digital elements. Introduces mandatory cybersecurity requirements covering design, development, vulnerability handling, and security across the product's supported lifetime. Most software and hardware products with a digital component placed on the EU market are in scope.","scope":"Applies to any 'product with digital elements' — hardware or software — placed on the EU market whose intended or reasonably foreseeable use includes a direct or indirect data connection. Excludes products already covered by equivalent sectoral rules (MDR, IVDR, motor-vehicle type-approval, civil aviation, defence).","extraterritorialReach":true,"status":"phased","inForceDate":"2024-12-10","applicationDate":"2027-12-11","transpositionDeadline":null,"keyDates":[{"date":"2024-12-10","event":"Entry into force","articleRef":"Article 71"},{"date":"2026-09-11","event":"Vulnerability and incident reporting obligations apply","articleRef":"Article 14"},{"date":"2027-12-11","event":"Main body of substantive obligations applies","articleRef":"Article 71"}],"maxFine":{"headline":"Up to €15 million or 2.5% of global annual turnover, whichever is higher","tiers":[{"category":"Essential cybersecurity requirements (Annex I) and obligations of manufacturers (Articles 13, 14)","fixedEur":15000000,"turnoverPercent":2.5,"rule":"max","articleRef":"Article 64(2)"},{"category":"Other obligations under the Regulation","fixedEur":10000000,"turnoverPercent":2,"rule":"max","articleRef":"Article 64(3)"},{"category":"Supplying incorrect/misleading information to notified bodies and market surveillance authorities","fixedEur":5000000,"turnoverPercent":1,"rule":"max","articleRef":"Article 64(4)"}]},"supervisingAuthorities":[{"name":"National market surveillance authorities","level":"member-state"},{"name":"ENISA — European Union Agency for Cybersecurity","level":"EU","url":"https://www.enisa.europa.eu/"},{"name":"Notified bodies (for conformity assessment of important and critical classes)","level":"designated"}],"appliesTo":["manufacturers of products with digital elements","importers","distributors","open-source software stewards (with limited scope)"],"sectorApplicability":["all sectors with hardware or software products with digital connectivity — including consumer IoT, industrial control, application software, operating systems"],"primaryArticles":{"scope":"Article 2","manufacturerObligations":"Article 13","vulnerabilityReporting":"Article 14","essentialRequirements":"Annex I","importantProducts":"Annex III","criticalProducts":"Annex IV","conformityAssessment":"Articles 32 and 33","penalties":"Article 64","entryIntoForce":"Article 71"},"eurlexUrl":"https://eur-lex.europa.eu/eli/reg/2024/2847/oj","officialJournalRef":"OJ L, 20.11.2024","lastReviewed":"2026-05-12","appPaths":{"hub":"/regulations/cra","penalties":"/regulations/cra/penalties","timeline":"/regulations/cra/timeline","smePersona":"/regulations/cra/persona/saas-product","decisionTrees":["/decide/cra/in-scope"]}},"data-act":{"slug":"data-act","shortName":"Data Act","alternateNames":["EU Data Act"],"fullName":"Regulation (EU) 2023/2854 of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act)","regulationNumber":"(EU) 2023/2854","instrumentType":"regulation","celex":"32023R2854","summary":"The EU's horizontal law on access to and use of data. Gives users of connected products and related services the right to access the data they generate, regulates business-to-business and business-to-government data sharing, and imposes cloud-switching rules to reduce vendor lock-in.","scope":"Applies to manufacturers and providers of connected products and related services made available in the EU, data holders providing data to recipients in the EU, providers of data processing services (cloud and edge) serving EU customers, and public-sector bodies of EU member states.","extraterritorialReach":true,"status":"phased","inForceDate":"2024-01-11","applicationDate":"2025-09-12","transpositionDeadline":null,"keyDates":[{"date":"2024-01-11","event":"Entry into force","articleRef":"Article 50"},{"date":"2025-09-12","event":"Most provisions apply","articleRef":"Article 50"},{"date":"2027-01-12","event":"Cloud switching charges (over and above costs incurred) must be removed","articleRef":"Article 29"}],"maxFine":{"headline":"Where personal data is involved: GDPR Article 83 rates apply (€20M / 4%). Other breaches: set by member states.","tiers":[{"category":"Personal-data provisions (parallel GDPR application)","fixedEur":20000000,"turnoverPercent":4,"rule":"max","articleRef":"Article 40(3) referencing GDPR Article 83"},{"category":"Non-personal-data provisions","fixedEur":null,"turnoverPercent":null,"rule":"set by national law","articleRef":"Article 40"}]},"supervisingAuthorities":[{"name":"Member-state designated competent authorities","level":"member-state"},{"name":"National Data Protection Authorities (for personal-data overlap)","level":"member-state"}],"appliesTo":["manufacturers of connected products","providers of related services","data holders","recipients","data processing service providers (cloud/edge)","public-sector bodies (B2G)"],"sectorApplicability":["all sectors with connected products (consumer IoT, industrial, automotive, healthcare devices, smart-home)","all data processing service providers (IaaS/PaaS/SaaS)"],"primaryArticles":{"subjectMatter":"Article 1","designForAccess":"Article 3","onRequestAccess":"Article 4","thirdPartySharing":"Article 5","frandTerms":"Article 8","b2gAccess":"Article 14","cloudSwitching":"Article 25","switchingCharges":"Article 29","technicalSwitchingDuties":"Article 30","thirdCountryAccess":"Article 32","penalties":"Article 40","entryIntoForce":"Article 50"},"eurlexUrl":"https://eur-lex.europa.eu/eli/reg/2023/2854/oj","officialJournalRef":"OJ L, 22.12.2023","lastReviewed":"2026-05-12","appPaths":{"hub":"/regulations/data-act","penalties":"/regulations/data-act/penalties","timeline":"/regulations/data-act/timeline","smePersona":"/regulations/data-act/persona/connected-product","decisionTrees":["/decide/data-act/in-scope"]}},"dma":{"slug":"dma","shortName":"DMA","alternateNames":["Digital Markets Act"],"fullName":"Regulation (EU) 2022/1925 of the European Parliament and of the Council on contestable and fair markets in the digital sector (Digital Markets Act)","regulationNumber":"(EU) 2022/1925","instrumentType":"regulation","celex":"32022R1925","summary":"The EU's competition regulation for large online platforms. Designates certain platform operators as 'gatekeepers' and imposes ex-ante obligations on them — covering self-preferencing, data combination, interoperability, and business-user terms — to keep core platform services contestable and fair.","scope":"Applies to undertakings designated as gatekeepers by the Commission for one or more of ten 'core platform services' (CPS). Quantitative thresholds: ≥ €7.5bn annual EU turnover (or ≥ €75bn market cap), ≥ 45m monthly active EU end users, ≥ 10,000 yearly active EU business users — sustained over three years.","extraterritorialReach":true,"status":"in-force","inForceDate":"2022-11-01","applicationDate":"2023-05-02","transpositionDeadline":null,"keyDates":[{"date":"2022-11-01","event":"Entry into force","articleRef":"Article 54"},{"date":"2023-05-02","event":"Application date","articleRef":"Article 54"},{"date":"2023-09-06","event":"First gatekeeper designations issued by the European Commission","articleRef":"Article 3"},{"date":"2024-03-06","event":"Designated gatekeepers must comply with Articles 5, 6, 7 obligations","articleRef":"Article 3(10)"}],"maxFine":{"headline":"Up to 10% of global annual turnover (20% for repeat infringements)","tiers":[{"category":"Single infringement of Articles 5, 6 or 7","fixedEur":null,"turnoverPercent":10,"rule":"max","articleRef":"Article 30(1)"},{"category":"Repeat infringement","fixedEur":null,"turnoverPercent":20,"rule":"max","articleRef":"Article 30(2)"}]},"supervisingAuthorities":[{"name":"European Commission (DG COMP and DG CONNECT)","level":"EU","url":"https://digital-markets-act.ec.europa.eu/"}],"appliesTo":["designated gatekeepers"],"sectorApplicability":["ten core platform services: online intermediation, search engines, social networking, video-sharing, communication services, operating systems, web browsers, virtual assistants, cloud computing, online advertising"],"primaryArticles":{"definitions":"Article 2","designation":"Article 3","obligationsForGatekeepers":"Article 5","anticircumvention":"Article 6","interoperability":"Article 7","fines":"Article 30","entryIntoForce":"Article 54"},"eurlexUrl":"https://eur-lex.europa.eu/eli/reg/2022/1925/oj","officialJournalRef":"OJ L 265, 12.10.2022, p. 1–66","lastReviewed":"2026-05-12","appPaths":{"hub":"/regulations/dma","penalties":"/regulations/dma/penalties","timeline":"/regulations/dma/timeline","smePersona":"/regulations/dma/persona/business-user-of-gatekeeper"}},"dsa":{"slug":"dsa","shortName":"DSA","alternateNames":["Digital Services Act"],"fullName":"Regulation (EU) 2022/2065 of the European Parliament and of the Council on a Single Market For Digital Services (Digital Services Act)","regulationNumber":"(EU) 2022/2065","instrumentType":"regulation","celex":"32022R2065","summary":"The EU's law for online intermediaries. Modernises liability rules for hosting services, imposes due-diligence obligations on online platforms, and adds heightened risk-management duties for Very Large Online Platforms (VLOPs) and Search Engines (VLOSEs) reaching ≥ 45 million monthly active EU users.","scope":"Layered obligations: baseline rules for all intermediary services offered in the EU, additional rules for hosting providers, further rules for online platforms, and the strictest tier for designated VLOPs/VLOSEs.","extraterritorialReach":true,"status":"in-force","inForceDate":"2022-11-16","applicationDate":"2024-02-17","transpositionDeadline":null,"keyDates":[{"date":"2022-11-16","event":"Entry into force","articleRef":"Article 93"},{"date":"2023-04-25","event":"First VLOP/VLOSE designations","articleRef":"Article 33"},{"date":"2023-08-25","event":"Obligations apply to designated VLOPs/VLOSEs","articleRef":"Article 33(6)"},{"date":"2024-02-17","event":"Obligations apply to all other in-scope services","articleRef":"Article 93"}],"maxFine":{"headline":"Up to 6% of global annual turnover for VLOPs/VLOSEs; member states set penalties for other intermediaries","tiers":[{"category":"VLOPs and VLOSEs (Commission fines)","fixedEur":null,"turnoverPercent":6,"rule":"max","articleRef":"Article 74"},{"category":"Other intermediary services (national fines)","fixedEur":null,"turnoverPercent":null,"rule":"set by national law, with EU-level guidance","articleRef":"Article 52"}]},"supervisingAuthorities":[{"name":"European Commission (for VLOPs/VLOSEs)","level":"EU"},{"name":"National Digital Services Coordinators (DSCs)","level":"member-state"},{"name":"European Board for Digital Services","level":"EU"}],"appliesTo":["intermediary services (mere conduit, caching, hosting)","hosting providers","online platforms","Very Large Online Platforms (VLOPs)","Very Large Online Search Engines (VLOSEs)"],"sectorApplicability":["all online intermediary services offered in the EU regardless of establishment"],"primaryArticles":{"scope":"Article 2","noticeAndAction":"Article 16","transparencyOfRecommenderSystems":"Article 27","darkPatterns":"Article 25","vlopDesignation":"Article 33","systemicRiskAssessment":"Article 34","audits":"Article 37","crisisResponse":"Article 36","fines":"Article 74","nationalPenalties":"Article 52","entryIntoForce":"Article 93"},"eurlexUrl":"https://eur-lex.europa.eu/eli/reg/2022/2065/oj","officialJournalRef":"OJ L 277, 27.10.2022, p. 1–102","lastReviewed":"2026-05-12","appPaths":{"hub":"/regulations/dsa","penalties":"/regulations/dsa/penalties","timeline":"/regulations/dsa/timeline"}},"eaa":{"slug":"eaa","shortName":"EAA","alternateNames":["European Accessibility Act","Accessibility Act"],"fullName":"Directive (EU) 2019/882 of the European Parliament and of the Council on the accessibility requirements for products and services","regulationNumber":"(EU) 2019/882","instrumentType":"directive","celex":"32019L0882","summary":"The EU's accessibility directive. Sets common EU accessibility requirements for specified consumer products (computers, smartphones, payment terminals, e-readers) and services (e-commerce, banking, e-books, transport ticketing, telecoms, audiovisual access). Aims to harmonise national rules and improve market access for people with disabilities.","scope":"Applies to economic operators placing in-scope products on or providing in-scope services to the EU market. Microenterprises (< 10 employees, < €2m turnover) providing services are exempt; manufacturers of microenterprise size have proportionate-effort obligations.","extraterritorialReach":true,"status":"in-force","inForceDate":"2019-06-27","applicationDate":"2025-06-28","transpositionDeadline":"2022-06-28","keyDates":[{"date":"2019-06-27","event":"Entry into force","articleRef":"Article 33"},{"date":"2022-06-28","event":"Transposition deadline for member states","articleRef":"Article 31"},{"date":"2025-06-28","event":"National measures apply","articleRef":"Article 31(2)"},{"date":"2030-06-28","event":"End of transitional period for service providers using products in service before 28 June 2025","articleRef":"Article 32"}],"maxFine":{"headline":"Penalties set by national law — must be effective, proportionate, and dissuasive","tiers":[{"category":"Member-state penalties","fixedEur":null,"turnoverPercent":null,"rule":"set by national law","articleRef":"Article 30"}]},"supervisingAuthorities":[{"name":"National market surveillance authorities (for products)","level":"member-state"},{"name":"National service compliance authorities","level":"member-state"}],"appliesTo":["manufacturers","importers","distributors","service providers (excluding microenterprises providing services)"],"sectorApplicability":["Products: computers and OS, payment terminals, self-service terminals (ATMs, ticketing, check-in), smartphones, smart TVs and set-top boxes, e-readers","Services: e-commerce, electronic communications, AV media access services, banking services for consumers, e-books and reading software, passenger transport (information, ticketing, kiosks)"],"primaryArticles":{"scope":"Articles 1 and 2","accessibilityRequirements":"Article 4 and Annex I","microenterpriseExemption":"Article 4(5)","fundamentalChange":"Article 14","disproportionateBurden":"Article 14(8)","penalties":"Article 30","transposition":"Article 31"},"eurlexUrl":"https://eur-lex.europa.eu/eli/dir/2019/882/oj","officialJournalRef":"OJ L 151, 7.6.2019, p. 70–115","lastReviewed":"2026-05-12","appPaths":{"hub":"/regulations/accessibility-act","penalties":"/regulations/accessibility-act/penalties","timeline":"/regulations/accessibility-act/timeline"}},"pay-transparency":{"slug":"pay-transparency","shortName":"Pay Transparency Directive","alternateNames":["EU Pay Transparency Directive"],"fullName":"Directive (EU) 2023/970 of the European Parliament and of the Council to strengthen the application of the principle of equal pay for equal work or work of equal value between men and women through pay transparency and enforcement mechanisms","regulationNumber":"(EU) 2023/970","instrumentType":"directive","celex":"32023L0970","summary":"The EU's pay transparency law. Requires employers to disclose pay information to job applicants and employees, conduct pay gap reporting (for organisations above size thresholds), and provide remedies for pay discrimination. Strengthens enforcement of the equal-pay principle in Article 157 TFEU.","scope":"Applies to employers in both the public and private sectors. Pay-gap reporting obligations phase in by size: ≥ 250 employees from 7 June 2027; ≥ 150 from June 2027; ≥ 100 from June 2031.","extraterritorialReach":false,"status":"transposing","inForceDate":"2023-06-06","applicationDate":"2026-06-07","transpositionDeadline":"2026-06-07","keyDates":[{"date":"2023-06-06","event":"Entry into force","articleRef":"Article 34"},{"date":"2026-06-07","event":"Transposition deadline for member states","articleRef":"Article 34"},{"date":"2027-06-07","event":"First pay-gap reports due (employers ≥ 250 employees, ≥ 150 employees)","articleRef":"Article 9"},{"date":"2031-06-07","event":"Pay-gap reporting obligation extends to employers with ≥ 100 employees","articleRef":"Article 9"}],"maxFine":{"headline":"Penalties set by national law — must be effective, proportionate, dissuasive; recital references penalties proportional to seriousness","tiers":[{"category":"Member-state penalties","fixedEur":null,"turnoverPercent":null,"rule":"set by national law","articleRef":"Article 23"}]},"supervisingAuthorities":[{"name":"National equality bodies","level":"member-state"},{"name":"National labour inspectorates","level":"member-state"}],"appliesTo":["all employers (public and private sector)"],"sectorApplicability":["all sectors (horizontal)"],"primaryArticles":{"rightToInformation":"Articles 5 and 7","preEmploymentTransparency":"Article 5","payGapReporting":"Article 9","jointPayAssessment":"Article 10","remedies":"Articles 14 and following","burdenOfProof":"Article 18","penalties":"Article 23","transposition":"Article 34"},"eurlexUrl":"https://eur-lex.europa.eu/eli/dir/2023/970/oj","officialJournalRef":"OJ L 132, 17.5.2023, p. 21–44","lastReviewed":"2026-05-12","appPaths":{"hub":"/regulations/pay-transparency","tool":"/tools/pay-transparency"}},"eprivacy":{"slug":"eprivacy","shortName":"ePrivacy Directive","alternateNames":["Cookie Law","Directive on privacy and electronic communications"],"fullName":"Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector (as amended by Directive 2009/136/EC)","regulationNumber":"2002/58/EC","instrumentType":"directive","celex":"32002L0058","summary":"The EU's directive on privacy in electronic communications. Sets rules on confidentiality of communications, cookies and similar tracking technologies (Article 5(3)), unsolicited marketing communications, and traffic/location data. The intended replacement ePrivacy Regulation has been in EU legislative negotiation since 2017 and has not been adopted; the current Directive remains in force.","scope":"Applies to processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the EU.","extraterritorialReach":false,"status":"in-force","inForceDate":"2002-07-31","applicationDate":"2003-10-31","transpositionDeadline":"2003-10-31","keyDates":[{"date":"2002-07-31","event":"Entry into force","articleRef":"Article 21"},{"date":"2003-10-31","event":"Transposition deadline","articleRef":"Article 17"},{"date":"2009-11-19","event":"Amendments by Directive 2009/136/EC (cookies, breach notification)","articleRef":"Article 5(3) amended"}],"maxFine":{"headline":"Penalties set by national law. Cookie/consent violations may also trigger GDPR Article 83 penalties via the personal-data overlap.","tiers":[{"category":"Member-state penalties for ePrivacy violations","fixedEur":null,"turnoverPercent":null,"rule":"set by national law","articleRef":"Article 15a"},{"category":"GDPR overlap for personal-data consent breaches","fixedEur":20000000,"turnoverPercent":4,"rule":"max — via GDPR Article 83(5)","articleRef":"GDPR Article 83"}]},"supervisingAuthorities":[{"name":"National DPAs (in most member states)","level":"member-state"},{"name":"National communications regulators (in some member states)","level":"member-state"}],"appliesTo":["providers of publicly available electronic communications services","operators of cookies / similar tracking technologies on user devices"],"sectorApplicability":["telecoms, ISPs, OTT communications, any website using cookies or similar tracking"],"primaryArticles":{"confidentialityOfCommunications":"Article 5","cookiesAndTracking":"Article 5(3)","trafficData":"Article 6","locationData":"Article 9","unsolicitedCommunications":"Article 13","penalties":"Article 15a"},"eurlexUrl":"https://eur-lex.europa.eu/eli/dir/2002/58/oj","officialJournalRef":"OJ L 201, 31.7.2002, p. 37–47","lastReviewed":"2026-05-12","appPaths":{"hub":"/regulations/eprivacy"}},"whistleblower":{"slug":"whistleblower","shortName":"Whistleblower Directive","alternateNames":["EU Whistleblower Directive","Whistleblowing Directive"],"fullName":"Directive (EU) 2019/1937 of the European Parliament and of the Council on the protection of persons who report breaches of Union law","regulationNumber":"(EU) 2019/1937","instrumentType":"directive","celex":"32019L1937","summary":"The EU's whistleblower protection directive. Requires legal entities above size thresholds to establish internal reporting channels and procedures, and protects whistleblowers from retaliation. Covers reports on breaches of EU law in specified areas (public procurement, financial services, product safety, AML/CFT, environment, etc.).","scope":"Applies to legal entities in the private sector with 50+ workers, and to public-sector entities (with some exceptions for small municipalities). Covers persons working in the entity who report breaches of Union law in the listed material scope.","extraterritorialReach":false,"status":"in-force","inForceDate":"2019-12-16","applicationDate":"2021-12-17","transpositionDeadline":"2021-12-17","keyDates":[{"date":"2019-12-16","event":"Entry into force","articleRef":"Article 28"},{"date":"2021-12-17","event":"Transposition deadline (entities with 250+ employees)","articleRef":"Article 26"},{"date":"2023-12-17","event":"Extended deadline for entities with 50–249 employees","articleRef":"Article 26(2)"}],"maxFine":{"headline":"Penalties set by national law — must be effective, proportionate, dissuasive","tiers":[{"category":"Member-state penalties for hindering reporting, retaliation, breach of confidentiality, or malicious reports","fixedEur":null,"turnoverPercent":null,"rule":"set by national law","articleRef":"Article 23"}]},"supervisingAuthorities":[{"name":"Member-state designated bodies (varies by country: national integrity authorities, ombudspersons, labour inspectorates)","level":"member-state"}],"appliesTo":["private-sector legal entities with 50+ employees","public-sector entities","designated competent authorities"],"sectorApplicability":["Material scope: public procurement, financial services, product safety, transport safety, environment, radiation protection and nuclear safety, food and feed safety, animal health and welfare, public health, consumer protection, privacy and personal data protection, network and information systems security","Plus: breaches affecting EU financial interests and breaches of internal market rules (including competition and state aid)"],"primaryArticles":{"materialScope":"Article 2","internalReportingChannels":"Article 8","externalReporting":"Article 11","protectionFromRetaliation":"Article 19","remediesAndCompensation":"Article 21","penalties":"Article 23","transposition":"Article 26"},"eurlexUrl":"https://eur-lex.europa.eu/eli/dir/2019/1937/oj","officialJournalRef":"OJ L 305, 26.11.2019, p. 17–56","lastReviewed":"2026-05-12","appPaths":{"hub":"/regulations/whistleblower"}},"mica":{"slug":"mica","shortName":"MiCA","alternateNames":["Markets in Crypto-Assets Regulation"],"fullName":"Regulation (EU) 2023/1114 of the European Parliament and of the Council on markets in crypto-assets","regulationNumber":"(EU) 2023/1114","instrumentType":"regulation","celex":"32023R1114","summary":"The EU's regulatory framework for crypto-assets not covered by existing financial-services legislation. Creates authorisation regimes for issuers of asset-referenced tokens (ARTs), e-money tokens (EMTs), and crypto-asset service providers (CASPs); imposes prudential, governance, market-integrity, and consumer-protection rules.","scope":"Applies to persons engaged in the issuance, offer to the public, or admission to trading of crypto-assets in the EU, and to persons providing crypto-asset services in the EU. Excludes crypto-assets already qualifying as financial instruments under MiFID II.","extraterritorialReach":true,"status":"in-force","inForceDate":"2023-06-29","applicationDate":"2024-12-30","transpositionDeadline":null,"keyDates":[{"date":"2023-06-29","event":"Entry into force","articleRef":"Article 149"},{"date":"2024-06-30","event":"Application of Titles III and IV (ARTs and EMTs)","articleRef":"Article 149(2)"},{"date":"2024-12-30","event":"Full application (CASP rules, other titles)","articleRef":"Article 149"}],"maxFine":{"headline":"Tiered by infringement type and entity: up to 12.5% of global annual turnover for ART/EMT issuer core breaches; up to 15% for market abuse; up to 3% for CASP breaches. The 'higher of' fixed-amount fallback applies (€5M–€15M depending on tier).","$note":"Simplified summary. Article 111 sets eight distinct sanction bands across the regulation; this representation captures the four most-cited ones. Always verify against Article 111 for the exact applicable cap.","tiers":[{"category":"ART issuer — breaches of core obligations (Articles 16, 17, 19, 21, 22, 23, 24, 25, 26)","fixedEur":15000000,"turnoverPercent":12.5,"rule":"the higher of, for legal persons","articleRef":"Article 111(2)(a)"},{"category":"EMT issuer — breaches of core obligations (Articles 48, 51)","fixedEur":15000000,"turnoverPercent":12.5,"rule":"the higher of, for legal persons","articleRef":"Article 111(3)(a)"},{"category":"Market abuse (Articles 88–92)","fixedEur":15000000,"turnoverPercent":15,"rule":"the higher of, for legal persons","articleRef":"Article 111(5)"},{"category":"Crypto-asset service provider (CASP) breaches","fixedEur":5000000,"turnoverPercent":3,"rule":"the higher of, for legal persons","articleRef":"Article 111(4)(a)"},{"category":"Natural persons — most infringements","fixedEur":700000,"turnoverPercent":null,"rule":"max","articleRef":"Article 111(4)(b)"},{"category":"Natural persons — market abuse","fixedEur":5000000,"turnoverPercent":null,"rule":"max","articleRef":"Article 111(5)(b)"}]},"supervisingAuthorities":[{"name":"European Securities and Markets Authority (ESMA)","level":"EU","url":"https://www.esma.europa.eu/"},{"name":"European Banking Authority (EBA)","level":"EU","scopeNote":"for significant ARTs and EMTs"},{"name":"National competent authorities","level":"member-state"}],"appliesTo":["issuers of crypto-assets, ARTs, and EMTs","crypto-asset service providers (CASPs)","trading platforms for crypto-assets"],"sectorApplicability":["crypto and digital-asset sector","fintech entities offering crypto services in the EU"],"primaryArticles":{"scope":"Articles 1 and 2","cryptoAssetWhitepaper":"Articles 6 and following","artAuthorisation":"Article 16","emtAuthorisation":"Article 48","caspAuthorisation":"Articles 59 and following","marketAbuse":"Article 86 and following","penalties":"Article 111","entryIntoForce":"Article 149"},"eurlexUrl":"https://eur-lex.europa.eu/eli/reg/2023/1114/oj","officialJournalRef":"OJ L 150, 9.6.2023, p. 40–205","lastReviewed":"2026-05-12","appPaths":{"hub":"/regulations/mica"}},"eidas2":{"slug":"eidas2","shortName":"eIDAS 2","alternateNames":["eIDAS 2.0","Revised eIDAS"],"fullName":"Regulation (EU) 2024/1183 of the European Parliament and of the Council amending Regulation (EU) No 910/2014 as regards establishing the European Digital Identity Framework","regulationNumber":"(EU) 2024/1183","instrumentType":"regulation","celex":"32024R1183","summary":"The EU's revised electronic identification and trust services regulation. Establishes the European Digital Identity (EUDI) Framework — a Wallet that EU citizens, residents, and businesses can use to identify themselves and store and present credentials (qualified electronic attestations of attributes) across the EU.","scope":"Amends Regulation (EU) No 910/2014. Applies to trust service providers and to relying parties using the EUDI Wallet. Each member state must offer at least one EUDI Wallet to its citizens and residents.","extraterritorialReach":false,"status":"phased","inForceDate":"2024-05-20","applicationDate":"2026-12-21","transpositionDeadline":null,"keyDates":[{"date":"2024-05-20","event":"Entry into force","articleRef":"Article 2"},{"date":"2026-12-21","event":"Application of most provisions (24 months after entry into force)","articleRef":"Article 2"},{"date":"2027-05-20","event":"Wallet rollout — member states required to issue EUDI Wallets to citizens/residents (target)","articleRef":"Article 5a"}],"maxFine":{"headline":"Penalties set by national law for trust service providers; subject to GDPR for personal data overlap","tiers":[{"category":"Trust service providers — national penalties","fixedEur":null,"turnoverPercent":null,"rule":"set by national law","articleRef":"Article 16 of base eIDAS"}]},"supervisingAuthorities":[{"name":"National supervisory bodies for trust services","level":"member-state"},{"name":"EU Cooperation Group on EUDI Wallet","level":"EU"}],"appliesTo":["qualified and non-qualified trust service providers","EUDI Wallet providers (member-state-issued)","relying parties using the EUDI Wallet"],"sectorApplicability":["public-sector services (mandatory acceptance of EUDI Wallet for cross-border use cases)","very large online platforms (VLOPs under DSA, mandatory acceptance)","regulated sectors: banking, financial services, telecoms, transport, health, education"],"primaryArticles":{"euDigitalIdentityWallet":"Article 5a","trustServices":"Chapter III of base Regulation 910/2014 as amended","qualifiedElectronicAttestation":"Article 45a","implementingActsAndStandards":"Article 5c","entryIntoForce":"Article 2"},"eurlexUrl":"https://eur-lex.europa.eu/eli/reg/2024/1183/oj","officialJournalRef":"OJ L, 30.4.2024","lastReviewed":"2026-05-12","appPaths":{"hub":"/regulations/eidas2"}},"product-liability":{"slug":"product-liability","shortName":"Product Liability Directive","alternateNames":["PLD","Revised Product Liability Directive"],"fullName":"Directive (EU) 2024/2853 of the European Parliament and of the Council on liability for defective products","regulationNumber":"(EU) 2024/2853","instrumentType":"directive","celex":"32024L2853","summary":"The EU's revised product liability directive. Replaces Directive 85/374/EEC. Modernises the strict-liability regime to cover software (including AI systems) as products, digital services integrated into products, and updates to compensable damages (including data loss).","scope":"Applies to economic operators placing products on the EU market — including software, AI systems, and digital services that affect the product's function. Strict liability for damage caused by defective products to natural persons.","extraterritorialReach":true,"status":"transposing","inForceDate":"2024-12-08","applicationDate":"2026-12-09","transpositionDeadline":"2026-12-09","keyDates":[{"date":"2024-12-08","event":"Entry into force","articleRef":"Article 23"},{"date":"2026-12-09","event":"Transposition deadline for member states","articleRef":"Article 22"}],"maxFine":{"headline":"No administrative fines — liability is for damages awarded by courts. Compensable damage includes death, personal injury, damage to property, and loss/corruption of data.","tiers":[{"category":"Civil liability for damages","fixedEur":null,"turnoverPercent":null,"rule":"no statutory cap (member states may apply ones consistent with EU law)","articleRef":"Article 6"}]},"supervisingAuthorities":[{"name":"National civil courts","level":"member-state"}],"appliesTo":["manufacturers","importers","authorised representatives","fulfilment service providers","any party that substantially modifies a product"],"sectorApplicability":["all sectors with products placed on the EU market (newly including software and AI as products)"],"primaryArticles":{"scopeAndDefinitions":"Articles 1 and 4","liability":"Article 6","defectiveness":"Article 7","burdenOfProof":"Article 10","disclosureOfEvidence":"Article 9","limitationPeriods":"Articles 16 and 17","transposition":"Article 22"},"eurlexUrl":"https://eur-lex.europa.eu/eli/dir/2024/2853/oj","officialJournalRef":"OJ L, 18.11.2024","lastReviewed":"2026-05-12","appPaths":{"hub":"/regulations/product-liability"}},"csrd":{"slug":"csrd","shortName":"CSRD","alternateNames":["Corporate Sustainability Reporting Directive"],"fullName":"Directive (EU) 2022/2464 of the European Parliament and of the Council as regards corporate sustainability reporting","regulationNumber":"(EU) 2022/2464","instrumentType":"directive","celex":"32022L2464","summary":"The EU's corporate sustainability reporting directive. Replaces and significantly expands the Non-Financial Reporting Directive (NFRD). Requires in-scope undertakings to report sustainability information under the European Sustainability Reporting Standards (ESRS) on a 'double materiality' basis. The Omnibus simplification proposal (2025) has narrowed the in-scope SME population and may further phase in changes.","scope":"Phased: large public-interest entities (≥ 500 employees), other large undertakings, listed SMEs, and certain non-EU groups. The Omnibus simplification package (proposed 2025; status fluid at last review) substantially narrowed the in-scope SME population and deferred several waves — always cross-check against the latest adopted text.","extraterritorialReach":true,"status":"phased","inForceDate":"2023-01-05","applicationDate":"2024-01-01","transpositionDeadline":"2024-07-06","$omnibusNote":"All wave dates below reflect the original CSRD as adopted. The Omnibus reform deferred the 'other large undertakings' wave (originally FY2025) and the listed-SME wave (originally FY2026) by 2 years — confirm the currently-adopted dates before relying on these for compliance planning.","keyDates":[{"date":"2023-01-05","event":"Entry into force","articleRef":"Article 5"},{"date":"2024-01-01","event":"First reporting year (FY2024) for large public-interest entities (NFRD predecessors)","articleRef":"Article 5(2)"},{"date":"2025-01-01","event":"First reporting year for other large undertakings (subject to Omnibus 2-year deferral)","articleRef":"Article 5(2)"},{"date":"2026-01-01","event":"First reporting year for listed SMEs (LSME standard) — subject to Omnibus 2-year deferral","articleRef":"Article 5(2)"},{"date":"2028-01-01","event":"First reporting year for certain non-EU groups","articleRef":"Article 5(2)"}],"maxFine":{"headline":"Penalties set by national law; reporting non-compliance may trigger statutory audit qualifications and securities-regulator action","tiers":[{"category":"Member-state penalties for non-disclosure or false reporting","fixedEur":null,"turnoverPercent":null,"rule":"set by national law","articleRef":"Article 51 of Accounting Directive (as amended)"}]},"supervisingAuthorities":[{"name":"National competent authorities (securities regulators for listed undertakings)","level":"member-state"},{"name":"ESMA — coordinating role for listed companies","level":"EU"},{"name":"EFRAG — sets the ESRS standards","level":"EU"}],"appliesTo":["large undertakings (≥ 250 employees or thresholds)","listed SMEs","certain non-EU parent companies with EU subsidiaries/branches"],"sectorApplicability":["all sectors — horizontal disclosure framework; sector-specific ESRS to be added"],"primaryArticles":{"scope":"Article 19a of Accounting Directive (as amended)","doubleMateriality":"ESRS 1","assurance":"Article 34 of Audit Directive (as amended)","transposition":"Article 5"},"eurlexUrl":"https://eur-lex.europa.eu/eli/dir/2022/2464/oj","officialJournalRef":"OJ L 322, 16.12.2022, p. 15–80","lastReviewed":"2026-05-12","appPaths":{"hub":"/regulations/csrd","smePersona":"/regulations/csrd/persona/sme"}},"csddd":{"slug":"csddd","shortName":"CSDDD","alternateNames":["Corporate Sustainability Due Diligence Directive","CS3D"],"fullName":"Directive (EU) 2024/1760 of the European Parliament and of the Council on corporate sustainability due diligence","regulationNumber":"(EU) 2024/1760","instrumentType":"directive","celex":"32024L1760","summary":"The EU's corporate sustainability due diligence directive. Requires in-scope undertakings to identify, prevent, mitigate, and bring to an end actual and potential adverse human-rights and environmental impacts in their operations, subsidiaries, and chains of activities. Phased in by size starting 2027.","scope":"Applies to EU undertakings above size thresholds (phased: ≥ 5,000 employees + €1.5bn turnover; ≥ 3,000 + €900m; ≥ 1,000 + €450m) and to non-EU undertakings with EU turnover above corresponding thresholds.","extraterritorialReach":true,"status":"transposing","inForceDate":"2024-07-25","applicationDate":"2027-07-26","transpositionDeadline":"2026-07-26","keyDates":[{"date":"2024-07-25","event":"Entry into force","articleRef":"Article 38"},{"date":"2026-07-26","event":"Transposition deadline","articleRef":"Article 37"},{"date":"2027-07-26","event":"Application — first wave (EU ≥ 5,000 + €1.5bn; non-EU ≥ €1.5bn EU turnover)","articleRef":"Article 37"},{"date":"2028-07-26","event":"Application — second wave (EU ≥ 3,000 + €900m; non-EU ≥ €900m EU turnover)","articleRef":"Article 37"},{"date":"2029-07-26","event":"Application — third wave (EU ≥ 1,000 + €450m; non-EU ≥ €450m EU turnover)","articleRef":"Article 37"}],"maxFine":{"headline":"Up to 5% of net worldwide turnover","tiers":[{"category":"Maximum administrative pecuniary penalties","fixedEur":null,"turnoverPercent":5,"rule":"max — set by member states","articleRef":"Article 27"}]},"supervisingAuthorities":[{"name":"Member-state designated supervisory bodies","level":"member-state"},{"name":"European Network of Supervisory Authorities (coordination)","level":"EU"}],"appliesTo":["EU undertakings above size thresholds (phased)","non-EU undertakings with EU turnover above thresholds"],"sectorApplicability":["all sectors above the size thresholds"],"primaryArticles":{"scope":"Articles 1 and 2","dueDiligenceObligation":"Article 5","preventionAndMitigation":"Article 10","bringingActualImpactsToAnEnd":"Article 11","climateTransitionPlan":"Article 22","civilLiability":"Article 29","penalties":"Article 27","applicationDates":"Article 37"},"eurlexUrl":"https://eur-lex.europa.eu/eli/dir/2024/1760/oj","officialJournalRef":"OJ L, 5.7.2024","lastReviewed":"2026-05-12","appPaths":{"hub":"/regulations/csddd"}}}}