EU Regulations
Compliance guides, obligations, deadlines, and enforcement data for every major EU regulation — from GDPR and the AI Act to NIS2, DORA, and beyond.
AI Act
Phased rolloutThe EU AI Act classifies AI systems by risk level and imposes obligations on providers and deployers. High-risk systems face mandatory conformity assessments, documentation, and human oversight requirements.
Max fine: €35M or 7% of global turnover · Deadline: August 2, 2026 (high-risk systems)
GDPR
In forceGDPR governs the processing of personal data of EU residents. It requires lawful basis for processing, data subject rights, breach notification, and accountability measures.
Max fine: €20M or 4% of global turnover · Deadline: In force since May 25, 2018
NIS2
In forceNIS2 expands cybersecurity obligations to essential and important entities across critical sectors. It mandates risk management, incident reporting, and supply chain security.
Max fine: €10M or 2% / €7M or 1.4% (essential / important entities) · Deadline: October 17, 2024 (transposition deadline)
CRA
Phased rolloutThe CRA establishes cybersecurity requirements for products with digital elements sold in the EU. Manufacturers must ensure security by design and provide vulnerability handling.
Max fine: €15M or 2.5% of global turnover · Deadline: December 11, 2027
DORA
In forceDORA creates a comprehensive framework for ICT risk management in the financial sector. It requires resilience testing, third-party risk management, and incident reporting.
Max fine: CTPPs: 1% of daily global turnover (up to 6 months); Financial entities: per national law · Deadline: January 17, 2025
Data Act
Phased rolloutThe Data Act ensures fair access to and use of data generated by connected products and related services. It establishes rules for data sharing between businesses and with public bodies.
Max fine: Per member state (effective, proportionate, dissuasive) · Deadline: September 12, 2025
ePrivacy
In forceThe ePrivacy Directive governs electronic communications privacy, covering cookies, email marketing, and confidentiality of communications. Its replacement (ePrivacy Regulation) is pending but the Directive remains law.
Max fine: Per member state (GDPR rates of €20M/4% apply where violation also breaches GDPR) · Deadline: In force — update expected 2025-2026
DSA
In forceThe DSA creates obligations for online platforms and search engines to tackle illegal content, protect users, and ensure algorithmic transparency. Very large platforms face enhanced obligations.
Max fine: Up to 6% of global turnover (VLOPs/VLOSEs); per member state for others · Deadline: February 17, 2024 (all platforms)
DMA
In forceThe DMA designates large online platforms as 'gatekeepers' and imposes obligations to ensure contestable and fair digital markets. Targets the largest tech platforms operating in the EU.
Max fine: Up to 10% of global turnover; 20% for repeat infringements · Deadline: May 2023 (enforcement ongoing)
Pay Transparency
Transposition pendingThe Pay Transparency Directive requires employers to disclose salary ranges in job postings, report on gender pay gaps, and enable employees to compare pay. Targets the gender pay gap across the EU.
Max fine: Per member state (compensation + penalties) · Deadline: June 7, 2026 (transposition deadline)
Whistleblower
In forceThe Whistleblower Directive protects persons who report breaches of EU law. It requires organisations with 50+ employees to establish internal reporting channels and prohibits retaliation.
Max fine: Per member state · Deadline: December 17, 2021 (250+ employees); December 17, 2023 (50–249 employees)
MiCA
In forceMiCA creates a comprehensive regulatory framework for crypto-assets in the EU, covering issuers of asset-referenced tokens and e-money tokens, and crypto-asset service providers (CASPs).
Max fine: €15M or 12.5% (ART/EMT issuers); €5M or 3% (CASPs); €15M or 15% (market abuse) · Deadline: December 30, 2024 (full application)
eIDAS 2.0
Phased rollouteIDAS 2.0 updates the framework for electronic identification and trust services, introducing the EU Digital Identity Wallet. It enables cross-border digital identity verification and expands recognised trust services.
Max fine: Per member state · Deadline: December 2026 (provisions apply); May 2027 (wallet rollout target)
PLD
Transposition pendingThe revised PLD modernises liability rules for defective products, extending coverage to software, AI systems, and digital services. Shifts some burden of proof to manufacturers for complex cases.
Max fine: No cap — civil liability for all damage caused · Deadline: December 2026 (transposition)
CSRD
Phased rolloutCSRD expands mandatory sustainability reporting to large companies and listed SMEs. Companies must report according to European Sustainability Reporting Standards (ESRS) covering environment, social, and governance matters.
Max fine: Per member state (audit-based enforcement) · Deadline: Phased: large PIEs from FY2024; other large undertakings from FY2025 (Omnibus deferral may apply); listed SMEs from FY2026 (Omnibus deferral likely — verify current dates)
CS3D
Transposition pendingCS3D requires large companies to conduct due diligence on actual and potential adverse impacts on human rights and the environment in their operations and supply chains.
Max fine: At least 5% of net worldwide turnover (member state minimum floor, Art. 27) · Deadline: 2027-2029 (phased by company size)
Green Claims
UpcomingThe Green Claims Directive requires companies to substantiate and verify environmental claims before using them in marketing, combating greenwashing across the EU market.
Max fine: 4% of annual turnover per member state · Deadline: 2026 (implementation phased)
EAA
In forceThe EAA sets harmonised accessibility requirements across the EU for key products and services, ensuring people with disabilities have equal access to the digital economy and essential services.
Max fine: Per member state · Deadline: June 28, 2025
Machinery Reg
UpcomingThe EU Machinery Regulation updates safety requirements for machinery and related products, with new provisions for autonomous and collaborative robots, AI-integrated machinery, and cybersecurity.
Max fine: Per member state · Deadline: January 20, 2027
Not sure which regulations apply to you?
Answer 5 questions — get a personalised EU compliance checklist.
Run the checker — freeFor informational purposes only. This is not legal advice — consult qualified legal counsel.