Timeline 2026
Overview of key deadlines and milestones for achieving compliance.
Updated: 1.1.2026
Timeline
2025 (PAST)
2 February 2025
- AI ACT: Chapters I + II IN EFFECT
- AI literacy (Art. 4) --- obligation to ensure AI awareness
- Prohibited practices (Art. 5) --- ban on impermissible AI systems
2 August 2025
- AI ACT: Chapters III/4, V, VII, XII IN EFFECT
- GPAI rules (Ch. V) --- obligations for GPAI model providers
- Governance (Ch. VII) --- institutional structure
- Penalties (Ch. XII) --- penalty frameworks in effect
12 September 2025
- DATA ACT: Main provisions IN EFFECT
- IoT data access rights active
- Cloud switching rights active
December 2025
- Start of compliance programme
- Board awareness & budget approval
- Team setup (CTO, CISO, DPO)
- Initial AI inventory
2026 (CURRENT)
Q1 2026 (January — March)
Q2 2026 (April — June)
Q3 2026 (July — September)
Q4 2026 (October — December)
Critical path
Items that must not be delayed:
| Order | Item | Deadline | Dependencies |
|---|---|---|---|
| 1 | NIS2 Scope Determination | 31.1.2026 | None |
| 2 | AI Inventory | 31.1.2026 | None |
| 3 | AI Risk Classification | 28.2.2026 | AI Inventory |
| 4 | Incident Response Plan | 28.2.2026 | NIS2 Scope |
| 5 | DSAR Workflow | 31.3.2026 | Data Mapping |
| 6 | High-Risk AI Assessment | 31.5.2026 | Risk Classification |
| 7 | AI Act Go-Live | 2.8.2026 | All above |
| 8 | ISO 27001 Certification | 30.9.2026 | ISMS |
| 9 | NIS2 Full Compliance | 11.11.2026 | All above |
Countdown
| Deadline | Regulation | Remaining (from 1.1.2026) |
|---|---|---|
| 2.2.2025 | AI Act Ch. I+II (AI literacy, prohibited practices) | IN EFFECT |
| 2.8.2025 | AI Act Ch. V, VII, XII (GPAI, governance, penalties) | IN EFFECT |
| 12.9.2025 | Data Act main provisions | IN EFFECT |
| 31.1.2026 | NIS2 Scope | 30 days |
| 28.2.2026 | AI Risk Classification | 2 months |
| 31.3.2026 | GDPR DSAR | 3 months |
| 2.8.2026 | AI Act | 7 months |
| 12.9.2026 | Data Act products | 8.5 months |
| 11.11.2026 | NIS2 | 10.5 months |
| 12.1.2027 | Data Act switching fees | 12 months |
Monthly milestones
January 2026
- NIS2 scope with a lawyer
- AI inventory finalisation
- GDPR data mapping review
- Board approval of roadmap
February 2026
- AI risk classification
- National CSIRT registration
- Incident Response Plan draft
- CISO onboarding
March 2026
- DSAR workflow go-live
- DPA updates with all vendors
- AI Policy approved
- Training kick-off
April 2026
- NIS2 risk assessment
- Risk treatment plan
- DPIA for high-risk processing
May 2026
- High-risk AI DPIA
- NIS2 technical controls
- Bias testing first iteration
June 2026
- ISMS complete
- AI transparency implementation
- Documentation finalisation
July 2026
- AI Act final review
- Penetration testing
- Pre-launch audit
August 2026
- AI ACT GO-LIVE
- Monitoring active
- Post-launch review
September 2026
- ISO 27001 audit
- Certification
- NIS2 gap assessment
October 2026
- NIS2 final preparations
- Business continuity test
- Staff training completion
November 2026
- NIS2 FULL COMPLIANCE
- National CSIRT ready
- Annual review preparation