regulation_update2024-12-10deadline 2026-09-11confidence: high
Cyber Resilience Act reporting obligations apply from 11 September 2026
The European Commission states that the Cyber Resilience Act (Regulation (EU) 2024/2847) entered into force on 10 December 2024. Its reporting obligations apply as of 11 September 2026, and its main obligations apply from 11 December 2027. The CRA sets cybersecurity requirements for products with digital elements placed on the EU market, including vulnerability handling and reporting and CE-marking conformity.
Why it matters: Manufacturers, importers and distributors of products with digital elements are subject to CRA reporting obligations from 11 September 2026, ahead of the main obligations in December 2027. Both are fixed regulatory milestones.
hardwaresoftwareIoTcross-sectorcrareporting-obligationsproduct-securitycompliance-deadlineofficial-sourcesource-verified
regulation_update2024-08-01deadline 2026-08-02confidence: high
EU AI Act becomes fully applicable on 2 August 2026
The European Commission states that the EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024 and becomes fully applicable on 2 August 2026, with specified exceptions. Prohibited AI practices and AI literacy obligations have applied since 2 February 2025, and obligations for general-purpose AI (GPAI) models have applied since 2 August 2025. Rules for high-risk AI systems embedded into regulated products have an extended transition period until 2 August 2028.
Why it matters: From 2 August 2026 the main body of AI Act obligations applies to in-scope providers and deployers, including most high-risk AI systems. It is a fixed, near-term EU regulatory milestone for any organisation using AI.
cross-sectorhigh-risk AIai-actapplication-datecompliance-deadlineofficial-sourcesource-verified