
DOMAIN:EU_REGULATION

OWNER: julian
UPDATED: 2026-03-18
SCOPE: all client projects targeting EU market


TIMELINE

Regulation                      Date                Status
GDPR                            May 2018            ACTIVE
EU AI Act — prohibited AI       Feb 2, 2025         IN_FORCE
EU AI Act — GPAI                Aug 2, 2025         IN_FORCE
PCI DSS v4.0.1 future-dated     Mar 31, 2025        IN_FORCE
EAA / EN 301 549                Jun 28, 2025        IN_FORCE
Data Act                        Sep 12, 2025        IN_FORCE
NIS2 / Cbw (Netherlands)        Q2 2026 expected    BILL_IN_PARLIAMENT
EU AI Act — high-risk           Aug 2, 2026         UPCOMING
CRA — reporting                 Sep 2026            UPCOMING
eIDAS 2.0 — wallet              End 2026            UPCOMING
CRA — full compliance           Dec 2027            UPCOMING
Peppol B2B (NL)                 Jul 2030            FUTURE

EU_AI_ACT (Regulation (EU) 2024/1689)

RISK_CLASSIFICATION

UNACCEPTABLE (BANNED since Feb 2025): social scoring, manipulative subliminal AI, emotion recognition at work/school, real-time biometric in public
HIGH_RISK (Annex III): credit scoring, recruitment AI, education assessment, critical infrastructure, law enforcement
LIMITED_RISK: chatbots, AI-generated content, deepfakes → transparency obligations only
MINIMAL_RISK: spam filters, AI games → no obligations

ROLE_DETERMINATION

IF agency builds AI system placed on market under own/client brand THEN role = PROVIDER (heaviest obligations)
IF client integrates third-party AI (Claude API) THEN client = DEPLOYER (Art. 26)
IF agency modifies high-risk AI or changes purpose THEN agency becomes PROVIDER

PROVIDER_OBLIGATIONS (high-risk, from Aug 2026)

  • risk management system (Art. 9)
  • data governance (Art. 10)
  • technical documentation per Annex IV (Art. 11)
  • automatic logging (Art. 12)
  • transparency to deployers (Art. 13)
  • human oversight design (Art. 14)
  • accuracy, robustness, cybersecurity (Art. 15)
  • quality management system (Art. 17)
  • conformity assessment (Art. 43)
  • EU database registration (Art. 49)

DEPLOYER_OBLIGATIONS (Art. 26)

  • human oversight: decisions reviewable, contestable, correctable
  • log retention for traceability
  • use only per provider instructions
  • inform affected individuals
  • FRIA for certain deployments

AI_LITERACY (Art. 4) — ALREADY IN FORCE

ALL deployers must ensure AI literacy within organization since Aug 2, 2025

GPAI_LLM (Claude, GPT, Gemini)

CLASSIFICATION: General Purpose AI models
PROVIDER_OBLIGATIONS (Anthropic/OpenAI): technical docs, training data summaries, model cards
ANTHROPIC: signed GPAI Code of Practice (July 2025)
GE_AS_DEPLOYER: vet vendor compliance, ensure user transparency, classify any high-risk apps built on top

PENALTIES

PROHIBITED: EUR 35M or 7% global turnover
HIGH_RISK: EUR 15M or 3%
FALSE_INFO: EUR 7.5M or 1%


NIS2 (Directive (EU) 2022/2555)

SCOPE

ESSENTIAL (Annex I): energy, transport, banking, health, digital infrastructure, ICT service management, public admin, space
IMPORTANT (Annex II): postal, waste, chemicals, food, manufacturing, digital providers
SIZE_THRESHOLD: 50+ employees OR EUR 10M+ turnover

SUPPLY_CHAIN_IMPACT

  • regulated clients MUST manage supply chain cybersecurity
  • creates cascading contractual obligations on software vendors (= GE)
  • demonstrating NIS2-aligned security = commercial differentiator
  • management boards have personal liability

OBLIGATIONS (Art. 21)

  1. risk analysis and security policies
  2. incident handling
  3. business continuity
  4. supply chain security
  5. security in system development
  6. effectiveness assessment
  7. cybersecurity hygiene and training
  8. cryptography and encryption
  9. access control and asset management
  10. multi-factor authentication

INCIDENT_REPORTING

24h: early warning to CSIRT
72h: full notification with assessment
1 month: final report with root cause

DUTCH_IMPLEMENTATION (Cyberbeveiligingswet)

REPLACES: Wbni
STATUS: delayed — deadline expired Oct 2024; bill in Parliament Jun 2025; expected Q2 2026
NOTE: Commission sent reasoned opinion to NL May 2025 for failure to transpose
CURRENT: Wbni remains in force until Cbw takes effect

PENALTIES

ESSENTIAL: EUR 10M or 2% global turnover
IMPORTANT: EUR 7M or 1.4%


CRA (Cyber Resilience Act — Regulation (EU) 2024/2847)

SCOPE: all products with digital elements on EU market — includes software
IF client-deployed software THEN CRA likely applies

REQUIREMENTS:
- mandatory security in design, development, production
- vulnerability handling (coordinated disclosure, security updates)
- SBOM requirement
- security updates for product lifetime (minimum 5 years)

TIMELINE:
- Sep 2026: reporting obligations
- Dec 2027: full compliance


EIDAS_2.0 — EU Digital Identity

STANDARD: Regulation (EU) 2024/1183
WALLET_AVAILABLE: end of 2026 in all Member States
MANDATORY_ACCEPTANCE: banking, healthcare, telecom, transport, large online platforms
FEATURES: selective disclosure (prove age without revealing full identity), strong customer auth, QWACs
OPEN_SOURCE: wallet component source code must be open-source

CURRENT_STATE: no production wallets yet; 350+ companies in pilots across 26 Member States.
ACTION_NOW: gap analysis of existing auth flows; design a flexible architecture so wallet-based login can be integrated later.


DATA_ACT (Regulation (EU) 2023/2854)

STATUS: applicable from Sep 12, 2025
SCOPE: access to data from IoT products, cloud switching, interoperability
RELEVANT_WHEN: clients building connected products


PEPPOL

NETHERLANDS

B2G: mandatory via Peppol BIS 3.0 since 2019
B2B: voluntary now; mandate planned Jul 2030 (five-corner model)
FORMAT: Peppol BIS Billing 3.0 (UBL 2.1 + EN 16931 + Peppol business rules)
NLCIUS: Dutch Core Invoice Usage Specification
ARCHIVING: 7 years (10 for immovable property)

CROSS_BORDER

BELGIUM: B2B mandatory via Peppol from Jan 2026 (fines EUR 1,500-5,000)
GERMANY: B2B requirements from 2025

IF building ERP/invoicing for Dutch SMEs THEN implement Peppol BIS 3.0 now for B2G
IF clients trade with BE/DE THEN B2B e-invoicing may be needed sooner


PCI_DSS_V4.0.1

STATUS: all future-dated requirements mandatory since Mar 31, 2025

KEY_CHANGES:
- customized approach allowed (innovative controls)
- MFA for ALL CDE access (not just remote)
- passwords minimum 12 chars
- client-side script security (NEW: Req 6.4.3, 11.6.1)
- ASV scans even for SAQ A merchants
- targeted risk analysis required
- control failure monitoring mandatory

WEB_APP_IMPACT:
CHECK: payment page scripts inventoried and authorized (Req 6.4.3)
CHECK: client-side script integrity monitoring (Req 11.6.1)
CHECK: HTTP header security monitoring
CHECK: quarterly vulnerability scans
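Added example (not from this page or from any PCI SSC material) of the Req 6.4.3 / 11.6.1 checks above: it inventories every script on a payment page, verifies each authorized script against a baseline SHA-256 hash, and flags unlisted scripts, unapproved inline snippets and changed security headers. The page HTML, script contents, URLs and hashes are constructed; a real monitor would fetch the live page, its scripts and its response headers.

```python
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None   # src URLs, inline bodies
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []                     # inline script: start buffering its body
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None
def sha256(d): return hashlib.sha256(d if isinstance(d, bytes) else d.encode()).hexdigest()
def audit_payment_page(html, fetched, inventory, headers, header_baseline):
    """inventory: {src_url: expected sha256} plus 'inline:<sha256>' keys for approved inline
    snippets; fetched: {src_url: bytes the monitor retrieved}. Returns findings ([] = no drift)."""
    findings, parser = [], ScriptCollector()
    parser.feed(html)
    for src in parser.external:                           # Req 6.4.3: is every script authorized?
        if src not in inventory:
            findings.append(f"UNAUTHORIZED script: {src}")
        elif sha256(fetched.get(src, b"")) != inventory[src]:  # Req 11.6.1: content changed?
            findings.append(f"INTEGRITY DRIFT (or not fetched): {src}")
    for body in parser.inline:
        if "inline:" + sha256(body) not in inventory:
            findings.append("UNAUTHORIZED inline script: " + body[:40])
    for name, expected in header_baseline.items():        # Req 11.6.1: security header changed?
        if headers.get(name) != expected:
            findings.append(f"HEADER CHANGE: {name}: {headers.get(name)!r}")
    return findings

# Constructed sample: one authorized PSP script, one approved inline init, one unlisted script.
PAY_JS = b"window.Pay = {tokenize: function(c){ return btoa(c); }};"
INLINE = "Pay.init({merchant: 'demo'});"
PAGE_HTML = (f'<html><head><script src="https://psp.example/pay.js"></script><script>{INLINE}'
             '</script><script src="https://cdn.unknown.example/x.js"></script></head></html>')
INVENTORY = {"https://psp.example/pay.js": sha256(PAY_JS), "inline:" + sha256(INLINE): None}
HEADER_BASELINE = {"Content-Security-Policy": "script-src 'self' https://psp.example"}
def demo():   # the sample page served with a tampered pay.js and a loosened CSP header
    return audit_payment_page(PAGE_HTML, {"https://psp.example/pay.js": PAY_JS + b"//tampered"},
                              INVENTORY, {"Content-Security-Policy": "script-src *"}, HEADER_BASELINE)
```

Each finding maps to an entry the assessor will ask for: the authorization record (6.4.3) or the change alert (11.6.1).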


INDUSTRY_SPECIFIC

FINANCIAL — DORA

STANDARD: Regulation (EU) 2022/2554
STATUS: applicable since Jan 17, 2025
SCOPE: ICT risk management, incident reporting, resilience testing, third-party risk
RELEVANT_WHEN: building fintech products

HEALTHCARE

MDR: Regulation (EU) 2017/745 — Software as Medical Device classification
NEN_7510: Dutch healthcare information security
NEN_7512: trusted data exchange in healthcare
NEN_7513: logging of access to patient data
EHDS: Regulation (EU) 2025/327 — entered force Mar 2025
- EHR manufacturers certify by Jan 2026
- primary/secondary use obligations from Mar 2029


REGULATORY_ASSESSMENT_FRAMEWORK

1. processes personal data? → GDPR (always for EU)
   → Art. 25 (by design), Art. 32 (security), Art. 35 (DPIA?)
   → cookie consent if web-facing
   → international transfers if US services used

2. uses AI/ML? → EU AI Act
   → classify risk level
   → determine role: provider or deployer
   → AI literacy (already in force)

3. client in regulated sector?
   energy/transport/banking/health/digital infra → NIS2
   financial → DORA
   healthcare → MDR + NEN 7510 + EHDS

4. handles payments? → PCI DSS v4.0.1
   → client-side script security

5. consumer-facing? → EAA / EN 301 549
   → WCAG 2.1 AA + EN 301 549 extras

6. deploys software to EU market? → CRA (from 2027)
   → SBOM + vulnerability handling

7. handles invoicing?
   B2G → Peppol BIS 3.0 mandatory (NL)
   B2B → voluntary NL, mandatory BE (2026)

8. handles health data? → MDR + EHDS + NEN 7510/7512/7513

READ_ALSO: domains/privacy/index.md, domains/accessibility/index.md, domains/compliance-frameworks/index.md