In 2026, several major regulatory frameworks will either start to apply or reach important implementation milestones. Companies should prepare in time for the upcoming changes.
I. AI Act: Regulation for High-Risk AI Systems Starting 2026, 2027 or 2028?
The remaining provisions of the AI Act will generally apply from 2 August 2026. However, the rules on high-risk AI systems might be deferred. Following the “Digital Omnibus” proposal of the European Commission from November 2025, the application of these provisions shall depend on a Commission decision confirming that adequate compliance support measures are in place.
If such a decision is adopted, obligations shall apply:
- after six months for high-risk systems under Article 6(2) AI Act, and
- after twelve months for high-risk systems under Article 6(1) AI Act.
Without a Commission decision, the rules shall apply only from December 2027 or August 2028. However, this postponement of the effective date is only a proposal by the EU Commission at this stage. To be on the safe side, providers and deployers should already start aligning with the upcoming requirements.
II. Data Act: New Obligations for Manufacturers of Connected Products
The EU Data Act introduces far-reaching rules on access to and use of data generated by connected products. From 12 September 2026, manufacturers placing connected products on the market must comply with the principle of direct accessibility of product data for users (Article 3(1) Data Act).
The German implementation act of the Data Act is expected to be adopted in 2026. Current drafts designate the Federal Network Agency (Bundesnetzagentur) as the central enforcement authority and provide for significant fines, including penalties of up to 4% of annual EU turnover for certain infringements by gatekeepers.
III. NIS 2: Focus on Practical Implementation
The German implementation act of the NIS 2 Directive fundamentally expands the Act on the Federal Office for Information Security (BSIG). The scope of affected entities has increased considerably.
Affected companies should urgently address the implementation of the new regulations in 2026, if they have not already done so.
IV. Cyber Resilience Act: New Reporting Obligations for Manufacturers of Products With Digital Elements
The Cyber Resilience Act (CRA) will introduce binding cybersecurity requirements for products with digital elements. Key reporting and information obligations apply from June and September 2026. Manufacturers must report actively exploited vulnerabilities and security incidents and inform users accordingly. These obligations require close coordination between legal, IT security and product teams.
V. Digital Omnibus: More Changes Ahead?
Finally, the Digital Omnibus proposal mentioned above also addresses a number of further laws, including the GDPR, Data Act and cookie rules, and introduces a unified platform for reporting obligations arising from different laws. However, it remains uncertain whether the intended simplifications for businesses will take effect in 2026 or later.
VI. Outlook
2026 will bring a series of targeted obligations with significant operational impact. Early preparation, cross-functional coordination and ongoing monitoring of legislative developments will be key to managing regulatory risk in the evolving IT law landscape.