The regulated-IT
deadlines that actually bite.

The regulations that drive IT programmes in Denmark and the EU — NIS2, DORA, the EU AI Act and PCI-DSS — in one plain-English timeline. What’s already live, what’s coming, and what each one means for your delivery.

Reviewed July 2026 · dates move — verify before you plan to them
17 Jan 2025In force
DORALive
DORA applies to financial entities

ICT risk management, third-party oversight, incident reporting and resilience testing are mandatory across banking, insurance, payments and investment. If it’s still on paper, that’s exposure — not compliance. See the NIS2 / DORA playbook →

2 Feb 2025In force
EU AI ActLive
Prohibited AI practices + AI literacy

Banned AI uses must be gone, and staff need demonstrable AI literacy. The cheapest AI Act obligation to miss — and the easiest to prove you’ve met.

31 Mar 2025In force
PCI-DSS v4.0.1Live
Future-dated v4 requirements become mandatory

The ~50 “future-dated” v4 requirements are now mandatory for every cardholder-data environment. Uncontrolled CDE scope is where recertification quietly stalls.

1 Jul 2025In force
NIS2 (DK)Live
The Danish NIS2 Act enters into force

~6,000 Danish entities across ~15 sectors, with no transition period. Risk-management measures, incident reporting and supply-chain security have to operate, not just exist. See the NIS2 playbook →

2 Aug 2025In force
EU AI ActLive
GPAI, governance & penalties apply

General-purpose AI model obligations, the governance structures and the penalty regime take effect. This is where the AI Act grows teeth.

1 Oct 2025Passed
NIS2 (DK)Live
NIS2 self-registration deadline

Covered entities had to register themselves with the authorities. Missed it? That’s the first thing a supervisor checks — and the cheapest gap to close.

Today
2 Aug 2026Upcoming
EU AI ActUpcoming
Transparency obligations (Article 50)

Disclosure duties for AI systems people interact with — chatbots, and AI-generated or manipulated content. Largely held on the original schedule through the 2026 Digital Omnibus, so plan to it.

2 Aug 2027Upcoming
EU AI ActUpcoming
High-risk AI embedded in regulated products (Annex I)

High-risk AI built into products already under EU safety law (machinery, medical devices and the like) must comply. Long lead time — the conformity work starts well before the date.

2 Dec 2027Deferred
EU AI ActDeferred
Standalone high-risk AI (Annex III)

Standalone high-risk uses — hiring, credit scoring, biometrics — deferred from 2 Aug 2026 to 2 Dec 2027 under the provisional Digital Omnibus agreement (May 2026). The date most likely to move again; treat it as a plan, not a promise.

Compiled from public regulation and reviewed July 2026. Regulatory timelines shift — the EU AI Act’s high-risk dates in particular are under a provisional Digital Omnibus deferral and may change again. This tracker is orientation, not legal advice; verify against the primary source before you commit a programme to any date.

Primary sources: EU AI Act timeline · Digitaliseringsstyrelsen (NIS2 DK) · DORA · PCI SSC.

New to the acronyms? The regulated-IT glossary explains NIS2, DORA, GxP, TSA, cutover and the rest in plain English.

Compliant on paper, exposed in practice?

If a deadline is behind you and the controls only exist in a binder, that’s a delivery problem, not a legal one. That’s the part I fix.

See how I’d approach it →