The regulated-IT
deadlines that actually bite.
The regulations that drive IT programmes in Denmark and the EU — NIS2, DORA, the EU AI Act and PCI-DSS — in one plain-English timeline. What’s already live, what’s coming, and what each one means for your delivery.
ICT risk management, third-party oversight, incident reporting and resilience testing are mandatory across banking, insurance, payments and investment. If it’s still on paper, that’s exposure — not compliance. See the NIS2 / DORA playbook →
Banned AI uses must be gone, and staff need demonstrable AI literacy. The cheapest AI Act obligation to miss — and the easiest to prove you’ve met.
The ~50 “future-dated” v4 requirements are now mandatory for every cardholder-data environment. Uncontrolled CDE scope is where recertification quietly stalls.
~6,000 Danish entities across ~15 sectors, with no transition period. Risk-management measures, incident reporting and supply-chain security have to operate, not just exist. See the NIS2 playbook →
General-purpose AI model obligations, the governance structures and the penalty regime take effect. This is where the AI Act grows teeth.
Covered entities had to register themselves with the authorities. Missed it? That’s the first thing a supervisor checks — and the cheapest gap to close.
Disclosure duties for AI systems people interact with — chatbots, and AI-generated or manipulated content. Largely held on the original schedule through the 2026 Digital Omnibus, so plan to it.
High-risk AI built into products already under EU safety law (machinery, medical devices and the like) must comply. Long lead time — the conformity work starts well before the date.
Standalone high-risk uses — hiring, credit scoring, biometrics — deferred from 2 Aug 2026 to 2 Dec 2027 under the provisional Digital Omnibus agreement (May 2026). The date most likely to move again; treat it as a plan, not a promise.
Compiled from public regulation and reviewed July 2026. Regulatory timelines shift — the EU AI Act’s high-risk dates in particular are under a provisional Digital Omnibus deferral and may change again. This tracker is orientation, not legal advice; verify against the primary source before you commit a programme to any date.
Primary sources: EU AI Act timeline · Digitaliseringsstyrelsen (NIS2 DK) · DORA · PCI SSC.
New to the acronyms? The regulated-IT glossary explains NIS2, DORA, GxP, TSA, cutover and the rest in plain English.
Compliant on paper, exposed in practice?
If a deadline is behind you and the controls only exist in a binder, that’s a delivery problem, not a legal one. That’s the part I fix.
See how I’d approach it →