8 EU Regulations That Changed in 2026. Here’s What Actually Matters for Your Business.

The EU regulatory landscape shifted more in the first quarter of 2026 than in all of 2025. Reporting thresholds moved. Enforcement began. Deadlines passed quietly while others accelerated. If you’re a compliance officer at a mid-sized European company, you need to know which ones hit your desk first.

This is a triage guide. Eight regulations, ranked by urgency. What changed, who’s affected, what to do now.

1. CSRD. Dramatically Narrowed by Omnibus I

What changed: The Omnibus I Directive entered into force on 18 March 2026. It rewrites the scope of the Corporate Sustainability Reporting Directive. The threshold now sits at 1,000+ employees AND €450 million+ net turnover. Companies below that line are out. Wave 2 reporting shifts to financial year 2027, with the first reports due in 2028. Sector-specific ESRS standards have been scrapped entirely. Simplified ESRS are expected by September 2026.

Who’s affected: Thousands of companies that were preparing for CSRD are no longer in scope. Wave 1 companies below the new thresholds can be exempted by their member state for financial years 2025 and 2026. SMEs in the value chain are shielded by a new “value chain cap.” Companies with fewer than 1,000 employees can refuse data requests that exceed voluntary reporting standards.

What to do now: Check whether your company still meets the revised thresholds. If you fall out of scope, don’t abandon your sustainability reporting infrastructure. The Commission must review by April 2031 whether to expand the scope again. If you’re still in scope, monitor the simplified ESRS delegated act expected in Q3 2026.

2. CBAM. Definitive Phase Is Live, Authorisation Deadline on 31 March

What changed: The Carbon Border Adjustment Mechanism entered its compliance phase on 1 January 2026. Importers of cement, iron and steel, aluminium, fertilisers, electricity, and hydrogen now face financial obligations tied to embedded emissions. Default emission values rise by 10% in 2026, 20% in 2027, and 30% from 2028. The Omnibus simplification introduced a de minimis threshold: importers below 50 tonnes per year are exempt.

Who’s affected: EU importers of the six covered product categories. More than 12,000 operators have submitted authorisation applications. If you import covered goods and haven’t applied yet, you have until 31 March 2026 to submit your application and continue importing while it’s processed.

What to do now: If you haven’t applied for authorised declarant status, do it this week. The deadline is 31 March. Engage your non-EU suppliers on installation-level emissions data. Without verified actual data, you’ll pay based on default values, which are intentionally set high. First CBAM certificate purchases begin 1 February 2027, covering 2026 imports.

3. NIS2. Patchy Transposition, Audits Starting

What changed: The transposition deadline was October 2024. As of early 2026, 19 member states still received a reasoned opinion from the Commission for incomplete implementation. Germany transposed in December 2025 with stricter-than-minimum requirements. France is still legislating. The Commission proposed targeted NIS2 amendments in January 2026 to improve clarity and reduce burden for 28,700 companies. First formal audit cycles are starting across the EU.

Who’s affected: Essential and important entities across 18 sectors. In countries that have transposed (Germany, Italy, Belgium, Croatia, among others), registration and compliance obligations are already live. Germany requires registration with the BSI within three months of the law taking effect. Fines reach €10 million or 2% of global turnover for essential entities.

What to do now: Check your member state’s transposition status. If your national law is in force, verify whether you fall within scope (generally 50+ employees, €10 million+ turnover in a covered sector). Prioritise incident reporting processes: 24-hour early warning, 72-hour full notification. If you operate across borders, map which jurisdictions apply.

4. EU AI Act. High-Risk Deadline Approaching, Guidance Missing

What changed: Prohibited AI practices have been enforceable since February 2025. General-purpose AI rules have applied since August 2025. The next major milestone is 2 August 2026: full requirements for high-risk AI systems under Annex III. But the Commission missed its own deadline for publishing high-risk classification guidance. Harmonised standards from CEN-CENELEC are delayed until late 2026. The Digital Omnibus proposes extending the Annex III deadline to December 2027. That extension hasn’t been adopted yet.

Who’s affected: Any organisation developing or deploying AI systems in biometrics, critical infrastructure, education, employment, essential services, law enforcement, or migration. Penalties run up to €35 million or 7% of global turnover for prohibited practices, €15 million or 3% for high-risk non-compliance.

What to do now: Don’t wait for the potential extension. Inventory your AI systems and classify them against Annex III categories. Start conformity assessment preparation for high-risk systems. Ensure AI literacy obligations (already in force) are met across your organisation. Spain’s AESIA has published 16 practical guidance documents that are useful even for non-Spanish entities.

5. DORA. Enforcement in Full Swing, Register Submissions Due

What changed: The Digital Operational Resilience Act has been fully enforceable since 17 January 2025. In 2026, the focus shifts to operational enforcement. Financial entities must submit their Register of Information (RoI) documenting all ICT third-party arrangements. Several regulators (AFM, DNB, BaFin) set Q1 2026 deadlines for submissions. The Commission’s Article 58 review assessed whether to extend DORA to auditors and audit firms. Automated supervisory tools are now cross-referencing RoI data across entities.

Who’s affected: Banks, insurance companies, investment firms, payment providers, and their critical ICT service providers. 19 major tech firms (including AWS, Google Cloud, Microsoft) have been designated as critical third-party providers under direct regulatory oversight.

What to do now: Ensure your RoI is submitted in the correct xBRL-CSV format by your NCA’s deadline. Appoint a dedicated board-level owner for digital operational resilience. Verify that incident reporting processes meet the 24-hour early warning standard. Update third-party contracts with DORA-aligned clauses.

6. CRA. Reporting Obligations Hit in September 2026

What changed: The Cyber Resilience Act entered into force in December 2024 and fully applies from December 2027. But manufacturers face an earlier obligation: from 11 September 2026, they must report actively exploited vulnerabilities and severe incidents via ENISA’s Single Reporting Platform. The Commission published draft guidance for feedback in March 2026. Member states must designate notifying authorities for conformity assessment bodies by June 2026.

Who’s affected: Manufacturers, importers, and distributors of products with digital elements (hardware and software) placed on the EU market. This includes IoT devices, mobile applications, operating systems, and industrial equipment. Penalties reach €15 million or 2.5% of global turnover.

What to do now: Map your product portfolio against CRA scope. Establish vulnerability monitoring and incident response workflows ahead of the September 2026 reporting deadline. This applies to products already on the market, not just new ones. Start building technical documentation for the December 2027 full-compliance date.

7. CSDDD. Pushed Back to 2029

What changed: The Omnibus I Directive significantly weakened the Corporate Sustainability Due Diligence Directive. Scope thresholds rose to 5,000+ employees and €1.5 billion+ net turnover. Transition plan requirements were removed. The application date moved to 26 July 2029. Member states must transpose by 26 July 2028.

Who’s affected: Far fewer companies than originally planned. The obligation to publish an annual sustainability due diligence statement now applies to financial years starting on or after 1 January 2030. If you’re a mid-market company, CSDDD is likely no longer on your immediate compliance radar.

What to do now: Reassess whether you’re in scope under the revised thresholds. If you fall below 5,000 employees, you can deprioritise CSDDD preparation. But don’t ignore due diligence entirely. Value chain expectations from in-scope companies will trickle down through contractual requirements.

8. EUDR. Delayed to December 2026

What changed: The EU Deforestation Regulation, originally due to apply from December 2025, was postponed by 12 months. Large operators must comply from 30 December 2026. Small and micro enterprises have until 30 June 2027.

Who’s affected: Market participants and traders importing, placing on the market, or exporting cocoa, coffee, soya, palm oil, beef, wood, rubber, and derived products. Due diligence requires proof that no deforestation occurred after 31 December 2020.

What to do now: Use the extra year to build traceability systems and collect geolocation data from suppliers. The risk classification system for source countries hasn’t been finalised yet, which creates uncertainty. But supply chain mapping should start now regardless.

What this means for Q2 2026

Three trends define EU compliance in 2026.

First, simplification is real but selective. The Omnibus package cut the number of companies in CSRD and CSDDD scope. But NIS2, DORA, and the AI Act are expanding, not contracting. The regulatory load is shifting, not shrinking.

Second, enforcement is uneven. Germany has some of the EU’s strictest NIS2 rules. France is still passing its law. If you operate in multiple member states, compliance means navigating 27 variations of the same directive.

Third, deadlines cluster. CBAM authorisation (31 March), DORA register submissions (Q1), CRA reporting (September), AI Act high-risk (August). Q3 2026 is going to be intense.

Pick the two or three regulations that affect your business most. Start there. We’ll cover each one in depth in the coming weeks.

RegDossier
