Regulatory Intelligence Hub
Comprehensive regulatory intelligence covering DORA, NIS2, EU AI Act, CRA, GDPR, UK and Ireland cyber regulations with live countdown timers.
Live Regulatory Landscape
Comprehensive monitoring of EU, UK, and international cybersecurity, AI, and data protection enforcement — mapped to institutional doctrine response.
EU Cybersecurity Regulations
| Regulation | Status | Key Deadline | Scope & Key Requirements | Enforcement Authority | Doctrine Response |
|---|---|---|---|---|---|
| DORA EU 2022/2554 |
In Force | 17 Jan 2025 — Active supervision | Financial sector ICT resilience. Firms must withstand, respond to, and recover from ICT disruptions. Strict 4-hour incident reporting for major incidents. | EBA / EIOPA / ESMA | Evidence Chain Model™ + Recoverability Mandate™ |
| NIS2 Directive EU 2022/2555 |
Transposition | 17 Oct 2024 — EC infringement proceedings vs 19 states (May 2025); first NIS2 audits due June 30, 2026; first administrative penalties issued Q1 2026. Fines up to €10M or 2% global turnover. | Replaces NIS1. Mandatory cybersecurity requirements for essential sectors (energy, health, finance, transport) and digital services. Mandates strict risk management, governance, and incident reporting. Art. 20 imposes personal liability on directors. | National CAs + ENISA | Decision Rights Architecture™ + Board-Survivable Cyber Architecture™ |
| EU AI Act EU 2024/1689 |
Phased Rollout | 2 Aug 2026 — Full application. EU Digital Omnibus (Dec 2025) proposes delaying high-risk AI obligations deeper into 2027 — monitoring ongoing. | Risk-based AI classification: Prohibited (social scoring, cognitive manipulation), High-Risk (critical infrastructure, employment, law enforcement), Limited Risk (transparency rules for chatbots/deepfakes), Minimal Risk. GPAI models must comply with transparency and copyright obligations. Penalties: up to 7% global annual turnover for high-risk violations. | National Market Surveillance + EU AI Office | AI Accountability Stack™ |
| Cyber Resilience Act EU 2024/2847 |
Phased Rollout | 11 Sep 2026 — Vulnerability reporting obligations begin; 11 Dec 2027 — Full application | Manufacturers of products with digital elements must meet high-security standards throughout product lifecycle. Mandates "security by design," automatic updates, and vulnerability handling obligations. Commission draft guidance published March 2026. | National Market Surveillance Authorities | Evidence Chain Model™ + Contract Control Matrix™ |
| EU Cybersecurity Act EU 2019/881 + 2026 Revision |
Revision Proposed | 20 Jan 2026 — COM(2026)11 published; under EU legislative procedure (Parliament + Council) | Strengthened ENISA and established EU-wide ICT certification framework. COM(2026)11 published 20 Jan 2026: adds managed security services to certification, significantly expands ENISA's operational support role (€341M budget 2028–2034), and addresses ICT supply-chain security as a strategic risk. | ENISA + National Certification Authorities | Evidence Chain Model™ |
| Cyber Solidarity Act EU 2025 |
Implementation | In force 4 Feb 2025 — €36M Cybersecurity Reserve launched; cross-border SOC hubs deploying | Establishes EU-wide Security Operations Centre network for active threat detection. Creates Cyber Emergency Mechanism and €36M Cybersecurity Reserve for cross-border incident response. ENISA Single Reporting Platform launching September 2026. | ENISA + National SOCs | Recoverability Mandate™ |
| eIDAS2 EU Digital Identity Regulation |
Implementation | Dec 2026 — All 27 Member States must provide EU Digital Identity Wallets | Provides secure, trustworthy digital identity solutions across Europe. Member states must offer EU Digital Identity Wallets to all citizens and residents. Pilot programmes expanding; technical specifications and implementing regulations finalised. | National Supervisory Bodies | Decision Rights Architecture™ |
| ISO 42001 | Published | Certification available now | International standard for AI management systems. Provides framework for establishing, implementing, and improving AI governance within organisations. | Accredited Certification Bodies | AI Accountability Stack™ (aligned) |
EU Data Protection & Digital Markets
| Regulation | Status | Key Requirements | Enforcement Authority | Doctrine Response |
|---|---|---|---|---|
| GDPR EU 2016/679 |
In Force | Data protection by design and by default. 72-hour breach notification. DPIAs mandatory for high-risk processing. Cross-border transfer safeguards (SCCs, adequacy decisions). Fines up to 4% of global turnover. Total EU enforcement exceeds €7.1B; Irish DPC has issued €4.04B. 2026 Coordinated Enforcement Framework focuses on transparency obligations. | National DPAs (CNIL, ICO, BfDI) | Evidence Chain Model™ + Board-Survivable Cyber Architecture™ |
| ePrivacy Directive 2002/58/EC |
In Force | Regulates cookies, electronic marketing, email spam, and privacy of electronic communications. Awaiting ePrivacy Regulation replacement. | National DPAs | Contract Control Matrix™ |
| Digital Markets Act DMA |
In Force | Designates gatekeepers (Meta, Alphabet, Apple, etc.) — mandates interoperability, prohibits self-preferencing, prevents combining user data across services without consent. | European Commission (DG COMP) | Decision Rights Architecture™ |
| Digital Services Act DSA |
In Force | Strict risk assessment and independent audits for VLOPs (45M+ EU users). Faster removal of illegal content. Algorithmic transparency obligations. | European Commission + National Digital Services Coordinators | AI Accountability Stack™ |
UK Cybersecurity & Data Protection
| Regulation | Status | Key Requirements | Enforcement Authority | Doctrine Response |
|---|---|---|---|---|
| UK FCA PS21/3 Operational Resilience |
In Force | Financial firms must identify important business services, set impact tolerances, and test ability to remain within tolerances under severe-but-plausible scenarios. Full compliance 31 Mar 2025. | FCA / PRA | Recoverability Mandate™ + Decision Rights Architecture™ |
| UK GDPR + DPA 2018 | In Force | Appropriate technical and organisational security measures. 72-hour breach reporting to ICO. DPA 2018 supplements UK GDPR for law enforcement and intelligence processing. | ICO | Evidence Chain Model™ + Board-Survivable Cyber Architecture™ |
| NIS Regulations 2018 | In Force | Operators of essential services (energy, health, transport) and digital service providers must implement robust security measures and report incidents. | Sector-specific CAs (Ofcom, Ofgem, ICO) | Recoverability Mandate™ |
| Cyber Security & Resilience Bill 2025 |
In Progress | Expands NIS Regulations scope to more sectors. Tightens incident reporting rules. Increases fines and enhances regulator enforcement powers. Bill progressed to House of Lords in 2026; Royal Assent expected later 2026. | DSIT / Sector CAs | Decision Rights Architecture™ + Recoverability Mandate™ |
| Product Security Act 2022 PSTI Act |
In Force | Security requirements for consumer-connectable products — bans default passwords, mandates vulnerability disclosure, requires minimum security update periods. | OPSS | Contract Control Matrix™ |
| Telecoms Security Act 2021 | In Force | Stricter security duties on public telecom providers. Supply chain security requirements for network equipment and services. | Ofcom | Contract Control Matrix™ |
| Computer Misuse Act 1990 | In Force | Criminal offences for unauthorised access to computer material, unauthorised modification, and making/supplying tools for computer misuse. | CPS / NCA | Board-Survivable Cyber Architecture™ |
| Data (Use and Access) Act 2025 | Enacted | Reforms data protection to simplify compliance for research and AI. Clarifies international data transfer mechanisms post-Brexit. | ICO | AI Accountability Stack™ |
| AI Regulation Bill 2025 Private Members' Bill |
Proposed | Proposes establishing a central AI Authority. Potential mandatory reporting for high-risk, advanced AI models. | Proposed AI Authority | AI Accountability Stack™ |
| SEC Cyber Rules US — Global Impact |
In Force | Material cyber incident disclosure within 4 business days. Annual reporting of cyber risk management, strategy, and governance. Board-level oversight requirements. | SEC / DOJ | Board-Survivable Cyber Architecture™ |
🇮🇪 Ireland Digital Regulation Matrix (2026)
Ireland's regulatory environment has transitioned from high-level EU directives to specific, enforceable Irish statutes. Ireland holds a unique "Single Point of Contact" role for many multinational tech firms — Irish regulators often act as lead enforcer for the entire EU under the "One-Stop-Shop" mechanism.
| Regulatory Area | Key Irish Legislation | Primary Oversight Body | 2026 Status & Key Focus | Doctrine Response |
|---|---|---|---|---|
| Data Protection | Data Protection Act 2018 (Revised 2026) | Data Protection Commission (DPC) | Active. Enhanced focus on "Dark Patterns" in UI/UX and mandatory "Right to be Forgotten" for children's data. | Evidence Chain Model™ + Board-Survivable Cyber Architecture™ |
| Cybersecurity | National Cyber Security Bill 2024/26 | National Cyber Security Centre (NCSC) | Enforced (NIS2). Places the NCSC on a statutory footing; introduces personal liability for Board members regarding cyber negligence. | Decision Rights Architecture™ + Board-Survivable Cyber Architecture™ |
| Artificial Intelligence | Regulation of AI Bill 2026 | AI Office of Ireland (Oifig IS) | Transitional (targeting 1 Aug 2026 statutory establishment). General Scheme of AI Bill 2026 published Feb 2026; Oifig IS currently operating on an administrative basis coordinating AI Act enforcement across existing sector regulators (Central Bank, DPC, etc.). | AI Accountability Stack™ |
| Data Sharing / IoT | Data Bill 2025/26 | CCPC & ComReg | Implementation. Transposes the EU Data Act; ensures users can access and move data generated by connected devices (IoT). | Contract Control Matrix™ |
| Online Safety | Online Safety & Media Regulation Act | Coimisiún na Meán | Active. Governs harmful content on social media and video platforms; can issue fines up to €20m or 10% of turnover. | Decision Rights Architecture™ |
| Digital Services | Digital Services Act 2024 (Revised 2026) | Coimisiún na Meán | Active. Regulates online marketplaces and intermediaries to prevent illegal content and ensure transparency in advertising. | AI Accountability Stack™ |
Cyber Incident: 24 Hours
Under the 2026 Cyber Security Bill (NIS2), "Essential" and "Important" entities must provide an early warning to the NCSC within 24 hours of a significant incident.
AI Fines: Up to €35m / 7%
The AI Bill introduces penalties up to €35m or 7% of global turnover for prohibited AI practices. Dual-supervision applies when AI processes personal data (DPC + AI Office).
AI High-Risk Registry
Providers of high-risk AI systems (recruitment, credit scoring) must register in the National AI Register managed by Oifig IS before deployment.
🇬🇧 UK Digital & AI Regulation Matrix (2026)
The UK has shifted from "EU-lite" to a distinct "pro-innovation" regulatory environment — avoiding one-size-fits-all legislation in favour of giving specific powers to existing sector regulators. Despite 2026 reforms, the UK maintains Data Adequacy with the EU (renewed December 2025 until 2031), allowing cross-border data flows without additional safeguards.
| Regulatory Area | Primary UK Legislation | Lead Regulator | 2026 Status & Key Requirements | Doctrine Response |
|---|---|---|---|---|
| Data Protection | Data (Use and Access) Act 2026 (DUAA) | ICO | Active. Streamlines GDPR; allows "opt-out" for analytics cookies and provides broader consent for scientific research. | Evidence Chain Model™ |
| Artificial Intelligence | Sectoral Principles (Non-statutory) | Distributed (ICO, FCA, CMA) | Active. No single "AI Act." Regulators apply five principles (Safety, Fairness, Transparency, Accountability, Contestability) within their own industries. | AI Accountability Stack™ |
| Cybersecurity | Cyber Security & Resilience Bill 2026 | NCSC | Enforced. Extends NIS1 to include data centres and Managed Service Providers. Mandatory 24-hour incident reporting. | Recoverability Mandate™ + Decision Rights Architecture™ |
| IoT / Smart Tech | PSTI Act 2022 | OPSS | Strict Enforcement. Bans universal default passwords. Mandatory "Security Update" period labels on consumer products. | Contract Control Matrix™ |
| Online Safety | Online Safety Act 2023 | Ofcom | Active. Platforms must remove "Priority Offences" (AI deepfakes, cyber-flashing) and perform mandatory child risk assessments. | Decision Rights Architecture™ |
| Digital Markets | DMCC Act 2024 | CMA (DMU) | Active. Targets "Strategic Market Status" firms to prevent anti-competitive behaviour in mobile ecosystems and search. | Contract Control Matrix™ |
UK vs Ireland/EU — Critical Regulatory Differences (2026)
| Feature | United Kingdom (2026) | Ireland / EU (2026) |
|---|---|---|
| AI Oversight | Sector-led: No new laws; existing regulators (FCA, ICO) adapt principles to their domains. | Centralised: The EU AI Act provides a single, horizontal law for all sectors. |
| Cookie Consent | Less Strict: Moving toward "Opt-out" for non-intrusive tracking. | Strict: "Reject All" buttons must be as prominent as "Accept All." |
| Cyber Liability | Supply Chain Focus: Targets providers like data centres and IT managed services. | Board Liability: Personal legal liability for CEOs/Boards under NIS2 Art. 20. |
| Automated Decisions | Flexible: Broadens "lawful bases" for AI-driven decision making. | Restricted: Users have a strong "Right to Explanation" and human intervention. |
| Data Adequacy | Maintained & Renewed: Adequacy renewed December 2025 until 2031 — data flows from Dublin to London without extra paperwork. | Standard: GDPR adequacy decisions and SCCs govern cross-border transfers. |
PSTI Enforcement
Retailers and importers face massive fines if selling smart devices with default passwords or missing security update information.
Online Safety — Hash Matching
Ofcom's final codes take effect, requiring platforms to proactively block non-consensual intimate imagery.
AI Safety Institute Testing
UK AI Safety Institute begins mandatory pre-deployment testing for "frontier" AI models developed or significantly deployed within the UK.
Cross-Regulatory Focus Areas
Incident Reporting
Strict timelines across all frameworks: 4 hours (DORA/financial), 24 hours (NIS2 early warning), 72 hours (GDPR breach notification). Non-compliance triggers personal liability for directors.
Supply Chain Security
DORA, NIS2, CRA, and the Telecoms Security Act all emphasise securing the entire ICT supply chain. Third-party risk management is now a regulatory requirement, not a best practice.
Active Surveillance
The EU Cyber Solidarity Act establishes SOC networks for cross-border threat detection. Combined with ENISA strengthening under the revised CSA, the EU is building active defence capability.
Last updated: April 2026 · Sources: EUR-Lex, European Commission, FCA, PRA, ICO, SEC, ENISA, UK Parliament, DPC, NCSC Ireland, Oifig IS, Ofcom, CMA, OPSS
The Doctrine Compliance Matrix
Governance doctrine mapped against current and emerging regulatory obligations through 2030.
DORA Compliance
Focus Area: Operational Resilience Article 24, Governance Article 21, Third-party Article 28.
Your Frameworks: Evidence Chain Model™, Decision Rights Architecture™, Recoverability Mandate™, Contract Control Matrix™.
EU AI Act Governance
Focus Area: High-risk classification, Model Risk Management, Algorithmic Accountability.
Your Frameworks: AI Accountability Stack™, Evidence Chain Model™, board-level decision governance.
NIS2 Directive Readiness
Focus Area: Essential & Important Entity Status, Incident Reporting Obligations, Supply Chain Risk.
Your Frameworks: Decision Rights Architecture™, Recoverability Mandate™, Third-Party Control Matrix™.
ISO 42001 Alignment
Focus Area: AI Control Plane, Model Governance, Bias & Safety Auditing, Accountability.
Your Frameworks: AI Accountability Stack™, Evidence Chain Model™, control ownership architecture.
Board & CISO Accountability
Focus Area: Personal Liability (SEC/DOJ precedent), Board-mandated Risk Governance, Disclosure Obligations.
Your Frameworks: Decision Rights Architecture™, Evidence Chain Model™, board reporting protocols.
2030 Regulatory Curve
Forward Position: Quantum-ready identity, Sovereign AI controls, Evidence expectations escalation.
Your Architecture: All five frameworks engineered to absorb 2030 obligations without retrofit.
Regulatory Enforcement Countdown
Real-time tracking of critical compliance deadlines. These timers update live — when they reach zero, enforcement begins.
EU AI Act — Full Application
EU 2024/1689 Art. 113 — High-risk AI obligations enforceable
DORA — Supervisory Reviews
EU 2022/2554 — In force since 17 January 2025
NIS2 — Transposition Status
EU 2022/2555 — Deadline was 17 October 2024 · EC infringement proceedings vs 19 states · First audits due 30 June 2026 · First penalties issued Q1 2026
Governance Readiness Score
Evaluate your organisation's cyber governance maturity in 60 seconds. This diagnostic maps your current posture against DORA, NIS2, and EU AI Act enforcement requirements.
1. Does your board receive structured cyber risk reports at least quarterly?
2. Do you have documented Decision Rights for cyber incident escalation?
3. Can you produce an evidence chain for any control within 24 hours?
4. Have you stress-tested your operational resilience under a severe-but-plausible scenario?
5. Do you have AI governance controls mapped to EU AI Act requirements?
6. Are your third-party/outsourcing contracts governed by enforceable cyber controls?