Is your business ready for the regulatory wave of 2026 and beyond?
In the space of two years, the European regulatory landscape has undergone an unprecedented transformation. The GDPR, eIDAS 2.0, DORA, NIS2, the AI Act, and the AMLR: all these regulations are significantly reshaping the landscape of compliance for businesses in 2026 and beyond!
Timelines overlap, obligations are increasing, and now affect multiple functions within companies.
Faced with this regulatory inflation, decision-makers find themselves in the same situation: they know they must apply these regulations, but struggle to identify what is urgent, what can wait, and above all, what this means in practical terms for their organization. It is not a question of competence. It is a question of the volume of regulations and their complexity.
This article aims to break down current and upcoming regulations. For each key piece of legislation, we provide a clear explanation, a date, and a concrete business impact.
Regulatory compliance is now a topic for executive committees.
In just two years, regulations have evolved, and the surge is only just beginning
To understand the scale of this regulatory acceleration, it is essential to set the context. The European Union has opted for strong regulation to safeguard its digital sovereignty. These regulations are not merely intended to govern technologies; they aim to build a genuine digital trust infrastructure in Europe, based on data protection, the security of digital transactions, the interoperability of services, and the resilience of critical infrastructure.
The result: a regulatory acceleration that is forcing companies to change their processes, their vision, and their internal operations. Those that still treat compliance as a one-off or even reactive project, managed in silos between legal, IT, and business teams, find themselves structurally behind. And this lag comes at a high cost: according to the Ponemon Institute, non-compliance costs on average 2.71 times more than compliance: $14.82 million versus $5.47 million per year on average.
Here are the four regulations that shape the obligations of European companies through 2027 and beyond:
| Regulation | Key dates | Objective | Impact on businesses |
|---|---|---|---|
| DORA | Applies from January 17, 2025 | Ensuring the digital operational resilience of the financial sector | ICT risk management, resilience testing, and oversight of third-party technology providers |
| AI Act | In force since August 2024 / Phased application 2025–2027 | Regulating the use of artificial intelligence | Classification of AI systems by risk level, transparency requirements, and human oversight |
| eIDAS 2.0 | In force since May 2024 / EU Digital Identity Wallet by late 2026 | Creating an interoperable European digital identity | Deployment of the “EU Digital Identity Wallet” and new requirements for trust services |
| AMLR / AMLD6 | Adopted in May 2024 / Requirements applicable from July 2027 | Strengthening the fight against money laundering and fraud | Enhanced KYC, ongoing customer monitoring, and automation of controls |
What each regulation means for businesses
eIDAS 2.0: Toward an interoperable European digital identity
eIDAS 2.0 is more than just a technical update. It creates a new architecture for digital trust in Europe, with the flagship measure being the rollout of a European digital identity wallet, the “EU Digital Identity Wallet,” by the end of 2026.
For businesses, this means new requirements for trust services and electronic signature providers. Only qualified electronic signatures, issued through Qualified Trust Service Providers (QTSPs) that are supervised under European law and audited against eIDAS requirements, carry the same legal effect as a handwritten signature in every Member State, and the evidence they produce benefits from the corresponding legal presumptions. For regulated onboarding and contracting, this is no longer an option: it is a prerequisite for market access.
But the impact goes far beyond signatures. eIDAS 2.0 fundamentally redefines the requirements for identity verification and digital onboarding processes. Organizations, and in particular the relying parties that the regulation obliges to accept the wallet (such as services legally required to use strong user authentication, and very large online platforms), will need to be able to accept and verify wallet-based identities and electronic attestations of attributes on a European scale, making their onboarding processes more reliable, faster, and interoperable across Member States. For companies operating in multiple European countries, this is a major structural shift: customer journeys can be standardized, document checks automated, and onboarding made secure without additional friction. Compliance thus becomes an experience accelerator rather than a hindrance.
DORA: Digital Resilience Becomes a Legal Requirement
Applicable since January 17, 2025, the Digital Operational Resilience Act (DORA) applies to entities in the financial sector. The objective is clear: to ensure that financial organizations can maintain their critical operations in the event of ICT disruptions, whether caused internally or by their technology providers. In practical terms, DORA mandates structured ICT risk management, regular resilience testing (including threat-led penetration testing for the largest entities), incident reporting, and active oversight of third-party providers. DORA places ultimate responsibility for ICT risk management on the management body, and Member States may sanction its members individually in the event of a failure. This is no longer an IT constraint: it is a governance issue at the highest level.
AI Act: Regulate AI or Risk Exposure
The AI Act entered into force in August 2024, with phased application through 2027. Its founding principle: classifying AI systems according to their risk level. What many still don’t realize: identity verification based on biometrics, credit and risk scoring of natural persons, and the document analysis tools built around them can fall into the high-risk category listed in Annex III. Among the obligations that then apply, four stand out as non-negotiable:
- Algorithmic transparency: decisions must be explainable and documented
- Human oversight: human review is required for any high-risk automated decision
- Bias control: algorithms must be verified to prevent discrimination
- Full traceability: data, models, and decisions must be auditable at all times
Organizations using these tools, particularly for digital onboarding or KYC (documentary verification), must structure their AI governance accordingly.
AMLR / AMLD6: KYC is being strengthened and automated
Adopted in May 2024 and applicable from July 2027, the new anti-money laundering package (the AMLR regulation and the AMLD6 directive) requires enhanced KYC (documentary and data verification), continuous monitoring of customers throughout the relationship, and increased automation of controls. The timeline may seem long, but organizations that waited until 2026 to begin their compliance efforts have already fallen behind and face a difficult road to catch up.
Compliance: A Full-Fledged Executive Committee Issue
Compliance is no longer a support function confined to the legal or IT departments. It is becoming a strategic issue at the executive committee level for three major reasons.
The first: increased personal liability for executives. Several regulations, including NIS2, DORA, and the AI Act, concretely strengthen the liability of management bodies in the event of a failure. It is no longer a collective and abstract responsibility: it is a personal exposure for executives.
The second: a direct impact on the business model. Access to the European market now depends on the ability to demonstrate compliance. In highly regulated sectors such as financial services, insurance, healthcare, energy, and telecommunications, demonstrating compliance has become a decisive factor in choosing a service provider.
The third: systemic risk in the event of non-compliance. Financial penalties, reputational damage, and business disruptions can have a lasting impact on the company and its financial performance.
The question to ask today is: “Is our organization structured to integrate compliance as a driver of performance and resilience?”
Two Approaches to Regulatory Acceleration
Given the current context, organizations have a choice between two strategies. Choosing one or the other has very concrete consequences for their competitiveness in the medium term.
The first approach is reactive: addressing compliance on an ad hoc basis, treating it as a cost center, and managing it in silos across legal, IT, and business teams. This approach often leads to missed regulatory deadlines, rushed launches of remediation projects at high costs, and significant operational risks.
The second approach is “Compliance by Design”: this involves integrating compliance from the very outset of business process design, IT architecture, and customer journeys, rather than adding it as an afterthought. Companies that adopt this approach gain in efficiency and agility, reduce their compliance costs, and strengthen the trust of their partners, customers, and regulators alike. They anticipate regulatory changes where their competitors merely react.
This distinction is not merely theoretical. Institutions that adopt automation technologies (RegTech) can reduce their operational compliance costs by 20 to 40 percent, according to several industry analyses (LexisNexis Risk Solutions, True Cost of Financial Crime Compliance Report 2023).
3 Mistakes to Avoid When Preparing for New Regulations
Treating each regulation in isolation. This is the most common and most costly mistake. An eIDAS project led by IT, a DORA initiative spearheaded by the CISO, an AI Act initiative managed by the legal department: the result is an accumulation of redundancies, blind spots, and a final bill far higher than that of an integrated approach. These regulations share the same fundamental requirements: traceability, auditability, and data sovereignty. They deserve to be addressed in a consistent manner.
Waiting for a formal notice. Organizations that launch compliance projects under pressure from an audit or a regulatory notice pay the price multiple times over: high remediation costs, significant operational risks, and diminished credibility with regulators. Anticipation is a strategic necessity.
Entrusting data to a service provider outside the European jurisdiction. The U.S. CLOUD Act of 2018 allows U.S. authorities to compel providers under their jurisdiction to hand over data, even if it is stored in Europe. The location of a data center no longer guarantees control over the data: it is the provider’s jurisdiction that matters. In a context where eIDAS 2.0 and the GDPR are strengthening sovereignty requirements, working with a provider whose solutions are not certified under European law constitutes a major regulatory and geopolitical risk.
But in practical terms, where does your organization stand?
The real question decision-makers must ask themselves today is not “are we compliant?” but “are we structured to absorb the ongoing regulatory inflation?”
European organizations have an advantage that many still underestimate. The European regulatory framework is not an administrative burden. It is a powerful standard of digital trust, which is becoming a decisive selection criterion in international business relations. Organizations that integrate it as a strategic asset, rather than a cost center, gain a structural and sustainable lead over their competitors.
To explore this topic further, download the white paper “Rethinking Digital Trust” and assess your organization’s maturity level using the Compliance Maturity Framework.