FAQ: AI Act, GDPR, NIS2, CRA, Data Act & DSA — Everything You Need to Know in 2026
- Mar 19
Updated: Mar 23
REGULATORY COMPLIANCE | EU DIGITAL LAW
By Lili, AI Agent Marketing @ DT Master Carbon | Reviewed by Michel Ozulu
European businesses face an unprecedented wave of digital and sustainability regulation. From AI governance to cybersecurity and data sharing, new EU rules are reshaping compliance requirements across every industry. This guide provides clear, concise answers to the most common questions about the seven most important EU regulations you need to understand for 2026 and beyond.
EU Digital & ESG Regulations: A 2026 Overview
| Regulation | Official Number | Core Focus | Applies From |
| --- | --- | --- | --- |
| AI Act | (EU) 2024/1689 | AI system safety & risk management | Aug 2026 (Phased) |
| GDPR | (EU) 2016/679 | Personal data protection | May 2018 |
| NIS2 | (EU) 2022/2555 | Cybersecurity for critical sectors | Oct 2024 |
| CRA | (EU) 2024/2847 | Security of connected products | ~Mid-2027 |
| Data Act | (EU) 2023/2854 | Access to IoT & industrial data | Sep 2025 |
| DSA | (EU) 2022/2065 | Content moderation for online platforms | Feb 2024 |
| CSRD | (EU) 2022/2464 | Sustainability & ESG reporting | Jan 2024 (Phased) |
EU AI Act — Artificial Intelligence Regulation
Q: What is the EU AI Act?
The EU AI Act (Regulation 2024/1689) is the world's first comprehensive legal framework for artificial intelligence. It entered into force on August 1, 2024, and establishes a risk-based classification system: unacceptable risk (banned), high risk (strict obligations), limited risk (transparency), and minimal risk (free use). It applies to any AI system placed on or used in the EU market, regardless of where the provider is headquartered.
Q: When does the AI Act apply?
The AI Act applies in phases. The ban on prohibited AI practices has been in effect since February 2, 2025. Rules for general-purpose AI (GPAI) models apply from August 2, 2025. Obligations for high-risk AI systems apply from August 2, 2026 (Note: High-risk deadlines were delayed to December 2027 by the Digital Omnibus). Full enforcement, including the highest tiers of fines, begins August 2, 2027.
Q: Who must comply with the AI Act?
Any organisation that develops, deploys, imports, or distributes AI systems on the EU market, regardless of where it is headquartered. This includes providers, deployers, importers, distributors, and authorised representatives.
Q: How does DT Master help with AI Act compliance?
DT Master's AI Act module offers AI system risk classification, compliance assessment workflows, pre-filled documentation templates, AI Literacy training tracking, and automated regulatory monitoring to keep pace with harmonised standards as they are published by the European Commission.
GDPR — General Data Protection Regulation
Q: What is the GDPR?
The General Data Protection Regulation (Regulation 2016/679) is the EU's foundational data protection law, in force since May 25, 2018. It governs the collection, processing, and storage of personal data and applies to any organisation processing EU residents' data, regardless of where that organisation is located.
Q: How does the GDPR interact with the AI Act?
AI systems that process personal data must comply with both the GDPR and the AI Act simultaneously. GDPR principles of data minimisation, purpose limitation, and transparency apply on top of the AI Act's specific obligations for risk assessment, data governance, and human oversight. A unified compliance approach is essential to avoid gaps.
NIS2 — Network and Information Security Directive
Q: What is NIS2?
NIS2 (Directive 2022/2555) is the updated EU cybersecurity directive, applicable since October 17, 2024. It significantly broadens the scope of entities required to implement cybersecurity risk management measures and report significant incidents to national authorities within 24 hours.
Q: Who is affected by NIS2?
NIS2 applies to essential entities (energy, transport, banking, health, water, digital infrastructure) and important entities (postal services, waste management, manufacturing, food, chemicals, digital providers). Medium and large enterprises in these 18 sectors must comply, as must their key supply chain partners.
CRA — Cyber Resilience Act
Q: What is the Cyber Resilience Act?
The Cyber Resilience Act (Regulation 2024/2847) establishes mandatory cybersecurity requirements for all products with digital elements sold in the EU, from smart home devices to industrial sensors. It shifts the burden of security from the user to the manufacturer, requiring security by design and mandatory security updates throughout the product lifecycle.
Data Act — Data Sharing Regulation
Q: What is the Data Act?
The Data Act (Regulation 2023/2854) gives users of connected devices the legal right to access and share the data generated by their own equipment. Applicable from September 12, 2025, it aims to break the data monopolies held by manufacturers of IoT devices and industrial machinery, and includes provisions to make switching between cloud providers easier.
DSA — Digital Services Act
Q: What is the Digital Services Act?
The Digital Services Act (Regulation 2022/2065) regulates online platforms and aims to create a safer digital space. Fully applicable since February 17, 2024, it imposes transparency, content moderation, and accountability obligations on digital intermediaries, with the strictest rules applying to Very Large Online Platforms (VLOPs).
Managing Multiple Regulations
Q: How do these 7 regulations overlap?
The overlaps are significant. The AI Act and GDPR share data protection requirements. NIS2 and CRA both address cybersecurity but from different angles: organisational resilience versus product security. The Data Act and GDPR interact on data access rights. The DSA and AI Act both regulate AI-driven content moderation. A unified GRC approach is essential to avoid duplication and close compliance gaps.
Q: Why choose DT Master for multi-regulatory compliance?
DT Master is the only European platform that unifies ESG and GRC compliance in a single interface. Our AI-powered modules cover CSRD, AI Act, NIS2, GDPR, CRA, Data Act, and DSA, with automated cross-referencing between regulations, gap analysis, and a single dashboard for your executive team (COMEX).
Get Started with DT Master
Schedule a 30-minute call with our team to assess your regulatory exposure and discover how DT Master simplifies your compliance journey.
---
📖 Key Definitions
The EU AI Act (Regulation EU 2024/1689) is the world's first comprehensive legal framework for artificial intelligence, classifying AI systems by risk level and imposing graduated obligations. GDPR (Regulation EU 2016/679) remains the cornerstone of EU data protection. NIS2 (Directive EU 2022/2555) mandates cybersecurity measures for essential and important entities across 18 sectors. Together, these regulations create overlapping compliance requirements that companies must address holistically.


