Compliance Annual Plan 2026: Quarterly Activities and Deadlines

Practitioner note: This is not legal advice. For specific situations, consult a qualified attorney or compliance officer.

TL;DR

  • Most important date in 2026: 7 June 2026 — EU Pay Transparency reporting; preparation should start 4-6 months earlier
  • Q1: audit preparation, RoPA refresh, plus the new HinSchG Section 22 audit (mandatory for the first time in 2026)
  • Q2: EU Pay Transparency reporting plus GDPR adjustments from DSK (German Data Protection Conference) decisions
  • Q3: NIS2 supplier audits and GPAI (general-purpose AI model) Code of Practice updates effective 2 August 2026
  • Time budget for SMEs (50-150 employees): 5-10 person-days per quarter for the compliance officer plus 1 person-day for management

1. Q1 (Jan-Mar): audit preparation

RoPA (Records of Processing Activities) update, DPA reconciliation, training refresh, quarterly risk review. Use Q1 to enter the year with documentation in a defensible state.

2. Q1: HinSchG Section 22 audit (new in 2026)

First mandatory audit period under the German Whistleblower Protection Act (HinSchG). Book external auditors early; capacity in DACH is tight.

3. Q2 (Apr-Jun): EU Pay Transparency reporting

Latest deadline: 7 June 2026. A job evaluation methodology and a pay-gap calculation are required. Start preparation in Q4 of the prior year for credible numbers.

4. Q2: GDPR adjustments from DSK decisions

The DSK (Datenschutzkonferenz, the joint conference of German data protection supervisory authorities) publishes new decisions twice a year. Q2 is the right time to assimilate the spring batch into RoPA and TOM (Technical and Organizational Measures).

5. Q3 (Jul-Sep): NIS2 supplier audit

Evaluate supplier self-assessments returned over Q1-Q2. Conduct on-site audits for the most critical suppliers. Document findings for the supervisory authority.

6. Q3: GPAI Code of Practice update

2 August 2026: GPAI provider obligations under the EU AI Act take effect. Review provider DPAs, update AI inventory, refresh acceptable use policies.

7. Q4 (Oct-Dec): awareness training and AI literacy

Mandatory refresher under Art. 4 EU AI Act (AI literacy). Q4 is ideal because of budget clarity and lower seasonal workload.

8. Q4: management review and year-end audit

Management and the compliance officer review the annual compliance report. Document acceptance of residual risks and budget for the next year.

9. Recurring quarterly meetings

Schedule a fixed compliance officer meeting on the first Wednesday of each quarter. Standing agenda: RoPA, DPAs, incidents, training, supervisory authority news.

Summary

A predictable quarterly cadence beats firefighting. The single highest-impact date for 2026 is 7 June (EU Pay Transparency). Plan around it, then layer the routine compliance work onto a recurring meeting structure. For SMEs, 5-10 person-days per quarter is the realistic floor.

Frequently Asked Questions

How much time must be budgeted?
SMEs with 50-150 employees: 5-10 person-days/quarter for the compliance officer + 1 person-day for the managing director.

What is the most important deadline?
2026-06-07 EU Pay Transparency. Start preparation 4-6 months in advance.
