Compliance Future 2027/2028: What Comes After EU AI Act and NIS2

Practitioner note: This is not legal advice. For specific situations, consult a qualified attorney or compliance officer.

TL;DR

  • Cyber Resilience Act (CRA): Regulation 2024/2847, fully applicable 11 December 2027 — cybersecurity for all products with digital elements
  • AI Liability Directive (AILD): expected in force 2027/2028 — reversal of burden of proof for AI-caused damages
  • EU Data Act: Regulation 2023/2854 applicable since 12 September 2025; DACH reporting obligations from September 2026
  • ePrivacy Regulation: long-debated, expected adoption 2027/2028; will replace Section 25 TDDDG (German telecom telemedia data protection)
  • Pay Transparency wave: follow-on rules on promotion transparency, mandatory mediation, and a 2029 EU evaluation likely

1. AI Liability Directive (AILD)

Expected in force 2027/2028. Eases the burden of proof for parties harmed by AI systems. Currently the claimant must prove both fault and causation — near-impossible for opaque AI. AILD effect: presumption of causation when an EU AI Act obligation is breached, plus disclosure duties for providers. Impact on SMEs (small and medium-sized enterprises): higher liability exposure for AI providers and deployers, broader D&O insurance scope, stronger documentation needs (FRIA, Art. 12 logging).

2. Cyber Resilience Act (CRA)

Regulation (EU) 2024/2847, in force since 11 December 2024, fully applicable 11 December 2027. Addresses every manufacturer of "products with digital elements" — software, hardware with software, IoT devices. SME relevance: high if you manufacture or distribute software or devices. Obligations: cybersecurity-by-design, regular vulnerability updates throughout the product lifecycle, incident notification within 24 hours, conformity assessment plus CE marking. Sanctions: up to 15 million EUR or 2.5% of worldwide turnover.

3. EU Data Act

Regulation (EU) 2023/2854, applicable since 12 September 2025. DACH reporting obligations from September 2026. Most affected: IoT manufacturers, cloud providers, data intermediaries. SME relevance: moderate — users of IoT data gain rights to access and portability (analogous to Art. 20 GDPR for machine data); B2B data transfers eased; cloud switching simplified through anti-lock-in provisions; mandatory contractual clauses for organizations with 250+ employees.

4. Digital Services Act 2.0

Reform expected from 2027: stricter platform obligations, transparency for AI recommendation systems. Will primarily affect online platforms above the very-large threshold; SME impact mostly indirect through advertising and platform-vendor changes.

5. ePrivacy Regulation

In discussion since 2017. Expected adoption 2027/2028. Will replace national implementations such as Section 25 TDDDG (German telecom telemedia data protection act). Practical effects: harmonized cookie / tracking rules across the EU, stricter consent standards.

6. EU Pay Transparency follow-on

2029: first EU-level effectiveness review of Directive 2023/970. Likely follow-on regulation: promotion-transparency rules, bonus transparency, mandatory mediation when a pay gap above 5% is identified, EU-wide gender quota for supervisory boards (already partially in force via Directive 2022/2381).

Summary

The 2027-2028 horizon is dominated by CRA and AILD. CRA forces every connected-product company to operationalize secure-by-design and lifecycle vulnerability management. AILD changes the liability calculus for AI deployers. Both are best prepared during 2026 by maturing the existing NIS2 and EU AI Act foundations rather than waiting for the deadlines.


Frequently Asked Questions

What is the Cyber Resilience Act and when do I have to implement it?

Regulation (EU) 2024/2847, in force since 11 December 2024, fully applicable **11 December 2027**. Addressees: all manufacturers of 'products with digital elements' — software, hardware with software, IoT devices. SME relevance: high if you manufacture or distribute software or devices. Obligations: cybersecurity by design, regular vulnerability updates during the product lifecycle, 24-hour incident reporting, conformity assessment plus CE marking. Preparation: implement an SBOM (Software Bill of Materials), a vulnerability management process, and the patch management obligation 24 months after placement on the market. Violation: up to EUR 15 million or 2.5% of global turnover.

What does the AI Liability Directive 2027 bring?

Expected 2027/2028: easing of the burden of proof for injured parties in cases of AI-caused damages. To date, the injured party must prove both fault and causality — practically impossible with opaque AI systems. AILD effect: presumption of causality in case of violations of the EU AI Act, plus a disclosure obligation for providers regarding evidence. Impact on SMEs: 1) Increased liability risk for AI providers AND operators. 2) Expansion of D&O insurance required. 3) Better documentation necessary (FRIA, logging per Art. 12 EU AI Act). 4) An insurance market for 'AI liability' is developing. Preparation: maintain an AI inventory, establish FRIA processes, involve insurance advisors.

How does the EU Data Act affect my company?

Regulation (EU) 2023/2854, applicable since 12 September 2025, DACH reporting obligations from September 2026. Primarily affected: IoT manufacturers, cloud providers, data intermediaries. SME relevance is moderate — but as a 'data user' you should know: 1) Users of IoT data have the right to access and portability (analogous to GDPR Art. 20 for machine data). 2) B2B data transfers are facilitated. 3) Cloud switching is simplified (anti-lock-in provisions). 4) Mandatory data economy contract clauses from 250 employees. Preparation: review DPA templates, update cloud contracts for switching clauses, extend data governance to machine data.

What comes after EU Pay Transparency 2026?

Expected follow-up wave 2027-2029: 1) **EU-wide minimum wage indexation** (potentially EU directive 2027). 2) **Promotion transparency** — criteria for promotions must be transparently communicated. 3) **Bonus/special payment transparency** — differences by gender/demographics made public. 4) **Mandatory mediation** in case of an identified pay gap >5%. 5) **EU-wide women's quota for supervisory boards** (Directive 2022/2381 already in effect). In addition: first review of EU Pay Transparency in 2029, possibly resulting in tightening. Preparation: implement pay equity audit tooling, formalize job evaluation methodology, document transparent promotion criteria.
