FORTISEU
Research Report

State of EU Compliance 2026

How 1,200 IT and compliance leaders across 27 EU member states are navigating NIS2, DORA, GDPR, and the EU AI Act

1,200 respondents | 27 EU member states | 14 sectors | Survey period: Q1 2026

Executive Summary

The regulatory landscape for European organisations has never been more complex — or more consequential. With NIS2 enforcement underway, DORA applied to financial entities since January 2025, GDPR entering its eighth year of enforcement with cumulative fines exceeding EUR 4.3 billion, and the EU AI Act's first prohibitions taking effect, compliance leaders face an unprecedented convergence of obligations.

This report presents findings from a survey of 1,200 IT and compliance leaders across all 27 EU member states, conducted in Q1 2026. The results reveal a compliance landscape characterised by significant progress on established frameworks, persistent gaps in newer regulations, and growing concern about the cumulative burden of overlapping requirements.

Three themes emerge: the NIS2 transposition gap continues to create uncertainty for organisations operating across multiple jurisdictions; DORA readiness varies dramatically by entity size and type; and AI governance preparedness lags significantly behind organisations' actual AI deployment pace. Across all themes, organisations that have adopted unified compliance platforms report measurably better outcomes than those managing frameworks in isolation.

Key findings at a glance:
- 41% of organisations report uncertainty about their NIS2 obligations due to incomplete or inconsistent national transposition
- 58% of financial entities have a complete ICT third-party register, 18 months after DORA application
- 73% of organisations deploying AI have no formal AI governance framework aligned with the EU AI Act
- 3.2 is the average number of concurrent regulatory frameworks per organisation, up from 2.1 in 2024

Finding 1: 41% of organisations report uncertainty about their NIS2 obligations due to incomplete or inconsistent national transposition

Despite the October 2024 transposition deadline, NIS2 implementation remains fragmented across the EU. Our survey finds that 41% of organisations — particularly those operating across multiple member states — report significant uncertainty about their specific NIS2 obligations. This uncertainty stems not from the Directive itself, which provides a clear harmonised floor, but from the varying pace and approach of national transposition.

Organisations headquartered in member states that transposed early (Belgium, Croatia, Hungary) report significantly higher confidence in their compliance posture. In contrast, organisations in member states where transposition was delayed — including several major economies — face a dual challenge: preparing for requirements that are not yet formally enforceable in national law, while anticipating that eventual transposition may introduce national additions beyond the Directive minimum.

The practical impact is substantial: 67% of multi-jurisdictional organisations report maintaining parallel compliance approaches for different member states, effectively doubling their compliance effort for what was intended to be a harmonising measure. The entities most affected are those classified as 'important' rather than 'essential' — where national discretion in scope and proportionality creates the widest variation.

NIS2 Readiness Confidence by Member State

[Chart: NIS2 readiness confidence by member state. Member states shown, in chart order: BE, HR, HU, LT, EE, FI, SE, AT, DK, NL, CZ, PL, SI, LU, IE, SK, RO, LV, MT, BG, PT, DE, CY, FR, ES, IT, EL. Per-state confidence values are not reproduced in the text.]

Finding 2: 58% of financial entities have a complete ICT third-party register, 18 months after DORA application

DORA has been applicable since 17 January 2025, yet only 58% of in-scope financial entities report having a complete register of information for ICT third-party providers as required by Article 28(3). The register — widely considered a foundational DORA requirement — has proven more operationally challenging than anticipated, particularly for larger groups with complex ICT supply chains spanning hundreds of providers.

Readiness varies dramatically by entity type. Large credit institutions (banks with >EUR 30B in assets) report the highest completion rate at 79%, reflecting earlier investment in third-party risk management under existing EBA outsourcing guidelines. At the other end, smaller investment firms and crypto-asset service providers report completion rates below 35% — suggesting that the proportionality principle has not yet translated into proportionate implementation guidance.

The TLPT (threat-led penetration testing) requirement under Articles 26-27 shows an even sharper divide: only 23% of entities designated for advanced testing have completed their first TLPT cycle. Supervisory authorities have acknowledged the resource constraints but have signalled that expectations will sharpen throughout 2026, with ICT third-party risk management and TLPT progress as primary supervisory examination themes.

Readiness by Entity Type (share reporting a complete ICT third-party register):

Credit Institutions (Large): 79%
Credit Institutions (Mid-size): 64%
Insurance/Reinsurance: 61%
Payment Institutions: 55%
Investment Firms: 48%
Pension Funds: 44%
E-Money Institutions: 41%
Trading Venues: 39%
Crypto-Asset Service Providers: 32%

Finding 3: 73% of organisations deploying AI have no formal AI governance framework aligned with the EU AI Act

The EU AI Act's prohibited practices provisions took effect in February 2025, with high-risk AI system obligations phasing in through August 2026. Yet our survey reveals a striking governance gap: 73% of organisations that are actively deploying AI systems report having no formal AI governance framework aligned with the Act's requirements.

This is not a technology gap — it is a governance gap. The same organisations report high levels of AI adoption: 82% use AI for at least one business function, with customer service (67%), fraud detection (54%), and compliance automation (48%) as the most common use cases. The disconnect between deployment pace and governance maturity represents one of the most significant compliance risks emerging in 2026.

Organisations with existing compliance platforms report significantly better AI governance readiness (41% have frameworks in place) compared to those managing compliance manually (18%). This suggests that the infrastructure and discipline required for framework-based compliance — structured risk assessments, documentation, evidence collection — translates directly to AI governance capability.

Year-over-Year Trend (share of AI-deploying organisations with a formal AI governance framework in place):

2024: 12%
2025: 19%
2026: 27%

Finding 4: 3.2 is the average number of concurrent regulatory frameworks per organisation, up from 2.1 in 2024

The average EU organisation now manages compliance with 3.2 concurrent regulatory frameworks, up from 2.1 in 2024 and 1.6 in 2022. This escalation — driven by the convergence of NIS2, DORA, the EU AI Act, and evolving GDPR enforcement expectations — is creating a cumulative burden that organisations describe as their single biggest compliance challenge.

Among organisations managing three or more frameworks, 71% report significant duplication in compliance activities: the same security controls documented separately for each framework, the same evidence collected multiple times in different formats, and the same risks assessed through parallel but disconnected processes. The estimated cost of this duplication is substantial — organisations report spending an average of 34% of their compliance budget on activities that serve multiple frameworks but are performed independently for each.

Organisations using unified compliance platforms report a 40-60% reduction in duplication-related effort compared to those managing frameworks independently. The efficiency gain comes not from simplifying the requirements — which remain distinct and must be met individually — but from centralising the underlying controls, evidence, and risk assessments that map to multiple frameworks simultaneously.

Year-over-Year Trend (average number of concurrent regulatory frameworks per organisation):

2022: 1.6
2023: 1.9
2024: 2.1
2025: 2.7
2026: 3.2

EU Member State Readiness

[Map: Compliance Readiness Across 27 Member States. Composite readiness score per member state, shown in five bands: 0-19, 20-39, 40-59, 60-79, 80-100. Individual scores are not reproduced in the text.]

Methodology

This report is based on a survey of 1,200 IT and compliance leaders across all 27 EU member states, conducted during Q1 2026. Respondents were sourced through professional networks, industry associations, and direct outreach, with quotas ensuring representation across 14 industry sectors proportional to their economic weight in the EU.

Respondent roles included CISOs (28%), compliance officers (24%), DPOs (18%), IT directors (15%), and C-suite executives (15%). Organisation sizes ranged from 50 to 50,000+ employees, with 42% operating across multiple EU member states. The survey was conducted online in 24 EU languages, with an average completion time of 18 minutes.

All findings are presented as unweighted percentages unless otherwise noted. Sector-specific findings are based on sub-samples of sufficient size for statistical significance (n > 50). Member state-level readiness scores are composite indices derived from self-reported compliance maturity, national transposition status, and supervisory engagement intensity.

This report is for informational purposes only. While based on survey data and public regulatory information, it should not be relied upon as legal or compliance advice. Organisations should consult qualified legal counsel for compliance decisions specific to their circumstances.

See How FortisEU Can Help

Organisations using unified compliance platforms report 40-60% reduction in compliance duplication. See how FortisEU can streamline your multi-framework programme.