NIS2, DORA, EU AI Act, and cross-border regulatory exposure for enterprises operating in the EU and US.
The CRA has been binding law since December 2024, but its obligations arrive in phases. This week the conformity-assessment machinery switched on. The first reporting deadline is 11 September 2026. For most smaller product companies the gap is not capability. It is evidence.
The Digital Omnibus consolidates incident reporting into one ENISA-run portal. The five underlying regimes do not go away. The work moves upstream, into the controls crosswalk.
On 19 May 2026 the European Commission published draft guidelines clarifying when an AI system is high-risk under Article 6. The exceptions are narrower than the market assumed.
NIS2, DORA, CRA, the revised CSA, and the EU AI Act each evaluate different dimensions of the same vendor. Running them as separate programs hides cross-framework exposure.
Sweden's Cybersecurity Act (SFS 2025:1506) entered into force on 15 January 2026, shifting cybersecurity obligations to entity-wide scope with explicit management accountability requirements and fines up to €10M.