State of EU Compliance 2026

Despite the October 2024 transposition deadline, NIS2 implementation remains fragmented across the EU. The public-data analysis indicates that an estimated 41% of EU-active organisations — particularly those operating across multiple member states — face significant uncertainty about their specific NIS2 obligations. This uncertainty stems not from the Directive itself, which provides a clear harmonised floor, but from the varying pace and approach of national transposition.

Organisations headquartered in member states that transposed early (Belgium, Croatia, Hungary) show signals of higher compliance-posture confidence in public regulatory engagement. In contrast, organisations in member states where transposition was delayed — including several major economies — face a dual challenge: preparing for requirements that are not yet formally enforceable in national law, while anticipating that eventual transposition may introduce national additions beyond the Directive minimum.

The practical impact is substantial: an estimated 67% of multi-jurisdictional organisations appear to maintain parallel compliance approaches for different member states, effectively doubling their compliance effort for what was intended to be a harmonising measure. The entities most affected are those classified as 'important' rather than 'essential' — where national discretion in scope and proportionality creates the widest variation.

DORA has been applicable since 17 January 2025, yet the projection — calibrated against supervisory authority public statements and EBA/EIOPA/ESMA early-implementation reporting — is that only around 58% of in-scope financial entities have a complete register of information for ICT third-party providers as required by Article 28(3). The register has proven more operationally challenging than anticipated, particularly for larger groups with complex ICT supply chains spanning hundreds of providers.

Readiness appears to vary dramatically by entity type. Large credit institutions (banks with >EUR 30B in assets) show the highest projected completion rate (around 79%), reflecting earlier investment in third-party risk management under existing EBA outsourcing guidelines. At the other end, smaller investment firms and crypto-asset service providers appear to be below 35% — suggesting that the proportionality principle has not yet translated into proportionate implementation guidance.

The TLPT (threat-led penetration testing) requirement under Articles 26-27 shows an even sharper divide: only an estimated 23% of entities designated for advanced testing have completed their first TLPT cycle. Supervisory authorities have acknowledged the resource constraints but have signalled in public statements that expectations will sharpen throughout 2026, with ICT third-party risk management and TLPT progress as primary supervisory examination themes.

The EU AI Act's prohibited practices provisions took effect in February 2025, with high-risk AI system obligations phasing in through August 2026. The public-data analysis indicates a striking governance gap: an estimated 73% of organisations that are actively deploying AI systems lack a formal AI governance framework aligned with the Act's requirements.

This is not a technology gap — it is a governance gap. The same population shows high AI adoption levels in public disclosures: approximately 82% appear to use AI for at least one business function, with customer service (around 67%), fraud detection (around 54%), and compliance automation (around 48%) as the most common use cases. The disconnect between deployment pace and governance maturity represents one of the most significant compliance risks emerging in 2026.

Organisations with existing compliance platforms appear to have meaningfully better AI governance readiness (an estimated 41% have frameworks in place) compared to those managing compliance manually (around 18%). This suggests that the infrastructure and discipline required for framework-based compliance — structured risk assessments, documentation, evidence collection — translates directly to AI governance capability.

The average EU organisation now appears to manage compliance with around 3.2 concurrent regulatory frameworks, up from an estimated 2.1 in 2024 and 1.6 in 2022. This escalation — driven by the convergence of NIS2, DORA, the EU AI Act, and evolving GDPR enforcement expectations — is creating a cumulative burden that compliance practitioners increasingly describe in industry publications as their single biggest challenge.

Among organisations managing three or more frameworks, an estimated 71% face significant duplication in compliance activities: the same security controls documented separately for each framework, the same evidence collected multiple times in different formats, and the same risks assessed through parallel but disconnected processes. The estimated cost of this duplication is substantial — public budget benchmarks and industry survey signals suggest around 34% of the compliance budget is spent on activities that serve multiple frameworks but are performed independently for each.

Organisations using unified compliance platforms appear to achieve a 40-60% reduction in duplication-related effort compared to those managing frameworks independently. The efficiency gain comes not from simplifying the requirements — which remain distinct and must be met individually — but from centralising the underlying controls, evidence, and risk assessments that map to multiple frameworks simultaneously.