The date is real. Your operating plan still has to catch up.
A compliance deadline is not a target you aim at. It is a wall you hit unless the law itself moves it. It was set in legislation, published by the institutions, and printed on a calendar that no regulator will re-print because your team was underwater.
The EU AI Act entered into force on 1 August 2024 and applies in stages. Chapters I and II, including prohibited AI practices and AI literacy obligations, applied from 2 February 2025. The general-purpose AI model rules, governance chapters, penalty rules, and Article 78 applied from 2 August 2025. The Regulation's general application date is 2 August 2026. In June 2026, the Council gave final green light to simplification changes that delay high-risk rules to 2 December 2027 for stand-alone high-risk AI systems and 2 August 2028 for high-risk AI systems embedded in products. That is a legal change to track precisely, not a reason to ignore AI inventory, transparency, literacy, governance, or GPAI duties that did not move with it.
NIS2 carried a transposition deadline of 17 October 2024 and repealed NIS1 from 18 October 2024. DORA became applicable on 17 January 2025. None of these waited for anyone to feel ready. The date arrived. The only variable was whether the work arrived with it.
A phased rollout is not a reprieve.
Teams read "applies progressively" as "we have time," and that is exactly the trap. A staged rollout is not one soft deadline. It is a sequence of hard ones.
The AI Act proves the point. Prohibitions hit first, then general-purpose AI obligations, then the general application date, then delayed high-risk dates. Every phase is a separate wall. Clearing the first one buys you nothing on the next.
And even when a phase moves, it does not rescue you automatically. Treat every amendment or deferral as its own regulatory change: identify which obligation moved, which systems it covers, which internal plan dates change, and which duties did not move at all. Betting your program on a delay that may not cover your obligation is not a plan. It is a countdown without owners attached.
The penalty is the point of the date.
A deadline without a consequence is a memo. These have consequences. The reason the date is hard is that the enforcement machinery behind it is real.
The AI Act sets penalties of up to EUR 35 million or 7% of total worldwide annual turnover, whichever is higher, for the most serious violations. NIS2 requires Member States to provide maximum administrative fines of at least EUR 10 million or 2% of worldwide annual turnover for essential entities, and it makes management bodies responsible for approving and overseeing cybersecurity risk-management measures. DORA became applicable to financial entities on 17 January 2025 and gives supervisors a detailed operational-resilience rulebook for ICT risk, incidents, testing, and third-party risk.
These are not rounding errors, and they are not abstract compliance dates. Some are aimed at named management bodies. When the accountability is personal, "we ran out of time" is not a defense anyone wants to give.
Plan backward from the date, not forward from today.
Most teams plan forward: start now, do the work, hope it lands before the date. That is how you arrive late. The date is the only fixed point in the whole exercise, so start there and work back.
Backward planning is blunt. Create the legal date, the internal readiness date, the evidence freeze date, the owner review date, the dependency deadline, and the escalation date. Then attach the evidence expected at each point. If your relevant date later moves because a formal amendment applies to your exact obligation, move the plan deliberately and keep the old record.
Done backward, the deadline stops being a cliff and becomes a series of checkpoints you can actually see coming. Done forward, it stays invisible until it is on top of you. Same date. Completely different experience.
A date without an owner and evidence is a wish.
Two things decide whether you clear a deadline: someone who owns it, and proof that you did the work. Miss either and the date owns you.
An owner is not a distribution list. It is one named person accountable for one obligation hitting one date. NIS2 makes this explicit by putting the responsibility on management bodies, not on a shared inbox. If nobody can say their own name when asked who owns a 2026, 2027, or 2028 milestone, nobody owns it.
Evidence is the other half. On the date, no regulator accepts intention. They accept records: the policy that was approved, the assessment that was run, the control that was tested, the log that shows when. If the evidence is not collected and organized before the date, you did not meet the deadline. You met a story about the deadline. Tracking the obligation and its due date is exactly the job of a live regulatory register, which is what the Sorena Law Tracker exists to keep. The same discipline of named owners and dated evidence carries straight into ESG and CSRD reporting, where the phased disclosure dates are just as unforgiving.
The deadlines stack. They do not queue.
The AI Act, NIS2, DORA, and CSRD did not agree to take turns. Their dates overlap, and a single organization can sit under several at once, each with its own clock and its own penalty.
A financial entity can owe DORA from 17 January 2025 and still fall under NIS2 for anything DORA does not cover. A manufacturer using AI may have AI Act inventory, literacy, transparency, GPAI, and high-risk planning milestones while its sustainability team works CSRD's phased reporting calendar. Treating these as a tidy queue, one deadline finished before the next begins, guarantees you are late on at least one.
The fix is a single view of applicable obligations and critical dates, so nothing hides behind the deadline in front of it. You cannot plan backward from a date you forgot was on the calendar.
Beat the date, or the date beats you.
The deadline is the one thing in this that will not negotiate with your backlog. Your workload will change, your priorities will shift, your quarter will get away from you. The legal date in force will not care about any of it.
So stop planning forward from a busy today and start planning backward from a fixed tomorrow. Name the owner. List the evidence. Start early enough that the deadline is a checkpoint you pass, not a wall you hit. The teams that get burned are not the ones that lacked ability. They are the ones that treated a legal date like a soft one until it stopped being either.
Frequently asked questions
Isn't a phased rollout basically extra time to comply?+
No. A phased rollout is a sequence of separate deadlines, not one soft one. The [EU AI Act](/artifacts/eu/artificial-intelligence-act), for example, has already applied some obligations in 2025, has a 2 August 2026 general application milestone, and now has delayed high-risk dates in 2027 and 2028. Clearing an early phase does not buy you time on a later one, and a delay to one obligation does not move the others.
What does missing an EU compliance deadline actually cost?+
It depends on the regime, but the numbers and supervisory consequences are large. The [AI Act](/artifacts/eu/artificial-intelligence-act) reaches up to EUR 35 million or 7% of global turnover for the most serious violations. [NIS2](/artifacts/eu/nis2-directive) requires Member States to set maximum fines of at least EUR 10 million or 2% of worldwide turnover for essential entities and places responsibility on management bodies. [DORA](/artifacts/eu/digital-operational-resilience-act) became applicable on 17 January 2025 and gives financial supervisors a detailed operational-resilience rulebook for ICT risk, incident reporting, testing, and third-party risk.
What does planning backward from a deadline mean in practice?+
It means starting from the fixed date and subtracting every step that has to happen before it: review cycles, evidence collection, sign-offs, remediation, and buffer. What remains is your real start date, which is usually earlier than instinct suggests. Each step becomes a checkpoint with a named owner, so the deadline arrives as something you pass rather than something you hit.
Sources
- European Commission, Timeline for the implementation of the EU AI Acthttps://ai-act-service-desk.ec.europa.eu/en/ai-act/timeline/timeline-implementation-eu-ai-act?ref=sorena.io
- Council of the EU, Artificial Intelligence: Council gives final green light to simplify and streamline ruleshttps://www.consilium.europa.eu/en/press/press-releases/2026/06/29/artificial-intelligence-council-gives-final-green-light-to-simplify-and-streamline-rules/?ref=sorena.io
- European Commission, NIS2 Directive: securing network and information systemshttps://digital-strategy.ec.europa.eu/en/policies/nis2-directive?ref=sorena.io
- Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA)https://eur-lex.europa.eu/eli/reg/2022/2554/oj?ref=sorena.io
- European Commission, Corporate sustainability reportinghttps://finance.ec.europa.eu/financial-markets/company-reporting-and-auditing/company-reporting/corporate-sustainability-reporting_en?ref=sorena.io


