The Law Changed Overnight. Your Compliance Didn't.

The rulebook you complied with last quarter may not be the rulebook you are held to today. Regulators publish amendments, guidance, enforcement decisions, and incident-reporting signals faster than most teams can triage by hand. Miss the one that touches you and the first notice you get may not be a warning. It may be an enforcement letter.

Sorena AI TeamRegulatory Intelligence8 min read

The rules do not wait for your quarterly review

Compliance is not a state you reach. It is a moving target you track. The rulebook keeps changing across jurisdictions and sectors, and the calendars do not coordinate around yours. A clause changes in Brussels on a Tuesday. A guidance note drops in Washington on a Thursday. A supervisory authority publishes an enforcement decision while your team is still closing last quarter's findings.

Most companies treat compliance like an annual checkup: assess once, file the report, move on. But the ground can shift under that report the moment it is signed. By the time your next review comes around, the rule, guidance, deadline, or standard you planned against may have changed. You did not fall out of compliance because you got sloppy. You fell out of compliance because the definition of compliant moved and nobody routed the change to the owner.

The volume is not big. It is inhuman.

No team should rely on memory and inbox scanning to keep pace with what regulators publish. You are not tracking one rulebook. You are tracking many at once. GDPR, NIS2, DORA, the EU AI Act, CSRD, the EU Data Act, and the Cyber Resilience Act each move on their own schedule, and that is before national laws and sector regulators add their own updates on top. Every one of those regimes can produce amendments, guidance, enforcement decisions, templates, standards, delegated acts, or supervisory expectations on a clock nobody synchronizes with yours.

The enforcement machine gives a useful scale marker. In its January 2026 survey, DLA Piper reported that European supervisory authorities received an average of 443 personal-data breach notifications every day between 28 January 2025 and 27 January 2026, up 22% from 363 the year before. DLA Piper also reported EUR 7.1 billion in aggregate GDPR fines from 25 May 2018 to 10 January 2026. Those numbers are one corner of the landscape, and they already describe a system running every day, without a weekend. Even the slice that touches your industry, geography, and product is more than a person can reliably review, interpret, and route by hand before the next wave arrives. This is not a backlog you clear by staying late. It is a firehose, and manual tracking against it is a control weakness.

How companies actually find out the law changed

The problem is not that rules change. It is how you learn they did. In a healthy system, you learn from an alert: a monitored source flags a relevant change, someone assesses the impact, and you adjust before it bites. That only works when the sources in your regulatory perimeter are watched consistently.

So the real notification channel is often the one you never wanted. You find out the rule changed when an auditor cites a standard you have never seen. You find out from a customer's security questionnaire asking about a control you do not have. You find out from a regulator's enforcement letter referencing an obligation that took effect months ago. Every one of those is the same event arriving too late to fix cheaply. The change did not necessarily sneak up on the market. It sneaked up on you, because between the day it published and the day it hit you, no monitored workflow routed it to the right owner.

Build a regulatory perimeter you can defend

Watching the law means defining the perimeter first. List the official sources, jurisdictions, regulators, product lines, entities, and topics that matter. Then classify each change: new obligation, changed definition, changed date, guidance, enforcement signal, or low-relevance noise.

That is more defensible than claiming to watch everything. You can show which sources are monitored, when they were checked, what changed, why it mattered, who received it, and what action followed. A law tracker is valuable when the monitoring record is as auditable as the alert.

Finding out late has a price, and it is set by someone else

When you miss a change, you do not get to negotiate the consequence. The regulator sets it. Under the GDPR alone, DLA Piper reported EUR 7.1 billion in aggregate fines from 25 May 2018 to 10 January 2026. The largest GDPR fine remains the Irish Data Protection Commission's EUR 1.2 billion action against Meta Platforms Ireland in 2023, and Article 83 allows fines up to EUR 20 million or 4% of total worldwide annual turnover for specified infringements. That is not a rounding error. That is a number that reshapes a balance sheet.

And the fine is only the visible cost. Behind it sit the remediation scramble, the legal fees, the lost deals from a failed vendor review, and the reputational hit that outlasts the penalty. Every one of those costs grows the later you catch the change. Caught early, a regulatory update may be a small adjustment to a policy or a control. Caught by an enforcement letter, the same update can become a crisis with a price tag attached. Lateness is not neutral. It multiplies what a missed rule ends up costing you.

Continuous monitoring is the only honest answer

If the rules move continuously, checking once a quarter is theater. The gap between how fast regulation moves and how often most companies look at it is exactly where risk lives. Closing that gap does not mean hiring an army to read every alert manually. Humans should make judgment calls; they should not be the only sensor watching the perimeter.

It means the watching has to be continuous and automated, so that a change relevant to you is surfaced when it publishes, not when it is enforced. The bar is not perfect coverage of everything. It is reliable coverage of what actually applies to you, delivered fast enough to act on. That is the difference between a program that manages regulatory change and one that merely reacts to it after the damage is done. Continuous monitoring is not a nice-to-have on top of compliance. In a world moving this fast, it is the load-bearing part.

Let the machine read the firehose

This is exactly the job we built Sorena Law Tracker to do. A machine can watch the sources that matter, on a schedule you can prove, without fatigue, without a weekend, without a backlog. It reads the flood you cannot, filters it down to the changes that touch your obligations, and tells you what actually moved before it moves against you.

Instead of learning about a new rule from an auditor or an enforcement letter, you learn about it from the system that never stops watching. The change is flagged, tied to the obligations it affects, and put in front of the person who owns them, while there is still time to act cheaply. You stop finding out too late. You start finding out first. That is the whole point: turn regulatory change from an ambush into a routine, tracked event you handle before it costs anything.

Find out first, or find out the hard way

The law may change before your next review. The only question is when you hear about it. You can hear it early, from a system built to watch the sources in your regulatory perimeter and surface what matters to you, while a fix is still a small edit. Or you can hear it late, from a fine, a failed audit, or a lost deal, when the same change has already become a crisis. Regulators are not going to slow down to your review schedule. A rulebook that shifts across every market you touch is the world you operate in now. Stop hoping the ones that matter will wait for you to notice. Put something in place that notices for you.

Frequently asked questions

How much regulatory change is there really?+

More than a team should track by inbox and memory. You are not following one regulation but many at once ([GDPR](/artifacts/eu/general-data-protection-regulation), [NIS2](/artifacts/eu/nis2-directive), [DORA](/artifacts/eu/digital-operational-resilience-act), the [EU AI Act](/artifacts/eu/artificial-intelligence-act), [CSRD](/artifacts/eu/corporate-sustainability-reporting-directive), the [EU Data Act](/artifacts/eu/data-act), the [Cyber Resilience Act](/artifacts/eu/cyber-resilience-act), plus national and sector rules), each amended on its own schedule. As one measure of the pace, DLA Piper reported European supervisory authorities received an average of 443 personal-data breach notifications per day between 28 January 2025 and 27 January 2026.

Isn't an annual compliance review enough?+

No. An annual review tests against a point-in-time view of the rulebook. By the time the next review comes, the rule, guidance, deadline, or standard you planned against may have changed. Point-in-time checks cannot cover a target that keeps moving; continuous monitoring is how you catch the movement between reviews.

What does it actually cost to find out about a change too late?+

Far more than catching it early. Caught on time, a regulatory change may be a small adjustment. Caught by enforcement, it can mean fines set by the regulator, not you: DLA Piper reported EUR 7.1 billion in aggregate [GDPR](/artifacts/eu/general-data-protection-regulation) fines through 10 January 2026, the largest action remains EUR 1.2 billion, and Article 83 allows up to EUR 20 million or 4% of worldwide annual turnover for specified infringements.

Sources

Share

See Sorena do the work

Book a demo and watch one real compliance workflow go from question to audit-ready output.