Compliance Deadlines Roadmap 2026 / 27 / 28: All EU/DACH Dates

Q: What happens if I miss a deadline?

It depends on the regulation. NIS2 (BSI registration deadline 6 March 2026 passed): fines up to EUR 10 m. GDPR: supervisory proceedings, up to 4% of annual turnover. AGG (Section 12): the employer’s liability privilege lapses. EU AI Act: from 2 August 2025 (GPAI) or 2 August 2026 (high-risk, legally binding; Digital Omnibus proposal: postponement to 2 December 2027 — not yet adopted): up to EUR 35 m or 7% turnover.

Q: Does the Digital Omnibus postpone the EU AI Act deadlines?

Status 2 May 2026: The European Commission published the Digital Omnibus proposal on 19 November 2025 — trilogue is ongoing, NOT YET adopted. Planned changes: Annex III (high-risk AI) postponement to 2 December 2027 (instead of 2 August 2026); Annex I (AI in regulated products) to 2 August 2028. Until the proposal is adopted, 2 August 2026 remains the legally binding deadline. Art. 5 (prohibited practices), Art. 4 (AI literacy) and the GPAI obligations remain on their original dates (2 February 2025 and 2 August 2025 respectively).

Q: Which deadline should I tackle first?

Sorted by fining risk and time pressure: (1) NIS2 BSI registration — if not yet completed, complete now. (2) EU Pay Transparency 7 June 2026 — the job-posting obligation applies immediately. (3) HinSchG anonymous-reporting (in force since 1 January 2025) plus an annual effectiveness self-review as a best-practice (not a statutory audit obligation). (4) Art. 4 EU AI Act — AI literacy training, due since 2 February 2025.

Last reviewed: 2 May 2026 · Category: Cross-Topic · Reading time: 8 min · As of 2026-05-02

Practitioner note: This article is practice-oriented compliance documentation, not legal advice. We are compliance specialists, not a law firm. For legally binding advice, consult a licensed attorney.

TL;DR

18 EU/DACH compliance deadlines across GDPR, EU AI Act, NIS2, Whistleblower Protection (HinSchG), Anti-Discrimination (AGG) and Pay Transparency, sorted by date.
Already passed: NIS2 BSI registration deadline (6 March 2026); HinSchG anonymous-reporting obligation (1 January 2025).
Top 2026 deadline: EU Pay Transparency Directive obligations on job postings (7 June 2026).
EU AI Act Annex III (high-risk AI) is legally binding from 2 August 2026; the Digital Omnibus proposal (Commission, 19 November 2025) suggests postponement to 2 December 2027 — trilogue ongoing, not yet adopted.
Top fining risks: EU AI Act (EUR 35 m / 7% turnover), NIS2 (EUR 10 m / 2%), GDPR (EUR 20 m / 4%).

Methodology

This roadmap aggregates compliance deadlines from the GDPR, the EU AI Act (Regulation (EU) 2024/1689), NIS2 Directive 2022/2555 + the German NIS2UmsuCG, the Whistleblower Protection Act (HinSchG), the General Equal Treatment Act (AGG) including the planned EntgTranspG reform, and the EU Pay Transparency Directive 2023/970. Status: 2 May 2026 (the Digital Omnibus proposal of 19 November 2025 has not yet been adopted).

We refresh this list quarterly. For short-term changes (trilogue outcome, BAG ruling), subscribe to the newsletter.

Deadlines 2026

6 March 2026 — NIS2: BSI registration deadline

Status: PASSED. Essential and important entities had to register with the German BSI by 6 March 2026 (Section 33 BSIG). Entities that missed the deadline should register without further delay — registration is a precondition for all further compliance steps.

1 April 2026 — Germany NIS2UmsuCG: enforcement starts

The BSI began operational supervision. First audit requests have been documented since April 2026.

7 June 2026 — EU Pay Transparency Directive (transposition deadline)

Obligation for ALL employers (including <100 employees): salary range in job postings, employee right to information, ban on asking about prior salary. Full guidance. The German transposition is delayed; EU law applies via primacy.

1 July 2026 — Austria EntgleichV (Pay Transparency transposition)

Expected effective date of the Austrian transposition of Directive 2023/970. The 03/2026 consultation draft is expected to be adopted with minimal changes.

2 August 2026 — EU AI Act: high-risk AI Annex III (legally binding)

Legally binding as of 2 May 2026. Digital Omnibus proposal of 19 November 2025: postponement to 2 December 2027 — trilogue ongoing, NOT YET adopted. Obligations for high-risk AI systems under Annex III: risk management (Art. 9), data governance (Art. 10), technical documentation (Art. 11), logging (Art. 12), transparency (Art. 13), human oversight (Art. 14), accuracy/robustness/cybersecurity (Art. 15), QMS (Art. 17), conformity assessment (Art. 43), EU database registration (Art. 49), and FRIA for deployers (Art. 27).

1 October 2026 — Austria NISG 2026 (effective)

Effective date of the Austrian NIS2 transposition act. Approximately 4,500 entities in Austria are in scope.

Deadlines 2027

1 January 2027 — Germany EntgTranspG reform (expected)

Expected German transposition of Directive 2023/970. Status as of 04/2026: the Federal Ministry of Labour announced a draft for Q3/2026; adoption expected mid-to-late 2026; effective date for the right to information 1 January 2027 (reporting obligations from 7 June 2027).

7 June 2027 — EU Pay Transparency: first reports (250+ employees)

First pay-gap reports due for employers with 250 or more employees. Content: median comparison, quartile distribution, pay gap by category of work (Art. 9).

2 August 2027 — EU AI Act: GPAI transition period ends

Providers of GPAI models placed on the market before 2 August 2025 must now meet the full set of obligations (Art. 53–55).

2 August 2027 — EU AI Act: Annex I (regulated products, legally binding)

Obligations for AI in products covered by Union harmonisation legislation (Annex I) — machinery, toys, medical devices, lifts, pressure equipment, and so on. Digital Omnibus proposal of 19 November 2025: postponement to 2 August 2028 — trilogue ongoing, not yet adopted.

Deadlines 2028

7 June 2028 — EU Pay Transparency: reports for 100–249 employees (every three years)

Employers with 100–249 employees publish their first triennial pay-gap report. Note: the lower-threshold 100–149 cohort starts only on 7 June 2031.

Standing tasks (annual)

Obligation	Legal basis	Frequency
Records of processing update	Art. 30 GDPR	Annually + on changes
TOM review (Art. 32 GDPR)	Art. 32 GDPR	Annually + after incidents
NIS2 risk analysis update	Section 30(2) BSIG	Annually + on material changes
NIS2 management training	Section 38(3) BSIG	Regularly (in practice 1–2× per year)
AI literacy training	Art. 4 EU AI Act	Annually + when new systems are deployed
Whistleblower reporting-channel effectiveness self-review (best practice)	HinSchG; not a statutory audit obligation	Annually (recommended)
AGG employee training	Section 12(2) AGG	Every 2–3 years
Pay-gap report (250+ employees)	Art. 9 Directive 2023/970	Annually (from 7 June 2027)

Prioritisation by fining risk

Regulation	Maximum fine	Practical risk
EU AI Act Art. 5 (prohibited practices)	EUR 35 m / 7% turnover	HIGH
GDPR Art. 83	EUR 20 m / 4% turnover	HIGH (frequent supervisory action)
EU AI Act other	EUR 15 m / 3% turnover	MEDIUM (binding from 2 August 2026; Digital Omnibus proposal: 2 December 2027 — not adopted)
NIS2 essential entities	EUR 10 m / 2% turnover	HIGH + management personal liability under Section 38(5) BSIG
NIS2 important entities	EUR 7 m / 1.4% turnover	MEDIUM
Pay Transparency	per national law (e.g. BE: EUR 187,000)	RISING
HinSchG Section 40	EUR 50,000 / 500,000 (legal entity)	MEDIUM — anonymous reporting mandatory since 1 January 2025
AGG Section 15	typically 1–3 gross monthly salaries per claimant	case-dependent; in systematic AI discrimination cases, multiplication by claimant count is possible

Frequently asked questions

What happens if I miss a deadline?

It depends on the regulation. NIS2 (BSI registration deadline 6 March 2026 passed): fines up to EUR 10 m. GDPR: supervisory proceedings, up to 4% of annual turnover. AGG (Section 12): the employer’s liability privilege lapses. EU AI Act: from 2 August 2025 (GPAI) or 2 August 2026 (high-risk, legally binding; Digital Omnibus proposal: postponement to 2 December 2027 — not yet adopted): up to EUR 35 m or 7% turnover.

Does the Digital Omnibus postpone the EU AI Act deadlines?

Status 2 May 2026: The European Commission published the Digital Omnibus proposal on 19 November 2025 — trilogue is ongoing, NOT YET adopted. Planned changes: Annex III (high-risk AI) postponement to 2 December 2027 (instead of 2 August 2026); Annex I (AI in regulated products) to 2 August 2028. Until the proposal is adopted, 2 August 2026 remains the legally binding deadline. Art. 5 (prohibited practices), Art. 4 (AI literacy) and the GPAI obligations remain on their original dates (2 February 2025 and 2 August 2025 respectively).

Which deadline should I tackle first?

Sorted by fining risk and time pressure: (1) NIS2 BSI registration — if not yet completed, complete now. (2) EU Pay Transparency 7 June 2026 — the job-posting obligation applies immediately. (3) HinSchG anonymous-reporting (in force since 1 January 2025) plus an annual effectiveness self-review as a best-practice (not a statutory audit obligation). (4) Art. 4 EU AI Act — AI literacy training, due since 2 February 2025.

Sources

Regulation (EU) 2024/1689 (AI Act); Digital Omnibus proposal of 19 November 2025 (trilogue ongoing, not adopted)
Directive (EU) 2022/2555 (NIS2), German NIS2UmsuCG (BGBl. 2025 I No. 301)
Regulation (EU) 2016/679 (GDPR)
Whistleblower Protection Act (HinSchG, BGBl. 2023 I No. 140)
General Equal Treatment Act (AGG)
Directive (EU) 2023/970 (Pay Transparency), OJ L 132/21
BSI: NIS2 registration statistics 03/2026
European Commission, Digital Omnibus proposal, 19 November 2025