All Compliance Deadlines

Indiana's comprehensive consumer data privacy law takes effect. Controllers must provide privacy notices, honor consumer rights (access, correction, deletion, data portability, opt-out), conduct data protection assessments, and implement reasonable security measures.

Kentucky's comprehensive consumer data privacy law takes effect. Includes standard consumer rights (access, correction, deletion, portability, opt-out of targeted advertising, sale of data, and profiling). Controllers must obtain consent for processing sensitive data.

Rhode Island's comprehensive privacy law takes effect. Uniquely, it applies to all entities doing business in the state regardless of size/revenue thresholds for some provisions. Includes consumer rights, privacy notice requirements, and restrictions on processing sensitive data.

Multiple Oregon Consumer Privacy Act amendments take effect: (1) Prohibition on selling precise geolocation data; (2) Ban on processing children's data for targeted advertising, selling, or profiling regardless of consent; (3) Mandatory universal opt-out mechanism recognition; (4) Cure period expires -- Attorney General can proceed directly to enforcement without notice.

Sweden's national implementation of NIS2 enters into force on January 15, 2026. Entities must register promptly and comply with all obligations including incident reporting within 24 hours (early warning) and 72 hours (full notification), risk management measures, supply chain security requirements, and business continuity management.

By January 17, 2026, the European Commission shall carry out a review of DORA requirements and submit a report to the European Parliament and the Council on the appropriateness of strengthened requirements for statutory auditors and audit firms. National competent authorities are expected to carry out audits and supervisory reviews in early 2026.

The Minnesota Consumer Data Privacy Act's 30-day cure period sunsets on January 31, 2026. After this date, the Attorney General is no longer required to provide notice and a 30-day cure window before bringing enforcement actions. Full enforcement begins immediately upon identification of violations.

The FDA's Quality Management System Regulation (QMSR) replaces the existing Quality System Regulation (QSR) under 21 CFR Part 820 by incorporating ISO 13485:2016 by reference. All medical device manufacturers marketing devices in the US must comply. Risk-based thinking must be embedded in all operations.

FDA published updated guidance on cybersecurity in medical devices. Under Section 524B, cyber device manufacturers must submit cybersecurity plans for postmarket vulnerability monitoring, demonstrate secure design practices, and provide Software Bill of Materials (SBOM) with all premarket submissions (510(k), PMA, De Novo, HDE).

Annual NIS2 entity registration window closes February 28, 2026. Essential and important entities must register with national authorities. The registration must include entity details, sector classification, and contact information for cybersecurity coordination.

Large accelerated filers with December 31, 2025 fiscal year-end must file Form 10-K including mandatory cybersecurity disclosures under Item 106 of Regulation S-K. Must include cybersecurity risk management processes, board oversight description, management role in cybersecurity, and whether risks have materially affected the company.

Financial entities must submit their Register of Information (RoI) detailing all contractual arrangements with ICT third-party service providers to their national competent authority by March 31, 2026. Data must reflect status as of December 31, 2025. Submissions must be in xBRL-CSV format.

Enforcement begins for MODPA. Notably stricter than most state privacy laws: requires data minimization (only collect data reasonably necessary), prohibits sale of sensitive data outright regardless of consent, and requires data protection assessments for high-risk processing.

TSA Security Directive Pipeline-2021-02F expires on May 2, 2026. Pipeline operators must have a TSA-approved Cybersecurity Implementation Plan, maintain an up-to-date Cybersecurity Incident Response Plan, and operate an annual Cybersecurity Assessment Program. TSA is expected to issue renewal or replacement directives.

CISA is expected to finalize the CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act) implementing regulations by May 2026. Once effective, critical infrastructure operators must report significant cyber incidents to CISA within 72 hours and ransomware payments within 24 hours.

Smaller financial institutions must comply with amendments to SEC Regulation S-P. Requirements include: written policies for detecting, responding to, and recovering from unauthorized access; customer notification within 30 days of breach discovery; service provider oversight with 72-hour breach notification clauses; incident response program; and enhanced recordkeeping.

Rules on notifying and appointing conformity assessment bodies become applicable to EU Member States. Member States must have notified bodies in place to assess products with digital elements for cybersecurity compliance.

The deadline for companies to complete their first audit verifying NIS2 compliance was extended from December 31, 2025, to June 30, 2026. Organizations must demonstrate implementation of cybersecurity risk management measures, incident response capabilities, and supply chain security.

Colorado SB24-205 Consumer Protections for AI takes effect (delayed from February 1, 2026). Developers must exercise reasonable care to prevent algorithmic discrimination, publish documentation on high-risk AI systems, and disclose known discrimination risks. Deployers must adopt risk management policies, conduct initial and annual impact assessments, and provide pre-decision and adverse-decision consumer notices.

The Netherlands' cybersecurity bill implementing NIS2 is expected to enter into force in Q2 2026. Essential and important entities will need to register, implement risk management measures, and establish incident reporting procedures.

Financial entities must review and update their ICT risk management frameworks at least annually. The 2026 mid-year review cycle is a critical checkpoint for demonstrating ongoing compliance. Entities must maintain and update ICT risk policies, business continuity plans, ICT incident management procedures, and digital operational resilience testing programs.

Significant amendments to Connecticut's Data Privacy Act take effect. Applicability threshold lowered from 100,000 to 35,000 consumers. Sensitive data definition expanded to include neural data, disability-related treatment, nonbinary status, financial account information, and government-issued ID data. New prohibition on sale of sensitive data without consent.

Utah's Digital Choice Act takes effect, requiring social media companies to implement data portability and interoperability tools. This is the first US state law explicitly requiring social media platforms to build tools allowing users to transfer personal data (friends, connections, photos, likes, social graph) to other services.

The majority of the EU AI Act rules come into force on August 2, 2026. Requirements for Annex III high-risk AI systems become enforceable, including AI used in employment, credit decisions, education, and law enforcement contexts. Organizations must have quality management systems, risk management frameworks, technical documentation, conformity assessments, and EU database registrations in place.

Article 50 transparency rules become enforceable. AI systems that interact with natural persons must be designed so that individuals are informed they are interacting with AI. Providers of AI systems that generate synthetic content (deepfakes, AI-generated text) must ensure outputs are marked as artificially generated.

Manufacturers of products with digital elements must begin reporting actively exploited vulnerabilities and severe incidents. Mandatory timelines include: early warning within 24 hours, full notification within 72 hours, and final report no later than 14 days after a corrective measure is available. These obligations apply to ALL products already on the EU market, including legacy products.

All new DoD contracts will require CMMC certification at the appropriate level (1, 2, or 3). Level 1 covers basic Federal Contract Information (FCI) with 17 practices and self-assessment. Level 2 covers Controlled Unclassified Information (CUI) with all 110 NIST SP 800-171 practices and third-party C3PAO assessment. Level 3 covers Advanced Persistent Threats with government-led assessment.

SWIFT customers must submit their annual security attestation via the KYC-SA platform by December 31, 2026, using CSCF v2026. New for 2026: Control 2.4 Back Office Data Flow Security becomes mandatory, requiring protection of bridging servers between secure zones and back-office systems. Independent assessments are required to support attestations.

Healthcare organizations classified as critical infrastructure under CIRCIA must prepare for compliance with final reporting rules expected by mid-2026. Once effective, covered healthcare entities must report significant cyber incidents to CISA within 72 hours and ransomware payments within 24 hours.

SWIFT mandates that all connected banks implement standardized cyber incident response protocols by 2026. Banks must establish formalized incident response procedures aligned with SWIFT CSP requirements, including detection, containment, eradication, and recovery phases. Banks must also demonstrate capability for coordinated response with SWIFT's CIRT.