EU Regulations in plain English
Every regulation that matters if your business touches the EU — what it is, who it applies to, and what happens if you ignore it.
The regulatory landscape
Five regulations. One direction.
The EU is building the world's most comprehensive digital regulatory framework. Here's what you need to know.
GDPR
General Data Protection Regulation
The foundation of EU data protection. If your business collects, stores, or processes personal data of anyone in the EU — regardless of where you're based — GDPR applies to you.
Key obligations:
- 72-hour breach notification to supervisory authority
- Record of Processing Activities (Article 30)
- Data Protection Impact Assessments for high-risk processing
- Lawful basis required for all personal data processing
- Right to erasure, portability, and access
NIS2
Network and Information Security Directive 2
The EU's updated cybersecurity framework. Covers essential and important entities across 18 sectors. Supply chain requirements mean your EU clients may need you to comply, even if you're not directly in scope.
Key obligations:
- Risk management measures for network and information systems
- 24-hour early warning, 72-hour incident notification
- Supply chain security assessment
- Management body accountability (personal liability)
- Business continuity and disaster recovery planning
DORA
Digital Operational Resilience Act
Specific to the financial sector. Banks, insurers, investment firms, and — critically — their ICT third-party service providers must meet strict operational resilience standards.
Key obligations:
- ICT risk management framework
- ICT incident classification, reporting, and response
- Digital operational resilience testing
- Register of Information for all ICT third-party providers
- Contractual provisions with ICT service providers
AI Act
Artificial Intelligence Act
The world's first comprehensive AI regulation. Risk-based approach: prohibited practices (banned Feb 2025), high-risk system obligations (phasing through 2026–2027), and transparency requirements for all AI systems.
Key obligations:
- Risk classification for all AI systems
- Prohibited practices: social scoring, real-time biometric ID (with exceptions)
- High-risk AI: conformity assessments, human oversight, documentation
- Transparency obligations for chatbots, deepfakes, emotion recognition
- General-purpose AI model obligations (GPAI)
CADA
Cloud and AI Development Act
Part of the EU's Tech Sovereignty Package (published June 3, 2025). Proposes a four-tier sovereignty framework for cloud services used by EU public sector and regulated industries. This is a legislative proposal — not yet law. It must pass through European Parliament and Council negotiations, typically 1–3 years.
What the proposal includes:
- Four-tier cloud sovereignty classification
- Tier 4 (highest): would likely exclude non-EU-headquartered providers from sensitive workloads
- Member States would conduct individual sovereignty risk assessments
- Builds on existing EU Cloud Sovereignty Framework
- Interoperability and portability requirements for cloud services
US CLOUD Act
Clarifying Lawful Overseas Use of Data Act
Not an EU regulation — but a critical factor in EU compliance. The US CLOUD Act lets US government agencies compel US-headquartered companies to produce data, even when stored outside the US. This creates a direct conflict with GDPR data protection requirements.
Why it matters:
- US agencies can demand data from AWS, Azure, GCP regardless of storage location
- Businesses can't guarantee EU data stays under EU jurisdiction
- GDPR requires adequate protection — CLOUD Act undermines this
- EU-sovereign cloud alternatives eliminate this risk
Timeline
Key compliance dates
What's already in force, what's coming, and what's still being negotiated.
GDPR enforcement begins
Full enforcement of the General Data Protection Regulation. Over €4.5 billion in fines issued to date.
US CLOUD Act executive agreements expand
Bilateral agreements enable cross-border data requests, increasing the urgency of data sovereignty planning.
NIS2 transposition deadline
EU Member States required to transpose NIS2 into national law. Supply chain obligations begin affecting non-EU providers.
DORA goes live
Financial entities and their ICT providers must comply with operational resilience requirements.
AI Act — prohibited practices enforced
Social scoring, manipulative AI, and real-time biometric identification (with exceptions) become illegal.
AI Act — GPAI and governance provisions
General-purpose AI model obligations and governance structures take effect.
AI Act — high-risk AI obligations
Full compliance required for high-risk AI systems including conformity assessments and documentation.
CADA — earliest possible enforcement
Assumes the legislative process proceeds at typical speed; the date remains subject to Parliament and Council negotiations. Plan now, comply when finalised.
Who's in scope
Does this apply to my business?
If any of these sound like you, the answer is yes.
You sell to EU customers
E-commerce, SaaS, or services marketed to EU residents — GDPR applies regardless of your location.
You process EU personal data
Employee data, customer records, analytics — if it belongs to EU individuals, it's regulated.
Your clients are EU-regulated
NIS2 and DORA have supply chain requirements. Your EU clients may need you to comply as a condition of doing business.
You serve financial institutions
DORA covers ICT third-party providers to financial entities. If your client is a bank or insurer, you're in scope.
You deploy AI in the EU
The AI Act applies to providers and deployers of AI systems used in the EU market — even if developed elsewhere.
You use US cloud providers
The CLOUD Act creates a GDPR tension. Upcoming sovereignty rules may require EU-based infrastructure for sensitive data.