01-07-2026 Article

EU Digital Law 2026: An overview of the most important changes

Update Data Protection No. 226

In 2026, European digital law will enter a new phase. Numerous regulations that have been adopted in recent years will now take full effect for the first time or reach decisive implementation stages. Companies will no longer be faced with strategic decisions alone, but with specific compliance, organizational, and technical obligations. At the same time, new initiatives from the European Commission – in particular the Digital Omnibus and the planned Digital Fairness Act – herald further regulatory adjustments that are intended to supplement or modify existing regulations. Against this backdrop, companies are once again faced with the question of which digital regulations will be particularly relevant in 2026 and which measures should be taken at an early stage. The following overview summarizes the most important developments in EU digital law for 2026 and provides practical guidance on implementation.

I. AI Regulation

Although the AI Regulation has been in force since August 2024, its practical relevance for companies will increase significantly, particularly in 2026. Individual obligations already apply, such as ensuring adequate AI competence among employees working with AI systems and certain transparency requirements, for example when interacting with chatbots or labeling AI-generated content (we reported on this in Data Protection Update No. 208). However, the actual regulatory change will take place with the broad applicability of the regulation from August 2, 2026.

From this date, comprehensive requirements will apply in particular to high-risk AI systems used in sensitive areas such as human resources management, performance evaluation, lending, access to education, or essential services. Providers and operators of such systems will then have to implement structured risk management throughout the entire life cycle of the AI system, maintain detailed technical documentation, and ensure that training, validation, and test data are suitable, representative, and as free from bias as possible. In addition, there are obligations to log data, monitor operations on an ongoing basis, and establish effective human oversight mechanisms. Serious incidents and malfunctions must also be reported to the competent authorities.

The Digital Omnibus announced by the EU Commission could modify these requirements in specific areas or extend their implementation period, in particular to avoid double regulation and reduce the burden on companies. However, no concrete relief measures have been decided upon yet.

II. E-evidence

From August 18, 2026, the E-Evidence Regulation will apply directly in all member states and will fundamentally change the way electronic evidence is handled (we reported on this in Data Protection Update No. 215). From this date, law enforcement authorities in the EU will be able to request electronic data directly from service providers in other EU member states for the first time without having to go through national legal assistance procedures. The core instrument is the European Production Order, which can be used to request certain inventory, access, and traffic data across borders.

In particular, it regulates a uniform, EU-wide procedure for accessing electronically stored evidence in communication, hosting, and other online services. The regulation sets binding deadlines within which service providers must respond to orders and, for the first time, establishes clearly structured requirements for securing data to prevent its deletion or alteration during ongoing investigations. At the same time, it prescribes a standardized communication channel via a secure IT system, which standardizes and accelerates the exchange of information between authorities and companies.

When it comes into force in August 2026, new organizational requirements will also become binding. Service providers offering their services in the EU without being established there must be accessible via a designated legal representative in the Union from that date onwards. The regulation thus clearly shifts responsibility and cooperation obligations to companies, making them key players in cross-border law enforcement in the digital space.

III. Data Act

Although the Data Act has been applicable since September 12, 2025 (we reported on this in Data Protection Update No. 200 and No. 214), another key part of its obligations will take effect on September 12, 2026. From that date, the obligation under Article 3(1) will apply to all connected products and related services placed on the market after that date. This means that the Data Act will become a product and development-related compliance requirement for manufacturers and suppliers by 2026 at the latest.

At the heart of the regulation is the obligation to design connected products and associated services in such a way that product data and associated service data are accessible to users by default. Data access must be simple, secure, and free of charge, and the data must be provided in a comprehensive, structured, commonly used, and machine-readable format. Where technically feasible, the data must also be directly accessible, i.e., without intermediate manual processes or separate requests. This covers not only the actual usage or sensor data, but also the metadata required for its interpretation and use.

With this regulation, the Data Act shifts the focus from purely contractual obligations to "access-by-design" requirements. From September 2026, manufacturers must ensure that data access is technically provided for as early as the development and product design stages.

IV. Cyber Resilience Act

The Cyber Resilience Act (CRA) came into force in December 2024, but its obligations are also staggered. The year 2026 is particularly important for companies, as key obligations for manufacturers of products with digital elements will take effect for the first time on September 11, 2026. From this date, Article 14 CRA will apply, which stipulates mandatory reporting obligations for actively exploited vulnerabilities and serious security incidents.

From this date, manufacturers must report identified vulnerabilities and security incidents that significantly compromise the security of a product to the competent market surveillance authorities within tight deadlines. The aim is to enable authorities to identify risks to users and the internal market at an early stage and to take coordinated action. The reporting obligation applies regardless of whether the product concerned is already fully CRA-compliant and requires appropriate internal processes for the detection, assessment, and escalation of security incidents.

The remaining substantive obligations of the CRA, in particular those relating to cybersecurity requirements throughout the product life cycle, technical documentation, CE marking, and the mandatory provision of security updates, will not become fully applicable until December 11, 2027.

However, it remains to be seen whether the Digital Omnibus will modify individual obligations and, in particular, implementation deadlines for the CRA (see below).

V. eIDAS 2.0

With the reformed eIDAS Regulation ("eIDAS 2.0"), the focus in 2026 will be in particular on the practical introduction of the European Digital Identity Wallet (EU Digital Identity Wallet, "EUDI Wallet") (we reported on this in Data Protection Update No. 218). While the regulation itself already sets the legal framework for a uniform digital identity across Europe, 2026 will be the year in which pilot projects and technical specifications give rise to the first binding applications on the market.

From 2026, member states will be required to provide their citizens and businesses with at least one EU-compliant digital identity wallet. This wallet will enable users to securely store identity data, credentials, and attributes—such as ID card data, driver's licenses, professional qualifications, or payment information—and disclose them selectively to public authorities and private providers. For companies, this means that they will have to adapt to new forms of digital identification and authentication.

2026 is also particularly relevant for large online platforms and regulated services, which may in future be obliged to accept the EU wallet as a means of identification where legal identification is required. This makes eIDAS 2.0 a central component for digital administrative services, financial and telecommunications services, and platforms with high requirements for identity verification and fraud prevention.

VI. Digital Omnibus

With the so-called Digital Omnibus, the European Commission has announced a comprehensive initiative (we reported on this in Data Protection Update No. 219 and No. 223) that is likely to become highly important for European digital law in 2026. Unlike the regulations described above, this is not a stand-alone set of rules with directly applicable obligations, but rather a legislative package aimed at simplifying, harmonizing, and reducing the burden of existing digital law regulations.

The Digital Omnibus builds on several legal acts that have already been adopted, in particular the AI Regulation, data protection law, and other digital regulatory instruments such as the Data Act and CRA. Among other things, adjustments to deadlines, clarifications of obligations, and better coordination of parallel compliance requirements are being discussed in order to avoid double regulation and disproportionate burdens, especially for small and medium-sized enterprises. The focus is less on lowering protection standards in terms of content and more on fine-tuning the existing regime.

From a legal perspective, it should be noted that the Digital Omnibus will still be in the legislative process in 2026. Specific changes and their scope are therefore currently open and dependent on negotiations between the Commission, Parliament, and Council.

VII. Recommendations for action for companies

Against the backdrop of the developments described above, companies should use 2026 to review and further develop existing digital compliance structures in a targeted manner. In many areas, it is less a matter of new policy decisions than of the consistent implementation of already known regulatory requirements.

Companies that use or develop AI systems should clarify at an early stage whether existing or planned applications are classified as high-risk AI within the meaning of the AI Regulation and align their governance structures accordingly. By 2026 at the latest, robust processes for risk management, documentation, human oversight, and incident reporting must be established. Regardless of this, training and awareness concepts for AI competence and standardized transparency notices should already be implemented now to avoid short-term compliance gaps.

Providers of digital services should take the e-evidence regulation as an opportunity to fundamentally review their internal processes for regulatory inquiries. In particular, clear responsibilities, robust escalation processes, and technical requirements for the timely processing of disclosure and preservation orders must be established. Companies without a branch in the EU must prepare in good time to appoint a legal representative and ensure that their documentation and archiving obligations are covered organizationally.

Manufacturers of connected products and providers of connected services should make targeted use of 2026 to ensure Data Act readiness in product development. New products placed on the market in the EU from September 2026 onwards must already be technically designed in such a way that direct, standardized, and free data access is possible for users. This requires close coordination between legal, IT, product management, and development departments and should be integrated into development processes at an early stage.

In the area of cybersecurity, it is advisable to implement functioning processes for detecting, assessing, and reporting security incidents and vulnerabilities by September 2026 at the latest. Even though the full CRA obligations will not apply until 2027, the reporting obligations effectively serve as a preliminary stage to comprehensive CRA compliance and should not be viewed in isolation.

Finally, companies should actively monitor developments surrounding eIDAS 2.0 and examine in which business processes the integration of the EU Digital Identity Wallet will be necessary or strategically sensible in the future. Early technical and organizational preparation can create competitive advantages, especially for regulated industries and platforms.

VIII. Conclusion and outlook

The year 2026 will be marked by the further concretization and application of key European digital regulations. For companies, implementation issues will be at the forefront, while new policy regulations will initially play a subordinate role.

At the same time, the regulatory environment remains in flux. With the Digital Omnibus, further adjustments are foreseeable, the specific details of which are still open. Companies should monitor these developments and keep their compliance structures flexible in order to be able to respond appropriately to new requirements.
 
