Brussels is not slowing down. If NIS2 and DORA felt heavy, the next wave ; already published, legislated, or in final negotiation ; is bigger, stricter, and more operational.
The era of “one regulation every few years” is over. We are entering continuous digital regulation.
Here is what’s actually coming next ; with clear, actionable implications for every CISO, DPO, and Digital Compliance Officer.
1. AI Act Enforcement (2025–2026): The New Governance Beast
The AI Act is the EU’s most ambitious regulation since GDPR. Unlike NIS2, it doesn’t only look at cybersecurity ; it governs how intelligence is built, tested, deployed, monitored, and documented.
What organisations will need to implement (not theory, reality):
- AI risk classification (prohibited / high-risk / limited / general-purpose)
- Model documentation packages (training data, evaluation, architecture)
- Mandatory risk assessments (aligned with ISO 42001)
- Continuous monitoring for drift, bias, hallucinations
- Red-teaming for high-risk and foundation models
- AI incident reporting to the new EU AI Office
- Human oversight functions
- Full traceability of decisions
- AI supplier accountability and audits
Impact:
This will require a new governance function inside organisations ; which is why Brussels is implicitly pushing the emergence of the Digital Compliance Officer (DCO).
2. Data Act (2025): Mandatory Data Access, Portability, and Interoperability
The Data Act changes how companies handle data at a structural level, especially cloud providers and data-rich industries.
Key obligations:
- Users must be able to switch cloud providers quickly and affordably
- Mandatory data portability between cloud infrastructures
- Prohibition of certain vendor lock-in practices
- Transparency on data processing and usage rights
- Mandatory interoperability between IoT devices and backend systems
- Access rights for public bodies during emergencies
Impact:
Vendor lock-in will become a regulatory non-compliance issue. Cloud architectures must be redesigned with exit and portability in mind ; aligning directly with DORA’s ICT resilience requirements.
3. Cyber Resilience Act (CRA): Secure-by-Design for Every Digital Product
The CRA imposes mandatory cybersecurity requirements for any product with digital elements ; hardware, software, embedded systems, IoT, industrial devices.
- Secure-by-design and by-default requirements
- Mandatory vulnerability management processes
- 24h early warning to ENISA for active exploitation
- 72h incident reporting
- 5–10 years of security updates depending on product criticality
- SBOM requirements (software bill of materials)
- Conformity assessments before products reach the market
Impact:
This will hit software vendors, SaaS companies, industrial producers, and even startups. Expect product teams to become part of the compliance ecosystem for the first time.
4. EUCS (EU Cloud Certification Scheme): The Coming Cloud Security Rulebook
EUCS will redefine cloud use across the EU. It’s more than certification ; it’s a sovereignty strategy.
What EUCS will impose:
- Three assurance levels (Basic, Substantial, High)
- Data residency requirements
- Mandatory transparency on subcontractors
- Restrictions on non-EU jurisdictional influence at “High” level (i.e., CLOUD Act conflicts)
- Stricter auditability for cloud vendors
- Incident reporting obligations aligned with NIS2/DORA
- Mandatory security controls beyond ISO 27001
Impact:
- AWS/Azure/GCP may not qualify for “High” unless they adapt governance models
- Critical sectors will be required to use EUCS-certified services
- Multi-cloud strategies will no longer be optional ; they will be regulatory insurance
This is the regulation that will reshape cloud strategies across Europe.
5. Stronger Penalties & Personal Executive Liability
NIS2 already introduced personal accountability for executives. Expect Brussels to go further and harmonise personal liability across digital regulations.
What’s coming:
- C-level liability for AI Act breaches (especially high-risk AI misuse)
- Fines tied to global revenue like GDPR
- Criminal liability discussions for severe negligence (under debate in several committees)
- Mandatory Board-level cybersecurity competence requirements
- SOX-style attestation for cybersecurity and operational resilience
Impact:
Boards will start demanding:
- Continuous compliance reporting
- Risk-based KPIs
- Clear ownership of cyber + AI decisions
- Evidence that compliance is embedded, not documented
Executives will no longer be insulated from digital governance failures.
6. Formalisation of the Digital Compliance Officer (DCO) Role
This is no longer theoretical. Brussels is already signalling ; through the AI Act, NIS2, CRA, DORA and upcoming guidance papers ; that organisations will need a cross-regulation governance role.
Why a DCO becomes mandatory (implicitly first, explicitly later):
- AI governance requires one point of accountability
- DORA requires ICT risk oversight and supplier governance
- NIS2 requires executive accountability and cross-functional coordination
- GDPR already mandates a DPO ; the DCO is its evolution for broader digital risks
- CRA requires product + cyber + supplier control coordination
Expected responsibilities:
- Oversee AI Act compliance
- Coordinate NIS2 + DORA + GDPR + CRA
- Manage cloud oversight under EUCS
- Run unified risk and control frameworks
- Build regulatory-aligned digital governance models
- Ensure evidence readiness for regulators
- Report directly to Board / executive committees
Impact:
By 2026–2027, the DCO will become as standard as the DPO became after GDPR. This will be the most strategic GRC role of the next decade.
7. The Next Phase: Unification of EU Digital Regulation (2027–2030)
Several internal EU documents and working groups are pushing for a single, integrated digital governance framework to reduce fragmentation.
This could consolidate:
- GDPR
- NIS2
- DORA
- AI Act
- Data Act
- CRA
- Digital Services Act
- Digital Markets Act
- eIDAS 2.0
What the unified model will introduce:
- A single taxonomy for digital risk
- A harmonised incident reporting model
- One control framework for multiple laws
- Cross-regulation audits
- Shared supervisory authority cooperation
- A pan-European digital oversight structure
Impact:
Compliance will evolve from “documents for auditors” → continuous digital governance for regulators.
This is where Brussels is heading.
Final Thought
Brussels is building the world’s first complete digital governance ecosystem ; covering data, AI, cloud, cybersecurity, resilience, and product security.
The next wave is not abstract. It’s concrete, legislated, and enforceable by 2025–2027.
The organisations that will survive (and thrive) are those that:
- adopt unified governance now
- understand each regulation’s operational impact
- redesign cloud strategies early
- prepare AI accountability structures
- appoint a Digital Compliance Officer
- build continuous compliance, not annual audits
Europe’s digital future is regulated ; intelligently, aggressively, and permanently.
The question is no longer “Is more coming?” It’s “Are you preparing for it before it arrives?”
If you want a practical, regulation-aligned roadmap for AI Act, Data Act, CRA, NIS2, DORA, EUCS and the rise of the Digital Compliance Officer, that’s exactly what we teach in the Cyber Academy European Digital Governance Program. Join the next session and stay ahead of Brussels’ next wave.
