--- title: "Regulatory Universal Timeline - 38 Source Timelines and 1297 Compliance Events" canonical_url: "https://www.sorena.io/artifacts/global/regulatory-universal-timelines" source_url: "https://www.sorena.io/artifacts/global/regulatory-universal-timelines" author: "Sorena AI" description: "Use Sorena AI Regulatory Universal Timeline to review 38 source timelines and 1297 dated compliance events in one view." published_at: "2026-02-12" updated_at: "2026-02-12" keywords: - "regulatory universal timeline" - "compliance timeline" - "compliance calendar" - "regulatory deadlines" - "deadline planning" - "governance reporting" - "PNG timeline export" - "Sorena AI timeline" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # Regulatory Universal Timeline - 38 Source Timelines and 1297 Compliance Events Use Sorena AI Regulatory Universal Timeline to review 38 source timelines and 1297 dated compliance events in one view. ![Regulatory Universal Timeline - 38 Source Timelines and 1297 Compliance Events](https://cdn.sorena.io/cheatsheets/sorena-ai-regulatory-universal-timeline-small.png) *Universal Timeline* *Merged Local Dataset* ## Regulatory Universal Timeline This page merges 38 source timelines and 1297 dated events from the local artifacts catalog into one interactive compliance timeline. Filter by source label, inspect milestone detail, zoom from 1973 to 2050, and export the current view as a PNG snapshot. The viewer is built from local timeline JSON files. Labels are normalized from source keys and selected regulation identifiers so teams can compare timing across frameworks without rewriting the source events. [Create my custom view](/solutions/assessment.md) | [Talk to an expert](/contact.md) By Sorena AI | Updated Mar 2026 | No sign-up required **Key highlights:** 38 source timelines | PNG export and filters ## Topic Guides - [Framework Overlap and Evidence Reuse for Regulatory Universal Timeline](/artifacts/global/regulatory-universal-timelines/framework-overlap-and-evidence-reuse.md): Use Sorena AI Regulatory Universal Timeline to spot deadline overlap. - [How to Use Regulatory Universal Timelines for Execution Planning](/artifacts/global/regulatory-universal-timelines/how-to-use.md): Step by step guide for using Sorena AI Regulatory Universal Timeline: source filters, category chips, event detail, zoom, minimap navigation. - [Regulatory Universal Timeline Compliance Calendar Guide](/artifacts/global/regulatory-universal-timelines/compliance-calendar.md): Build an internal compliance calendar from Sorena AI Regulatory Universal Timeline by converting external events into owned milestones, collision windows. - [Regulatory Universal Timeline Export and Sharing Guide](/artifacts/global/regulatory-universal-timelines/export-and-sharing.md): Share Sorena AI Regulatory Universal Timeline correctly: browser generated PNG export, filter context, version notes, leadership reporting packs. - [Regulatory Universal Timeline Glossary](/artifacts/global/regulatory-universal-timelines/glossary.md): Glossary for Sorena AI Regulatory Universal Timeline covering source timelines, category chips, milestone events, ranged events, export snapshots. - [What Is Included in Regulatory Universal Timeline](/artifacts/global/regulatory-universal-timelines/what-is-included.md): Review current coverage for Sorena AI Regulatory Universal Timeline: which local timeline files are merged, what event fields are included. ## Universal timeline *38 source timelines* Use category chips, zoom controls, minimap navigation, and event detail to review the current merged dataset. The current build spans 1973 through 2050 and includes 339 milestone events. ## Merged compliance timeline viewer The viewer auto-builds from local timeline datasets. Use source and category filters to isolate a framework, compare overlapping deadlines, click an event for detail, and export the current state for governance or audit reporting. ## Move Regulatory Universal Timeline into live planning Regulatory Universal Timeline should be the shared entry point for your team. Route execution into Research Copilot for live work and into SSOT when the artifact needs deeper research, evidence governance, or supporting analysis. [Open Research Copilot](/solutions/research-copilot.md) [Open SSOT](/solutions/ssot.md) ## EU NIS2 Timeline | Date | Event | Category | Reference | | --- | --- | --- | --- | | 2020-12-16 | Commission publishes NIS2 proposal | Legislative History | COM(2020) 823 | | 2021-12-03 | Council agrees its position | Legislative History | | | 2022-05-13 | Political agreement reached | Legislative History | | | 2022-07-13 | ITRE committee adopts agreed text | Legislative History | | | 2022-11-10 | Parliament plenary adoption | Legislative History | | | 2022-11-28 | Council formal adoption | Legislative History | | | 2022-12-14 | Final act signed by co-legislators | Official Publication | | | 2022-12-27 | Published in Official Journal | Official Publication | OJ L 333, 27.12.2022 | | 2023-01-16 | Entry into force | Official Publication | | | 2023-07-17 | Commission deadline for Article 4 guidelines | Commission Deliverables | Art. 4(3) | | 2023-09-14 | Guidelines on Article 3(4) published | Commission Deliverables | 2023/C 324/02 | | 2023-09-18 | Guidelines on Article 4(1)-(2) published | Commission Deliverables | 2023/C 328/02 | | 2023-12-22 | Corrigendum: Article 19(1) deadline wording | Corrigendum | Art. 19(1) | | 2024-02-01 | Cooperation Group work programme due | Cooperation & Networks | Art. 14(7) | | 2024-07-17 | EU-CyCLONe first report due | Cooperation & Networks | Art. 16(7) | | 2024-10-17 | Implementing Regulation 2024/2690 adopted | Implementing Acts | Reg. (EU) 2024/2690 | | 2024-10-17 | Transposition deadline | National Transposition | Art. 41(1) | | 2024-10-18 | Implementing Regulation 2024/2690 published in OJ | Implementing Acts | OJ L 2024/2690 | | 2024-10-18 | NIS1 repealed, NIS2 measures apply | National Transposition | Art. 44 | | 2024-11-07 | Implementing Regulation 2024/2690 enters into force | Implementing Acts | OJ L 2024/2690 | | 2025-01-17 | Registry information submission due | National Obligations | Art. 27(2) | | 2025-01-17 | Member States notify penalty rules | National Obligations | Art. 36 | | 2025-01-17 | CSIRTs network progress report due | Cooperation & Networks | Art. 15(4) | | 2025-01-17 | Peer-review methodology due | Cooperation & Networks | Art. 19(1) | | 2025-04-17 | Entity list established | National Obligations | Art. 3(3) | | 2025-04-17 | Aggregate entity data notification | National Obligations | Art. 3(5) | | 2025-06-26 | ENISA technical implementation guidance published | Cooperation & Networks | Version 1.0 | | 2026-01-20 | Commission proposes NIS2 amendment | Legislative History | COM(2026) 13 | | 2027-10-17 | Commission review of NIS2 | Commission Deliverables | Art. 40 | **Event details:** - **2020-12-16 - Commission publishes NIS2 proposal**: European Commission publishes the NIS2 proposal COM(2020) 823 final, proposing measures for a high common level of cybersecurity across the Union. - **2021-12-03 - Council agrees its position**: Council agrees its position (general approach) to start negotiations with the European Parliament. - **2022-05-13 - Political agreement reached**: Council and European Parliament reach provisional political agreement on NIS2. - **2022-07-13 - ITRE committee adopts agreed text**: EP Industry, Research and Energy (ITRE) committee adopts the agreed text after trilogue. - **2022-11-10 - Parliament plenary adoption**: European Parliament adopts NIS2 in plenary: 577 in favour, 6 against, 31 abstentions. - **2022-11-28 - Council formal adoption**: Council of the EU formally adopts NIS2. - **2022-12-14 - Final act signed by co-legislators**: NIS2 Directive signed by both co-legislators on 14 December 2022. - **2022-12-27 - Published in Official Journal**: Directive (EU) 2022/2555 published in the Official Journal of the European Union (OJ L 333, 27.12.2022). - **2023-01-16 - Entry into force**: NIS2 enters into force on the 20th day following OJ publication (16 January 2023). Member States have until 17 October 2024 to transpose. - **2023-07-17 - Commission deadline for Article 4 guidelines**: Commission deadline to provide guidelines clarifying the application of Article 4(1) and Article 4(2). - **2023-09-14 - Guidelines on Article 3(4) published**: Commission publishes Guidelines on the application of Article 3(4) with a data-collection template for establishing entity lists. - **2023-09-18 - Guidelines on Article 4(1)-(2) published**: Commission publishes Guidelines on equivalence with sector-specific Union legal acts, pursuant to Article 4(3) (deadline was 17 Jul 2023). - **2023-12-22 - Corrigendum: Article 19(1) deadline wording**: Corrigendum changes Article 19(1) deadline wording from 'on' to 'by' 17 January 2025 for the Cooperation Group peer-review methodology. - **2024-02-01 - Cooperation Group work programme due**: Cooperation Group must establish a work programme by 1 February 2024 and every two years thereafter. - **2024-07-17 - EU-CyCLONe first report due**: EU-CyCLONe must submit a report assessing its work to the European Parliament and Council by 17 July 2024 and every 18 months thereafter. - **2024-10-17 - Implementing Regulation 2024/2690 adopted**: Commission adopts Implementing Regulation (EU) 2024/2690 specifying technical and methodological requirements and incident-significance criteria for listed digital infrastructure and service providers. OJ publication 18 Oct 2024; enters into force 20 days later. - **2024-10-17 - Transposition deadline**: Member States must adopt and publish national transposition measures by 17 October 2024. Measures apply from 18 October 2024. - **2024-10-18 - Implementing Regulation 2024/2690 published in OJ**: Commission Implementing Regulation (EU) 2024/2690 is published in the Official Journal on 18 October 2024. - **2024-10-18 - NIS1 repealed, NIS2 measures apply**: Directive (EU) 2016/1148 (NIS1) is repealed with effect from 18 October 2024. National NIS2 measures apply from this date. - **2024-11-07 - Implementing Regulation 2024/2690 enters into force**: Commission Implementing Regulation (EU) 2024/2690 enters into force on the twentieth day following its Official Journal publication (published 18 October 2024). - **2025-01-17 - Registry information submission due**: Member States must require entities referred to in Article 27(1) to submit registry information to competent authorities by 17 January 2025. - **2025-01-17 - Member States notify penalty rules**: Member States must notify the Commission of their national penalty rules and enforcement measures by 17 January 2025. - **2025-01-17 - CSIRTs network progress report due**: CSIRTs network must adopt a report assessing progress in operational cooperation by 17 January 2025 and every two years thereafter. - **2025-01-17 - Peer-review methodology due**: Cooperation Group must establish the peer-review methodology and organisational aspects by 17 January 2025. - **2025-04-17 - Entity list established**: Member States must establish a list of essential and important entities (and entities providing domain name registration services) by 17 April 2025. - **2025-04-17 - Aggregate entity data notification**: Competent authorities must notify the Commission and Cooperation Group of aggregate list data (number of essential and important entities per sector) by 17 April 2025 and every two years thereafter. - **2025-06-26 - ENISA technical implementation guidance published**: ENISA publishes the NIS2 Technical Implementation Guidance (version 1.0) supporting implementation of Implementing Regulation (EU) 2024/2690. - **2026-01-20 - Commission proposes NIS2 amendment**: Commission publishes proposal to amend NIS2 (simplification and alignment). This is a proposal, not yet law. - **2027-10-17 - Commission review of NIS2**: The Commission shall review the functioning of the NIS2 Directive by 17 October 2027 and every 36 months thereafter, and submit a report to the European Parliament and Council. ## EU AI Act Timeline | Date | Event | Category | Reference | | --- | --- | --- | --- | | 2024-01-24 | Commission Decision establishes the European AI Office | Notified bodies & governance | | | 2024-07-12 | AI Act published in the Official Journal | Legislative milestones | | | 2024-08-01 | AI Act enters into force | Legislative milestones | | | 2025-02-02 | Chapters I and II apply (including prohibited AI practices) | Prohibitions | | | 2025-07-10 | General-Purpose AI Code of Practice published | GPAI | | | 2025-07-18 | Commission adopts guidelines on GPAI obligations scope | GPAI | | | 2025-08-02 | GPAI obligations and governance provisions apply | GPAI | | | 2025-09-01 | Consultation to develop guidelines and a Code of Practice (transparent AI systems) | Transparency & labelling | | | 2025-09-26 | Consultation on serious AI incident reporting interplay | Incident reporting & post-market | | | 2025-10-01 | Chairs and vice-chairs selection | Transparency & labelling | | | 2025-11-04 | Reporting template for serious incidents (GPAI systemic risk) published | Incident reporting & post-market | | | 2025-11-05 | Kick-off plenary (start of 1st drafting round) | Transparency & labelling | | | 2025-11-17 | 1st working group meetings | Transparency & labelling | | | 2025-12-05 | Template published for public summary of GPAI training content | GPAI | | | 2025-12-17 | First draft published | Transparency & labelling | | | 2026-01-12 | Working group meetings (start of 2nd drafting round) | Transparency & labelling | | | 2026-01-21 | Workshops (working groups 1 and 2) | Transparency & labelling | | | 2026-03-01 | Second draft published (TBC) | Transparency & labelling | | | 2026-04-01 | Working group meetings (TBC) | Transparency & labelling | | | 2026-05-01 | Closing plenary and final Code of Practice published | Transparency & labelling | | | 2026-08-02 | AI Act applies (main obligations start) | Legislative milestones | | | 2026-08-02 | Commission enforcement powers for GPAI enter into application | GPAI | | | 2027-08-02 | Article 6(1) and corresponding obligations apply | High-risk AI | | | 2027-08-02 | Existing GPAI providers must comply by this date | GPAI | | **Event details:** - **2024-01-24 - Commission Decision establishes the European AI Office**: 24 January 2024: European Commission publishes the decision establishing the European AI Office. - **2024-07-12 - AI Act published in the Official Journal**: 12 July 2024: Regulation (EU) 2024/1689 is published in the Official Journal (OJ L, 12.7.2024). - **2024-08-01 - AI Act enters into force**: 1 August 2024: The EU AI Act enters into force (20 days after publication). - **2025-02-02 - Chapters I and II apply (including prohibited AI practices)**: 2 February 2025: Chapters I and II apply under the AI Act entry into force and application rules. - **2025-07-10 - General-Purpose AI Code of Practice published**: 10 July 2025: The General-Purpose AI (GPAI) Code of Practice is published as a voluntary tool to help providers meet AI Act obligations. - **2025-07-18 - Commission adopts guidelines on GPAI obligations scope**: 18 July 2025: Commission finalises its guidelines on the scope of obligations for general-purpose AI models (C(2025) 5045 final). - **2025-08-02 - GPAI obligations and governance provisions apply**: 2 August 2025: Chapter V (general-purpose AI) and selected governance provisions start to apply (per Article 113). - **2025-09-01 - Consultation to develop guidelines and a Code of Practice (transparent AI systems)**: September 2025: Consultation to develop guidelines and a Code of Practice on transparent AI systems, plus a call for expression of interest to participate. - **2025-09-26 - Consultation on serious AI incident reporting interplay**: 26 September 2025: Consultation referenced alongside serious incident reporting guidance and templates for AI incidents. - **2025-10-01 - Chairs and vice-chairs selection**: October 2025: Eligibility checks and selection of applications for chairs and vice-chairs. - **2025-11-04 - Reporting template for serious incidents (GPAI systemic risk) published**: 4 November 2025: Commission publishes a reporting template for serious incidents involving general-purpose AI models with systemic risk. - **2025-11-05 - Kick-off plenary (start of 1st drafting round)**: 5 November 2025: Kick-off plenary; start of the first drafting round. - **2025-11-17 - 1st working group meetings**: 17-18 November 2025: First working group meetings. - **2025-12-05 - Template published for public summary of GPAI training content**: 5 December 2025: Commission publishes an explanatory notice and a template for the public summary of training content (Article 53(1)(d)). - **2025-12-17 - First draft published**: 17 December 2025: Publication of the first draft. - **2026-01-12 - Working group meetings (start of 2nd drafting round)**: 12 and 14 January 2026: Working group meetings; start of the second drafting round. - **2026-01-21 - Workshops (working groups 1 and 2)**: 21-22 January 2026: Workshops for working groups 1 and 2. - **2026-03-01 - Second draft published (TBC)**: March 2026 (TBC): Publication of the second draft; start of the final drafting round. - **2026-04-01 - Working group meetings (TBC)**: April 2026 (TBC): Working group meetings. - **2026-05-01 - Closing plenary and final Code of Practice published**: May-June 2026: Closing plenary; publication of the final Code of Practice. - **2026-08-02 - AI Act applies (main obligations start)**: 2 August 2026: The AI Act applies in general (per Article 113). - **2026-08-02 - Commission enforcement powers for GPAI enter into application**: 2 August 2026: Commission enforcement powers for obligations on providers of GPAI models enter into application (including fines). - **2027-08-02 - Article 6(1) and corresponding obligations apply**: 2 August 2027: Article 6(1) and corresponding obligations apply (per Article 113). - **2027-08-02 - Existing GPAI providers must comply by this date**: By 2 August 2027: Providers of GPAI models placed on the market before 2 August 2025 must comply, per Commission guidance. ## EU DORA Timeline | Date | Event | Category | Reference | | --- | --- | --- | --- | | 2022-12-14 | DORA adopted | Legislative History | Reg. (EU) 2022/2554 (of 14 December 2022) | | 2022-12-27 | DORA published in Official Journal | Official Publication | OJ L 333, 27.12.2022 | | 2022-12-27 | Alignment Directive (EU) 2022/2556 published | Official Publication | | | 2023-01-16 | DORA enters into force | Official Publication | Art. 64 | | 2023-06-19 | ESAs first batch public consultation opens | ESAs Mandates & Deliverables | | | 2023-07-17 | Commission PSD2 review report deadline (cyber resilience of payment systems) | Commission Mandates & Reviews | Art. 58(2) | | 2023-09-11 | ESAs first batch public consultation closes | ESAs Mandates & Deliverables | | | 2023-12-08 | ESAs second batch public consultation opens | ESAs Mandates & Deliverables | | | 2024-01-17 | Deadline: ESAs submit first wave draft RTS/ITS to the Commission | ESAs Mandates & Deliverables | Arts. 15, 16(3), 18(4), 28(9)-(10) | | 2024-03-04 | ESAs second batch public consultation closes | ESAs Mandates & Deliverables | | | 2024-05-30 | Delegated Regs. 2024/1502 and 2024/1505 published in OJ | Delegated & Implementing Acts (OJ) | OJ L, 2024/1502 and 2024/1505, 30.5.2024 | | 2024-06-25 | Delegated Regs. 2024/1772, 2024/1773, 2024/1774 published in OJ | Delegated & Implementing Acts (OJ) | OJ L, 2024/1772, 2024/1773, 2024/1774, 25.6.2024 | | 2024-07-17 | Deadline: ESAs submit draft RTS/ITS for incident reporting content and templates | ESAs Mandates & Deliverables | Art. 20 | | 2024-07-17 | Deadline: ESAs submit draft RTS for TLPT (TIBER-EU framework) | ESAs Mandates & Deliverables | Art. 26(11) | | 2024-07-17 | Deadline: ESAs develop guidelines on annual costs and losses from major incidents | ESAs Mandates & Deliverables | Art. 11(11) | | 2024-07-17 | Deadline: ESAs issue guidelines on oversight cooperation and information exchange | ESAs Mandates & Deliverables | Art. 32(7) | | 2024-07-17 | Deadline: ESAs submit draft RTS on subcontracting assessments | ESAs Mandates & Deliverables | Art. 30(5) | | 2024-07-17 | Deadline: ESAs submit draft RTS enabling the conduct of oversight activities | ESAs Mandates & Deliverables | Art. 41(2) | | 2024-07-17 | ESAs publish second batch of policy products (incl. TLPT RTS) | ESAs Mandates & Deliverables | | | 2024-07-17 | Deadline: Commission delegated act on further criteria for critical ICT third-party designation | Commission Mandates & Reviews | Art. 31(6) | | 2024-07-17 | Deadline: Commission delegated act on oversight fees | Commission Mandates & Reviews | Art. 43(2) | | 2024-11-29 | Oversight Forum mandate (JC_24_93) | CTPP Oversight | | | 2024-12-02 | Implementing Reg. 2024/2956 published in OJ (register templates) | Register of Information | Reg. (EU) 2024/2956 | | 2025-01-16 | Lead Overseer applies sub-criterion for CTPP designation (sub-criterion 1.4) | CTPP Oversight | Delegated Reg. (EU) 2024/1502 Art. 7 | | 2025-01-17 | DORA applies | Applicability | Art. 64 | | 2025-01-17 | EU Hub feasibility report due | ESAs Mandates & Deliverables | Art. 21(3) | | 2025-01-17 | ESAs publish feasibility report on EU Hub centralisation (JC 2024 108) | ESAs Mandates & Deliverables | | | 2025-01-17 | Member States notify penalty and criminal-law measures | National Obligations | Art. 53 | | 2025-01-17 | Application date - Guidelines on oversight cooperation and information exchange | Guidelines (Level 3) | | | 2025-02-20 | Delegated Reg. 2025/301 published in OJ (incident reporting RTS) | Delegated & Implementing Acts (OJ) | OJ L, 2025/301, 20.2.2025 | | 2025-02-20 | Implementing Regulation 2025/302 - incident reporting templates (ITS) | Delegated & Implementing Acts (OJ) | OJ L, 2025/302, 20.2.2025 | | 2025-03-06 | Corrigendum (01) to Delegated Reg. 2024/1774 | Corrigendum | | | 2025-05-15 | Corrigendum (02) to Delegated Reg. 2024/1774 | Corrigendum | | | 2025-05-19 | Application date - Guidelines on costs/losses estimation | Guidelines (Level 3) | | | 2025-06-18 | Delegated Reg. 2025/1190 published in OJ (TLPT RTS) | Delegated & Implementing Acts (OJ) | OJ L, 2025/1190, 18.6.2025 | | 2025-07-02 | Delegated Reg. 2025/532 published in OJ (subcontracting assessments) | Delegated & Implementing Acts (OJ) | Reg. (EU) 2025/532 | | 2025-09-11 | Corrigendum to Implementing Reg. 2025/302 (incident templates) | Corrigendum | | | 2025-09-12 | Corrigendum to Delegated Reg. 2025/301 (non-EN) | Corrigendum | | | 2025-09-19 | Corrigendum to Implementing Reg. 2024/2956 (register templates) | Corrigendum | | | 2025-11-18 | First list of designated CTPPs published | CTPP Oversight | | | 2026-01-17 | Commission review on auditors and audit firms due | Commission Mandates & Reviews | Art. 58(3) | | 2028-01-17 | Commission review of DORA due | Commission Mandates & Reviews | Art. 58(1) | **Event details:** - **2022-12-14 - DORA adopted**: Regulation (EU) 2022/2554 on digital operational resilience for the financial sector is adopted by the European Parliament and the Council (date of the act: 14 December 2022). - **2022-12-27 - DORA published in Official Journal**: Regulation (EU) 2022/2554 is published in the Official Journal of the European Union (OJ L 333, 27.12.2022). - **2022-12-27 - Alignment Directive (EU) 2022/2556 published**: Directive (EU) 2022/2556 is published, aligning sectoral directives with DORA; Member States must transpose it by 17 January 2025. - **2023-01-16 - DORA enters into force**: DORA enters into force on the twentieth day following its publication in the Official Journal (27 December 2022 -> 16 January 2023). - **2023-06-19 - ESAs first batch public consultation opens**: First batch of DORA policy products consultation window opens. - **2023-07-17 - Commission PSD2 review report deadline (cyber resilience of payment systems)**: Within the PSD2 review context, the Commission must submit a report to the European Parliament and Council no later than 17 July 2023 assessing the need for increased cyber resilience of payment systems and payment-processing activities. - **2023-09-11 - ESAs first batch public consultation closes**: Closure of first batch consultation window. - **2023-12-08 - ESAs second batch public consultation opens**: Second batch of DORA policy mandates consultation opens. - **2024-01-17 - Deadline: ESAs submit first wave draft RTS/ITS to the Commission**: Deadline for ESAs (through the Joint Committee) to submit several draft RTS/ITS to the Commission, including RTS on ICT risk management, RTS on the simplified ICT risk management framework, RTS on incident classification (materiality thresholds), and draft ITS/RTS related to the register of information and ICT third-party risk policy. - **2024-03-04 - ESAs second batch public consultation closes**: Closure of second batch consultation window. - **2024-05-30 - Delegated Regs. 2024/1502 and 2024/1505 published in OJ**: Delegated Regulations (EU) 2024/1502 (designation criteria for critical ICT third-party service providers; adopted 22 February 2024) and 2024/1505 (oversight fees; adopted 22 February 2024) are published in the Official Journal. - **2024-06-25 - Delegated Regs. 2024/1772, 2024/1773, 2024/1774 published in OJ**: Delegated Regulations (EU) 2024/1772 (incident classification), 2024/1773 (policy content for ICT third-party contractual arrangements supporting critical/important functions) and 2024/1774 (ICT risk management tools/methods and simplified framework) are published in the Official Journal (all adopted 13 March 2024). - **2024-07-17 - Deadline: ESAs submit draft RTS/ITS for incident reporting content and templates**: Deadline for ESAs (through the Joint Committee, in consultation with ENISA and the ECB) to submit to the Commission draft RTS on incident-report content and time limits, and draft ITS on standard forms/templates/procedures for reporting major ICT-related incidents and notifying significant cyber threats. - **2024-07-17 - Deadline: ESAs submit draft RTS for TLPT (TIBER-EU framework)**: Deadline for ESAs (in agreement with the ECB) to submit to the Commission draft RTS specifying criteria and detailed requirements for threat-led penetration testing (TLPT), including methodology phases, internal testers, and cooperation/mutual recognition aspects. - **2024-07-17 - Deadline: ESAs develop guidelines on annual costs and losses from major incidents**: Deadline for ESAs (through the Joint Committee) to develop common guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents. - **2024-07-17 - Deadline: ESAs issue guidelines on oversight cooperation and information exchange**: Deadline for ESAs to issue guidelines on cooperation between ESAs and competent authorities under the CTPP oversight framework, including task allocation/execution procedures and information-exchange details needed for follow-up of Lead Overseer recommendations. - **2024-07-17 - Deadline: ESAs submit draft RTS on subcontracting assessments**: Deadline for ESAs (through the Joint Committee) to submit to the Commission draft RTS specifying further which elements a financial entity needs to determine and assess when subcontracting ICT services supporting critical or important functions. - **2024-07-17 - Deadline: ESAs submit draft RTS enabling the conduct of oversight activities**: Deadline for ESAs (through the Joint Committee) to submit to the Commission draft RTS specifying harmonised conditions enabling the conduct of oversight activities for critical ICT third-party service providers (including information requests, reporting, and Joint Examination Team arrangements). - **2024-07-17 - ESAs publish second batch of policy products (incl. TLPT RTS)**: ESAs publish the second batch of DORA policy products, including the TLPT RTS and the draft RTS/ITS for incident reporting. - **2024-07-17 - Deadline: Commission delegated act on further criteria for critical ICT third-party designation**: Deadline for the Commission to adopt a delegated act supplementing DORA by specifying further the criteria for the designation of ICT third-party service providers as critical for financial entities (implemented via Delegated Regulation (EU) 2024/1502 of 22 February 2024; OJ publication 30 May 2024). - **2024-07-17 - Deadline: Commission delegated act on oversight fees**: Deadline for the Commission to adopt a delegated act determining the amount of the oversight fees to be paid by critical ICT third-party service providers and the way those fees are to be paid (implemented via Delegated Regulation (EU) 2024/1505 of 22 February 2024; OJ publication 30 May 2024). - **2024-11-29 - Oversight Forum mandate (JC_24_93)**: Mandate of the Oversight Forum as a Joint Committee Sub-Committee of the European Supervisory Authorities (JC 2024 93, dated 29 November 2024). - **2024-12-02 - Implementing Reg. 2024/2956 published in OJ (register templates)**: Implementing Regulation (EU) 2024/2956 is published, laying down implementing technical standards establishing standard templates for the register of information. - **2025-01-16 - Lead Overseer applies sub-criterion for CTPP designation (sub-criterion 1.4)**: Under Delegated Regulation (EU) 2024/1502, the Lead Overseer applies sub-criterion 1.4 for the criticality assessment of ICT third-party service providers as of 16 January 2025. - **2025-01-17 - DORA applies**: DORA applies from 17 January 2025. - **2025-01-17 - EU Hub feasibility report due**: ESAs joint report assessing the feasibility of further centralisation of incident reporting through a single EU Hub is due to the European Parliament, Council and Commission by 17 January 2025. - **2025-01-17 - ESAs publish feasibility report on EU Hub centralisation (JC 2024 108)**: ESAs publish their joint report on the feasibility of further centralising reporting of major ICT-related incidents through a single EU Hub (DORA Art. 21). - **2025-01-17 - Member States notify penalty and criminal-law measures**: Member States must notify the Commission, ESMA, EBA and EIOPA of laws/regulations implementing the chapter on administrative penalties (and any relevant criminal law provisions) by 17 January 2025. - **2025-01-17 - Application date - Guidelines on oversight cooperation and information exchange**: Joint Guidelines application date for oversight cooperation and information exchange. - **2025-02-20 - Delegated Reg. 2025/301 published in OJ (incident reporting RTS)**: Delegated Regulation (EU) 2025/301 (adopted 23 October 2024) specifies the content and time limits for the initial notification, and intermediate and final reports on, major ICT-related incidents, and the content of voluntary notifications of significant cyber threats. - **2025-02-20 - Implementing Regulation 2025/302 - incident reporting templates (ITS)**: Implementing Regulation (EU) 2025/302 (adopted 23 October 2024) lays down implementing technical standards establishing the standard forms, templates and procedures for reporting major ICT-related incidents and notifying significant cyber threats, including use under transitional arrangements pending any EU Hub implementation (OJ publication 20 February 2025; earlier drafts sometimes used month-level dating). - **2025-03-06 - Corrigendum (01) to Delegated Reg. 2024/1774**: First corrigendum to Delegated Regulation (EU) 2024/1774 (ICT risk management) published. - **2025-05-15 - Corrigendum (02) to Delegated Reg. 2024/1774**: Second corrigendum to Delegated Regulation (EU) 2024/1774 (ICT risk management) published. - **2025-05-19 - Application date - Guidelines on costs/losses estimation**: Application date for the costs/losses Guidelines. - **2025-06-18 - Delegated Reg. 2025/1190 published in OJ (TLPT RTS)**: Delegated Regulation (EU) 2025/1190 (adopted 13 February 2025) specifies RTS on criteria and detailed requirements for threat-led penetration testing (TLPT). - **2025-07-02 - Delegated Reg. 2025/532 published in OJ (subcontracting assessments)**: Delegated Regulation (EU) 2025/532 is published, specifying elements to determine and assess when subcontracting ICT services supporting critical or important functions. - **2025-09-11 - Corrigendum to Implementing Reg. 2025/302 (incident templates)**: Corrigendum to Implementing Regulation (EU) 2025/302 published. - **2025-09-12 - Corrigendum to Delegated Reg. 2025/301 (non-EN)**: Corrigendum to Delegated Regulation (EU) 2025/301 published; OJ note indicates it does not concern the English version. - **2025-09-19 - Corrigendum to Implementing Reg. 2024/2956 (register templates)**: Corrigendum to Implementing Regulation (EU) 2024/2956 published. - **2025-11-18 - First list of designated CTPPs published**: The European Supervisory Authorities publish the first list of designated critical ICT third-party service providers (CTPPs). - **2026-01-17 - Commission review on auditors and audit firms due**: Commission must review and submit a report (and, where appropriate, a legislative proposal) on strengthened digital operational resilience requirements for statutory auditors and audit firms by 17 January 2026. - **2028-01-17 - Commission review of DORA due**: Commission must review DORA and submit a report (and, where appropriate, a legislative proposal) by 17 January 2028. ## EU CRA Timeline | Date | Event | Category | Reference | | --- | --- | --- | --- | | 2021-09-15 | CRA announced in State of the Union | Legislative History | SOTEU 2021 | | 2021-09-16 | Commission explainer on the CRA (quotes SOTEU speech) | Legislative History | | | 2022-03-16 | Public consultation | Legislative History | | | 2022-09-15 | Commission proposal published | Legislative History | COM(2022) 454 | | 2023-06-08 | Council general approach | Legislative History | | | 2023-07-19 | Council common position | Legislative History | | | 2023-07-19 | EP ITRE Committee adopts report | Legislative History | | | 2023-09-01 | Parliament enters interinstitutional negotiations | Legislative History | | | 2023-11-30 | Political agreement reached | Legislative History | | | 2023-12-01 | Parliament press release on political agreement | Legislative History | | | 2024-03-12 | Parliament plenary adoption | Legislative History | P9_TA(2024)0130 | | 2024-10-10 | Council formal adoption | Legislative History | | | 2024-10-23 | Act date | Official Publication | Reg. (EU) 2024/2847 | | 2024-11-20 | Published in Official Journal | Official Publication | OJ L 2024/2847 | | 2024-12-05 | Corrigendum: editorial title fix | Corrigendum | | | 2024-12-10 | Entry into force | Applicability | Art. 71(1) | | 2024-12-10 | Delegated powers conferred (5-year period begins) | Delegated & Implementing Acts | Art. 61(2) | | 2025-02-03 | Standardisation request M/606 adopted | Standardisation | C(2025) 618 | | 2025-04-03 | M/606 officially accepted by CEN-CENELEC | Standardisation | M/606 | | 2025-07-02 | Corrigendum: Art. 64(10) cross-reference | Corrigendum | Art. 64(10) | | 2025-07-29 | Delegated Reg. 2025/1535 adopted | Delegated & Implementing Acts | Reg. (EU) 2025/1535 | | 2025-10-03 | Corrigendum: Annex I language fix | Corrigendum | Annex I | | 2025-10-17 | Corrigendum: Art. 67 numbering | Corrigendum | Art. 67 | | 2025-10-29 | Delegated Reg. 2025/1535 published in OJ | Delegated & Implementing Acts | OJ L 2025/1535 | | 2025-11-18 | Delegated Reg. 2025/1535 enters into force | Delegated & Implementing Acts | Reg. (EU) 2025/1535 | | 2025-11-28 | Implementing Reg. 2025/2392 adopted | Delegated & Implementing Acts | Reg. (EU) 2025/2392 | | 2025-12-01 | Implementing Reg. 2025/2392 published in OJ | Delegated & Implementing Acts | OJ L 2025/2392 | | 2025-12-11 | Delegated act on CSIRT notification delays | Delegated & Implementing Acts | Art. 16(2) | | 2025-12-11 | Delegated act record published on EUR-Lex | Delegated & Implementing Acts | C(2025) 8407 | | 2025-12-21 | Implementing Reg. 2025/2392 enters into force | Delegated & Implementing Acts | Reg. (EU) 2025/2392 | | 2026-03-03 | Draft CRA guidance published for feedback | Commission Deliverables | | | 2026-03-31 | Feedback closes on draft CRA guidance | Commission Deliverables | | | 2026-06-11 | Chapter IV applies: notified bodies | Conformity Assessment | Art. 35-51 | | 2026-06-11 | Notified bodies listed on NANDO/SMCS (as they are designated) | Conformity Assessment | | | 2026-09-11 | Vulnerability reporting obligations apply | Vulnerability Reporting | Art. 14 | | 2026-09-11 | CRA reporting deadlines (24h / 72h / 14d / 1 month) | Vulnerability Reporting | | | 2026-09-11 | Open-source software stewards: reporting obligations apply (conditional) | Vulnerability Reporting | Art. 24(3), Art. 14 | | 2026-09-11 | Single Reporting Platform operational by this date | Commission Deliverables | | | 2027-12-11 | CRA applies in full | Applicability | Art. 71(2) | | 2027-12-11 | Legacy products: substantial modification rule | Applicability | | | 2027-12-11 | Economic operators obligations apply (importers, distributors, authorised representatives) | Applicability | Arts. 18-21 | | 2027-12-11 | Open-source software stewards: Article 24 obligations apply | Applicability | Art. 24(1)-(2) | | 2029-12-10 | End of initial 5-year delegation period (unless extended) | Delegated & Implementing Acts | Art. 61(2) | **Event details:** - **2021-09-15 - CRA announced in State of the Union**: President von der Leyen announces the CRA in the State of the Union address: 'including legislation on common standards under a new European Cyber Resilience Act.' - **2021-09-16 - Commission explainer on the CRA (quotes SOTEU speech)**: Commission explainer page published the day after SOTEU highlights the CRA and quotes the speech's CRA passage. - **2022-03-16 - Public consultation**: Commission launches CRA public consultation, open 16 March to 25 May 2022. - **2022-09-15 - Commission proposal published**: Commission presents the CRA proposal COM(2022) 454 final. - **2023-06-08 - Council general approach**: Council reaches its 'general approach' (negotiating mandate) on the CRA at the JHA Council meeting. - **2023-07-19 - Council common position**: Member States agree a common position on security requirements for digital products. - **2023-07-19 - EP ITRE Committee adopts report**: EP ITRE Committee adopts its report/position on the CRA. - **2023-09-01 - Parliament enters interinstitutional negotiations**: Parliament confirms its committee decision to enter interinstitutional (trilogue) negotiations in September 2023. - **2023-11-30 - Political agreement reached**: Council and Parliament reach provisional political agreement on the CRA. - **2023-12-01 - Parliament press release on political agreement**: European Parliament press release on the agreement reached with the Council to boost digital products security. - **2024-03-12 - Parliament plenary adoption**: European Parliament adopts the CRA in plenary: 517 in favour, 12 against, 78 abstentions. - **2024-10-10 - Council formal adoption**: Council formally adopts the Cyber Resilience Act. - **2024-10-23 - Act date**: Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 (Cyber Resilience Act) is signed. - **2024-11-20 - Published in Official Journal**: CRA published in the Official Journal of the European Union (OJ L 2024/2847, 20.11.2024). - **2024-12-05 - Corrigendum: editorial title fix**: First corrigendum: corrects '(EU) No 2019/1020' to '(EU) 2019/1020' in the regulation title. - **2024-12-10 - Entry into force**: CRA enters into force on the 20th day following OJ publication (20 Nov + 20 days = 10 Dec 2024). - **2024-12-10 - Delegated powers conferred (5-year period begins)**: Delegation of power to the Commission is conferred for a period of five years from 10 December 2024, with tacit extensions unless opposed. - **2025-02-03 - Standardisation request M/606 adopted**: Commission adopts CRA standardisation request M/606 containing 41 standards. Accepted by CEN, CENELEC, and ETSI on 3 April 2025. - **2025-04-03 - M/606 officially accepted by CEN-CENELEC**: CEN-CENELEC officially accepted the CRA standardisation request on 3 April 2025. - **2025-07-02 - Corrigendum: Art. 64(10) cross-reference**: Corrigendum fixes Article 64(10): 'paragraphs 3 to 9' corrected to 'paragraphs 2 to 9'. - **2025-07-29 - Delegated Reg. 2025/1535 adopted**: Commission excludes most L-category vehicle products from CRA scope (exception for L1e pedal-designed). OJ publication 29 Oct 2025; enters into force 20 days later. - **2025-10-03 - Corrigendum: Annex I language fix**: Corrigendum fixes FR/HU language wording in Annex I, Part I, paragraph 2, point (c). - **2025-10-17 - Corrigendum: Art. 67 numbering**: Corrigendum fixes numbering reference in Article 67: '69' corrected to '72'. - **2025-10-29 - Delegated Reg. 2025/1535 published in OJ**: Delegated Regulation (EU) 2025/1535 is published in the Official Journal on 29 October 2025. - **2025-11-18 - Delegated Reg. 2025/1535 enters into force**: Delegated Regulation (EU) 2025/1535 enters into force on the twentieth day following its OJ publication. - **2025-11-28 - Implementing Reg. 2025/2392 adopted**: Commission adopts technical descriptions for Annex III/IV product categories (important and critical products). OJ publication 1 Dec 2025; enters into force 20 days later. - **2025-12-01 - Implementing Reg. 2025/2392 published in OJ**: Implementing Regulation (EU) 2025/2392 is published in the Official Journal on 1 December 2025. - **2025-12-11 - Delegated act on CSIRT notification delays**: Commission adopts delegated act specifying terms and conditions for delaying dissemination of vulnerability notifications by CSIRTs under Article 16(2). - **2025-12-11 - Delegated act record published on EUR-Lex**: EUR-Lex record for the Commission delegated act concerning Article 16(2) conditions for CSIRTs delaying dissemination to other CSIRTs. - **2025-12-21 - Implementing Reg. 2025/2392 enters into force**: Implementing Regulation (EU) 2025/2392 enters into force on the twentieth day following its OJ publication. - **2026-03-03 - Draft CRA guidance published for feedback**: Commission publishes draft CRA guidance for stakeholder feedback, clarifying scope, remote data processing, free and open-source software, support periods, and interplay with other EU law. - **2026-03-31 - Feedback closes on draft CRA guidance**: The stakeholder feedback period on the Commission's draft CRA guidance closes on 31 March 2026. - **2026-06-11 - Chapter IV applies: notified bodies**: CRA Chapter IV (Articles 35-51) on notification of conformity assessment bodies begins to apply. - **2026-06-11 - Notified bodies listed on NANDO/SMCS (as they are designated)**: From the Chapter IV applicability date, conformity assessment bodies can be notified under the CRA framework and, once notified, will appear in the Commission's NANDO/SMCS notified bodies list for the CRA. - **2026-09-11 - Vulnerability reporting obligations apply**: Article 14 (vulnerability and incident reporting) applies. Manufacturers must report actively exploited vulnerabilities and severe incidents via ENISA's Single Reporting Platform. - **2026-09-11 - CRA reporting deadlines (24h / 72h / 14d / 1 month)**: From the Article 14 applicability date, incident/vulnerability notifications follow operational time limits (early warning within 24 hours of awareness; full notification within 72 hours; final report timelines depending on case, such as 14 days or 1 month). - **2026-09-11 - Open-source software stewards: reporting obligations apply (conditional)**: Open-source software stewards are subject to Article 14(1) (and, where applicable, Article 14(3) and (8)) to the extent they are involved in development, from the date Article 14 applies. - **2026-09-11 - Single Reporting Platform operational by this date**: Commission states ENISA's Single Reporting Platform (SRP) will be operational by 11 September 2026 to support CRA vulnerability and incident reporting. - **2027-12-11 - CRA applies in full**: General application date: the CRA applies in full from 11 December 2027. - **2027-12-11 - Legacy products: substantial modification rule**: Products placed on the EU market before 11 December 2027 are subject to CRA product requirements only if, from that date, they undergo a substantial modification; reporting obligations still apply from the earlier reporting applicability date. - **2027-12-11 - Economic operators obligations apply (importers, distributors, authorised representatives)**: From the general CRA application date, authorised representatives, importers, and distributors must comply with their CRA obligations; in certain cases (e.g., own-branding or substantial modification) importers/distributors are treated as manufacturers. - **2027-12-11 - Open-source software stewards: Article 24 obligations apply**: Open-source software stewards must have a verifiable cybersecurity policy for secure development and vulnerability handling, and cooperate with market surveillance authorities (subject to CRA scope). - **2029-12-10 - End of initial 5-year delegation period (unless extended)**: The initial five-year period for the Commission's delegated powers runs until 10 December 2029, subject to tacit extensions unless opposed. ## EU Data Act Timeline | Date | Event | Category | Reference | | --- | --- | --- | --- | | 2023-11-09 | European Parliament position adopted | Legislative History | | | 2023-11-27 | Council decision adopted | Legislative History | | | 2023-12-13 | Regulation adopted (Data Act) | Legislative History | | | 2023-12-22 | Published in Official Journal | Official Publication | | | 2024-01-11 | Entry into force | Official Publication | | | 2024-01-11 | Reduced switching charges period | Cloud Switching | Art. 29(2) | | 2024-01-11 | Delegated powers conferred | Commission Deliverables | Art. 45(2) | | 2024-09-06 | Commission publishes Data Act FAQs | Commission Deliverables | | | 2025-07-01 | Commission standardisation request (European Trusted Data Framework) | Standardisation | | | 2025-07-07 | CEN and CENELEC accept the standardisation request (Mandate M/614) | Standardisation | | | 2025-09-12 | Data Act applies | Applicability | | | 2025-09-12 | Member States notify penalties rules | Member State Duties | Art. 40(2) | | 2025-09-12 | Model contractual terms and cloud clauses deadline | Commission Deliverables | Art. 41 | | 2025-09-15 | Commission guidance on vehicle data (C/2025/5026) | Commission Deliverables | | | 2025-12-16 | Commission launches Data Act legal helpdesk | Commission Deliverables | | | 2026-01-22 | Data Act FAQs updated (v1.4) | Commission Deliverables | | | 2026-03-01 | Data catalogue technical specification deadline | Standardisation | | | 2026-06-01 | Trusted data transactions standards Part 1 deadline | Standardisation | | | 2026-09-01 | European Trusted Data Framework deliverables deadline | Standardisation | | | 2026-09-12 | Connected product access-by-design obligations | Applicability | | | 2026-11-01 | Trusted data transactions standards Part 2 deadline | Standardisation | | | 2027-01-12 | Switching charges prohibited | Cloud Switching | Art. 29(1) | | 2027-03-01 | Internal data governance quality framework standard deadline | Standardisation | | | 2027-05-01 | Trusted data transactions standards Part 3 deadline | Standardisation | | | 2027-09-12 | Chapter IV extends to older contracts | Applicability | | | 2028-09-12 | Commission evaluation report deadline | Commission Deliverables | Art. 49(1) | **Event details:** - **2023-11-09 - European Parliament position adopted**: The Regulation records the European Parliament position of 9 November 2023 in the legislative history footnote. - **2023-11-27 - Council decision adopted**: The Regulation records the Council decision of 27 November 2023 in the legislative history footnote. - **2023-12-13 - Regulation adopted (Data Act)**: Regulation (EU) 2023/2854 is adopted and signed in Strasbourg. - **2023-12-22 - Published in Official Journal**: Regulation (EU) 2023/2854 is published in the Official Journal (OJ L, 2023/2854, 22.12.2023). - **2024-01-11 - Entry into force**: The Data Act enters into force on the twentieth day following publication in the Official Journal. - **2024-01-11 - Reduced switching charges period**: From 11 January 2024 to 12 January 2027, providers of data processing services may impose reduced switching charges for the switching process. - **2024-01-11 - Delegated powers conferred**: The Commission is conferred the power to adopt delegated acts for an indeterminate period of time from 11 January 2024 for specified delegated powers under the Regulation. - **2024-09-06 - Commission publishes Data Act FAQs**: The Commission publishes Frequently Asked Questions about the Data Act to support implementation. - **2025-07-01 - Commission standardisation request (European Trusted Data Framework)**: Commission Implementing Decision of 1 July 2025 issues a standardisation request to CEN, CENELEC and ETSI in support of the Data Act (C(2025) 4135 final). - **2025-07-07 - CEN and CENELEC accept the standardisation request (Mandate M/614)**: CEN and CENELEC accept the Commission standardisation request on the European Trusted Data Framework (Mandate M/614). - **2025-09-12 - Data Act applies**: The Data Act applies from 12 September 2025. - **2025-09-12 - Member States notify penalties rules**: Member States notify the Commission of penalties rules and measures by 12 September 2025. - **2025-09-12 - Model contractual terms and cloud clauses deadline**: Before 12 September 2025, the Commission develops and recommends non-binding model contractual terms on data access and use and non-binding standard contractual clauses for cloud computing contracts. - **2025-09-15 - Commission guidance on vehicle data (C/2025/5026)**: The Commission publishes guidance on vehicle data accompanying the Data Act (OJ C, 15.9.2025). - **2025-12-16 - Commission launches Data Act legal helpdesk**: The Commission launches a Data Act Legal Helpdesk to support stakeholders with practical implementation questions. - **2026-01-22 - Data Act FAQs updated (v1.4)**: The Commission updates the Data Act FAQs page and publishes FAQs Data Act version 1.4 dated 22 January 2026. - **2026-03-01 - Data catalogue technical specification deadline**: Deadline for adoption of technical specification(s) on a data catalogue implementation framework (Annex I). - **2026-06-01 - Trusted data transactions standards Part 1 deadline**: Deadline for adoption of harmonised standards on Trusted Data Transactions Part 1: terminology, concepts and mechanisms (Annex I). - **2026-09-01 - European Trusted Data Framework deliverables deadline**: Deadline for adoption of technical specification(s) on semantic assets and technical specification(s) on a maturity model for Common European Data Spaces (Annex I). - **2026-09-12 - Connected product access-by-design obligations**: The obligation resulting from Article 3(1) applies to connected products and related services placed on the market after 12 September 2026. - **2026-11-01 - Trusted data transactions standards Part 2 deadline**: Deadline for adoption of harmonised standards on Trusted Data Transactions Part 2: trustworthiness requirements (Annex I). - **2027-01-12 - Switching charges prohibited**: From 12 January 2027, providers of data processing services shall not impose any switching charges on the customer for the switching process. - **2027-03-01 - Internal data governance quality framework standard deadline**: Deadline for adoption of the European standard on a quality framework for internal data governance (Annex I). - **2027-05-01 - Trusted data transactions standards Part 3 deadline**: Deadline for adoption of harmonised standards on Trusted Data Transactions Part 3: interoperability requirements (Annex I). - **2027-09-12 - Chapter IV extends to older contracts**: Chapter IV applies from 12 September 2027 to certain contracts concluded on or before 12 September 2025 (indefinite duration or expiring at least 10 years from 11 January 2024). - **2028-09-12 - Commission evaluation report deadline**: By 12 September 2028, the Commission carries out an evaluation of the Regulation and submits a report to the European Parliament and the Council. ## AU Cyber Security Act Timeline | Date | Event | Category | Reference | | --- | --- | --- | --- | | 2021-12-02 | SLACI Act 2021 commences (SOCI reforms - tranche 1) | SOCI Act Context | | | 2021-12-15 | SLACIP Bill exposure-draft consultation window | Policy & Consultation | | | 2022-02-04 | SLACIP Bill exposure-draft: final Town Hall held | Policy & Consultation | | | 2022-02-10 | SLACIP Bill introduced and referred to PJCIS | Legislative Process | | | 2022-03-25 | PJCIS advisory report published (SLACIP Bill) | Legislative Process | | | 2022-04-01 | SLACIP Act 2022 made (Federal Register date) | SOCI Act Context | | | 2022-04-02 | SLACIP Act 2022 comes into effect (SOCI reforms - tranche 2) | SOCI Act Context | | | 2022-04-08 | SOCI Application Rules (LIN 22/026) come into effect | SOCI Act Context | | | 2022-07-07 | Telecommunications assets: Cyber Reporting compliance date (Telecommunications Act context) | SOCI Act Context | | | 2022-09-09 | Protected Information guidance (consultation draft v1) | Guidance (Non-binding) | | | 2022-10-05 | RMP Rules consultation window (SOCI reforms) | Policy & Consultation | | | 2022-10-07 | Telecommunications assets: Register compliance date (Telecommunications Act context) | SOCI Act Context | | | 2022-11-03 | Draft Risk Management Program Guidance (consultation draft v2) | Guidance (Non-binding) | | | 2023-02-16 | CIRMP Rules (LIN 23/006) as made (F2023L00112) | SOCI Act Context | | | 2023-02-27 | Australian Cyber Security Strategy consultation window | Policy & Consultation | | | 2023-11-22 | Smart device standards: Impact Analysis published | Policy & Consultation | | | 2023-12-19 | Cyber Security legislative reforms consultation window | Policy & Consultation | | | 2024-10-09 | Minister's second reading speech (House of Representatives) | Legislative Process | | | 2024-11-25 | Minister's second reading speech (Senate) | Legislative Process | | | 2024-11-29 | Cyber Security Act 2024 receives Royal Assent | Cyber Security Act 2024 | | | 2024-11-30 | Act commences: Parts 1, 4, 6 and 7 | Commencement & Application | | | 2024-12-16 | Draft Cyber Security Act Rules consultation window | Policy & Consultation | | | 2025-02-27 | Cyber Security Act Rules are made (dated) | Subordinate Rules (2025) | | | 2025-03-03 | CIRB Rules registered (F2025L00277) | Subordinate Rules (2025) | | | 2025-03-03 | Ransomware Payment Reporting Rules registered (F2025L00278) | Subordinate Rules (2025) | | | 2025-03-04 | Smart Devices Rules registered; Part 1 commences (F2025L00276) | Subordinate Rules (2025) | | | 2025-03-27 | Smart device standards: Supplementary Explanatory Statement registered | Policy & Consultation | | | 2025-04-03 | CIRMP Rules: as-made version end date (superseded) | SOCI Act Context | | | 2025-04-04 | SOCI Application Rules: April 2025 compilation/version date | SOCI Act Context | | | 2025-05-29 | Act commences: Part 3 (ransomware payment reporting) (backstop date) | Commencement & Application | Part 3; s.27 | | 2025-05-29 | Ransomware Payment Reporting Rules commence (F2025L00278) (aligned to Part 3) | Commencement & Application | | | 2025-05-29 | Act commences: Part 5 (Cyber Incident Review Board) (backstop date) | Commencement & Application | | | 2025-05-29 | CIRB Rules commence (F2025L00277) (aligned to Part 5) | Commencement & Application | | | 2025-11-29 | Act commences: Part 2 (smart device security standards framework) (backstop date) | Commencement & Application | | | 2026-01-28 | Compiled Act: replaced authorised version registered | Cyber Security Act 2024 | | | 2026-03-04 | Smart Devices Rules substantive obligations commence (Part 2 and Schedule 1) | Commencement & Application | | | 2027-12-01 | Statutory review can begin (PJCIS) | Statutory Review | s.88 | **Event details:** - **2021-12-02 - SLACI Act 2021 commences (SOCI reforms - tranche 1)**: Home Affairs describes the Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI Act) as the first tranche of reforms to the SOCI Act, commencing from 2 December 2021. - **2021-12-15 - SLACIP Bill exposure-draft consultation window**: Home Affairs records an exposure-draft consultation period for the SLACIP Bill and accompanying draft Explanatory Document running from 15 December 2021 until Tuesday 1 February 2022. - **2022-02-04 - SLACIP Bill exposure-draft: final Town Hall held**: Home Affairs notes a final Town Hall was held on 4 February 2022 following the closure of submissions on the SLACIP Bill exposure draft. - **2022-02-10 - SLACIP Bill introduced and referred to PJCIS**: Home Affairs records that the Minister for Home Affairs introduced the SLACIP Bill to Parliament and referred it to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) on 10 February 2022. - **2022-03-25 - PJCIS advisory report published (SLACIP Bill)**: Home Affairs notes that the PJCIS published its advisory report on the SLACIP Bill on 25 March 2022. - **2022-04-01 - SLACIP Act 2022 made (Federal Register date)**: The Federal Register of Legislation entry for the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (C2022A00033) shows a date of 1 April 2022 (as-made Act entry). - **2022-04-02 - SLACIP Act 2022 comes into effect (SOCI reforms - tranche 2)**: Home Affairs records that the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act) came into effect on 2 April 2022. - **2022-04-08 - SOCI Application Rules (LIN 22/026) come into effect**: Draft Risk Management Program Guidance states that the Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022 came into effect on 8 April 2022, outlining asset classes required to comply with Mandatory Cyber Incident Reporting and certain Register reporting requirements. - **2022-07-07 - Telecommunications assets: Cyber Reporting compliance date (Telecommunications Act context)**: Draft Risk Management Program Guidance notes that telecommunications assets comply with Cyber Reporting from 7 July 2022 under the Telecommunications Act 1997. - **2022-09-09 - Protected Information guidance (consultation draft v1)**: Protected Information Guidance Material for industry is marked as a consultation draft (v1) and states it is current "as at 9 September 2022". - **2022-10-05 - RMP Rules consultation window (SOCI reforms)**: Draft Risk Management Program Guidance states the consultation period for the draft risk management program (RMP) rules was 45 days, from 5 October 2022 to 18 November 2022. - **2022-10-07 - Telecommunications assets: Register compliance date (Telecommunications Act context)**: Draft Risk Management Program Guidance notes that telecommunications assets comply with the Register from 7 October 2022 under the Telecommunications Act 1997. - **2022-11-03 - Draft Risk Management Program Guidance (consultation draft v2)**: Draft Risk Management Program Guidance is marked as a consultation draft (v2) and states it is current "as at 03 November 2022". - **2023-02-16 - CIRMP Rules (LIN 23/006) as made (F2023L00112)**: Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023 appear on the Federal Register of Legislation as an as-made version dated 16 February 2023 (F2023L00112). - **2023-02-27 - Australian Cyber Security Strategy consultation window**: Smart Devices Rules Explanatory Statement references the Australian Government consultation on the 2023-2030 Australian Cyber Security Strategy running from 27 February 2023 to 15 April 2023. - **2023-11-22 - Smart device standards: Impact Analysis published**: Impact Analysis Addendum for smart device standards states that the Department of Home Affairs published an Impact Analysis on mandatory security standards and an industry-led voluntary cyber security labelling scheme on 22 November 2023. - **2023-12-19 - Cyber Security legislative reforms consultation window**: Smart Devices Rules Explanatory Statement records that, on 19 December 2023, the Minister released the "Australian Cyber Security Strategy: Cyber Security Legislative Reforms Consultation Paper" and that consultation remained open until 1 March 2024. - **2024-10-09 - Minister's second reading speech (House of Representatives)**: The Act records that the Minister's second reading speech was made in the House of Representatives on 9 October 2024. - **2024-11-25 - Minister's second reading speech (Senate)**: The Act records that the Minister's second reading speech was made in the Senate on 25 November 2024. - **2024-11-29 - Cyber Security Act 2024 receives Royal Assent**: Cyber Security Act 2024 (No. 98, 2024) receives Royal Assent on 29 November 2024. - **2024-11-30 - Act commences: Parts 1, 4, 6 and 7**: Commencement table: Part 1 (and provisions not otherwise covered), Part 4 (coordination of significant cyber security incidents), and Parts 6-7 (regulatory powers and miscellaneous) commence the day after Royal Assent (30 November 2024). - **2024-12-16 - Draft Cyber Security Act Rules consultation window**: Explanatory Statements record that the draft Rules package was published on the Department's website on 16 December 2024 and closed for submissions on 14 February 2025. - **2025-02-27 - Cyber Security Act Rules are made (dated)**: The three Cyber Security Act Rules instruments are dated 27 February 2025 (Smart Devices Rules; Cyber Incident Review Board Rules; Ransomware Payment Reporting Rules). Registration dates follow in early March 2025. - **2025-03-03 - CIRB Rules registered (F2025L00277)**: Cyber Security (Cyber Incident Review Board) Rules 2025 are registered on 3 March 2025. The instrument commences later of the day after registration and the commencement of Act Part 5. - **2025-03-03 - Ransomware Payment Reporting Rules registered (F2025L00278)**: Cyber Security (Ransomware Payment Reporting) Rules 2025 are registered on 3 March 2025. The instrument commences later of the day after registration and the commencement of Act Part 3. - **2025-03-04 - Smart Devices Rules registered; Part 1 commences (F2025L00276)**: Cyber Security (Security Standards for Smart Devices) Rules 2025 are registered on 4 March 2025. The commencement table provides that Part 1 commences on registration, while Part 2 and Schedule 1 have a delayed commencement (4 March 2026). - **2025-03-27 - Smart device standards: Supplementary Explanatory Statement registered**: The smart device standards Impact Analysis (Supplementary Explanatory Statement) is an authorised version registered on 27 March 2025 in connection with F2025L00276. - **2025-04-03 - CIRMP Rules: as-made version end date (superseded)**: The Federal Register of Legislation page for F2023L00112 shows the as-made version dated 16 February 2023 and indicates it is superseded, with the as-made version running until 3 April 2025. - **2025-04-04 - SOCI Application Rules: April 2025 compilation/version date**: The Federal Register metadata for the SOCI Application Rules references an April 2025 compilation (F2025C00404) and links to a 4 April 2025 version in the legislation history/amendment history. - **2025-05-29 - Act commences: Part 3 (ransomware payment reporting) (backstop date)**: Commencement table provides for commencement by proclamation, with an automatic commencement if not commenced within 6 months of Royal Assent. The published commencement table includes 29 May 2025 as the backstop date for Part 3. Part 3 imposes the 72-hour ransomware payment reporting obligation for reporting business entities; the 2025 Rules specify (among other details) the $3 million turnover threshold and report content requirements. - **2025-05-29 - Ransomware Payment Reporting Rules commence (F2025L00278) (aligned to Part 3)**: Commencement clause: the whole instrument commences later of the day after registration and the commencement of Act Part 3; the backstop commencement date for Part 3 is 29 May 2025. - **2025-05-29 - Act commences: Part 5 (Cyber Incident Review Board) (backstop date)**: Commencement table provides for commencement by proclamation, with an automatic commencement if not commenced within 6 months of Royal Assent. The published commencement table includes 29 May 2025 as the backstop date for Part 5. - **2025-05-29 - CIRB Rules commence (F2025L00277) (aligned to Part 5)**: Commencement clause: the whole instrument commences later of the day after registration and the commencement of Act Part 5; the backstop commencement date for Part 5 is 29 May 2025. - **2025-11-29 - Act commences: Part 2 (smart device security standards framework) (backstop date)**: Commencement table provides for commencement by proclamation, with an automatic commencement if not commenced within 12 months of Royal Assent. The published commencement table includes 29 November 2025 as the backstop date for Part 2 (security standards for smart devices). - **2026-01-28 - Compiled Act: replaced authorised version registered**: The Act text indicates a replaced authorised version was registered on 28 January 2026 (compiled version reference). - **2026-03-04 - Smart Devices Rules substantive obligations commence (Part 2 and Schedule 1)**: Commencement table: Part 2 and Schedule 1 of the Smart Devices Rules commence on 4 March 2026 (12-month delayed commencement). This is when the mandatory security standards, statement-of-compliance requirements (including 5-year retention period), and defined support-period rules take effect for covered products. - **2027-12-01 - Statutory review can begin (PJCIS)**: The Parliamentary Joint Committee on Intelligence and Security may review the operation, effectiveness and implications of the Act, so long as it begins the review as soon as practicable after 1 December 2027. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/global/regulatory-universal-timelines