EU financial regulation calendar: key deadlines for 2025 and 2026
A forward-looking timeline of EU financial regulation implementation dates, supervisory milestones, and consultation periods. Updated for 2025 and 2026.
How to use this calendar
A compliance calendar is only useful if it tells you what to do with a date, not just what the date is. This article is structured around that distinction. Each entry states the deadline, identifies who it affects, and notes the practical implication, the action that a compliance professional, fintech founder, or boutique investor should be taking now.
The calendar covers EU financial regulation: MiCA, DORA, AIFMD II, EMIR 3, PSD3, and the EU AI Act as it applies to financial services. It does not cover every RTS consultation or minor technical standard. It covers the deadlines that carry real operational or legal consequences for firms in scope.
Dates marked as confirmed are drawn from published regulations and official supervisory body communications. Dates marked as expected reflect announced intentions that had not yet been codified at time of publication. The distinction matters: expect the expected dates to shift.
2025: the foundation year
January 2025 — DORA applies in full
DORA, the Digital Operational Resilience Act, became enforceable on 17 January 2025. ICT risk management frameworks, incident reporting obligations, digital operational resilience testing, and third-party ICT risk management requirements all applied from this date across banks, investment firms, insurers, crypto-asset service providers, and their critical ICT third-party providers.
Who is affected: The full scope of regulated financial entities in the EU, and any ICT service provider classified as critical under the DORA oversight framework.
Practical implication: 2025 was the grace year. Supervisors focused on education and remediation rather than enforcement. That window has closed. In 2026, regulators in France, Spain, and other member states are conducting active examinations and firms should expect audit activity to increase significantly.
February 2025 — EU AI Act: prohibited practices in force
From 2 February 2025, the EU AI Act’s prohibitions on unacceptable-risk AI systems became enforceable. These prohibitions cover AI systems used for social scoring, subliminal manipulation, real-time biometric identification in public spaces, and similar high-harm applications.
Who is affected: Any firm developing or deploying AI systems in or for the EU market.
Practical implication: The prohibitions are clear and non-negotiable. If a firm has not already confirmed that none of its AI systems fall into prohibited categories, that assessment is overdue.
April 2025 — DORA: first information register submissions
National competent authorities were required to submit their first DORA information registers to the European Supervisory Authorities by 30 April 2025. This submission included data on in-scope entities’ ICT third-party arrangements.
Practical implication: Firms that submitted incomplete or inaccurate data to their NCA ahead of this deadline are now in a supervisory record that will be cross-referenced against future audit findings.
June 2024 to July 2026 — MiCA transitional period for CASPs
Crypto-asset service providers that were operating in compliance with applicable national law before 30 December 2024 can continue operating under transitional arrangements until 1 July 2026, or until they are granted or refused MiCA authorisation, whichever is sooner. Member states have discretion to shorten or opt out of this transitional window: Spain reduced its period to 12 months, France applied the full 18-month period.
Who is affected: Crypto exchanges, wallet providers, and other CASPs operating in EU jurisdictions.
Practical implication: The 1 July 2026 deadline is the hard outer limit. Any CASP without an in-progress authorisation application is running out of runway.
August 2025 — EU AI Act: GPAI obligations apply
From 2 August 2025, obligations for providers of general-purpose AI models became enforceable. Governance infrastructure and conformity assessment systems were also required to be operational.
Practical implication: For financial services firms using GPAI in customer-facing or decision-making systems, documentation of model capabilities, training data, and systemic risk assessments should already be in place.
2026: the enforcement year
16 April 2026 — AIFMD II transposition deadline
Member states were required to transpose AIFMD II into national law by 16 April 2026. AIFMD II introduces enhanced disclosure requirements under Articles 23 and 24, expanded Annex IV supervisory reporting including delegation data, new liquidity management tool obligations for open-ended funds, changes to depositary arrangements, and a new loan origination regime for AIFs.
Who is affected: EU-authorised alternative investment fund managers and, in relevant respects, non-EU AIFMs marketing funds in the EU.
Practical implication: The directive is transposed at member state level, meaning the specific implementation varies by jurisdiction. Managers operating across multiple EU member states need to track national implementation separately. The enhanced Annex IV reporting templates are not due until April 2027, but the underlying data collection obligations apply from now.
Note: the European Commission announced in October 2025 that it would not adopt certain non-essential Level 2 acts under AIFMD before 1 October 2027. The RTS for open-ended loan-originating AIFs is among those deferred. Managers of such funds should monitor national-level interim guidance.
1 July 2026 — MiCA: CASP transitional period expires
The outer limit of the MiCA transitional period for crypto-asset service providers. CASPs operating without MiCA authorisation after this date are operating illegally in the EU, regardless of the national framework they were previously licensed under.
Who is affected: All crypto-asset service providers operating in the EU.
Practical implication: Authorisation timelines vary by member state. Firms that have not already engaged with their national competent authority are unlikely to complete the process before the deadline. Stablecoin issuers were already subject to MiCA requirements from June 2024 and should have been compliant for over a year at this point.
25 June 2026 — EMIR 3 active account requirement
The Directive component of EMIR 3 is required to be transposed by 25 June 2026. ESMA expects that reporting by entities subject to the active account requirement will begin by July 2026, with submissions required to include backlog data covering compliance with the active account requirement from 25 June 2025 onwards.
Who is affected: EU counterparties that clear OTC derivatives through non-EU central counterparties, particularly those using LCH and Eurex Clearing for interest rate and credit derivatives.
Practical implication: The active account requirement means maintaining operationally active clearing accounts at EU CCPs, not merely nominal ones. Clearing arrangements, collateral management, and governance documentation should be updated now. The backlog data requirement means the compliance record effectively runs from June 2025.
2 August 2026 — EU AI Act: high-risk obligations and transparency rules
The most significant EU AI Act deadline for most financial services firms. High-risk AI systems in the financial sector must comply with the full set of requirements: risk management systems, data governance, technical documentation, human oversight mechanisms, and registration in the EU AI database. Transparency obligations under Article 50 also apply from this date to all AI systems, including disclosure requirements for AI-generated content and chatbot interactions.
Who is affected: Financial institutions using AI in credit scoring, fraud detection, insurance underwriting, customer-facing advisory systems, and other Annex III high-risk categories. Equally relevant for any firm deploying generative AI or chatbot tools in a professional context.
Practical implication: The Digital Omnibus proposal currently in trilogue negotiations would defer some high-risk obligations to December 2027 if harmonised standards are not ready in time. However, this deferral is not yet law. The safe planning assumption is August 2026 as the operative deadline. Article 50 transparency obligations are not subject to the Omnibus deferral and apply regardless.
Note: the Commission missed its own February 2026 deadline for publishing classification guidelines under Article 6. Final guidance was expected in March or April 2026. Firms uncertain about whether their systems qualify as high-risk should not wait for clarification before beginning compliance preparation.
Q2 2026 (expected) — PSD3 and PSR enter into force
Political agreement on PSD3 and the Payment Services Regulation was reached on 27 November 2025. Both instruments are expected to enter into force between the end of Q1 and the beginning of Q2 2026, after which a 21-month implementation period begins.
Who is affected: Payment service providers operating in the EU, including banks, e-money institutions, and embedded finance providers.
Practical implication: Entry into force starts the compliance clock. The 21-month window sounds generous; it is not for firms that need to rebuild fraud prevention infrastructure, renegotiate third-party contracts, and update open banking integrations simultaneously. A gap analysis against the current PSD2 framework should begin now. Key changes include stronger fraud liability requirements, open banking improvements, and enhanced fee transparency.
Q2 2026 (expected) — FiDA finalisation
The Financial Data Access Regulation, which would create a framework for open finance by enabling consumer data sharing across banking, insurance, and investment products, was expected to reach institutional agreement during the Cypriot EU Council presidency, which runs from 1 January to 30 June 2026.
Who is affected: Banks, insurers, investment firms, and any fintech operating in financial data aggregation or analysis.
Practical implication: FiDA is not yet finalised. When it is, it will follow the standard pattern of a transition period before obligations apply. The relevant preparation now is understanding what categories of financial data will be in scope and which products may require consent infrastructure upgrades.
Throughout 2026 — DORA enforcement intensifies
With 2025 serving as the initial supervisory education phase, 2026 is the year regulators across member states are expected to move from guidance to examination and, where necessary, enforcement. France and Spain have been most active in publishing updated guidelines and initiating IT-focused supervisory examinations.
Who is affected: All DORA in-scope entities: banks, investment firms, insurers, payment institutions, crypto-asset service providers, critical ICT third-party providers.
Practical implication: ICT risk management frameworks that exist only as documentation are the primary audit risk. Supervisors are examining whether resilience frameworks are operationally embedded, not merely drafted. Third-party contracts should have been updated to reflect DORA’s requirements; firms that deferred vendor renegotiations are exposed.
2027 and beyond: forward horizon
16 April 2027 — AIFMD II: enhanced Annex IV reporting templates
ESMA’s new RTS on supervisory reporting, which will reshape the Annex IV templates including delegation data, are due by this date. The underlying reporting obligation applies from April 2026, but the final template format follows a year later.
2 August 2027 — EU AI Act: full applicability
The AI Act becomes fully applicable to all remaining obligations. This includes legacy GPAI systems placed on the market before August 2025, and AI systems embedded in regulated products under Annex I. If the Digital Omnibus passes, Annex III standalone high-risk system obligations may be deferred to December 2027 rather than August 2026.
Q4 2026 (expected) — ESMA greenwashing guidance
ESMA is expected to publish supervisory material on greenwashing risks in sustainable investment funds, with concrete examples of misleading fund names, ESG marketing, and disclosure practices. Relevant for asset managers with ESG-labelled strategies.
What this calendar cannot tell you
A deadline list is the floor, not the ceiling. Most of the obligations above require six to eighteen months of preparation to meet properly, which means the useful planning date is not the deadline itself but the point at which implementation work needs to start to be completable in time.
The calendar also cannot tell you what changes between now and publication. EU regulatory timelines shift: consultation periods extend, Digital Omnibus negotiations alter implementation sequences, and national transposition varies by jurisdiction. The dates above reflect the best available information as of April 2026, but forward-looking dates should be treated as working assumptions rather than fixed facts.
The alternative to active monitoring is discovering a deadline after it has passed. That discovery typically arrives via a supervisory letter, a client question you cannot answer, or a competitor who understood the landscape before you did.
For compliance professionals and fintech founders who need to track EU regulatory developments as they happen rather than after they have consolidated into published timelines, the horizon-scanning problem is structural: official publications are infrequent, secondary commentary is uneven in quality, and the volume of consultation papers, technical standards, and supervisory communications makes manual tracking impractical at scale. That is the problem Forseti is being built to solve. Forseti, Citium’s EU regulatory intelligence platform, is in development and will monitor EU financial regulation continuously, tracking implementation guidance, supervisory publications, and enforcement developments as they happen. If you want to be kept informed ahead of launch, get in touch.
For the broader architecture of EU financial regulation and who it affects, the EU financial regulation overview sets the context. For MiCA specifically, including the transitional period mechanics described above, the MiCA explainer covers the obligations in detail. For DORA, the DORA compliance checklist maps the specific requirements firms are now expected to have embedded.