Legal Horizon Monitoring: The most important regulatory developments over the next 24 months – Part 1

Dr. Thomas Altenbach

Executive Summary

In just the first 19 days of February 2026, around 200 regulatory changes were published at European and national level – approximately 80 of them with direct relevance to businesses. This is not an exceptional month. This is the new normal.

What distinguishes 2026 from previous years: The waves of regulation are not arriving one after another, but simultaneously. AI Act, Cyber Resilience Act, new Product Liability Directive, CBAM, Pay Transparency Directive, ISO revision – companies have to move on multiple fronts at the same time. It is not the individual obligation that is the real risk, but the confluence of them.

For companies, the question is no longer whether a legal register exists. The crucial question is: is its structure capable of keeping up with this pace of maintenance, and can the organisation demonstrate that it has systematically captured, assessed and implemented the relevant developments?

This report provides a structured outlook on regulatory developments over the next 24 months. It outlines the key areas of action, shows which changes will be particularly relevant, and sets out what companies should specifically prepare for.

The environment: Regulation as a permanent state

For a long time, regulation was an exceptional event: a new law, a new decree, and then years of calm. This logic no longer applies.

What has changed structurally: Laws are created on more than four levels simultaneously – EU regulations, national implementation laws, state law, technical regulations and industry standards. Added to this are site-specific regulations. Each of these levels has its own rhythm. And all of them together create a network of dependencies that changes daily. In addition, there are clarifications by courts at national and EU level.

For businesses, this means the question is no longer „What applies today?“, but „What applies tomorrow, and the month after?“.

Level                | Examples                                          | Frequency of change
EU regulations       | GDPR, EUDR, NIS2, AI Act, CRA                     | High
National laws        | LkSG, HinSchG, Product Liability Act (ProdHaftG)  | Medium to high
Regional (state) law | Building regulations, emission control            | Medium
Technical standards  | ISO 9001:2026, ISO 14001, ISO 50001               | Cyclical
Industry standards   | IATF 16949, BaFin requirements                    | Variable

The most important regulatory areas 2026–2027

Field 1: ISO Revision 2026 – New Requirements for the Legal Register

ISO 9001 and ISO 14001, the most widely used management system standards in Germany, are being revised in 2026. The revision is not a cosmetic update: it changes the substantive assessment criteria applied in audits.

What's changing:

  • Climate aspects are explicitly included in the context of the organisation. The legal register must actively capture the relevant legal areas (Climate Protection Act, Energy Efficiency Act, CO₂ pricing).
  • Quality culture, ethical behaviour and supply chain resilience are defined more sharply and linked more strongly to ESG requirements.
  • Process transparency and traceability are given more weight. In future, auditors will not only ask „Have you seen the law?“ but „Can you document how you assessed and implemented it?“
  • Excel-based legal registers hit a structural limit here: daily changes, ongoing proof obligations and risk assessments can no longer be scaled manually.

What companies should prepare for now:
Anyone who wants to certify against the new version of the standard should expand the scope of their legal register today, especially to cover energy, climate and the supply chain. The transition period is running, but the first audits against the new standard will come sooner than many expect.

Field 2: Governance & Liability – Management in the Spotlight

Several recent legal developments independently point in the same direction: liability is shifting to management level, and not only when a specific rule is broken, but already when the organisational structure was inadequate.

Three relevant developments:

  1. CJEU, 5 December 2023 (C-807/21): Fines under Article 83 GDPR can be imposed directly on legal entities without the need to identify an individual natural person who committed the infringement. The organisation itself is the centre of responsibility.
  2. BGH, 11 February 2025 (KZR 74/23) and OLG Frankfurt, 21 October 2025: The recoverability of fines from managing directors has been affirmed at first instance. Final clarification at European level is still pending, but the direction is clear.
  3. § 38 NIS2UmsuCG: The responsibility of management for information security is expressly laid down by law. It cannot be delegated; ultimate responsibility remains with management.

The common denominator: individual misconduct is no longer the sole focus of evaluation; the quality of the organisational structures is. Section 130 of the Administrative Offences Act (OWiG) requires supervisory measures to be appropriate, and the legal register is a central element of that structural response.

What companies should prepare for now:
Check whether your legal register holds up as a governance tool, not just as a document repository. In an emergency, can you demonstrate that changes were identified, assessed and implemented?

Field 3: Information Security – NIS2 and the Cyber Resilience Act

In 2026, information security is no longer an IT issue; it is a leadership issue with tangible liability consequences. Two sets of regulations will shape the next 24 months.

NIS2:
§ 38 of the NIS2UmsuCG regulates the personal responsibility of management. Training is compulsory and the responsibility cannot be delegated. Auditors are increasingly checking whether the legal register reflects the relevant IT security requirements and whether changes have been identified promptly.

Cyber Resilience Act (CRA) – the next wave:
From 11 September 2026, the first CRA reporting obligations apply. Actively exploited vulnerabilities and severe security incidents must be reported via the single reporting platform operated by the EU agency ENISA, with an early warning due within 24 hours of the manufacturer becoming aware. From 11 December 2027, all new products with digital elements, i.e. connected hardware, software and IoT devices, must meet the full CRA requirements.

What this means in concrete terms:

  • Manufacturers and importers of connected products must document security requirements from the development phase onwards.
  • Security updates must be provided throughout the product's support period; for most products the CRA expects this period to be at least five years.
  • Vulnerability management becomes a permanent duty, not a one-off measure.
  • This creates ongoing process costs and documentation requirements that must be structurally mapped in the legal register.

What companies should prepare for now:
Clarify whether your products fall under the CRA. If so, start building the required documentation and reporting processes now; December 2027 is closer than it appears. Also ensure that your legal register not only lists the NIS2-relevant requirements but also documents responsibilities, measures and implementation status.

Field 4: AI Compliance – The EU AI Act Becomes Operational

From 2 August 2026, the bulk of the EU AI Act's obligations become binding, including for small and medium-sized enterprises. What was previously perceived as an abstract regulatory project is becoming operational.

From when does what apply?

  • Since 2 February 2025: The prohibitions on AI practices with unacceptable risk apply, and AI literacy (Article 4) for all employees working with AI systems is already mandatory. Documentation and proof of training are expected.
  • Since 2 August 2025: Governance and transparency obligations for general-purpose AI (GPAI) models apply.
  • From 2 August 2026: The bulk of the remaining obligations apply, including the transparency obligations and the requirements for the high-risk AI systems listed in Annex III (for example in HR and credit scoring).
  • From 2 August 2027: Obligations for high-risk AI systems that are safety components of products covered by EU product safety legislation (Annex I).

Who is affected:
The AI Act does not only affect AI providers but all companies that deploy AI systems classified as „high-risk“. These include, among others:

  • AI-powered HR decisions (recruiting, performance appraisal)
  • AI in lending and credit scoring
  • AI systems in safety-critical production processes
  • AI-powered decisions impacting fundamental rights

What this means for compliance:
Organisations must document the risk classification of their AI systems, establish governance structures and keep records of training. Compliance costs for high-risk AI are estimated at 10–20% of the AI investment. The legal register must reflect the AI Act as a separate area of law, with assigned responsibilities and implementation status.

What companies should prepare for now:
Inventory your AI systems and assess their risk class. Build the governance documentation before audit pressure arises. AI literacy training is already mandatory today; check whether you can prove it.

Field 5: New Product Liability Directive – Implementation by December 2026

The new EU Product Liability Directive (Directive (EU) 2024/2853) fully replaces the 1985 Product Liability Directive (85/374/EEC) on which the German Product Liability Act (ProdHaftG) is based. National implementation must be completed by 9 December 2026. This is one of the most profound shifts in product law in decades.

What is fundamentally changing:

  • Software, AI systems and related digital services are considered products and are therefore relevant to liability, even where they cause no physical damage.
  • Loss or corruption of data (not used for professional purposes) counts as compensable damage. This is new and affects all businesses offering digital products or services.
  • Evidential relief for claimants: where the damage is of a kind typically caused by a defect, defectiveness and causation are presumed. Companies must then actively prove that their product was not defective.
  • Extended scope of liability: alongside manufacturers, importers, authorised representatives and, under certain conditions, online marketplaces are now also liable.
  • Extended limitation period: where damage only manifests late, claims can be brought for up to 25 years after the product was placed on the market.

What this means for small and medium-sized enterprises:
Many medium-sized companies underestimate their exposure because they do not see themselves as „traditional product manufacturers“. However, anyone who integrates software into products, offers digital services or supplies networked components is directly affected.

What companies should prepare for now:
Check which of your products and services fall under the new directive. Systematically document product safety processes, test protocols and risk analyses, because in a dispute the burden of proof increasingly lies with the company, not with the injured party.

Field 6: Supply Chain & Product Compliance – EUDR and LkSG

Two sets of regulations will be the focus of attention over the next 24 months: the EU Deforestation Regulation (EUDR) and the Supply Chain Due Diligence Act (LkSG).

What the EUDR means
Companies placing products on the market that are linked to certain raw materials (soya, cattle, palm oil, wood, rubber, cocoa, coffee) must demonstrate due diligence. This affects not only direct importers but also many small and medium-sized processing companies that have these raw materials in their supply chain without explicitly knowing it.

A specific example: a manufacturing company that processes natural rubber seals falls under the EUDR, and this is typically not recorded in the legal register, because the link between the product description and the legal requirement has not been established manually.

What companies should prepare for now:

  • Review your product descriptions and supply chains for EUDR relevance.
  • Ensure your legal register systematically links the materials used to the relevant regulations.

Field 7: CBAM – Carbon Border Adjustment Mechanism with full cost weighting from 2026

Since 1 January 2026, CBAM, the EU's Carbon Border Adjustment Mechanism, has been in its definitive phase. Importers of the covered product groups must now purchase CBAM certificates for the embedded CO₂ emissions of their imports; the transition period with pure reporting obligations has ended.

Affected product groups (as of 2026):
Steel and aluminium, cement, fertilisers, electricity, hydrogen and selected chemical intermediates. The EU plans to gradually extend the scope to downstream products from 2028.

What this means in concrete terms:

  • Depending on import volume and CO₂ intensity, costs can quickly reach five to six figures.
  • Reporting and documentation obligations increase across the entire supply chain: suppliers must provide evidence of the CO₂ footprint of their products.
  • The legal register must treat CBAM as a separate compliance issue, with clear lines of responsibility between procurement, finance and legal.

What companies should prepare for now:
Check whether your import flows fall under CBAM. Clarify which suppliers can provide you with the necessary CO₂ data and which cannot. This is also a supplier qualification question.

Field 8: EU Pay Transparency Directive – Implementation deadline 7 June 2026

By 7 June 2026, Germany must transpose the EU Pay Transparency Directive into national law. The existing Pay Transparency Act (EntgTranspG) will be significantly tightened.

What's changing:

  • Companies with 100 or more employees must provide structured information on pay gaps and answer individual requests for information.
  • Reporting obligations on company-wide gender pay gaps are extended.
  • Reversal of the burden of proof: where a pay gap has been demonstrated, the employer must prove that the difference is objectively justified.
  • It becomes easier for employees to bring complaints.

What this means for the legal register:
The overlap between employment law, data protection and compliance becomes particularly complex here. Responsibilities are distributed between HR, Legal and the Data Protection Officer. If the legal register does not map this intersection, blind spots will arise.

What companies should prepare for now:
Begin analysing your pay structures now, not only after transposition. Clarify who is internally responsible for the reporting obligations and document that responsibility in the legal register.

Field 9: Data Act – Data Access as a New Compliance Obligation

The EU Data Act has applied since 12 September 2025. From 12 September 2026, the „access by design“ obligation also applies to connected products newly placed on the market.

What the Data Act requires
Anyone offering connected products or related digital services must give users and, under certain conditions, third parties structured access to the data those products generate. This applies to:

  • Manufacturers of connected machines and devices (IoT)
  • Digital services and platform providers
  • Companies providing cloud-based services

What this means in concrete terms:

  • Contracts with users and third parties need to be adapted.
  • Technical interfaces for data access must be set up and documented.
  • In Germany, violations can be penalised with fines of up to €500,000.

What companies should prepare for now:
Clarify which of your products and services generate data and whether you have already provided the required data access. Integrate the Data Act as a separate legal area into your legal register, paying particular attention to the overlaps with the GDPR.

Field 10: ESG & Sustainability Reporting

The CSRD is rolling out gradually and brings significant indirect requirements with it. While the EU Omnibus Package has introduced some relief (threshold: from 1,000 employees and more than €50 million in turnover), this should not be misread as a free pass.

What will be relevant in the next 24 months:

  • Companies that supply large corporations are drawn into the scope of the CSRD through their customers' supply chain obligations, even if they are not subject to reporting themselves.
  • The first CSRD reports from large companies will be published in 2026, making supply chain transparency visible and putting direct pressure on medium-sized suppliers.
  • Transition periods expire in 2026 and 2027. Anyone who only starts then will structurally have too little time.

What companies should prepare for now:
Clarify early on whether, and through which supply chain interdependencies, ESG reporting obligations will apply to you. This is not a question of company size but of supplier structure.

Are you preparing your existing legal register for these changes today?

I'd be happy to show you how an AI-powered legal register already reflects these developments, and where there might be structural gaps in your setup.

In Part 2 of this blog post, I will show when what applies, who is particularly affected, and what companies should now prepare in concrete terms.
