Ten regulatory fields. Ten action areas. Some already in force, some on the verge – but all within the same timeframe.
Who Part 1 Anyone who has read it knows the individual parts. What isn't yet visible: how they come together – and what that means for an organisation that lacks an overall view.
Because that is the real risk. Not the law you know. But the gap that arises when the AI Act, the Cyber Resilience Act, and the new Product Liability Directive share the same calendar – and no one had the convergence in sight.
Part 2 shows: When what applies. Who is particularly affected. And what companies should now concretely prepare for.
Industry Spotlight: Who is particularly affected?
Mechanical Engineering & Production
ISO revision, CRA (connected machines), new product liability directive and Data Act (machine data) are hitting this sector from four directions simultaneously. Added to this are product-related compliance requirements and – when international supply chains – CBAM.
Chemistry & Materials Processing
The EUDR, REACH, CBAM and sector-specific hazardous substance regulations make the legal register particularly complex. Linking the raw materials used to the associated regulations is hardly manageable without systematic monitoring.
Software and technology companies
The EU AI Act, CRA, Data Act, and new Product Liability Directive (software as a product) are creating the highest need for new compliance here. Many of these companies currently lack a structured legal register – this will change in 2026.
Food & Agriculture
The EU Deforestation Regulation (EUDR) comes into effect here immediately. New EU labelling requirements and the EU Packaging Regulation (from August 2026) are being added. Raw material supply chains are often long and difficult to document.
Energy & Utilities
The German Energy Efficiency Act, ISO 50001 revision, NIS2 (Critical Infrastructure) and CBAM (Electricity Generation) are creating a dense regulatory framework. ISO audits at municipal utilities and energy suppliers are now regularly and specifically checking the legal register.
All labour-intensive companies with 100 or more employees
The Pay Transparency Directive applies across industries. The implementation deadline (7 June 2026) is tight – and the overlap with GDPR, labour law, and HR processes makes compliance responsibility complex.
The concurrency trap: the real risk
It is tempting to treat regulatory developments as individual topics. The AI Act Here, ISO revision there, CBAM when purchasing, NIS2 in IT. This separation is understandable – but it doesn't reflect reality.
What's structurally new by 2026: Several profound regulatory changes are coming into effect simultaneously. They affect different departments and have different deadlines, but the same consequences if overlooked: executive liability, fines, and reputational damage.
A company that its IT Security according to NIS2 A company that has set up, but overlooked that its connected devices fall under the CRA, has a loophole. CBAM correctly reports, but does not map any responsibility for the new product liability directive in the land register, has another. Both gaps do not arise from negligence – but from a lack of a holistic view.
That is precisely the difference between a living land registry and a thematic list: the Property register Establishes the connection – between legal areas, departments, deadlines, and responsibilities.
What companies should prepare specifically
Immediate: Check monitoring structure
The ISO revision 2026, CBAM and the Product Liability Directive make it clear: quarterly PDF updates are no longer sufficient. Those who need to prove in the next audit that legal changes have been recognised and assessed promptly require a near-real-time information process.
Test questions:
- How quickly do you learn about a relevant change in legislation?
- Who checks if a change applies to your company?
- How is this assessment documented?
Medium term: Expand the scope of the legal register
The following legal areas are not yet fully covered in many existing legal registers:
- EU AI Act (AI Governance, Risk Classification)
- Cyber Resilience Act (Vulnerability Management, Reporting Obligations)
- Data Act (Data Access Rights, Contract Adjustments)
- CBAM (CO₂ documentation in the supply chain)
- New Product Liability Directive (Software as a product)
- Pay transparency (HR compliance interface)
Structural: Ensure documentation and traceability
This is the dimension most often underestimated in audits. Auditors don't just ask, „Do you have the law?“ – they ask, „Can you prove you've seen, assessed, and implemented it?“
This doesn't require a perfect state of compliance, but a robust process: change detected → assessed → assigned → implemented → documented.
Conclusion: The Right Time
There is a moment when companies are particularly open to the topic of a legal register: directly after an audit where a discrepancy was identified because a change in legislation had not been documented.
Don't wait for this moment.
The regulatory developments of the next 24 months are known. The revision cycles are foreseeable. The requirements for documentation and evidence will not decrease. And 2026 will show for the first time what it means when multiple waves of regulation hit simultaneously – without an overall overview.
He who acts now has the choice. He who waits no longer does.
You wish to know how your existing legal register will be set up for the next 24 months?
I'd be happy to show you how an AI-powered legal cadastre already reflects these developments – and where there might be structural gaps in your setup.