The EU AI Act does not arrive on a single date. It applies in stages between 2024 and 2027, and each stage switches on a different set of obligations for the organizations that build or use AI systems in Europe.
Two of those stages are already live. The next one, the high-risk regime, lands on 2 August 2026, which makes the remaining months the window most compliance teams are working against right now.
NIS2 is the EU Network and Information Systems Directive 2. It came into force on October 17, 2024 after a two-year transposition window, and it requires roughly 160,000 European organizations to implement cybersecurity risk-management measures that include workforce training. Management bodies are personally accountable for approving and following that training.
If you run security inside an essential or important entity, the training question is no longer abstract. Auditors and national competent authorities now expect documented evidence that staff and leadership have been trained, that the content reflects current threats, and that management is involved rather than observing from a distance.
