EU law — precise, sourced, to the point

Could a dismissed employee claim discrimination based on age, religion, disability, or sexual orientation — and what would that cost your organisation?

Under Directive 2000/78/EC, enforceable since 2 December 2003, any employer in the EU that discriminates in hiring, promotion, or dismissal on grounds of religion, disability, age, or sexual orientation faces sanctions that Member States must make effective, proportionate, and dissuasive [Art. 17] — Legal and HR must act first.

If a contamination incident hits our supply chain tomorrow, can we actually trace every ingredient back to its source — and what happens if we cannot?

Every food and feed business operator in the EU must be able to identify suppliers and recipients of all products at all times — failure to maintain traceability triggers immediate withdrawal obligations and Member State penalties that are required to be effective, proportionate and dissuasive [Art. 18, Art. 17(2)].

Could our distribution agreement or pricing practice trigger a Commission dawn raid — and what does a 10% turnover fine actually mean for our balance sheet?

Any undertaking operating in the EU internal market faces fines of up to 10% of total annual turnover if the Commission or a national competition authority finds an infringement of Articles 101 or 102 TFEU — the compliance obligation is permanent and enforceable without prior notification.

Does our planned acquisition trigger an EU merger filing — and what happens if we close before clearance?

If the merging parties exceed EUR 5 billion combined worldwide turnover and EUR 250 million each in the EU, they must notify the European Commission before closing — gun-jumping fines reach 10 % of group turnover [Art. 14(2)].

Could our marketing, dark patterns or review practices expose us to fines of 4% of turnover under the EU's unfair commercial practices blacklist?

Any trader making commercial communications to EU consumers may use environmental, sustainability-label or durability claims only under strict conditions — greenwashing is expressly an unfair commercial practice since the Empowering Consumers Directive (EU) 2024/825; Member States transpose the new rules by 27 March 2026 and apply them from 27 September 2026 [Art. 6, Art. 7 Directive 2005/29/EC; as amended by (EU) 2024/825 Art. 1].

Our machinery carries CE marking under Directive 2006/42/EC — what exactly must we prove to market surveillance authorities if they challenge our conformity today, and what changes when the new Machinery Regulation takes over?

Any manufacturer placing machinery on the EU market must hold a complete technical file, an EC declaration of conformity and a valid CE marking under Directive 2006/42/EC [Art. 5], with penalties set by each Member State that must be effective, proportionate and dissuasive [Art. 23] — and all products first placed on the market from 20 January 2027 must instead comply with the replacement Regulation (EU) 2023/1230.

Our products contain batteries — do we still need to comply with the old Battery Directive, or has the new Batteries Regulation taken over?

Directive 2006/66/EC was repealed on 18 August 2025 by Regulation (EU) 2023/1542, but its legacy obligations on collection rates, recycling efficiencies and substance bans shaped national transposition laws that remain enforceable until fully superseded — compliance teams should verify alignment with the successor Regulation now.

Can our marketing team legally say our product 'boosts immunity' or 'reduces cholesterol' on EU labels and ads?

Every health claim on food labels or advertising in the EU must be pre-authorised by the Commission and listed in the Community Register since 1 July 2007 — unauthorised claims trigger enforcement by national authorities, including product withdrawal and injunctions [Art. 10].

Are we actually meeting the EU waste recycling targets — and what does the new textile EPR obligation mean for our supply chain?

Any company generating, handling or placing products on the EU market must comply with binding municipal waste recycling targets rising to 60 % by 2030 and 65 % by 2035 [Art. 11(2)], plus mandatory textile EPR schemes by 17 April 2028 [Art. 22a] — non-compliance triggers Member State penalties that must be effective, proportionate and dissuasive [Art. 36].

Are our chemical labels compliant — and what happens if an inspector finds they are not?

Any manufacturer, importer or downstream user placing a substance or mixture on the EU market must classify, label and package it under the CLP Regulation — non-compliance triggers Member-State penalties that must be effective, proportionate and dissuasive, and enforcement authorities can pull non-conforming products from the market [Art. 47].

Can I still sell my energy-related product in the EU if I have not completed the ecodesign conformity assessment required by the applicable implementing measure?

Any manufacturer or importer placing energy-related products on the EU market without CE marking and conformity to the applicable implementing measure risks market prohibition and national penalties — your compliance team must verify product-specific implementing regulations immediately.

Does our insurer hold enough capital to survive a 1-in-200-year loss — and what happens to our licence if it does not?

Every EU insurer and reinsurer must continuously cover its Solvency Capital Requirement (99.5 % VaR) or face a recovery plan within six months and, if the Minimum Capital Requirement is breached, licence withdrawal — enforced by national supervisors since 1 January 2016 [Art. 138, Art. 139].

Which buildings in my portfolio still fail the nearly zero-energy standard, and what happens if I sell or rent one without a valid energy performance certificate?

Since 31 December 2020 every new building in the EU must meet the nearly zero-energy standard [Art. 9], and every sale or rental requires a valid energy performance certificate — Member States must impose effective, proportionate and dissuasive penalties for non-compliance [Art. 27].

Can a customer return our product bought online after 14 days — and what happens if our withdrawal notice is defective?

Any trader supplying goods or services to EU consumers must provide comprehensive pre-contractual information — the scope of the Consumer Rights Directive has been materially extended by three subsequent amending acts: Package Travel Directive (EU) 2015/2302 (residual application to certain travel services), Distance Marketing of Consumer Financial Services Directive (EU) 2023/2673 (new Chapter on distance financial services contracts) and Empowering Consumers Directive (EU) 2024/825 (greenwashing prohibitions, reparability, harmonised guarantee labels — applicable from 27 September 2026) [Art. 5, Art. 6 Directive 2011/83/EU; as amended by (EU) 2015/2302, (EU) 2023/2673, (EU) 2024/825].

Are we legally responsible for every old laptop and server our customers throw away — and what happens if our WEEE registration is missing?

Any producer placing electrical or electronic equipment on the EU market must register, finance take-back, and hit 65 % collection targets under Directive 2012/19/EU — non-compliance triggers national penalties and potential market access bans, with your compliance team needing to act first.

Does our bank's governance, capital planning and bonus structure survive the next SREP cycle — and what happens if it does not?

Credit institutions and investment firms operating in the EU must permanently meet CRD IV governance, ICAAP, capital-buffer and remuneration requirements — breaches can trigger administrative penalties of up to 10 % of annual net turnover, and the compliance function should verify alignment ahead of each annual SREP review.

Which of our above-threshold purchases require a full EU-wide tender — and what happens if we skip the procedure?

Any contracting authority awarding supply or service contracts worth EUR 140,000 or more (EUR 216,000 for sub-central bodies) without the procedures mandated by Directive 2014/24/EU risks having the contract declared ineffective and facing damages claims from excluded competitors under the Remedies Directive 89/665/EEC.

Does our next infrastructure contract in energy, water, transport or postal services need to follow EU procurement rules — and what happens if we skip the tender?

Any contracting entity operating in water, energy, transport or postal services must run a compliant procurement procedure for contracts above EUR 432,000 (supplies/services) or EUR 5,404,000 (works), with contract annulment and damages as the remedies if the procedure is flawed [Art. 15].

If a national market surveillance authority opens our lift technical file tomorrow, do we have what Directive 2014/33/EU demands — or are we facing withdrawal, recall and penalties?

Directive 2014/33/EU has applied since 20 April 2016, and any lift placed on the EU market without a complete EU declaration of conformity, CE marking and 10-year technical file (Art. 7(2)–(3), Art. 8(2)–(3)) can be withdrawn, recalled and sanctioned under nationally set effective, proportionate and dissuasive penalties (Art. 43) — the installer and manufacturer must verify the dossier first.

If our bank or investment firm is failing, who bears the losses first — and can the resolution authority seize our shareholders' and creditors' money overnight?

Yes — since 1 January 2016 resolution authorities can bail in shareholders and unsecured creditors up to 8 % of total liabilities before any public funds are used, with administrative fines of up to 10 % of annual net turnover for institutions that fail to maintain recovery plans or meet MREL [Art. 111(2)(d)].

Are our investment services compliant with MiFID II — and what happens at the next supervisory audit if they are not?

Investment firms, banks offering investment services, and market operators face fines of up to EUR 5 million or 10 % of annual turnover if they breach MiFID II's investor-protection, product-governance, or market-structure rules — compliance and legal teams must verify ongoing adherence now.

Which MAR controls do we need before our next earnings release — and what are auditors most likely to find missing?

MAR has been directly applicable across the EU since 3 July 2016, with insider lists, ad-hoc disclosure and PDMR notifications enforceable today and fines up to EUR 15 million or 15% of group turnover for insider dealing or market manipulation under [Art. 30 Abs. 2]; legal counsel owns immediate scope confirmation.

Will my e-signatures and qualified trust services still hold up after 21 May 2026 — and what does it cost if my QTSP misses the new conformity report?

From 21 May 2026, every pre-2024 qualified trust service provider must hold a fresh conformity assessment under Article 24, and any infringement of eIDAS exposes the legal entity to administrative fines of at least EUR 5 million or 1 % of worldwide annual turnover — Compliance and Legal must close the audit gap first.

Is our customer due diligence programme robust enough to survive an AML supervisory inspection — and what happens if it is not?

Obliged entities that fail to implement risk-based CDD, suspicious-transaction reporting and beneficial-ownership verification face administrative fines of up to EUR 5 million or 10 % of annual turnover [Art. 59(3)], and compliance officers must act now because these obligations are permanently enforceable.

Does my payment checkout actually comply with Strong Customer Authentication — and what happens to my business if a regulator finds it does not?

Any entity providing payment services in the EU must apply Strong Customer Authentication since 14 September 2019, and national competent authorities can impose effective, proportionate and dissuasive penalties for non-compliance — including public disclosure of sanctions [Art. 97, Art. 103].

Our supplier in another EU Member State just filed for insolvency — can we still recover assets and lodge claims across borders, or are we locked out?

Cross-border insolvency proceedings are automatically recognised across the EU since 26 June 2017, but foreign creditors must lodge claims within a minimum of 30 days after publication or risk losing their ranking [Art. 55(6)].

Do we need a single safety certificate before our trains can run on EU tracks — and what happens if our safety management system fails an audit?

Every railway undertaking needs a single safety certificate from the EU Agency for Railways or the national safety authority before accessing any EU rail infrastructure — operating without one means immediate exclusion from the network and potential national penalties [Art. 10, Art. 30].

A competitor just hired our lead engineer — can we actually stop them from exploiting our proprietary processes across the EU?

Since 9 June 2018, any business in the EU can seek injunctions, seizure of infringing goods, and full damages for trade secret misappropriation — but only if legal counsel can demonstrate that reasonable protective steps were already in place [Art. 2(1)(c), Art. 4, Art. 12].

Are our public sector websites and apps actually compliant with EU accessibility rules — and what happens when a citizen files a complaint?

Every public sector website and mobile application in the EU must already meet harmonised accessibility requirements under EN 301 549 — non-compliance exposes the body to enforcement proceedings under national law and mandatory corrective action via the feedback and complaint mechanism [Art. 9].

Can we defend our current data processing if a supervisory authority knocks tomorrow — and what does the next breach actually cost?

Every organisation processing EU personal data faces a permanently enforceable 72-hour breach-notification duty, and a single violation of core principles can trigger fines up to EUR 20 million or 4 % of global annual turnover — your DPO or legal counsel must act first.

Which of our financial benchmarks need an authorised administrator — and what happens if we keep using an unregistered one?

Any administrator providing a critical, significant or EU Climate benchmark in the Union must be authorised or registered with the national competent authority or ESMA; non-compliance exposes legal persons to fines of up to EUR 1 million or 10 % of annual turnover, whichever is higher [Art. 34, Art. 42(2)].

Can I still sell my medical device in the EU if it only has an old MDD certificate — and what happens when those certificates expire?

Legacy MDD/AIMDD certificates expire on 31 December 2027 for class III and IIb implantable devices or 31 December 2028 for all others — after that, placing a non-MDR-certified device on the market is unlawful and Member States must impose effective, proportionate and dissuasive penalties [Art. 113].

Does my IVD still have a valid CE mark — and what happens when the IVDR transition window closes?

IVD manufacturers that fail to transition legacy devices to the IVDR face removal from the EU market — Class D devices by 31 December 2027, Class C by 31 December 2028, Class B by 31 December 2029 — with penalties set by each Member State.

Do we need an approved prospectus before we can offer these securities to investors, and what happens if we get it wrong?

Any issuer offering securities to the EU public or seeking regulated-market admission must first obtain competent-authority approval of a prospectus — non-compliance exposes legal persons to administrative sanctions of at least EUR 5 million or 3 % of annual turnover, with the new EU Follow-on and EU Growth prospectus regimes applying from 5 March 2026.

Do our AML controls already cover crypto exchanges, art dealers, and the new beneficial ownership registers — or are we exposed to sanctions right now?

Since 10 January 2020, every obliged entity — including virtual currency exchange platforms and custodian wallet providers — must apply full customer due diligence; breaches can trigger fines of up to EUR 5 million or 10 % of annual turnover, and your MLRO should verify coverage immediately [Art. 1].

Can we actually label our food products as 'organic' in the EU, and what happens if our certification lapses or our supply chain is non-compliant?

Any operator placing organic products on the EU market must hold a valid certificate issued under Regulation (EU) 2018/848 — without it, the organic claim must be removed immediately, and Member States impose penalties under national law that can include withdrawal of the certificate and a ban on marketing [Art. 35, Art. 42].

Do our vehicles still meet EU type-approval requirements — and what happens if market surveillance finds they don't?

Regulation (EU) 2018/858 has been fully applicable since 1 September 2020 — the Commission can impose administrative fines of up to EUR 30,000 per non-compliant vehicle, system or component, and your compliance or homologation team should verify conformity of production now [Art. 85(1)].

Can a customer demand a refund or free fix when my SaaS product, app, or digital download does not work as promised — and what happens if our terms say otherwise?

Since 1 January 2022, any trader supplying digital content or digital services in the EU must ensure conformity with both contractual and objective quality standards — non-compliant terms are void, consumers can demand repair, price reduction, or contract termination, and your legal team must act first to align contracts with the mandatory rules.

Does our platform need upload filters — and what happens if a rightholder claims we are not doing enough to keep infringing content off?

Any online content-sharing service provider that stores and gives the public access to large amounts of user-uploaded copyright-protected works must obtain licences or demonstrate best efforts to prevent infringement — failure exposes the platform to direct liability for unauthorised communication to the public, with sanctions set by each Member State's transposition since 7 June 2021 [Art. 17].

Do our consumer products and digital services meet the new EU accessibility requirements that became enforceable on 28 June 2025 — and what happens if they do not?

Every manufacturer, importer and service provider placing consumer hardware, self-service terminals, e-commerce platforms or banking services on the EU market must comply with Annex I accessibility requirements since 28 June 2025, with Member States required to impose effective, proportionate and dissuasive penalties for non-compliance [Art. 30].

Our company is sliding toward insolvency — can we restructure early enough to keep operating, and what does the new EU framework actually require from us?

Member States must offer viable enterprises access to preventive restructuring before insolvency, with a stay of up to 12 months and a cram-down mechanism — the legal team must ensure the national transposition (deadline: 17 July 2021, with electronic-means provisions phased to 17 July 2026) is reflected in internal crisis protocols.

Can I form a subsidiary or register a branch in another EU Member State entirely online — and will a director disqualified in one country be flagged across the Union?

Since 1 August 2021, every Member State must offer fully online company formation within 5 to 10 working days and cross-border director disqualification checks via BRIS [Art. 13g, Art. 13i of Directive 2017/1132 as amended] — legal counsel should verify that the target Member State's portal is operational before initiating any cross-border expansion.

Do we need a whistleblower reporting channel, and what happens if an employee reports a compliance breach before we have one?

Every private-sector entity with 50 or more workers must operate a secure internal reporting channel under Directive (EU) 2019/1937 — the transposition deadline has passed in all Member States, and failure to protect a reporting person exposes the organisation to effective, proportionate and dissuasive penalties set by national law [Art. 23].

We want to move our subsidiary's registered office to another EU Member State or split it cross-border — what procedural requirements can block the operation, and what happens to dissenting shareholders?

Since 31 January 2023, all Member States must provide harmonised procedures for cross-border conversions, mergers and divisions — legal counsel must secure the pre-operation certificate from the departure Member State authority or the operation cannot proceed [Art. 86m].

Are our ESG fund disclosures actually compliant with SFDR — and what happens at the next audit if they are not?

Every financial market participant and financial adviser in the EU must already publish sustainability risk policies, principal adverse impact statements and product-level ESG disclosures — non-compliance risks supervisory sanctions from national competent authorities and reputational damage that can trigger investor outflows overnight.

Can we legally irrigate our fields with treated waste water — and what do we need before turning on the tap?

Since 26 June 2023 any reclamation facility supplying treated urban waste water for agricultural irrigation must hold a permit under Regulation (EU) 2020/741 — operating without one exposes the operator to Member-State penalties that must be effective, proportionate and dissuasive [Art. 15].

Which of our revenues, CapEx, and OpEx actually qualify as taxonomy-aligned — and what happens to our reporting if we get the classification wrong?

Large undertakings subject to CSRD must disclose taxonomy-aligned turnover, CapEx and OpEx — since 1 January 2022 for climate change mitigation and adaptation, since 1 January 2023 for the four remaining environmental objectives (water, circular economy, pollution, biodiversity); after Omnibus I (EU) 2026/470 the CSRD scope narrows going forward to undertakings with more than 1,000 employees and more than EUR 450 million net turnover [Art. 8, Art. 27(2); penalties Art. 22].

Does my multinational group have to publicly disclose how much tax it pays in every country — and what happens if the first report is late?

Groups with consolidated revenue above EUR 750 million must publish a country-by-country income tax report for financial years starting on or after 22 June 2024; penalties are set by each Member State under the Directive 2013/34/EU enforcement framework, and the statutory auditor must flag non-compliance in the audit report [Art. 48f].

Is my company still in scope of CSRD after Stop-the-Clock and Omnibus — and from which financial year must we report?

Public-interest entities with more than 500 employees still report from financial year 2024; for other undertakings, Stop-the-Clock shifted CSRD reporting to financial years 2027/2028 and Omnibus I limits the scope to undertakings with more than 1,000 employees and more than EUR 450 million net turnover [32022L2464; 32025L0794; 32026L0470].

Does our organisation fall under NIS 2, and what happens if we miss the 24-hour incident notification window?

Any medium-sized or larger entity in 18 critical sectors must comply since 18 October 2024 — essential entities face fines up to EUR 10 million or 2 % of global turnover, and the CISO must file the first incident alert within 24 hours [Art. 23(4)].

Are we charging our roaming customers correctly under the recast Roaming Regulation — and what happens if our wholesale agreements or retail transparency fall short?

Since 1 July 2022, every EU mobile operator must offer roam-like-at-home at domestic prices, respect declining wholesale caps that reach EUR 1.00/GB by 2027 [Art. 11], and meet strict quality-of-service and transparency rules — with Member States required to impose effective, proportionate and dissuasive penalties for non-compliance [Art. 19].

Do we need to register as a data intermediary or data altruism organisation before we can legally broker data in the EU?

Any entity providing data intermediation services in the EU must notify the competent authority under the Data Governance Act, applicable since 24 September 2023 — non-compliance exposes providers to Member-State penalties and potential service prohibition [Art. 11, Art. 14].

Does our platform need a compliance officer, risk assessment and advertising repository under the DSA — and what happens if we miss the obligations?

Any intermediary service offered to EU users must comply with the DSA since 17 February 2024, with fines up to 6% of worldwide annual turnover — and platforms reaching 45 million monthly active users face additional VLOP obligations enforced directly by the European Commission.

Can our ICT infrastructure survive a major cyber incident without disrupting client services — and what happens to us if we cannot prove it to the regulator?

Since 17 January 2025 every EU financial entity must operate a fully documented ICT risk management framework, report major ICT-related incidents to the competent authority and run regular resilience testing — non-compliance triggers administrative penalties and remedial measures under national law, and the CISO or CTO should be leading the gap assessment now.

Do our imports of steel, aluminium or cement from outside the EU now carry a carbon price — and what happens if we ignore the new border mechanism?

From 1 January 2026, every importer of CBAM goods (cement, iron/steel, aluminium, fertilisers, electricity, hydrogen) must hold authorised CBAM declarant status, buy CBAM certificates matching the EU ETS price, and surrender them by 30 September each year — failure to surrender triggers the EU ETS excess-emissions penalty per missing certificate, and unauthorised importers face three to five times that amount [Art. 26].

Are the products we sell to consumers in the EU still compliant now that the new General Product Safety Regulation applies — and what happens if a recall goes wrong?

Since 13 December 2024 every consumer product on the EU market must meet the GPSR's general safety requirement — non-compliant manufacturers, importers, and online marketplaces face penalties set by each Member State under Article 44, and must offer consumers at least two free remedies in any recall [Art. 37]; Regulation (EU) 2024/2748 additionally inserts an emergency-procedures chapter applicable from 29 May 2026 when an Internal Market Emergency Mode is activated [Art. 5 GPSR as amended by (EU) 2024/2748].

Do we need a MiCA licence before we can keep operating our crypto exchange or custody service in the EU — and what happens if we miss the deadline?

Every crypto-asset service provider in the EU must hold a MiCA authorisation by 1 July 2026 at the latest — operating without it exposes the entity to fines of up to EUR 5 million or 12.5 % of annual turnover and an immediate cease-and-desist order [Art. 59, Art. 111].

Do my supply chains for coffee, soya, palm oil or wood pass the EU deforestation cut-off — and what happens at customs if they don't?

Any operator placing cattle, cocoa, coffee, oil palm, rubber, soya or wood products on the EU market must file a due diligence statement proving deforestation-free origin by 30 December 2026 — non-compliance risks fines of at least 4 % of annual EU-wide turnover and a market ban [Art. 25(2)].

Our machines have CE marking under the old Machinery Directive — do we need to re-certify everything before January 2027?

Any machinery or safety component placed on the EU market from 20 January 2027 must comply with the new Machinery Regulation (EU) 2023/1230 — non-compliant products face market prohibition, withdrawal or recall enforced by national authorities, and Member States must have penalty regimes in place by 20 October 2026 [Art. 50]; Regulation (EU) 2024/2748 additionally inserts an 'Emergency procedures' chapter applicable from 29 May 2026 when an Internal Market Emergency Mode is activated [Machinery Regulation as amended by (EU) 2024/2748 Art. 6].

Do our batteries need a digital passport and carbon footprint declaration before we can keep selling them in the EU?

Any company placing EV, industrial (>2 kWh) or LMT batteries on the EU market must issue a battery passport by 18 February 2027 — and carbon footprint declarations are already due for EV batteries since February 2025, with non-compliant products barred from the market.

Our IoT devices generate massive amounts of data — who actually owns it, and what happens if we refuse to share it with customers or third parties after September 2025?

From 12 September 2025, any manufacturer or service provider of connected products in the EU must grant users access to product data on request — penalties are set by Member States and, for personal data infringements under Chapters II, III and V, can reach up to EUR 20 million or 4% of global turnover under the GDPR enforcement channel [Art. 40(4)].

Do our buildings meet the new EU zero-emission standards — and what happens if we miss the 2030 renovation deadline?

Every new building in the EU must be zero-emission from 1 January 2030, and the worst-performing 16% of non-residential buildings must be renovated by the same date — Member States must transpose effective, proportionate and dissuasive penalties by 29 May 2026 [Art. 34].

Does our supply chain expose us to personal liability for human rights or environmental harm — and what does the CSDDD actually require before 2028?

Companies with more than 3,000 employees and EUR 900 million turnover must conduct mandatory human rights and environmental due diligence across their entire chain of activities from 26 July 2028, or face fines of at least 5% of net worldwide turnover [Art. 27(4)] and civil liability claims [Art. 29].

If our AI-powered product injures someone after a software update, who pays — and can we still rely on the old Product Liability Directive defences?

From 9 December 2026, any manufacturer, importer or even fulfilment service provider placing a product — including standalone software and AI systems — on the EU market faces strict no-fault civil liability with no financial ceiling, and courts can presume both defectiveness and causation where the claimant faces technical complexity [Art. 10(4)].

What duties does eIDAS-2 place on my company — accepting the EUDI Wallet, registering as a relying party, or penalty risk as a trust service provider?

eIDAS-2 distinguishes three addressee groups: trust service providers face EU-level minimum maximum administrative fines of EUR 5 million or 1 % of worldwide annual turnover [Art. 16(2)]; private relying parties in twelve regulated sectors (e.g. banking, health, telecom) must accept the EUDI Wallet within 36 months of entry into force of the implementing acts, only upon voluntary user request [Art. 5f(2)]; relying parties register in their Member State of establishment [Art. 5b].

Does our supply chain depend on a single-country source for lithium, cobalt or rare earths — and what happens when the EU starts enforcing diversification?

Any large company (>500 employees, >EUR 150 million turnover) using strategic raw materials in batteries, chips, wind turbines or similar technologies must complete a supply-chain risk assessment by 24 May 2025 [Art. 24], and Member States must lay down penalty rules by 24 November 2025 [Art. 47] — procurement teams that still depend on a single third-country source for more than 65% of any strategic material face mandatory mitigation action [Art. 5(1)(b)].

Does my business need a full KYC programme by July 2027 — and what happens if we are caught without one?

Every credit institution, financial institution, crypto-asset service provider, real-estate agent, lawyer and auditor in the EU must apply directly binding customer due diligence, beneficial-ownership and suspicious-transaction rules from 10 July 2027 — with administrative sanctions under the companion Directive (EU) 2024/1640 reaching up to EUR 10 million or 10 % of annual turnover for the most serious breaches.

Which of our AI projects must we halt immediately, and what does our compliance team need to deliver before the high-risk deadline hits?

Providers placing high-risk AI systems on the EU market must achieve full conformity by 2 August 2026 — failure to comply exposes them to fines of up to EUR 15 million or 3 % of global annual turnover, while prohibited AI practices already carry penalties of up to EUR 35 million or 7 %.

Which of our products will need a Digital Product Passport before they can be sold in the EU — and what happens if we miss the deadline?

Any manufacturer, importer or distributor placing physical goods on the EU market must comply with product-specific ecodesign requirements once the Commission adopts delegated acts (first possible from 19 July 2025 onward) — non-compliant products face market withdrawal and fines set by Member States, plus potential exclusion from public procurement [Art. 74].

Which of our connected products need a cybersecurity overhaul before the Cyber Resilience Act kicks in — and what happens if we miss the deadline?

Any product with digital elements sold in the EU must meet mandatory cybersecurity-by-design requirements by 11 December 2027 — non-compliance exposes manufacturers to fines of up to EUR 15 million or 2.5% of global turnover; Regulation (EU) 2025/327 (EHDS) amends CRA via Art. 104 so that EHR systems demonstrate conformity through the EHDS conformity procedure (Chapter III EHDS) rather than the standard CRA pathway [Art. 32(5a) CRA, inserted by (EU) 2025/327 Art. 104 (EU) 2025/327 paragraph 3].

We deferred our EUDR rollout once already — what counts as live now and what bites first?

Regulation (EU) 2024/3234 pushed the EUDR date of application to 30 December 2025 for operators and traders and to 30 June 2026 for micro and small undertakings — non-SME companies are therefore in full live mode and Compliance owns due diligence statements as the first failure point.