April 23, 2026
Regulatory deadlines software teams should plan for in 2026 and 2027
2026 and 2027 already contain deadlines that will affect how software gets built and released in regulated sectors. Teams in finance, healthcare, payments, enterprise data, and connected products will run into new reporting duties, tighter documentation, security obligations, API work, payment-message changes, and approval steps.
The EU calendar is the densest. The UK is moving through targeted data and payments rules rather than one cross-sector AI statute. In the US, the practical dates are still coming more from states and sector regulators than from one national AI law. The impact is shared across product, engineering, data, security, and compliance.
The dates below are the ones most likely to create real delivery work across the EU, UK, and US.
California starts the year with a documentation deadline. AB 2013 requires developers of generative AI systems or services made publicly available to Californians to post website documentation about the data used to train those systems by January 1, 2026, and again before each substantial modification. The law also sets out the substance of that documentation. For public-facing model products, this makes training-data documentation part of release work.
The UK’s Data (Use and Access) Act moves from policy into operations here. The ICO states that most of the remaining data-protection provisions came into force on February 5, 2026. For software teams with UK exposure, that reaches complaint handling, privacy operations, internal process design, and the way customer-facing data workflows are documented and owned.
A second UK date follows a few months later. The ICO states that the requirement for organisations to have a complaints procedure is due to commence on June 19, 2026. This is operational work. Someone has to own the process, the evidence trail, and the customer path when an issue is raised.
Colorado remains one of the main US dates to watch. The Colorado General Assembly states that SB25B-004 extends the effective date of the requirements in SB24-205 to June 30, 2026. The underlying law deals with consumer protections in interactions with AI systems. For teams that may fall inside scope, June 2026 is a delivery date for governance, documentation, assessment, and disclosure work.
The biggest EU date in 2026 is August 2. The European Commission states that the AI Act entered into force on August 1, 2024 and will be fully applicable on August 2, 2026, with an extended transition until August 2, 2027 for high-risk AI systems embedded into regulated products. For software teams, this is where classification, supplier due diligence, technical documentation, logging, human oversight, and internal approval paths become much harder to postpone.
The Cyber Resilience Act starts creating reporting pressure before the full regime is live. The Commission states that reporting obligations apply from September 11, 2026, while the main obligations apply later. This pushes companies to tighten incident intake, vulnerability handling, evidence capture, and internal escalation in advance.
December brings another EU date that software firms should not ignore. EUR-Lex states that the revised Product Liability Directive must be transposed by December 9, 2026, and applies to products placed on the market or put into service from that date. For firms shipping software into products or connected environments, traceability and evidence retention get more important here.
The US healthcare side starts 2027 with a hard delivery date. CMS states that impacted payers have compliance dates generally beginning January 1, 2027 for the API development and enhancement requirements in the Interoperability and Prior Authorization final rule. CMS also lists January 1, 2027 as the implementation date for the Patient Access API additions, Provider Access API, Payer-to-Payer API, and Prior Authorization API requirements. For payers and healthtech vendors, this is a major architecture and workflow deadline.
For payment service providers outside the euro area, 2027 starts with instant payments. The European Commission’s payments timeline states that the third phase of the Instant Payments Regulation lands in 2027 for providers outside the euro area, including the ability to receive instant euro payments. For banks, PSPs, and fintech infrastructure providers, this is work around payment flows, verification, fraud controls, and vendor readiness.
The second instant-payments milestone follows in July 2027, when providers outside the euro area must also support sending instant euro payments. This extends the same operational pressure into outbound flows, customer journeys, reconciliation, exception handling, and testing across bank and vendor dependencies.
The AML package follows one day later. EUR-Lex states that the new anti-money laundering regulation applies from July 10, 2027, with later timing only for football clubs and agents. For transaction monitoring, onboarding, case management, KYC, sanctions, and internal controls, this is one of the dates that pushes data quality and rule traceability into the center of delivery planning.
The AI Act has another key date in 2027. The Commission states that high-risk AI systems embedded into regulated products have an extended transition until August 2, 2027, while the Act is otherwise fully applicable from August 2, 2026 with some exceptions. This is the part of the timeline that matters most for medical, industrial, mobility, and other product-heavy environments where AI sits inside a broader regulated system.
The UK payments calendar also has a clear 2027 date. The Bank of England states that from November 2027 it is expanding mandatory Purpose Code requirements to all CHAPS payments. For firms working on bank connectivity, treasury systems, payment initiation, reporting, or ISO 20022 handling, this creates a defined implementation milestone. The change is technical, but the operational consequences are real.
The Cyber Resilience Act closes out the 2027 list. The Commission states that the CRA’s main obligations apply from December 11, 2027. By then, this is no longer only about reporting severe incidents. It is about the full requirement set for products with digital elements placed on the EU market, including how they are designed, documented, maintained, and supported over their lifecycle.
These dates affect roadmaps, staffing, vendor work, and the order in which work gets done. Teams that handle software development and implementation well usually start with the parts that are hardest to bolt on later: documentation, approval paths, audit trails, API and message standards, incident reporting, and clear ownership around high-risk changes.
That is also where many teams get stuck. The issue is usually not awareness but getting the work into the delivery process early enough, with the right technical scope, ownership, and sequence.
Blocshop works with teams that need to turn regulatory pressure into delivery plans that can actually hold up in production. That includes the technical groundwork around architecture, data flows, controls, integrations, documentation, and implementation.
If these 2026 and 2027 deadlines are already on your roadmap, now is the time to turn them into concrete implementation work before they start creating pressure on delivery.
