2026-06-07·5 min read·sota.io Team

EU AI Act Sector-Specific Compliance Stack Finale: Master Guide for All High-Risk AI Verticals 2026

Post #5 (Finale) in the sota.io EU AI Act Sector-Specific Developer Series (Part 2)

EU AI Act Sector-Specific Compliance Stack Finale 2026 — Master Guide for All High-Risk AI Verticals

The EU AI Act's August 2, 2026 deadline applies across every industry. But the path to compliance is not uniform — it runs through nine distinct Annex III obligation chains, each shaped by a different combination of sector law, data category, and deployment context. In this finale, we consolidate everything from both parts of this series into a single compliance architecture: universal foundations, sector-specific overlays, EU-native toolchain, and a 35-step master checklist that covers every high-risk AI vertical simultaneously.

The Nine Sectors: What This Series Covered

Across two parts of the EU AI Act Sector-Specific Developer Series, we analyzed nine high-risk AI verticals in depth:

Part 1 — Core Verticals (posts #1562–#1566):

EdTech (Annex III Point 3): AI literacy systems, student assessment, Annex III scope, GDPR Art.22 introduction
HR-Tech (Annex III Point 4): CV screening, worker monitoring, emotional AI prohibition under Art.5, bias testing
FinTech / Credit Scoring (Annex III Point 5(b)): credit risk models, DORA intersection, Art.9 for financial AI
HealthTech / Clinical AI (Annex III Point 5(a)): clinical decision support outside MDR/IVDR scope, patient safety obligations
GovTech / Public Sector (Annex III Points 5/6/7/8): FRIA under Art.27, public procurement, democratic process AI

Part 2 — Deep-Dive Verticals (posts #1572–#1576):

InsurTech (Annex III Point 5(c)): life and health underwriting AI, DORA + IDD + Solvency II triple burden, fraud detection carve-out
LegalTech (Annex III Point 8): administration of justice AI, justice system independence, CJEU-alignment requirements
Transport & Mobility (Annex III Point 2): autonomous vehicles, traffic management, NIS2 critical infrastructure, GSR 2019/2144
EdTech Deep-Dive (Annex III Point 3 + GDPR Art.22): student profiling, automated admissions, minor data protection, GDPR Double-Lock

The diversity across these verticals is real — but so is the underlying structure they share.

Layer 1: The Universal Compliance Foundation

Regardless of sector, every high-risk AI system under the EU AI Act must fulfill the same six core Articles. These are non-negotiable across all nine verticals and form the foundation of any sector-specific compliance architecture.

Art.9 — Risk Management System

Every high-risk AI system must implement a continuous risk management process. Not a one-time audit. Not a PDF checklist. A living system that identifies, evaluates, and mitigates residual risks throughout the entire lifecycle.

Universal requirements:

Risk identification that covers both intended use and reasonably foreseeable misuse
Risk evaluation against severity, probability, and reversibility of potential harm
Residual risk acceptance with documented rationale
Post-market monitoring hooks that feed back into risk re-evaluation
Continuous update when use context, training data, or deployment environment changes

What differs by sector:

The risk taxonomy (financial exclusion risk ≠ patient safety risk ≠ judicial fairness risk)
The severity baseline (errors in traffic management = safety risk, not just business risk)
The reversibility threshold (insurance denial more reversible than criminal sentencing)

Art.10 — Data and Data Governance

Training, validation, and testing datasets for high-risk AI must meet documented governance standards across all sectors. But the governance requirements layer with sector-specific data categories in ways that create very different compliance burdens.

Universal requirements:

Dataset design must address the intended purpose
Known biases must be identified, assessed, and documented
Relevant characteristics of the population the system affects must be represented
Data collection practices must comply with applicable law (GDPR, national law)
Data governance process must be documented in the technical file

Sector-specific data complexity:

Healthcare AI touches Art.9 GDPR special categories by design
EdTech AI processes children's data requiring Art.8 GDPR age verification
HR-Tech AI must audit for proxy discrimination in seemingly neutral features
LegalTech AI must handle legally privileged materials and court records with jurisdiction-specific protections

Art.13 — Transparency and Information to Deployers

High-risk AI systems must provide deployers with sufficient information to understand, interpret, and correctly use the system's outputs. This is the foundation of the HITL obligation under Art.14.

Universal requirements:

Instructions for use that cover the system's purpose, performance characteristics, and limitations
Information on the training data sources and any known data gaps
Human oversight guidance explaining where and why human review is required
Accuracy metrics and confidence indicator documentation
Warning about risk of over-reliance and automation bias

What differs:

Transport AI must document safety-critical edge cases and failure modes with regulatory precision
LegalTech AI must explain legal reasoning boundaries and the system's inability to exercise judicial discretion
InsurTech AI must disclose model factors and their directional effect on underwriting outcomes
EdTech AI must document age-appropriate explanation formats when minors are system subjects

Art.14 — Human Oversight Measures

Every high-risk AI system must be designed to allow natural persons to fully understand, monitor, and override the system's decisions. This Article is the EU AI Act's most operationally demanding requirement — and the most frequently violated in practice.

Universal requirements:

Pre-deployment: oversight tools must be built into the system, not bolted on later
Operational: persons responsible for oversight must have appropriate competence
Intervention: physical and/or software stop mechanisms must be available to override, interrupt, or revert outputs
Fatigue management: the system must not present outputs in a way that degrades the reviewer's ability to maintain meaningful oversight over time

Automation bias is the central problem. Research consistently shows that human reviewers become less critical of AI outputs when volume is high, when outputs carry confidence scores, or when the system's historical accuracy is high. UI design choices that maximize throughput erode HITL meaningfulness. Art.14 compliance requires designing AGAINST this tendency.

Sector-specific HITL stakes:

Transport: safety-critical systems may require zero-override UI to prevent humans from interfering at the wrong moment (the opposite challenge)
Justice AI: judicial discretion cannot be delegated to AI; every output must carry explicit "advisory only" framing
Insurance underwriting: regulatory guidance in multiple member states requires documented human review steps before adverse decisions are issued

Art.17 — Quality Management System

High-risk AI providers must establish, document, and maintain a QMS that covers the entire development-through-deployment cycle. This is the AI equivalent of ISO 9001 applied to AI development.

Universal QMS components:

Overall strategy (risk appetite, governance structure, responsible roles)
Design specifications and design controls
Data management procedures
Post-market monitoring plan (see Art.72)
Incident reporting procedures (see Art.73)
Corrective action and CAPA processes
Audit trail mechanisms

Sector-specific QMS extensions:

FinTech/InsurTech providers under DORA must integrate their AI QMS with ICT risk management framework requirements
Healthcare AI providers must align QMS with MDR/IVDR quality management when the same system crosses device and AI Act scope
GovTech providers building for public procurement must often demonstrate QMS compliance as part of tender evaluation criteria

Art.26 — Obligations of Deployers

Deployers — organizations that put high-risk AI into use — have independent obligations under the AI Act that cannot be transferred to providers. This is critical in B2B AI contexts where a developer sells AI to a school, hospital, bank, or government agency.

Universal deployer obligations:

Verify the provider has completed registration under Art.49 before deployment
Implement the provider's human oversight measures as documented
Monitor AI system operation and report serious incidents to the provider
Maintain logs required by Art.12 for the duration specified (typically 10 years for high-risk systems)
Conduct a Fundamental Rights Impact Assessment (FRIA) under Art.27 when required

Deployer vs. provider overlap: Many of the organizations in these sectors ARE the developers and deployers simultaneously — an InsurTech building its own underwriting model, a LegalTech platform integrating its own case prediction engine. In this case, all provider AND deployer obligations apply to the same entity. This is the most common scenario across all nine verticals.

Layer 2: Sector-Specific Obligation Overlays

On top of the universal foundation, each sector carries a distinct regulatory stack that modifies and amplifies specific AI Act obligations.

Annex III Obligation Map by Sector

Sector	Annex III Point	Primary Sector Law	Key Intersection
EdTech (student assessment)	Point 3	GDPR Art.8/9/22	Automated decisions on minors require Art.22(2) lawful basis + Art.22(3) safeguards
HR-Tech (recruitment/worker monitoring)	Point 4	GDPR, Working Time Directive, national labor law	Proxy discrimination in "neutral" features; emotional AI prohibited under Art.5
FinTech (credit scoring, creditworthiness)	Point 5(b)	DORA, CRD/CRR, Consumer Credit Directive	ICT risk integration; model governance as part of DORA TPRM
HealthTech (clinical decision support)	Point 5(a)	MDR/IVDR (if device), GDPR Art.9, national clinical governance	Double conformity when system is also a medical device
GovTech (benefits, services, law enforcement)	Points 1/5/6/7	Charter of Fundamental Rights, national administrative law	FRIA mandatory (Art.27); public body deployers cannot waive oversight
InsurTech (life/health underwriting)	Point 5(c)	DORA, IDD, Solvency II	ICT risk frameworks must cover AI; IDD product governance applies to AI-driven distribution
LegalTech (justice, admin of justice)	Point 8	Judicial independence principles, national court rules	AI cannot exercise judicial discretion; every output must preserve judicial primacy
Transport (critical infrastructure AI)	Point 2	NIS2, GSR 2019/2144, ALKS Regulation	Safety-critical = highest Art.9 severity rating; NIS2 incident reporting overlaps Art.73
EdTech Deep-Dive (profiling + GDPR Art.22)	Point 3	GDPR Art.8, Art.9, Art.22, CJEU case law	Art.22 Double-Lock with Art.14; minor data = Art.9 special category if behavioral profiling implies health inference

The Sector-Specific Multipliers

Three factors amplify compliance complexity in specific sectors:

Vulnerable group multiplier (Art.9 severity boost): When AI systems affect vulnerable populations — minors (EdTech), social benefit recipients (GovTech), defendants (LegalTech), patients (HealthTech) — the severity evaluation under Art.9 must be calibrated upward. The same probability of error produces greater harm when the affected population has limited means to contest or recover from incorrect AI outputs.

Multi-regulation burden multiplier: FinTech, InsurTech, and HealthTech providers do not just face the AI Act — they face concurrent obligations under DORA, Solvency II/IDD, and MDR/IVDR respectively. In each case, the AI QMS under Art.17 must integrate with the existing regulatory compliance framework, not operate in parallel. Fragmented compliance is both inefficient and likely to produce gaps that auditors from multiple regulators can find.

Automated decision chain multiplier: When AI outputs feed directly into legally consequential decisions — loan denial, insurance rejection, school admission, criminal sentencing recommendation — the GDPR Art.22 automated decision-making framework applies alongside the AI Act. The "Double-Lock" created by Art.22 (GDPR) and Art.14 (AI Act) means both data protection law AND product safety law independently prohibit fully automated significant decisions without human review and explanation rights. Neither can be waived by the other.

Layer 3: The EU-Native Compliance Toolchain

Building high-risk AI for the EU market on non-EU infrastructure creates a structurally difficult compliance problem: you are obligated to maintain logs, technical documentation, and incident reports for EU regulators, potentially subject to CLOUD Act access requests that undermine data sovereignty guarantees. For most sectors, EU-native infrastructure is not just a procurement preference — it is a defensible compliance posture.

Risk Management Infrastructure (Art.9)

EU-native options:

Merantix Momentum (DE): AI governance platform with EU-only data residency, Art.9 risk workflow support
Fraunhofer IAIS (DE): Research-grade AI risk assessment frameworks, sector certifications for healthcare and automotive
DataGuard (DE): Integrated GDPR + AI Act risk management, DPA network across DE/AT/CH
OpenBAO (EU community fork of HashiCorp Vault): secret management for AI model keys, available on EU infrastructure

What to avoid: Governance platforms that store risk assessments and mitigation documentation in US-headquartered cloud services. Under Art.9, your risk management system IS your audit trail. If a national competent authority (NCA) requests access, CLOUD Act jurisdiction over your risk system creates a legal paradox.

Data Governance Infrastructure (Art.10)

EU-native options:

DataGalaxy (FR): Data catalog with EU hosting, lineage tracking for training/validation datasets
Soda.io (BE): Data quality monitoring, EU-headquartered, relevant for detecting distribution shift in training data
OpenMetadata (EU deployable): Self-hosted data catalog with full sovereignty
Castor (NL): B2B data catalog focused on EU compliance documentation

Key requirement: Art.10 compliance requires provable documentation that training data was sourced legally and processed in accordance with applicable law. This means your data governance toolchain must produce audit-ready records, not just operational dashboards.

HITL and Oversight Infrastructure (Art.14)

UI design requirements:

Review queues must not present scores in a way that creates anchoring bias before the reviewer reads the underlying case
Override rates must be tracked and reported; declining override rates without corresponding accuracy improvement signal automation bias
Review workload caps are not specified in the regulation but are implied by the "meaningful oversight" standard — 500 AI decisions per reviewer per hour cannot constitute meaningful oversight

EU-native HITL tooling:

Custom internal tooling is frequently the right choice for Art.14 compliance — commercial HITL platforms often prioritize throughput over oversight quality
Label Studio (EU deployable, open source): annotation and review interfaces that can be configured to de-emphasize AI scores during initial human review
Encord (UK/EU): human-in-the-loop annotation platform with audit trail support

Technical Documentation and QMS Infrastructure (Art.11/Art.17)

EU-native options:

Confluence / Notion (EU-hosted): Acceptable if hosted in EU data centers with EU-only access; verify DPA terms
GitLab (EU deployable): Self-hosted version control for AI technical documentation alongside code
Nextcloud (DE): Document management with EU-only hosting, suitable for technical file storage
Cerbos (UK/EU): Policy-as-code for AI access controls — relevant for Art.26 deployer monitoring

Key principle: Art.11 requires technical documentation to be maintained for 10 years after the last AI system of a given type is placed on the market. Your documentation system must support long-term retention, versioning, and access controls that allow regulator review without exposing all internal systems.

Incident Reporting Infrastructure (Art.73)

Universal requirements:

Incident detection: automated monitoring to identify when serious incidents occur
Incident classification: triage to determine whether an incident meets the Art.73 serious incident threshold
Reporting workflow: submission pipeline to the relevant NCA within statutory timeframes
Evidence preservation: logs, outputs, and audit trails at the time of the incident

Art.73 Serious Incident Timelines (verified):

Initial notification to NCA: 2 days after awareness of serious incident
Intermediate report: 10 days after initial notification
Final report: 15 days after initial notification (or longer for complex cases requiring independent investigation)

Sector-specific incident interaction:

Transport AI incidents may simultaneously trigger NIS2 major incident reporting (ENISA)
FinTech/InsurTech AI incidents may simultaneously trigger DORA major incident reporting (relevant financial regulator)
Healthcare AI incidents involving devices also trigger MDR/IVDR adverse event reporting (national competent authority for medical devices)

Multi-regulation incident reporters need a single incident management pipeline that routes to multiple NCAs concurrently and maintains separate evidence packages per reporting obligation.

EU-Native Hosting Infrastructure

The infrastructure question is not separate from compliance — it IS compliance. Art.26 deployer obligations, Art.12 log retention, and Art.17 QMS documentation all require that underlying infrastructure supports EU regulatory access and resists CLOUD Act exposure.

EU-native PaaS options:

sota.io: EU-hosted PaaS (no US parent, GDPR-compliant, EU data residency), suitable for deploying AI model endpoints, API layers, and compliance tooling
Hetzner Cloud (DE): IaaS with EU-only ownership, strong price/performance for AI workloads
Scaleway (FR): AI-focused cloud with GPU instances, EU-only jurisdiction
OVHcloud (FR): Enterprise-grade EU cloud with sovereign cloud tier
IONOS (DE): Business cloud with German DPA compliance as a design point

Infrastructure compliance matrix:

Requirement	US Cloud (AWS EU/GCP EU)	EU-Native Cloud
CLOUD Act exposure	YES — US parent subject to USG orders	NO — no US parent, no US jurisdiction
GDPR international transfer	Chapter V transfers required	No transfer — EU to EU processing
NCA audit cooperation	Possible US-parent legal friction	No friction — EU jurisdiction throughout
AI Act Art.12 log access	CLOUD Act may interfere with regulator access	Clean EU jurisdiction for NCA requests
Technical file hosting	DPA addendum required, sovereignty gap	No gap — EU law applies end-to-end

For sectors with the most regulatory scrutiny — HealthTech, FinTech under DORA, GovTech with public procurement requirements — EU-native infrastructure is the path of least legal friction.

Layer 4: Cross-Sector Compliance Patterns

Across nine verticals, several compliance engineering patterns recur. Building these patterns correctly once and reusing them across verticals is the most efficient path to Aug 2026 compliance.

Pattern 1: The Three-Documentation Stack

Every high-risk AI system requires three types of documentation that serve different audiences and different regulatory obligations:

Technical documentation (Art.11): Designed for regulator review. Contains the full technical specification, training data description, performance validation results, and risk assessment. Not a marketing document. Typically 50–200 pages for complex models.
Instructions for use (Art.13): Designed for deployers. Explains the system's purpose, how to interpret outputs, what the HITL obligations are, and what errors to watch for. Shorter, practical, maintained alongside model updates.
Transparency disclosure (Art.50 / Art.13): Designed for end users (or their subjects). Explains in plain language that AI is being used, what it does, and what rights the subject has. For systems affecting natural persons directly — underwriting, credit scoring, educational assessment, judicial recommendations — this disclosure must be proactive, not buried in terms of service.

All three must be current with the deployed model version. An Art.11 technical file that describes a model from six months ago is not compliant documentation for today's deployed system.

Pattern 2: The HITL Audit Loop

Meaningful human oversight under Art.14 requires more than UI controls — it requires an audit loop that measures whether oversight is actually happening:

Track override rates by reviewer, time period, decision type, and AI confidence band
Flag automation bias signals: if override rates drop as model confidence scores increase, reviewers may be substituting model confidence for independent judgment
Conduct periodic HITL effectiveness reviews: sample completed reviews and assess whether the reviewer's rationale reflects genuine analysis or rubber-stamping
Document HITL design decisions: justify UI choices that present or withhold AI scores during review
Update HITL design when bias signals appear: this feeds back into Art.9 risk management as an identified risk requiring mitigation

Pattern 3: The Bias Lifecycle

Art.10 data governance addresses training-time bias. But high-risk AI systems can develop deployment-time bias through feedback loops, population shift, and selective labeling. A complete bias governance program covers:

Pre-training audit: dataset composition analysis against relevant protected characteristics
Validation audit: performance metrics disaggregated by sub-group (gender, age, geography, language, socio-economic proxy)
Deployment monitoring: ongoing comparison of output distributions against validation-time distributions
Feedback loop control: if AI outputs influence future training data (common in recommendation and scoring systems), document the feedback loop and its potential for compounding bias
Remediation protocol: defined process for addressing discovered bias, including model rollback, output suppression, or human-in-the-loop escalation

For EdTech AI affecting minors, healthcare AI affecting patients, and LegalTech AI affecting defendants, bias governance is not optional. These are the populations for whom Art.9 severity multipliers apply.

Pattern 4: The Multi-Regulation Incident Router

For sectors operating under AI Act + DORA + NIS2 + MDR/IVDR simultaneously, incident management is a multi-destination problem:

Incident Detected
       │
       ▼
Severity Triage
       │
       ├── Meets AI Act Art.73 threshold?  → NCA notification (2/10/15-day cadence)
       │
       ├── Meets DORA major incident threshold?  → Financial regulator notification
       │
       ├── Meets NIS2 significant incident threshold?  → CSIRT/ENISA notification (24h initial)
       │
       └── Meets MDR/IVDR adverse event threshold?  → Medical device NCA notification

Each notification goes to a different authority, on a different timeline, with different information requirements. Build the router once. Populate it from a single incident record. Maintain separate evidence packages per reporting chain.

The Master 35-Step Pre-August 2026 Checklist

Foundation (Universal — All Sectors)

Risk Management (Art.9)

1. Document AI system intended purpose and reasonably foreseeable misuse scenarios
2. Classify system risk level against Annex III criteria with documented rationale
3. Assign Art.9 severity ratings (reversibility, breadth, magnitude) for each identified risk
4. Document residual risk acceptance decisions with authorized signatory

Data Governance (Art.10)

5. Document training, validation, and testing dataset sources and collection processes
6. Conduct and document bias audit against protected characteristics relevant to affected population
7. Implement data governance logging sufficient to reconstruct dataset composition at time of training
8. Verify GDPR compliance for personal data in datasets (lawful basis, minimization, consent/contract basis)

Technical Documentation (Art.11)

9. Complete technical file covering all components specified in Annex IV
10. Document model architecture, hyperparameters, and training configuration
11. Document performance metrics on representative test set, disaggregated by relevant sub-groups
12. Version-control technical documentation with model version correspondence

HITL and Transparency (Art.13 + Art.14)

13. Produce instructions for use covering system purpose, output interpretation, and HITL obligations
14. Design HITL UI that enables meaningful review (not just token approval)
15. Implement override mechanisms and document override rate tracking
16. Train personnel responsible for oversight with documented competence assessment

QMS (Art.17)

17. Establish QMS policy covering AI development-through-deployment lifecycle
18. Define corrective action and CAPA procedures
19. Integrate post-market monitoring plan (Art.72) into QMS
20. Assign QMS ownership role with documented authority

Registration and Conformity (Art.43 + Art.49 + Art.51)

21. Complete conformity assessment procedure appropriate to system risk level
22. Issue EU Declaration of Conformity (Art.47) with authorized signatory
23. Affix CE marking (Art.49) once conformity assessment is complete
24. Register system in EU AI database (Art.51) before deployment

Incident Readiness (Art.73)

25. Define serious incident classification criteria with documented thresholds
26. Build incident detection and reporting pipeline with 2-day initial notification capability
27. Test incident reporting pipeline end-to-end before deployment

Sector-Specific Overlays

EdTech + EdTech Deep-Dive (Annex III Point 3)

28. Establish GDPR Art.22 lawful basis for any automated decisions affecting minors
29. Implement Art.22(3) safeguards: right to human review, right to contest, right to explanation
30. Apply Art.9 GDPR assessment if behavioral profiling could infer health or religious categories

FinTech / InsurTech / HealthTech (Multi-Regulation)

31. Map AI QMS (Art.17) to existing DORA ICT risk framework or MDR QMS, eliminating duplication
32. Build multi-destination incident reporting router with sector-specific notification workflows

Transport (Annex III Point 2)

33. Apply NIS2 critical infrastructure security requirements to AI system hosting and access controls
34. Complete GSR/ALKS safety validation documentation where applicable to autonomous function

LegalTech / GovTech (Art.26 + Art.27)

35. Complete Fundamental Rights Impact Assessment (FRIA) if public body deployer; document FRIA findings in technical file

The Infrastructure Decision: EU-Native from Day One

Compliance toolchains built on US-headquartered cloud infrastructure carry a structural compliance overhang that grows with each regulatory cycle. CLOUD Act exposure does not disappear with contractual data residency addenda — it persists at the legal-entity layer regardless of where data is physically stored.

For high-risk AI systems where:

Regulators will audit technical documentation and logs (Art.11, Art.12)
Incident reports will trigger NCA access to system evidence (Art.73)
Fundamental rights assessments reference system architecture (Art.27)
Deployer contracts require demonstrating sovereignty to public sector clients (CADA Level 3/4)

EU-native infrastructure eliminates a risk category that EU cloud addenda can only partially mitigate. sota.io provides EU-hosted, GDPR-compliant deployment infrastructure for AI application layers — no US parent, no CLOUD Act exposure, EU data residency by design.

Deploy your compliance toolchain on infrastructure that shares your regulatory jurisdiction from day one. The alternative is managing sovereignty exceptions for the lifetime of your AI system's operation.

Series Complete: What We Covered

This two-part series delivered sector-specific EU AI Act compliance architecture for every major high-risk AI vertical:

Post	Sector	Key Contribution
#1/5 Part 1 (EdTech)	Educational AI	Annex III Point 3 scope, AI literacy obligations
#2/5 Part 1 (HR-Tech)	Recruitment/Worker AI	Point 4 bias testing, emotional AI prohibition
#3/5 Part 1 (FinTech)	Credit Scoring AI	Point 5(b), DORA model governance integration
#4/5 Part 1 (HealthTech)	Clinical AI	Point 5(a), MDR/IVDR double conformity
#5/5 Part 1 (GovTech)	Public Sector AI	Points 1/5/6/7/8, FRIA, procurement AI rules
#1/5 Part 2 (InsurTech)	Insurance AI	Point 5(c), IDD distribution, Solvency II
#2/5 Part 2 (LegalTech)	Justice AI	Point 8, judicial independence, CJEU alignment
#3/5 Part 2 (Transport)	Infrastructure AI	Point 2, NIS2, GSR/ALKS safety chain
#4/5 Part 2 (EdTech Deep-Dive)	Student Profiling	GDPR Art.22 Double-Lock, minor data protection
#5/5 Part 2 (This Post)	All Sectors	Master checklist, EU toolchain, compliance architecture

The August 2, 2026 deadline applies to all of these. The compliance work is the same regardless of whether you start in January or July — but the lead time shrinks every week. The sectors that start now build systematic compliance programs. Those that start in July build fire drills.

Related reading:

EU-Native Hosting

Ready to move to EU-sovereign infrastructure?

sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.

Join the waitlist View pricing