
What does the 2026 European compliance landscape look like?

Companies face severe fines, increased regulatory scrutiny and significant compliance obligations under a raft of European Union (EU) and national legislation that has either recently come into force or which will take effect in 2026. Chief among these are duties to check the cyber resilience of third-party IT providers, improve supply chain due diligence and identify, prevent and remediate any actual or potential harm, and provide better protections for whistleblowers. 

Through its Digital Operational Resilience Act (DORA), the EU is trying to push financial services firms to take greater control of – and accountability for – IT risks, so that the sector as a whole is better protected from cyberattacks. Previously, financial institutions were required to manage the main categories of operational risk primarily through the allocation of capital, rather than through operational resilience measures such as the level of their technology preparedness. 

The rules, which have applied since January 17, 2025, set strict requirements on information and communication technology (ICT) risk management, ICT-related incident reporting to regulators, operational resilience testing, and the sharing of cyber threat information and intelligence between financial entities. Crucially, the legislation also makes financial services firms responsible for monitoring the risk posed by their third-party ICT suppliers, and brings suppliers designated as “critical” under a direct EU oversight framework.  

But because the rules carry significant financial penalties, they have not simply created a push for better compliance. Instead, firms have tried to push responsibility back onto third-party IT vendors by tightening contract terms as the price of retaining the business. And where financial firms have the muscle, the signs are that tech services suppliers are buckling under the pressure. As a result, DORA may put tech providers under enormous regulatory scrutiny.

The implications of DORA 

Industry experts have suggested that many firms in the financial sector were slow to meet DORA’s requirements before the legislation took effect, which may also have prompted them to offload as much of the compliance work – and cost – as possible onto the IT firms they work with. The main way they have done this is by renegotiating contracts with IT outsourcers so that the services they provide are categorized as supporting “critical or important” functions, even when they do not, thereby passing part of the compliance “burden” onto third parties who are then obliged to provide more assurance. Firms are also using DORA as an opportunity to renegotiate vendor relationships more broadly, demanding enhanced transparency, data-sharing capabilities and resilience reporting.  

Tightening contractual clauses may appear to enhance compliance, but it does not absolve firms of their responsibility: under DORA, boards remain ultimately accountable for their level of IT resilience and for their capability to report incidents within the required timeframes. Pushing DORA’s compliance requirements back onto IT service providers could also backfire. Such a heavy-handed approach not only strains relationships, it could inadvertently put financial firms at greater risk of non-compliance, because they become even more reliant on suppliers for assurance while their lack of in-house expertise leaves them less prepared internally. 

DORA’s scope is broad, and almost all financial entities operating inside the EU are covered, including banks, lenders, fintechs, trading venues, crowdfunders, crypto entities, investment firms, insurers, credit rating agencies and payments providers. Non-compliance can result in financial penalties of up to 2% of total annual worldwide turnover, as well as the removal of authorizations to conduct regulated business; for individuals, penalties can reach up to €1 million. Critical third-party ICT providers designated under DORA’s oversight framework face periodic penalty payments of up to 1% of their average daily worldwide turnover, and fines of up to €5 million (or €500,000 for individuals), if they fail to meet DORA’s standards.


Supply chain due diligence comes to the forefront

Supply chain due diligence is also set to become a bigger issue in 2026 as both national and EU-wide rules become increasingly embedded in operations and regulators take a keener interest in enforcing them.  

The German Supply Chain Due Diligence Act entered into force on January 1, 2023 and allows the enforcing authority, the Federal Office for Economic Affairs and Export Control (BAFA), to impose fines of up to 2% of a firm’s global turnover if it fails to identify and prevent human rights and environmental harms in its supply chain. It applies to companies with a registered office or principal place of business in Germany, as well as to foreign companies with a branch office there, and since January 1, 2024 it has covered companies with 1,000 or more employees. 

Although the act does not give rise to any new liability under civil law, it is expected to prompt non-governmental organizations to file lawsuits for alleged human rights violations in German courts more readily. During 2023, its first year, just 30 complaints were brought under the legislation (and 22 of these were dismissed). In 2025, 75 cases were brought forward.  

Contrast this with France’s similar Duty of Vigilance Law, which came into effect in 2017: as of May 2025, just 16 claims had been filed under it. Yet irrespective of whether either piece of legislation has resulted in many sanctions, both have compelled large corporations to prioritize human rights and environmental considerations within their supply chains in a way they had not done before.

New human rights regulations 

EU-wide rules on identifying, preventing and mitigating actual and potential adverse environmental and human rights impacts are also coming closer, with member states due to transpose the EU Corporate Sustainability Due Diligence Directive (CSDDD) into national law. The original transposition deadline of July 2026 was pushed back by one year, to July 2027, by the “stop-the-clock” directive adopted in April 2025, so 2026 will be the year in which national implementing legislation takes shape. The rules are phased in by company size, applying first to the largest companies (those with more than 5,000 employees and over €1.5 billion in net worldwide turnover) and extending, over the following years, to companies with 1,000 or more employees and turnover above €450 million. 

Penalties for non-compliance can be tough. The maximum financial penalty that member states must provide for has to be at least 5% of the company’s net worldwide turnover in the financial year preceding the decision to impose the fine. If a financial penalty is imposed, the decision on the infringement will be included in a public statement that remains available for at least five years – effectively “naming and shaming” the company.  

Additionally, where damage is caused jointly by a company and its subsidiary, or by the company and a direct or indirect business partner, those entities will be held jointly and severally liable. The CSDDD also introduces a civil liability regime that requires member states to ensure a company can be held liable for damage caused to people or companies where it intentionally or negligently failed to comply with its obligations. If companies did not already have supply chain due diligence on their compliance radar, that will need to change in 2026.


Whistleblowing rules mature in the United Kingdom and EU

Whistleblowing has long been recognized as a powerful mechanism for employees and third parties to speak up about wrongdoing, but the level of protection whistleblowers can expect often remains problematic. The same is true of the United Kingdom’s plans to encourage whistleblowing.

In September 2025 the U.K.’s third “failure to prevent” offense – failure to prevent fraud – came into effect under the Economic Crime and Corporate Transparency Act (ECCTA). Two similar offenses, failure to prevent bribery and failure to prevent the facilitation of tax evasion, are already in force under the Bribery Act 2010 and the Criminal Finances Act 2017 respectively. Each requires corporates to police themselves, their employees and the third parties with whom they do business. Together, these laws are aimed at expanding the scope of corporate criminal liability.

The U.K. government hopes the new offense – in tandem with the two existing ones – will put a renewed focus on the need to support whistleblowing as employees raise the alarm over suspected illegal business activity.

However, the key problem with ECCTA is that while whistleblowing is encouraged, disclosure is not incentivized and employee protections are not improved. Other obstacles may also stand in the way. For instance, there has historically been relatively little transparency in the U.K. around the outcome of whistleblower reports, partly because U.K. authorities – unlike those in the United States – do not offer financial rewards in exchange for information, so there is little fanfare about the role whistleblowers may have played in a company and its executives being brought to book.  

Nor is there a great track record of successful prosecutions. Since the Bribery Act came into effect in July 2011, there has been an average of only 10 prosecutions a year, and just 10 deferred prosecution agreements (DPAs) for “failure to prevent bribery” up to early 2025. In addition, the first charges under the Criminal Finances Act were brought almost eight years after failure to prevent the facilitation of tax evasion became an offense (and that case is ongoing).  

Furthermore, the level of protection – and of incentive – for employees to come forward is lacking. The Office of the Whistleblower Bill, which would create an independent authority intended to improve protections, has stalled and is still a long way from becoming a reality. In its current form, the bill would widen the range of entities that can receive a whistleblowing report and introduce a criminal offense for those causing detriment to whistleblowers, with a proposed maximum sentence of a fine or 18 months’ imprisonment. It is due to have its second reading in spring 2026.

Meanwhile, talk of financially incentivizing whistleblowing has had a mixed reception: the Serious Fraud Office (SFO), the U.K.’s main anti-corruption enforcement agency, the Financial Conduct Authority (FCA) and the U.K.’s tax authority, HMRC, are supportive, but few others are, and many experts believe such a scheme would require legislative change. As a result, there are concerns that the three “failure to prevent” offenses may prove ineffective unless whistleblower protection is improved as well.

The EU is also reviewing whether its Whistleblower Protection Directive is effective. In August 2025 the European Commission launched a call for evidence to evaluate how well the directive has been implemented across all EU member states since its adoption in 2019. Specifically, it will assess whether:  

  • The directive has strengthened whistleblower protection and encouraged reporting
  • Its benefits are proportionate to its costs
  • It still meets today’s challenges and future needs
  • It is aligned with other EU and international policy developments
  • It has achieved more than member states could have done individually

The evaluation is due to be completed by the end of 2026 – five years after the directive was meant to be transposed into national law. There has long been criticism – and concern – that some member states were slow to pass legislation, and that in some countries there is still confusion about what the term “whistleblower” actually means, which does not bode well for the level of protection people might receive.  

There is little doubt that 2026 will bring several significant compliance challenges for companies operating in the EU and U.K., across a range of operational areas. DORA requires in-scope organizations to look not only at their own operational resilience and reporting processes but also at those of their major IT service suppliers, while supply chain due diligence rules – at both national and EU level – will demand much deeper probing of third-party relationships. Meanwhile, the U.K.’s latest focus on corporate fraud will prompt companies to review their whistleblower hotlines and the measures they have in place to protect those who speak up, as the EU considers how its own whistleblower protection rules can be strengthened.

2026 prediction 

Through 2026 compliance teams will need to reassess how well-prepared their organizations are to respond to these new duties, as well as how their organizations can leverage the upsides of what these regulations are meant to create – namely, better cyber resilience, robust supply chain management and more open workplace environments where people can feel safe about raising governance concerns without reprisals. Regulatory enforcement may not take place immediately – but scrutiny will. 

This article is part of our 2026 Top 10 Risk & Compliance Trends eBook. Check out the full eBook for more expert predictions for the year ahead.