The Regulatory Stack in 2026
European database teams now operate under an unprecedented stack of overlapping regulations. Understanding which apply to your organization — and which controls satisfy multiple regulations simultaneously — is essential for efficient compliance.
GDPR: Year Eight, Higher Stakes
GDPR (Regulation EU 2016/679) is no longer new, but enforcement is accelerating:
Trend 1: Fines are getting bigger. The trajectory is clear — from six-figure fines in 2018-2019 to penalties exceeding 1 billion EUR. Irish and Luxembourg DPAs, which oversee many tech companies' EU headquarters, have issued the largest penalties.
Trend 2: Technical implementation matters. Early GDPR enforcement focused on policy and documentation. Recent enforcement actions increasingly examine technical controls: Was encryption actually in place? Were access controls effective? Could the organization actually execute a deletion request? The gap between policy and implementation is where penalties occur.
Trend 3: Cross-border enforcement is improving. The one-stop-shop mechanism (Article 56) initially created bottlenecks. Recent cooperation improvements between DPAs and the European Data Protection Board mean faster decisions and more coordinated enforcement.
What this means for database teams: Having a GDPR privacy policy is not enough. You need demonstrable technical controls — encryption, access control, deletion capability, audit trails — that work reliably and can be evidenced during an investigation.
DORA: Enforcement Begins
DORA (Regulation EU 2022/2554) has been applicable since January 17, 2025. The Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) finalized in late 2024 define the specific requirements:
ICT Risk Management (Articles 5-16): Financial entities must have formal ICT risk management frameworks with documented procedures for identification, protection, detection, response, and recovery.
Incident Reporting (Articles 17-19): Major ICT incidents must be reported to competent authorities within strict timelines. Initial notification within 4 hours, intermediate report within 72 hours, final report within one month.
Resilience Testing (Articles 24-25): Regular testing of ICT systems including vulnerability assessments and, for significant entities, threat-led penetration testing (TLPT).
Third-Party Risk (Articles 28-30): A register of all ICT third-party arrangements, concentration risk assessment, and contractual requirements for critical ICT service providers.
What this means for database teams: If you work in financial services, your database infrastructure is an ICT system subject to DORA. You need automated health monitoring, documented incident response procedures, tested backup and recovery processes, and an inventory of third-party dependencies (including your cloud database provider).
NIS2: Broader Cybersecurity Obligations
NIS2 (Directive EU 2022/2555) replaced the original NIS Directive and significantly expands scope:
Who it covers: Essential entities (energy, transport, banking, health, drinking water, digital infrastructure, ICT service management, public administration, space) and important entities (postal services, waste management, chemical manufacturing, food, manufacturing of medical devices, computer and electronics, and others).
What it requires: Cybersecurity risk management measures including access control policies, encryption, vulnerability handling, incident reporting, business continuity, and supply chain security.
Penalties: Up to 10 million EUR or 2% of worldwide annual turnover for essential entities.
What this means for database teams: NIS2's cybersecurity measures directly translate to database security: access control, encryption, logging, vulnerability management, and incident reporting. If your organization falls under NIS2 scope, your database security practices will be audited against these requirements.
EU AI Act: The New Variable
The EU AI Act (Regulation EU 2024/1689) introduces a risk-based framework for artificial intelligence. For database teams, the relevant provisions are:
Data governance (Article 10): High-risk AI systems must be trained on data that is relevant, representative, and free from errors. The database storing training data must support data quality assessment and documentation.
Data provenance: Organizations must document where training data came from, how it was collected, and what processing was applied. This is a database-level lineage and metadata challenge.
Right to explanation: Some AI decisions must be explainable. If your database feeds an AI system that makes decisions about people (credit scoring, insurance pricing, hiring), you may need to trace which data influenced which decision.
Bias detection: Training datasets must be examined for biases. This requires the ability to query and analyze training data by demographic categories — a database operation that itself raises GDPR concerns.
What this means for database teams: If your organization develops or deploys high-risk AI systems, the databases storing training data need enhanced metadata, lineage tracking, and the ability to selectively remove data points (e.g., if someone exercises their GDPR right to erasure and their data was used for training).
The Overlap Problem
The challenge for database teams is not any single regulation — it is the overlap between regulations that each have their own terminology, requirements, and enforcement bodies.
| Control | GDPR | DORA | NIS2 | AI Act | |---------|------|------|------|--------| | Access control | Art. 32 | Art. 9(4)(c) | Art. 21(2)(i) | Art. 10 | | Encryption | Art. 32(1)(a) | Art. 9(4)(d) | Art. 21(2)(h) | — | | Audit trail | Art. 5(2) | Art. 12 | Art. 21(2)(g) | Art. 12 | | Incident reporting | Art. 33/34 | Art. 17-19 | Art. 23 | — | | Risk assessment | Art. 35 (DPIA) | Art. 6-8 | Art. 21(1) | Art. 9 | | Documentation | Art. 30 | Art. 28(3) | Art. 21(1) | Art. 11 |
The good news: the same technical implementation often satisfies multiple requirements. An immutable audit trail satisfies GDPR accountability, DORA logging, NIS2 monitoring, and AI Act documentation simultaneously.
Practical Recommendations for 2026
1. Build a shared control framework. Rather than implementing GDPR controls, DORA controls, and NIS2 controls separately, identify the shared controls and implement them once. Access control, encryption, audit logging, and incident reporting are required by all of them.
2. Automate evidence collection. Manual compliance evidence is not sustainable across four regulations. Automate security checks, access reviews, and configuration assessments so you can produce evidence on demand during any audit.
3. Document everything. The common thread across all EU regulations is documentation. What data do you hold? Who can access it? What changes were made? What incidents occurred? If you cannot answer these questions from your database's own records, you have a gap.
4. Plan for cross-regulation audits. Financial entities may face GDPR audits from their DPA, DORA audits from their financial regulator, and NIS2 audits from their cybersecurity authority — potentially in the same year. Having a unified evidence base makes this manageable.
5. Watch the Data Act. The Data Act (Regulation EU 2023/2854), applicable from September 2025, introduces B2B and B2G data sharing obligations that may affect how database access is structured. If your business generates IoT data or provides cloud services, this regulation will affect your database architecture.
What This Means for Technology Choices
The regulatory environment favors databases that are transparent (open source), portable (no vendor lock-in), and extensible (can add compliance controls without modifying core code). It also favors in-EU hosting, especially for public sector and financial services.
This does not mean you must use PostgreSQL — but it does mean that closed-source, US-only-hosted, non-extensible database choices will face increasing friction in the EU regulatory environment. Choose your database technology with a 5-year regulatory horizon in mind, not just today's feature requirements.