What happens next
CIOs should treat August 2 as a hard deadline regardless of what happens in May, Shah said. “I believe CIOs are in a tough spot right now. They should be prepared, irrespective of the regulatory limbo, and treat this summer as a hard deadline. If it gets delayed, then it’s a bonus and if not, then it would be a regulatory risk.”
If lawmakers fail to land a deal before August 2, the high-risk obligations apply as drafted, regardless of whether harmonised standards or national enforcement authorities are ready. Patchy readiness across member states does not reduce the risk for businesses, said Enza Iannopollo, vice president and principal analyst at Forrester.
“It’s obvious that if the authorities responsible for enforcing the rules are not in place, there won’t be enforcement, despite the deadlines,” she said. “But Member States can accelerate that process and put those authorities in place rather quickly. Some countries have already named them. The risk is that businesses lose track of developments across each Member State and find themselves exposed to regulatory scrutiny and fines.”