Skip to content

AI Governance Framework Updates

The AI governance landscape is moving fast. This page tracks the dates, amendments, and revisions that actually affect compliance programs, grouped by framework. For the full framework guides, see the frameworks overview.

How we use this page

Entries are written as dated, load-bearing facts that change how you should run your program. If an update just adds a new sample document or reference, we do not track it here — we update the framework guide directly.

EU AI Act

  • 2024-07-12 — EU AI Act published in the Official Journal of the European Union.
  • 2024-08-01 — Regulation entered into force; the phased application timeline begins.
  • 2025-02-02 — Prohibited AI practices (Article 5) and AI literacy (Article 4) apply.
  • 2025-08-02 — General-purpose AI (GPAI) obligations begin to apply for new models.
  • 2026-06-29 — Digital Omnibus on AI adopted (European Parliament 16 June, Council 29 June 2026); adopted but not yet in force (it enters into force on the third day after Official Journal publication). On entry into force it defers the high-risk deadlines and adds new Article 5 prohibitions.
  • 2026-12-02(on Omnibus entry into force) New Article 5 NCII/CSAM prohibitions apply; legacy synthetic-content systems must meet Article 50(2) marking.
  • 2027-12-02(deferred from 2 August 2026 by the Omnibus) Standalone Annex III / Article 6(2) high-risk obligations apply.
  • 2028-08-02(deferred from 2 August 2027 by the Omnibus) Annex I / Article 6(1) product-safety high-risk obligations apply.

See the EU AI Act guide and the How to comply with the EU AI Act step-by-step.

ISO/IEC 42001

  • 2023-12 — ISO/IEC 42001:2023 published — first certifiable international management system standard for AI.
  • 2024 onwards — early accredited certification bodies begin offering ISO 42001 audits under IAF signatory schemes.
  • ISO/IEC 42006 (requirements for bodies providing audit and certification of AIMS) is in development and will govern ISO 42001 accreditation.

See the ISO 42001 guide and the How to comply with ISO 42001 step-by-step.

NIST AI RMF

  • 2023-01-26 — AI Risk Management Framework 1.0 (NIST.AI.100-1) published.
  • 2023 — AI RMF Playbook published with categories and subcategories.
  • 2024-07 — NIST AI 600-1 Generative AI Profile published as the first cross-sectoral companion to AI RMF 1.0.

See the NIST AI RMF guide and the How to comply with NIST AI RMF step-by-step.

OWASP Top 10 for LLM / Agentic

  • 2023-08 — OWASP Top 10 for LLM Applications v1.0 published.
  • 2024-11-18 — OWASP Top 10 for LLM Applications 2025 (v2.0) released by the OWASP GenAI Security project.
  • 2025 onwards — OWASP Top 10 for Agentic Applications work published and iterated.

See the OWASP for AI hub, the OWASP Top 10 for LLM, and the OWASP Top 10 for Agentic.

GDPR and EU data-protection guidance on AI

  • 2018-05-25 — GDPR enters into application.
  • 2023–2025 — EDPB and national DPAs publish opinions on AI and training data; AI systems processing personal data must comply with GDPR in parallel with the EU AI Act. See EU AI Act vs GDPR.

NIS2

  • 2023-01-16 — NIS2 Directive (EU) 2022/2555 entered into force.
  • 2024-10-17 — Member State transposition deadline. National laws now apply to essential and important entities.

See the NIS2 guide.

DORA

  • 2023-01-16 — DORA (Regulation (EU) 2022/2554) entered into force.
  • 2025-01-17 — DORA applies to financial entities in the EU.

See the DORA guide.

How to track framework changes in Modulos

Modulos tracks framework versions and notifies projects when regulatory updates affect them, so you can assess impact before deadlines.

Disclaimer

This page is for general informational purposes and does not constitute legal advice. Confirm dates and obligations with official sources and qualified counsel.