Four Regulators. One Incident. Eighteen Months Too Late.

Brussels Has Promised to Make Europe’s Overlapping Cyber Rules Report Once and Share Many. The Single Front Door Arrives in 2028. The NIS2 Audit, the AI Act High-Risk Deadline, and Live DORA Supervision All Arrive This Summer.

There is a date eight days from now that most boards have not put on a slide. On the thirtieth of June the first compliance audit under NIS2 falls due — the deadline that quietly moved from the end of 2025 to the middle of 2026, which is exactly why it slipped off so many calendars. Five weeks after that, on the second of August, the high-risk obligations of the EU AI Act become applicable. Underneath both, DORA has left its grace period behind: 2026 is the year it moved from text to supervision, from “we have a regulation” to “show me proof.” Three regimes, three clocks, one summer.

And here is the part the boardroom should read twice. Brussels has already conceded that this tangle is unworkable. The Digital Omnibus, tabled last November, promises a single front door for incident reporting — report once to one portal, and let it fan out to the authorities that NIS2, DORA, GDPR, eIDAS and the rest each demand. It is the right idea. It is also, by the text’s own timetable, eighteen months away from entry into force — extendable to twenty-four if the portal is not yet trustworthy enough to carry the traffic. The relief is real. It arrives in 2028. The cliff is this summer. No enterprise gets to wait for the bridge.

Three Clocks, One Incident, No Common Form

Picture a single material breach at a European financial entity on a Tuesday morning. Under DORA, the major-ICT-incident clock starts almost immediately: an initial notification to the financial supervisor within hours of classifying the incident, an intermediate report inside seventy-two hours, a final report inside a month. Under NIS2, a separate clock starts: an early warning to the national CSIRT within twenty-four hours, a fuller notification within seventy-two, a final report at one month. If personal data is in scope — it almost always is — GDPR starts a third clock: notify the data-protection authority within seventy-two hours of becoming aware. Same incident. Three authorities. Three templates. Three thresholds for what even counts as reportable. Overlapping, but never identical.

The enterprises that handle this badly will assemble each notification from scratch, under pressure, on the day — three teams reading three rulebooks while the clock that matters is the tightest one in the room. The enterprises that handle it well will have decided, long before Tuesday, that this is one event with one classification that dispatches three filings. The difference between those two postures is not legal sophistication. It is architecture.

The Cliff Is Real. It Is Also Moving.

The instinct is to treat this as a deadline-management problem: line up the dates, staff the projects, clear the cliff. That instinct underestimates the harder feature of the moment, which is that the cliff itself keeps shifting. On the seventh of May, EU lawmakers reached political agreement to split the AI Act’s high-risk obligations in two: the Annex III systems — recruitment, biometrics, critical-infrastructure use cases — still fall due on the second of August 2026, but the high-risk systems embedded in regulated products under Annex I were pushed out a full year, to August 2027, to wait for standards that do not yet exist. The NIS2 audit date moved by six months. The Digital Omnibus is, as of now, a proposal that will rewrite parts of GDPR and the AI Act before either has fully bedded in.

Meanwhile the directive that started all of this is not even uniformly law. As of this spring the Commission had escalated infringement proceedings against seven member states to the Court of Justice for failing to transpose NIS2 on time — which means the same European rule lands as subtly different national statutes, on different timelines, with the first administrative penalties already issued in some jurisdictions and the ink not yet dry in others. The target is converging and shifting at the same time. You are being asked to hit a deadline that is simultaneously moving, fragmenting, and promising to simplify itself after you have already complied. Regulatory instability is no longer the weather around the cliff. It is the cliff.

Why This Is an Architecture Problem, Not a Compliance Problem

The losing move is the obvious one: stand up a project per regulator. A NIS2 workstream here, a DORA programme there, an AI Act task force, a GDPR function that has existed since 2018 and barely talks to any of them. Four binders, four owners, four evidence trails — and, on the day of an incident or an audit, four versions of the truth that do not reconcile. This is how an enterprise ends up reporting the same event late to one authority, twice to another, and inconsistently to a third, then discovering during the NIS2 audit that the asset inventory its DORA register depends on says something different from what its GDPR records of processing claim.

The winning move treats the overlap as the asset it actually is. NIS2, DORA, the AI Act and GDPR do not ask for four different things at the foundation. They ask, in four dialects, for the same primitives: a current inventory of systems and dependencies, the ability to detect and classify an incident, immutable logging and evidence, a governed register of third parties, and a named human who owns the risk. Build those once, as a shared control plane, and map them many-to-many onto each regime’s specific obligations. The regulation becomes a reporting view over a single substrate rather than four substrates pretending to coordinate. This — a cross-cutting concern that no single product team owns and only an architecture function can hold — is precisely the problem enterprise architecture exists to solve. It is the discipline’s home turf, and most organisations are about to discover whether they actually have it.

RCS-D — The Regulatory Convergence Stress Diagnostic

RCS-D scores one thing: whether an enterprise can absorb a single incident — or a single audit, or a single moved deadline — across multiple overlapping EU regimes without fracturing into parallel, duplicative, contradictory responses. It is not a maturity model for any one regulation; the market is drowning in those. It measures the seams between them, because the seams are where accountability evaporates and where this summer will do its damage. Score each axis from one to five.

Axis 1 — Obligation Overlap Mapping (OOM)

Has the enterprise mapped which single real-world events trigger which regimes, where the obligations overlap, and — more importantly — where they diverge on timeline, template and reporting threshold? A five has one matrix on which any incident type can be traced to every clock it starts. A one has each regulator living in its own binder, and nobody who can say, on demand, which three filings a given breach actually requires.

Axis 2 — Reporting-Clock Reconciliation (RCR)

When one incident starts several clocks — DORA in hours, NIS2 at twenty-four and seventy-two, GDPR at seventy-two — is there a single classification-and-dispatch process that fires the right notifications to the right authorities against the tightest deadline in the set? A five classifies once and dispatches automatically. A one assembles every notification from scratch on the day, discovering the four-hour clock at hour five.

Axis 3 — Shared-Control Coverage (SCC)

Do the controls that satisfy NIS2, DORA, the AI Act and GDPR derive from one control library mapped many-to-many onto each obligation — or are they re-implemented per regime, drifting apart until the evidence one regulator sees contradicts the evidence another sees? A five has a single control plane and a coverage map. A one has four implementations of “asset inventory” that disagree.
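The control plane described above and in Axis 3 is, concretely, a many-to-many mapping from one control library onto each regime's obligations, plus two queries over it: which obligations nothing covers, and which primitives have been implemented more than once and are therefore free to drift apart. The following is an added example for this page, not the newsletter's tooling or any framework's official crosswalk; the obligation identifiers, control identifiers and owners are constructed placeholders, not citations of the regulatory texts.

```python
from collections import defaultdict

# Constructed obligation catalogue: regime -> obligation ids (placeholders,
# not article references).
OBLIGATIONS = {
    "NIS2": {"NIS2-asset-inventory", "NIS2-incident-handling",
             "NIS2-supply-chain", "NIS2-logging"},
    "DORA": {"DORA-ict-asset-register", "DORA-incident-classification",
             "DORA-register-of-information", "DORA-logging"},
    "AI Act": {"AIA-risk-management", "AIA-logging", "AIA-human-oversight"},
    "GDPR": {"GDPR-records-of-processing", "GDPR-breach-notification",
             "GDPR-processor-register"},
}

# Constructed control library. Each control names the primitive it implements
# (the newsletter's inventory / detection / logging / third-party register /
# named owner) and the obligations it is mapped onto, many-to-many.
# CTL-INV-02 is deliberately a second, privacy-owned inventory: the
# "four implementations of asset inventory that disagree" case.
CONTROLS = {
    "CTL-INV-01": {"capability": "inventory", "owner": "Enterprise Architecture",
                   "satisfies": {"NIS2-asset-inventory", "DORA-ict-asset-register",
                                 "GDPR-records-of-processing"}},
    "CTL-DET-01": {"capability": "incident-classification", "owner": "SOC",
                   "satisfies": {"NIS2-incident-handling", "DORA-incident-classification",
                                 "GDPR-breach-notification"}},
    "CTL-LOG-01": {"capability": "logging", "owner": "SOC",
                   "satisfies": {"NIS2-logging", "DORA-logging", "AIA-logging"}},
    "CTL-3P-01": {"capability": "third-party-register", "owner": "Procurement",
                  "satisfies": {"NIS2-supply-chain", "DORA-register-of-information",
                                "GDPR-processor-register"}},
    "CTL-INV-02": {"capability": "inventory", "owner": "Privacy",
                   "satisfies": {"GDPR-records-of-processing"}},
}


def coverage_map(obligations=OBLIGATIONS, controls=CONTROLS) -> dict[str, set[str]]:
    """obligation id -> controls that satisfy it; obligations with no control map to an empty set."""
    covered = defaultdict(set)
    for cid, ctl in controls.items():
        for ob in ctl["satisfies"]:
            covered[ob].add(cid)
    return {ob: set(covered[ob]) for regime in obligations for ob in obligations[regime]}


def uncovered(obligations=OBLIGATIONS, controls=CONTROLS) -> dict[str, set[str]]:
    """regime -> obligations no control satisfies: the gap an auditor finds first."""
    cov = coverage_map(obligations, controls)
    gaps = {regime: {ob for ob in obs if not cov[ob]} for regime, obs in obligations.items()}
    return {regime: obs for regime, obs in gaps.items() if obs}


def duplicated_capabilities(controls=CONTROLS) -> dict[str, set[str]]:
    """capability -> controls implementing it, restricted to primitives built more than once.
    Each entry is a place where two evidence trails can diverge (Axis 3 drift)."""
    by_cap = defaultdict(set)
    for cid, ctl in controls.items():
        by_cap[ctl["capability"]].add(cid)
    return {cap: ids for cap, ids in by_cap.items() if len(ids) > 1}


def regime_view(regime: str, obligations=OBLIGATIONS, controls=CONTROLS) -> dict[str, set[str]]:
    """A single regulator's 'reporting view' over the shared control plane."""
    cov = coverage_map(obligations, controls)
    return {ob: cov[ob] for ob in sorted(obligations[regime])}


if __name__ == "__main__":
    for regime in OBLIGATIONS:
        print(regime, regime_view(regime))
    print("uncovered:", uncovered())
    print("duplicated:", duplicated_capabilities())
```

The two queries are the audit-readiness questions in code form: `uncovered()` is what a supervisor asking "where is the register" will discover, and `duplicated_capabilities()` is the list of places where the evidence one regulator sees can contradict the evidence another sees. A control plane that keeps both empty is what a five on this axis means.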

Axis 4 — Evidence and Audit Readiness (EAR)

On the day a supervisor says “show me proof” — the NIS2 audit on the thirtieth of June, the DORA Register of Information, the AI Act high-risk technical file — can the enterprise produce reconciled, current evidence from a single source of record? Or does it reconstruct the truth per request, hoping the reconstructions match? A five exports evidence; a one rebuilds it. DORA’s supervisory cycle has already made clear that “we have the policy” is not an answer to “where is the register.”

Axis 5 — Regulatory-Change Absorption (RCA)

When a deadline moves or a text changes — the AI Act split on the seventh of May, the Omnibus reshaping GDPR, PSD3 pulling DORA in by reference — can the enterprise re-map without re-doing? Is there a named owner who tracks the instability and re-points existing controls onto the new obligation, or does every amendment trigger an organisation-wide fire drill? This is the axis almost everyone fails, because almost everyone built for a fixed target. In a year when the rules move faster than the projects, it is the axis that decides whether you are governing the change or being dragged by it.

How to Read the Composite

Score each axis one to five and add them. Twenty-five is a convergence-ready posture: one incident produces one classification, reconciled clocks, shared controls, a single evidence source, and a change absorbed without panic. Twenty to twenty-four means one weak seam — usually change absorption — and a summer you will clear with effort. Thirteen to nineteen is exposed: you will, with near certainty, report late to one authority, twice to another, or inconsistently across all three, and an auditor will find the gap before you do. Below thirteen is four binders and no control plane — every incident is a fire drill, every audit a reconstruction, and the Digital Omnibus’s single front door, when it finally arrives in 2028, will simply expose how little was ever connected behind your own. Any single axis below three is a board-level finding to raise before the thirtieth of June, not after.

The Collision Edition 36 Saw Coming

Hawk Nest called this collision early. Edition 36 — Regulatory Collision — argued that Europe’s digital rulebook was being written faster than enterprises could absorb it, and that the danger was never any single regulation but the interference pattern between them. RCS-D is the instrument for that pattern. It does not compete with your NIS2 consultant, your DORA programme or your AI Act counsel; it sits above them and measures whether the four of them add up to one coherent response or four expensive ones. The collision Edition 36 forecast is no longer a forecast. It has a date, and the date is the thirtieth of June.

The Bet on the Control Plane

Every enterprise operating in Europe has already made a bet on how it will meet this summer, whether or not anyone named it out loud. The bet is visible in the org chart. If four different functions own four different regulators and meet only at the audit, the bet is that the cliff can be cleared one binder at a time — and that bet loses the first time a single incident starts three clocks at once. If one architecture function owns the control plane and the regulators are reporting views over it, the bet is that convergence is an engineering problem with an engineering answer, and that bet is the only one that scales as the rules keep moving.

Brussels will eventually build the single front door. It will not arrive in time to help you on the thirtieth of June, or the second of August, or the next time a supervisor asks to see the register. The question for the boardroom is not whether Europe’s rules will converge — they are converging, on dates already in the calendar. It is whether anything behind your own front door has converged to meet them. Score the five axes before the audit does.

Hawk Nest Newsletter is written by Paulo Falcao, who has spent twenty-five years helping organisations turn complex technology challenges into measurable business outcomes across payments systems, enterprise architecture, AI and technology: the intersection of strategy and architecture, converted into reliable, revenue-generating reality. RCS-D joins the IP portfolio next to SIRM, AVAEM, SHAD, ACAM, SAVED, GAIA-D, AGCR-D, AASI, SSV, ATOM, PVC, and PACT-D.

Originally shared in the Hawk Nest LinkedIn newsletter.