For manufacturers, suppliers, distributors, and service providers, these upcoming sustainability laws and regulatory changes will influence everyday decisions from product design and packaging to sourcing, reporting, and market access.
This article looks at the key EU regulations coming into force in 2026, helping companies understand what is changing and when they need to be ready.
Table of Contents:
- CBAM Emissions Trading from January 1, 2026
- Cyber Risk Management Requirements Under NIS2
- Pay Transparency Reporting Obligations
- New Obligations for Lenders and Credit Intermediaries
- AI Act compliance for high-risk AI systems
- EU Packaging Rules and New Obligations
- Digital resilience under CRA
- Stricter Rules for Environmental Advertising
- New Product Liability EU Rules
- Deforestation Compliance Under the EUDR
- EU Right to Repair Rules for Manufacturers
- Overview of EU Regulatory Changes Taking Effect in 2026
CBAM Emissions trading from January 1, 2026
From January 1, 2026, the Carbon Border Adjustment Mechanism (CBAM) will move into its final phase. From this point, companies importing certain CO₂-intensive goods into the EU will no longer only report emissions. They will also have to pay for them.
CBAM is designed to stop companies from moving production to countries with weaker climate rules. Importers will have to buy emission certificates to cover the emissions created when the goods are produced.
The EU has made some adjustments to CBAM under its second omnibus package to make the system easier to manage, especially for smaller importers and companies with limited exposure. These changes include clearer reporting rules, streamlined administrative procedures, and some flexibility in how data can be submitted.
However, these simplifications do not remove the core obligations. From 2026, affected companies will still face direct financial costs linked to the carbon content of imported goods. They will also need robust internal processes to track emissions data, work closely with non-EU suppliers, and ensure full regulatory compliance. For many businesses, this means higher import costs, more administrative work, and the need to prepare well in advance.
Cyber risk management requirements under NIS2
The NIS 2 directive brings cybersecurity rules to many more companies. Businesses will need to put basic cyber risk management measures in place, set clear security procedures, and report serious IT incidents within set deadlines.
The rules now also cover digital service providers that were previously outside the scope. Cloud service providers, data centers, and online marketplaces will all be required to strengthen their cybersecurity measures to better protect their systems and services.
Pay transparency reporting obligations
The EU Pay Transparency Directive requires employers to be more open about pay.
Job advertisements will need to show a salary or a salary range, so candidates know what pay to expect from the start.
Employees will also be able to ask for information on average pay for similar roles, with data split by gender. Companies will have to report their gender pay gap and act if differences are found.
New obligations for lenders and credit intermediaries
The revised Consumer Credit Directive (CCD II) sets common rules for consumer credit across the EU. Its goal is to create clearer and more consistent standards while strengthening protection for consumers.
When B2Bs can be affected
B2B companies may fall under the rules if they:
- Offer or arrange credit for buyers, even if lending is not the company’s main activity
- Provide or support Buy Now Pay Later, instalment payments
- Run online platforms or marketplaces that help arrange or broker buyer’s credit
- Target sole traders or micro-entrepreneurs who may be treated like consumers under national law
In these cases, the obligations can apply even if the company itself is a B2B platform or service provider.
AI Act compliance for high-risk AI systems
Under the current plan, the main rules of the AI Act are set to apply from August 2, 2026.
The regulation mainly focuses on high-risk AI systems, such as those used for hiring, credit checks, healthcare, and safety. Companies that provide these systems will need to control risks, use high-quality training data, and keep clear technical records.
Transparency is a key requirement. AI-generated content must be clearly labelled, users must know when they are interacting with AI, and the system’s functioning must be understandable. Human oversight will also be required so that important decisions are not fully automated.
On November 19, the EU Commission suggested delaying the start of these rules under the Digital Omnibus initiative. Until a final decision is taken, companies should continue preparing based on the current timeline.
EU packaging rules and new obligations
The new EU packaging regulation will apply from August 12, 2026, although it has already been in force since February 11, 2025. From that date, the rules will apply to the full life cycle of packaging, including how it is designed, used, collected, and recycled.
The regulation affects many types of businesses, such as manufacturers, retailers, online stores, importers, and distributors. Companies will need to make sure their packaging meets new requirements on sustainability and waste reduction, which may require changes to packaging materials, product design, and internal processes.
A detailed RFQ process can help companies identify the most effective approach to comply with the new packaging rules by comparing materials, solutions, and regulatory expertise from different suppliers.
Digital resilience under CRA
The first obligations under the Cyber Resilience Act (CRA) will apply from September 11, 2026. From that point, manufacturers must report serious cybersecurity incidents and vulnerabilities that are actively being exploited.
Although the CRA has been in force since December 2024, these reporting duties are the first practical requirements for companies.
The regulation sets mandatory cybersecurity rules for most products with digital features that connect to networks or process data. The goal is to make products sold in the EU more secure. Any company putting these products on the EU market will need to manage cybersecurity risks properly.
From June 11, 2026, approved assessment organisations will be able to operate as CRA Notified Bodies. This is an important step ahead of the CE marking requirements that will apply from 2027.
Stricter rules for environmental advertising
Stricter rules for environmental and “green” advertising are expected to apply from September 27, 2026. From then on, companies will only be allowed to make environmental claims if they can clearly prove them. Vague or unverified sustainability statements will no longer be allowed.
Under the Empowering Consumers for the Green Transition Directive (EmpCo), sustainability labels and seals will also be more strictly controlled. These labels must be based on recognised certification systems or be issued by public authorities, with the goal of making environmental claims clearer and more reliable.
How B2Bs are affected
These new rules mainly target consumer-facing communication, but B2B companies can also be affected. Any sustainability claims used in public-facing materials, such as websites, marketing content, or product information that may reach consumers, will need to be clearly proven. Purely internal or contractual B2B communication is usually outside scope, but broad or unverified green claims in external communication will no longer be allowed.
New Product Liability EU Rules
The new Product Liability Directive will apply to products placed on the market or put into use after December 9, 2026. It covers both traditional products and digital resilience products, including items such as robots and smart home systems.
The directive modernises liability rules to protect consumers when products cause harm and requires non-EU manufacturers to appoint an EU-based economic operator so claims can be handled locally.
How B2Bs are affected
- Manufacturers, including B2B producers, can be held liable if their products cause damage
- Non-EU B2B manufacturers must appoint an EU-based economic operator if they sell products in the EU
- Importers and distributors may face increased responsibility if they place products on the EU market
Deforestation compliance under the EUDR
Under the current rules, the EU Deforestation Regulation (EUDR) is set to apply from December 30, 2025. However, the EU Parliament and the Council have provisionally agreed to delay its start until December 30, 2026. Small and micro enterprises would be affected even later, from June 30, 2027. A final decision on the postponement is expected in 2025.
The EUDR applies to companies that import, sell, or export certain raw materials and related products, including cocoa, palm oil, coffee, soya, beef, wood, rubber, and products made from them, making supply chain compliance a key requirement for affected businesses.
Companies placing these goods on the EU market must be able to show that they are not linked to deforestation after December 31, 2020, and that they were produced in line with the laws of the country where they originate.
EU Right to Repair Rules for Manufacturers
The “Right to Repair” Directive requires manufacturers of certain products to offer repair services at a reasonable price and within a reasonable time, even after the warranty has expired. This is meant to make repairs a practical option for buyers, rather than replacing products.
To support this approach, buyers who choose repair instead of replacement during the period of liability for defects will benefit from an extended warranty. The main goal of the directive is to help products last longer, reduce waste, and encourage more sustainable use of goods across the EU.
Overview of EU Regulatory Changes Taking Effect in 2026
The table below gives an overview of the key EU regulations covered in this article, sorted by their expected application dates.
Conclusion
New regulations are always a challenge for businesses. When multiple rules are set to apply within a short timeframe, the pressure increases even further. As requirements become more complex and timelines tighter, having the right partners in place can make compliance less disruptive and easier to manage.
For more ideas on navigating EU regulations and preparing your business for upcoming compliance requirements, europages Inside Business offers helpful tools and inspiration.
