Data Compliance Timeline — Every Deadline That Affects Your AI Training Data

The regulatory landscape for AI training data and financial compliance is accelerating. Multiple regulations are creating mandatory requirements for how financial institutions source, document, and govern the data they use for testing, training, and analytics.

This timeline tracks every deadline that matters — with a countdown showing exactly how much time you have left to prepare.

Already In Force

DORA — Digital Operational Resilience Act

Enforcement: January 17, 2025

✓ In force

Articles 24-25 require ICT resilience testing with “advanced testing tools.” Financial entities must test systems with realistic but safe data. Born-Synthetic data satisfies both requirements — realistic enough for meaningful testing, safe by construction.

Who’s affected: Banks, insurers, investment firms, payment processors, crypto-asset service providers in the EU.

Penalty: Supervisory measures including public statements, administrative fines, and corrective orders by national competent authorities.

PCI DSS 4.0 — Requirement 6.5.4

Mandatory: March 31, 2025

✓ In force

Prohibits the use of real payment account numbers (PANs) in test and development environments. Organizations must use synthetic or test data for all non-production environments.

Who’s affected: Any organization that processes, stores, or transmits credit card data — merchants, processors, fintech platforms, banks.

Penalty: Loss of ability to process card payments, fines from card brands ($5,000-$100,000/month), liability for breaches.

California AB 2013 — AI Training Data Transparency

Effective: January 1, 2026

✓ In force

Requires AI developers to disclose training data sources on their website. Born-Synthetic data with a Certificate of Sovereign Origin provides transparent, auditable documentation of data provenance.

Who’s affected: AI developers operating in California or deploying AI systems to California users.

Upcoming Deadlines

EU AI Act — Article 10 Data Governance (High-Risk AI)

Enforcement: August 2, 2026

Requires documented data governance for training, validation, and testing datasets used in high-risk AI systems. Financial AI (credit scoring, insurance pricing, fraud detection) is classified as high-risk. Training data must be “relevant, sufficiently representative, and to the best extent possible, free of errors.”

Who’s affected: Any organization deploying high-risk AI in the EU — banks, insurers, fintechs, RegTech providers, credit agencies.

Penalty: Up to €20 million or 4% of global annual turnover, whichever is higher.

EU AI Act — Full Enforcement (All Obligations)

Full enforcement: August 2, 2027

All remaining EU AI Act obligations enter enforcement, including transparency requirements for general-purpose AI, conformity assessments, and ongoing monitoring obligations.

Who’s affected: All AI providers and deployers operating in the EU.

Penalty: Up to €35 million or 7% of global annual turnover for prohibited AI practices.

Solvency II — Digital Operational Resilience Review

Expected: Q1 2027

The European Insurance and Occupational Pensions Authority (EIOPA) is expected to align Solvency II resilience testing requirements with DORA standards, including explicit guidance on synthetic data for stress testing.

Who’s affected: Insurance and reinsurance companies in the EU.

Ongoing Enforcement

GDPR — Article 25: Data Protection by Design

In force since: May 25, 2018

✓ Active since 2018 — enforcement intensifying

Requires data protection “by design and by default” for all processing activities. GDPR enforcement has generated over €4.5 billion in cumulative fines. Born-Synthetic data achieves data protection by design literally — by never processing personal data.

Who’s affected: Any organization processing personal data of EU residents.

Penalty: Up to €20 million or 4% of global annual turnover. Meta fined €1.2 billion (2023). Amazon fined €746 million (2021).

NIS2 — Network and Information Security Directive

Transposition deadline: October 17, 2024

✓ Being transposed across EU member states

Expands cybersecurity obligations to financial entities, including requirements for resilience testing. Synthetic data enables testing without exposing real customer data to additional attack surfaces.

Who’s affected: Essential and important entities in the financial sector across all EU member states.

Why This Matters for Your Data Strategy

Every regulation on this timeline shares a common thread: they require financial institutions to demonstrate how they source, govern, and document the data used in testing and AI training.

Born-Synthetic data — generated from mathematical distributions with zero connection to real individuals — provides a compliance foundation that works across all of these frameworks:

  • GDPR: Not personal data by construction. No processing obligations.
  • EU AI Act: Fully documentable provenance via Certificate of Sovereign Origin.
  • DORA: Realistic testing data that’s safe by design.
  • PCI DSS 4.0: No real financial data in any environment.

The regulatory pressure is not temporary. These frameworks will intensify, not relax. The organizations that build their data infrastructure on compliant-by-construction foundations now will avoid the scramble when enforcement accelerates.

Q: Which regulation should financial institutions prioritize?

A: For AI teams, the EU AI Act Article 10 (August 2026) is the most urgent upcoming deadline. For compliance teams, DORA and PCI DSS 4.0 are already in force. For data protection teams, GDPR enforcement is intensifying. Born-Synthetic data provides a single data strategy that satisfies all of these simultaneously.

Q: Do these regulations apply outside the EU?

A: GDPR and the EU AI Act apply to any organization offering services to EU residents, regardless of where the organization is headquartered. PCI DSS 4.0 is global. DORA applies to financial entities operating in the EU. Most global financial institutions are affected by multiple overlapping frameworks.

Q: How much time do we have to prepare for EU AI Act Article 10?

A: Article 10 enforcement for high-risk AI systems begins August 2, 2026. Organizations should already be documenting their data governance practices. Retroactively documenting data provenance is significantly harder than building with documentable data sources from the start.

Q: Are there penalties for non-compliance with multiple regulations?

A: Yes, and penalties can stack. An organization found non-compliant with both GDPR and the EU AI Act faces separate penalty regimes — potentially up to 4% of global turnover under each framework. Regulators are increasingly coordinating enforcement across frameworks.
