The New Compliance Reality
For years, it was possible to treat the major compliance disciplines as parallel tracks. Customs sat with the trade team.
Data protection sat with legal. Cybersecurity sat with IT. AI governance - to the extent anyone worried about it at all - sat with the innovation team, or with nobody in particular.
That separation is becoming harder to maintain.
Across the EU and UK, regulatory developments in 2025 and 2026 are converging on a common expectation: that organisations understand their data, their technology, their supply chains, and their decision-making processes well enough to explain them to a regulator - any regulator, on any given day.
This is not a prediction about where regulation is heading. It is a description of where it already is.
Observation One: Compliance Is Becoming Interconnected
Look at the current EU and UK regulatory landscape and something becomes visible that was not obvious even three years ago.
The major frameworks being implemented or enforced in 2025-2026 - the EU AI Act, GDPR, NIS2, the Cyber Resilience Act, the EU Customs Data Hub, and the expanding sanctions architecture - were each designed for a distinct purpose, by distinct policy communities, in distinct institutional settings.
Yet the operational requirements they generate are remarkably similar.
Every one of these frameworks expects organisations to demonstrate governance - who is responsible, at what level, with what authority.
Every one requires documentation - evidence of decisions made, risks assessed, controls applied.
Every one demands accountability - a named person or function that a regulator can hold responsible.
And every one is moving, at varying speeds, toward a model in which data quality and auditability are not optional extras but core compliance obligations.
Consider a practical example. A mid-sized manufacturer exports dual-use components to multiple markets while operating AI-driven procurement tools, storing supplier data in cloud systems covered by data localisation rules, and managing logistics through a customs intermediary.
Five years ago, these were five separate compliance conversations. Today, they are one conversation about organisational control - and a regulator in any one of those areas may now ask questions that reach across all of them.
Observation Two: Enforcement Is Becoming More Integrated
It is not only the regulatory frameworks themselves that are converging. The enforcement architecture is following suit.
Customs authorities across the EU are implementing data-driven risk profiling at a pace that would have been unrecognisable a decade ago.
The EU Customs Data Hub - the digital backbone of the Union Customs Code reform - is not merely an administrative modernisation.
It is a surveillance upgrade. Customs authorities will have access to richer, more granular data about trade flows, counterparties, and supply chain structures than they have ever had before.
At the same time, data protection authorities are coordinating more closely across jurisdictions, sharing intelligence and, in some cases, taking joint enforcement actions.
The Article 60 cooperation mechanism under GDPR, once a procedural formality, is being used with increasing sophistication.
AI governance bodies - now being established under the AI Act - are being designed from the outset with cross-border coordination in mind.
Sanctions enforcement has undergone perhaps the most dramatic shift. What was once a relatively specialist area - relevant primarily to financial institutions and defence exporters - is now a mainstream compliance obligation for anyone in a supply chain that touches Russia, Belarus, Iran, or a growing list of designated entities.
The EU’s successive sanctions packages have created a compliance burden that falls on logistics companies, freight forwarders, component manufacturers, and software providers who would not previously have considered themselves sanctions-exposed.
The practical implication is significant. An organisation that manages each regulatory obligation in a separate silo - separate teams, separate systems, separate audit trails - is not only operationally inefficient.
It is increasingly at risk. A customs audit that reveals a gap in supply chain documentation may now trigger questions from a data regulator about how that data was managed.
A cybersecurity incident that affects an AI system may trigger both NIS2 notification obligations and AI Act incident reporting requirements.
The walls between disciplines are not just thinning. In some areas, they have already come down.
Observation Three: Operational Teams Are Carrying More Responsibility
There is a structural shift underway in how compliance responsibility is distributed inside organisations - and it is moving in one direction.
Historically, compliance was largely a specialist function. Trade compliance managers handled export controls. Data protection officers handled GDPR.
Information security teams handled cybersecurity. Legal teams handled sanctions screening.
That model worked reasonably well when the frameworks were relatively contained and the interactions between them were limited.
It is no longer an adequate model.
Today, logistics coordinators are making decisions that carry sanctions exposure - choices about routing, carriers, and intermediaries that can bring a company into contact with designated entities.
Procurement teams are carrying out supply chain due diligence obligations under the EU Corporate Sustainability Due Diligence Directive and, increasingly, under the expectations embedded in customs authorisation frameworks.
IT departments are deploying AI tools - sometimes without formal procurement processes - that create obligations under the AI Act’s transparency and high-risk system provisions.
Business unit managers are authorising data transfers that have GDPR implications they may not fully understand.
The World Customs Organisation’s Authorised Economic Operator framework has for two decades recognised that compliance is not a back-office function - it is an operational one.
The most effective AEO holders embed compliance thinking into logistics, procurement, and finance workflows rather than managing it as a parallel bureaucracy.
That model is exactly what the converging regulatory landscape now demands across all disciplines, not just customs.
The WTO’s Trade Facilitation Agreement, fully in force since 2017, similarly established that predictability and transparency in trade procedures require organisational capability, not merely legal knowledge.
The organisations that have built genuine trade facilitation capability - documented procedures, trained staff, auditable processes - are finding that the same organisational architecture transfers directly to the broader compliance convergence challenge.
What This Means in Practice
None of this suggests that the individual frameworks have lost their distinctiveness.
The AI Act has specific requirements for high-risk AI systems that require specialist expertise.
The Union Customs Code has technical classification and valuation rules that require trained practitioners.
GDPR has data subject rights and transfer mechanisms that require legal knowledge.
These disciplines remain distinct, and the expertise required to navigate them remains specialist.
What is changing is the strategic context in which that expertise operates.
Senior leaders in legal, compliance, and operations are increasingly being asked not just “Are we compliant?” but “Do we have the institutional capability to stay compliant across interconnected obligations as those obligations continue to evolve?”
Those are different questions, and they require different answers - answers that reach across functions, not just down into them.
The most significant regulatory trend of 2026 may not be any individual law.
It may be the convergence of multiple regimes into a single underlying expectation: that organisations must understand their data, their technology, their supply chains, and their decision-making processes well enough to explain them coherently to any regulator who asks.
The frameworks are converging. The enforcement architecture is integrating. Responsibility is distributing.
The organisations that recognise this pattern early and build accordingly will find themselves in a structurally stronger position - not just for compliance, but for the credibility, efficiency, and trust that genuine institutional control creates.



