The turn of the year traditionally marks the starting point for new regulatory requirements in the field of Governance, Risk, and Compliance. While 2025 was heavily characterized by the final implementation of major EU frameworks such as DORA and NIS 2, the year 2026 is defined by expansion and technological deepening. For companies in the DACH region (Germany, Austria, Switzerland), January 1, 2026, specifically means that grace periods are over, new reporting standards in the crypto sector take effect, and sustainability reporting reaches the next escalation level regarding the breadth of affected companies.
Key Takeaways
- In Switzerland, the automatic exchange of information on crypto-assets (CARF) enters into force on January 1, 2026.
- The CSRD reporting obligation expands to large, non-capital-market-oriented companies starting with the 2026 financial year.
- For DORA and NIS 2, the implementation phase ends; from 2026 onwards, supervisory authorities will focus on auditing and sanctioning.
- The EU AI Act approaches decisive deadlines, making 2026 the central year for AI governance implementation.
Switzerland: Transparency Push via CARF and Expanded AEOI
A central focus at the start of 2026 lies on Switzerland. On January 1, 2026, the Federal Council enacts the Crypto-Asset Reporting Framework (CARF) as well as amendments to the Common Reporting Standard (AIA/AEOI). This is a decisive step for tax transparency in the realm of digital assets.
The CARF framework obliges Swiss crypto service providers to record their clients' transaction data and information on the crypto-assets they hold. This data must be reported to the Federal Tax Administration (FTA), which in turn exchanges it with partner states. The goal is to close tax loopholes that existed because crypto-assets were previously not recorded under the classic AEOI. For GRC managers at Swiss financial institutions and crypto service providers, this means that due diligence processes and KYC (Know Your Customer) procedures must be fully adapted to the new asset classes and reporting standards by the January 2026 deadline.
In parallel, amendments to the AEOI Act come into force, implementing recommendations of the Global Forum on Transparency and Exchange of Information for Tax Purposes. This affects, among other things, more precise due diligence obligations for Non-Reporting Financial Institutions.
CSRD: The Second Wave Rolls In
At the European level, January 1, 2026, is a crucial date for the Corporate Sustainability Reporting Directive (CSRD). While previously primarily capital-market-oriented companies were subject to reporting obligations, the obligation for large limited liability companies that are not capital-market-oriented begins with the 2026 financial year.
Companies fall under this second wave if they exceed at least two of the following three criteria: more than 250 employees, more than 50 million euros in net turnover, or more than 25 million euros in balance sheet total (taking into account inflation-related threshold adjustments). For compliance departments in these companies, the start of the 2026 financial year means that data collection for the report to be published in 2027 must now be operational. The time for preparation is over; from now on, ESG data must be recorded in an audit-proof manner. This requires functioning Internal Control Systems (ICS) for sustainability information.
DORA and NIS 2: From Project Mode to Regular Operations
Both the Digital Operational Resilience Act (DORA) and the NIS 2 Directive formally entered into force before 2026. Nevertheless, January 2026 marks a watershed moment. The phase of “Day 1 Compliance,” which was often still characterized by transitional solutions, is over.
From 2026 onwards, it is expected that national supervisory authorities – such as BaFin in Germany or FMA in Austria – will intensify their auditing activities. For DORA, this means that ICT third-party risk management must exist not only on paper; contractual adjustments with IT service providers must also be concluded. Registers of information relationships must be current and complete. GRC experts should use the year 2026 to test the processes implemented in the previous year for their operational effectiveness (e.g., through TLPT, Threat-Led Penetration Testing), as real sanctions now loom.
Outlook: Supply Chain Acts and CSDDD
In Germany, the Supply Chain Due Diligence Act (LkSG) remains relevant, but the focus is increasingly shifting towards harmonization with the European Corporate Sustainability Due Diligence Directive (CSDDD). Although the national implementation laws of the CSDDD will only fully enter into force later, companies must strategically align their risk analyses with the more far-reaching requirements of the EU Directive from 2026 onwards to avoid duplicate work. In particular, the climate transition plans, which are part of the CSDDD, require a lead time that should begin in January 2026.
FAQ
Who does the new CARF law in Switzerland affect starting January 2026?
It primarily affects Crypto-Asset Service Providers (CASPs/VASPs) resident in Switzerland. They must record client data and transactions and report them to the tax authorities.
Does my company have to create a CSRD report starting in 2026?
If your company is not capital-market-oriented but meets two of the three criteria (balance sheet > 25m EUR, turnover > 50m EUR, > 250 employees), the duty to collect data begins for the financial year 2026. The report itself will then appear in 2027.
What changes in 2026 regarding DORA?
From a regulatory standpoint, nothing new changes, but the grace period is over. From 2026, the first in-depth audits by supervisory authorities are expected to take place, and processes must be “lived and tested.”
What role does the EU AI Act play in January 2026?
The AI Act is already in force, but many obligations for high-risk AI systems only become strictly effective in mid-2026. January 2026 is therefore the starting signal for the final implementation phase of these requirements.