Seed Round: $0.25/FRAC — Listing at $1.00 (300% ROI) — Buy Now
← Blog
#compliance#eu-ai-act#cnsa-2.0

The AI and cryptography compliance deadlines coming in 2026-2027 (and how to prepare)

Several AI-transparency and post-quantum-cryptography obligations land in 2026 and 2027. A plain-English map of the key dates and the one capability — verifiable, tamper-evident records — that helps w

Two regulatory currents are arriving at once, and both land on dates worth putting in a calendar. The first is AI transparency and governance; the second is the migration to post-quantum cryptography. They come from different regulators for different reasons, but they share a practical requirement that is easy to miss until an auditor asks for it: the ability to produce records that can be independently verified as authentic and unaltered.

On the AI side, the EU AI Act phases in through 2026. Its transparency obligations under Article 50 — marking AI-generated content in a machine-readable way and disclosing deepfakes — become applicable in August 2026, with a short grace window after. High-risk-system obligations, including logging, traceability, and data governance, phase in across the same period and into 2027. The common thread is documentation you can stand behind: what a system did, what data trained it, and proof that the record was not edited after the fact. An internal log the operator can silently change is not evidence; a signed, timestamped record is.

On the cryptography side, the clock is set by NIST and, in the United States, by CNSA 2.0. NIST finalized the post-quantum standards (ML-KEM, ML-DSA) in 2024, and CNSA 2.0 expects new national-security systems to be on post-quantum algorithms by 2027, with broad migration running to the early 2030s. For vendors selling into government or regulated enterprise, this turns into a procurement question sooner than the final deadline: can you disclose your cryptographic inventory and show a credible migration path? Increasingly the answer takes the form of a signed cryptographic bill of materials, not a slide.

The useful observation is that most of these obligations are satisfied by the same underlying capability: a verifiable, tamper-evident record. Whether it is a provenance mark on AI content, a logged and signed model decision, a dataset provenance entry, or a sealed cryptographic inventory, the compliance value comes from the same properties — integrity, non-repudiation, and an independently checkable timestamp. Building that capability once, and applying it across your AI and cryptography obligations, is far cheaper than reconstructing evidence under audit pressure. And because these records are meant to hold up for years, signing them with a post-quantum scheme (ML-DSA, FIPS 204) keeps them verifiable across the very transition the cryptography deadlines are about — resistant to known classical and quantum attacks per NIST, not unbreakable. Be honest about scope: a signed record proves what was declared and that it has not changed, not that the underlying decision was correct or the data lawfully obtained — those remain separate governance duties. But it is the load-bearing piece most of these deadlines quietly depend on, and the one worth building before the date, not after.

Try it yourself — live, free, verifiable in 30 seconds:

Create verifiable compliance records

Get honest updates on post-quantum crypto & verifiable AI. No spam, unsubscribe anytime.

FRACTAL AI S.A.S. · Honest claim: resistant to all known classical & quantum attacks per NIST FIPS 203/204 — not “unbreakable”.