What this signal means

A new regulation just landed on a sector: the EU AI Act on anyone shipping AI features, DORA on financial firms and their IT suppliers, CSRD on mid-size companies that never wrote a sustainability report, NIS2 on operators of anything deemed essential. Unlike every other signal in this library, this one doesn't fire for a single company. It fires for a market.

Each in-scope company now has the same to-do list and the same non-negotiable date, written into law, with fines attached for missing it.

Why it matters for sales

Regulation is the only force that makes thousands of companies buy the same thing at the same time. There's no need to create urgency; parliament did that. There's no budget objection that survives a statutory penalty. And the scope criteria are published, so your addressable list isn't a guess, it's in the legislation: these sectors, above this headcount, by this date.

The window has a rhythm worth respecting. Gap assessments and consultant engagements start 12 to 24 months out. Tooling and vendor selection happen in the middle. The final stretch is implementation, when evaluation is over. Selling early means shaping requirements; selling late means fighting over stragglers. And after the deadline, the first enforcement actions reliably reopen wallets sector-wide. Individual companies' own compliance milestones, like earns GDPR compliance, tell you who's already moving.

How to act on it

Segment the in-scope list by deadline and visible readiness, then write to the obligation, not the trend.

A cybersecurity vendor selling into DORA might message a mid-size insurer's CISO: "DORA's ICT incident reporting rules apply to you from January, and the 24-hour initial notification window is the part that breaks manual processes. We've built the classification-and-reporting workflow against the regulatory technical standards, three insurers your size are live on it. Worth comparing against your current incident runbook before the board asks for the readiness report?"

Citing the specific article, deadline, and entity type does the qualification for them. Generic "are you ready for [regulation]" mail gets deleted; mail that demonstrates you've read the law gets forwarded to whoever owns the problem.

Who should track this signal

Cybersecurity vendors & MSSPs

DORA and NIS2 turned security controls into legal obligations for banks, insurers, utilities, and their suppliers. Incident reporting within 24 hours, resilience testing, board accountability. Map the in-scope entities in your territory and sell against the article numbers.

13 more signals for security & compliance

ESG & sustainability reporting software

CSRD obligates thousands of companies to produce audited sustainability reports on a phased timetable. Each company's first reporting year is public information, which means your prospect list comes with deadlines attached. Work it in deadline order.

13 more signals for security & compliance

Regulatory consultancies & Big 4 competitors

Every major regulation triggers a gap-assessment wave: what applies to us, what do we lack, what will it cost. That engagement lands 12 to 18 months before the deadline. Publish the readiness framework early and the assessments come to you.

13 more signals for security & compliance

AI governance & model documentation tooling

The EU AI Act gives providers of high-risk systems concrete duties: risk management, logging, technical documentation, conformity assessment. Companies with AI in hiring, credit, or medical products know they're in scope and are budgeting now.

13 more signals for security & compliance

Compliance training providers

New regulations create training mandates: staff must be trained, and the training must be evidenced. It's the fastest line item to approve in any compliance budget, and it renews annually. Sector-specific content beats generic every time.

9 more signals for training & enablement

Specialist law firms

In the first year of a major regulation, interpretation is the product: what counts as an 'essential entity', which AI systems are 'high-risk'. Firms that publish clear guidance early become the default counsel for the whole implementation wave.

8 more signals for legal & privacy

Frequently Asked Questions

Related signals

Earns GDPR Compliance

A company publicizes GDPR compliance — it's entering the EU market or its product just got serious about personal data.

Company

Earns ISO 27001

A company gets ISO 27001 certified — the ticket to enterprise and public-sector deals across Europe, the UK, and Asia.

Company

Gains Regulatory Approval

A company wins the license or clearance it's been waiting on — FDA, FCA, a banking charter — and go-to-market starts today.

Company

Track this signal automatically

Clearcue watches for impacted by a new regulation and every other signal in this library — and hands you the people behind them.