What's coming but not yet binding — proposed rules, enacted-but-not-in-force rules, and phase-in deadlines. Forward-looking dates move; confirm against the primary source before acting.
| Date | When | In | Regulator | Rule / milestone | Type |
|---|---|---|---|---|---|
| 2025-03-07 | 489d ago | US | HHS_OCR | HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information Proposed rule (NPRM) — not yet final. | Proposed |
| 2026-12-31 | in 175d | UK | UK_NHS | UK Cyber Security and Resilience Bill — health/NHS as operators of essential services FORTHCOMING (proposed): the UK Cyber Security and Resilience Bill reforms the NIS regime and reaches the health sector — NHS trusts and health providers already designated as operators of essential se | Proposed |
| 2027-03-26 | in 260d | EU | EU_EHDS | Regulation (EU) 2025/327 — European Health Data Space (EHDS) General application — EHR-system requirements, secure processing environments begin to apply. | Phase-in |
| 2029-03-26 | in 991d | EU | EU_EHDS | Regulation (EU) 2025/327 — European Health Data Space (EHDS) Priority health-data exchange (patient summaries, ePrescriptions) + most secondary-use rules apply. | Phase-in |
Knowing which rules bind you is step one. WSquare Advisory builds the operating capability behind compliance — the continuity, third-party, and recovery disciplines these regimes expect. If that's your challenge, let's talk.
Start a Conversation →