Insights

Home | Insights | Future-Proofing Compliance in Grant Management: What Funders Need to Know for 2025–2027

Future-Proofing Compliance in Grant Management: What Funders Need to Know for 2025–2027

Future-proofing grant management systems

Compliance, particularly in the Public Sector, is no longer a background task. For funders in the UK and EU, regulations around artificial intelligence, data, procurement, accessibility, and cybersecurity are reshaping how grant management systems (GMS) must be designed, delivered, and governed. Choosing the right system today is about future-proofing for tomorrow’s obligations.

Artificial Intelligence Act (EU)

The EU’s AI Act is the world’s first major legal framework for AI. Prohibited AI practices have been banned since February 2025. Obligations for general-purpose AI models take effect in August 2025, and duties for high-risk AI systems (such as tools used in funding decisions) apply from August 2026.

Impact on grantmakers: any AI-supported scoring, triage or monitoring must be explainable, logged, and overseen by people. Human-in-the-loop review and auditable decision trails will become standard.

Data Act (EU)

The EU Data Act, applicable from September 2025, strengthens rights around data portability, access, and cloud switching.

Impact on grantmakers: systems must allow secure data export, support contractually defined exit strategies, and avoid vendor lock-in.

UK Procurement Act 2023

In force since February 2025, this act reforms how public bodies procure and manage contracts. A new regime of notices and transparency duties now applies across the grant lifecycle.

Impact on grantmakers: GMS solutions must generate audit-ready data and align to standardised notice requirements.

Accessibility

Accessibility has moved up the compliance agenda.

WCAG 2.2 standards are expected of all UK public sector digital services.

The European Accessibility Act (EAA) becomes enforceable in June 2025, requiring consumer-facing platforms to meet accessibility requirements.

Impact on grantmakers: public portals must be designed inclusively, with accessibility testing and statements embedded.

Cybersecurity & Resilience

NIS2 Directive: enforced nationally from October 2024, applies to many public and research funders.

Cyber Resilience Act (CRA): phased requirements from September 2026 (vulnerability disclosure) and December 2027 (full obligations for digital products).

Impact on grantmakers: expect stricter due diligence on software suppliers, requirements for SBOMs (software bills of materials), and stronger incident reporting.

Identity & Trust

The eIDAS 2.0 regulation requires EU Member States to make the EU Digital Identity Wallet (EUDI) available by the end of 2026, enabling strong, portable digital identities.

Impact on grantmakers: GMS platforms should plan to support secure login via EUDI and other government/enterprise identity providers.

How to Prepare: A Buyer’s Checklist for Grant Management Systems (2025–2027)

When evaluating grant management systems, funders should ensure their platform offers:

Feb 2025 – EU AI Act (Prohibited AI practices banned): Ensure any AI-assisted functions in grant assessment or reporting comply with new restrictions.

Feb 2025 – UK Procurement Act 2023 (Transparency obligations in force): Systems must generate audit-ready exports, aligned with the new notice and transparency regime.

Jun 2025 – European Accessibility Act (EAA): Public-facing portals must comply with accessibility standards; design inclusively (WCAG 2.2 AA).

Aug 2025 – EU AI Act (GPAI obligations): Prepare for controls around general-purpose AI models; ensure explainability and logging.

Sep 2025 – EU Data Act (Applicable): Guarantee secure data portability and cloud exit strategies; avoid vendor lock-in.

Aug 2026 – EU AI Act (High-risk system duties): Implement human-in-the-loop governance, risk management, and full decision audit trails.

Sep 2026 – Cyber Resilience Act (Early obligations): Plan for vulnerability disclosure processes and supplier due diligence.

End 2026 – EU Digital Identity Wallet (EUDI): Prepare for strong, portable identity verification; support government and enterprise IdPs.

Dec 2027 – Cyber Resilience Act (Full obligations): Meet secure-by-design requirements, software bills of materials (SBOMs), and full CRA compliance.

At AIMS, compliance isn’t an add-on. We embed configurable workflows, strong audit trails, accessibility, and integration flexibility so funders can adapt with confidence. Future-proofing your GMS means aligning with both today’s needs and tomorrow’s rules.

Want to discuss how AIMS can support compliance in your sector? Get in touch.
Back to all insights

Latest Insights

Grantmaking 101: Standardisation vs Flexibility in Grantmaking

Grantmaking 101: What is a shared grant management service?

How Manual Grant Processes Slow Teams Down
 
Cyber Essentials certificate Amtivo ISO 27001 Certified
General Enquiries
 
© AIMS Software Ltd 2026
Web design by Creatomatic
This website uses cookies
This site uses cookies to enhance your browsing experience. We use necessary cookies to make sure that our website works. We’d also like to set analytics cookies that help us make improvements by measuring how you use the site. By clicking “Allow All”, you agree to the storing of cookies on your device to enhance site navigation, analyse site usage, and assist in our marketing efforts.
Privacy Policy >Cookie Policy >
These cookies are required for basic functionalities such as accessing secure areas of the website, remembering previous actions and facilitating the proper display of the website. Necessary cookies are often exempt from requiring user consent as they do not collect personal data and are crucial for the website to perform its core functions.
A “preferences” cookie is used to remember user preferences and settings on a website. These cookies enhance the user experience by allowing the website to remember choices such as language preferences, font size, layout customization, and other similar settings. Preference cookies are not strictly necessary for the basic functioning of the website but contribute to a more personalised and convenient browsing experience for users.
A “statistics” cookie typically refers to cookies that are used to collect anonymous data about how visitors interact with a website. These cookies help website owners understand how users navigate their site, which pages are most frequently visited, how long users spend on each page, and similar metrics. The data collected by statistics cookies is aggregated and anonymized, meaning it does not contain personally identifiable information (PII).
Marketing cookies are used to track user behaviour across websites, allowing advertisers to deliver targeted advertisements based on the user’s interests and preferences. These cookies collect data such as browsing history and interactions with ads to create user profiles. While essential for effective online advertising, obtaining user consent is crucial to comply with privacy regulations.