Weekly Briefing
CyberEyeQ
Actionable Regulatory Intelligence
April 23, 2026
Issue #18
This week: the FTC's amended COPPA Rule reached its full-compliance date on April 22, the EU Digital Omnibus trilogue targets April 28 for a political deal, Colorado's AI Act enforcement window opens June 30, the SEC reports its lowest enforcement activity in 20 years, and Nebraska and Maine enact the first chatbot disclosure requirements and unlicensed AI therapy bans.
At a Glance
› COPPA compliance achieved — The FTC's amended COPPA Rule entered full enforcement on April 22, requiring written security programs, data retention policies, and biometric identifier protections.
› EU Omnibus trilogue in five days — The Digital Omnibus political trilogue convenes April 28. Parliament voted 569 in favor; key disputes remain on watermarking deadlines and AI Office scope.
› Colorado AI Act enforcement window opens — Colorado's SB 24-205 takes effect June 30 (68 days out) with risk management policies, bias audits, and consumer disclosure requirements. Penalties run up to $20K per violation per consumer.
› Nebraska and Maine ban unlicensed AI therapy — Nebraska signed LB 525 (April 14), requiring disclosure to minors; Maine passed LD 2082 (April 13), prohibiting unlicensed AI from providing therapy.
› FinCEN AML overhaul proposed — The joint OCC/FDIC/NCUA/FinCEN rule replaces rules-based compliance with an effectiveness-based standard and introduces an innovation safe harbor for AI/ML. Comments due June 9.
› SEC enforcement at 20-year low — FY2025 enforcement actions totaled 456 (down from a 20-year average of ~600), with actual monetary relief of ~$2.7B.
Critical Actions
Items requiring immediate attention this week.
CRITICAL · EU · AI Governance · Due: April 28, 2026 (5 days)
EU Digital Omnibus Trilogue — Political Agreement Deadline
The trilogue convenes for final political negotiations. Parliament passed the directive with 569 votes. Key issues: Annex III standalone deadline Dec 2, 2027 vs. Aug 2, 2028 for embedded; watermarking requirements; AI Office scope; new prohibition on non-consensual AI intimate imagery.
Action: Finalize your AI governance compliance roadmap for January 2028 (Annex III standalone) and August 2028 (embedded systems). Monitor trilogue press releases.

CRITICAL · US State (CO) · AI Governance · Due: June 30, 2026 (68 days)
Colorado AI Act (SB 24-205) — Enforcement Window Opens
Colorado's AI governance law takes effect June 30. Covered entities must implement risk management policies, conduct bias audits, perform impact assessments, and disclose AI use. Penalties run up to $20,000 per violation per consumer. NIST AI RMF and ISO 42001 provide safe harbors.
Action: Audit AI deployments for Colorado consumer impact. Map systems against high-risk thresholds. Develop written risk management and bias audit documentation.

HIGH · US Federal · Financial · Due: June 9, 2026 (47 days)
FinCEN AML/CFT Program Reform — Comment Period Open
FinCEN, OCC, FDIC, and NCUA jointly proposed the most significant AML overhaul in decades. The rule shifts from a rules-based to an effectiveness-based approach with an innovation safe harbor for AI/ML. Comments due June 9.
Action: Assess your AML/CFT program against the proposed effectiveness standard. Prepare comment letters. Document AI/ML alignment with the safe harbor.
Enforcement Watch
Recent fines, penalties, and enforcement actions.
SEC FY2025 Enforcement at 20-Year Low (456 actions)
456 enforcement actions, ~$2.7B in actual monetary relief.

Germany Issues First NIS2 Fine (€850K)
Cloud provider fined €850,000 for failure to implement risk management under Germany's BSI Act.

4chan Accruing Ofcom Penalties (£800/day)
Daily penalties of £800/day since April 2 for Online Safety Act age verification non-compliance.

Reddit Appeals ICO GDPR Fine (£14.47M)
Reddit appealed the UK ICO fine. Appeal outcome pending.
Deadline Watch
Upcoming compliance deadlines — next 30–90 days.
› EU Digital Omnibus — Political Trilogue (EU · AI system providers, deployers)
› EUDAMED Mandatory Use Begins (EU · Medical device manufacturers)
› SEC Reg S-P Breach Notification, Smaller Entity (US Federal · Smaller entities with a breach)
› FinCEN AML/CFT NPRM — Comment Deadline (US Federal · Banks, financial institutions)
› UK Cyber Resilience Act — Conformity Body Notification (UK · Notifying authorities, manufacturers)
› Basel III Endgame Re-Proposal — Comment Deadline (US Federal · Category I/II banks (GSIBs))
› Colorado AI Act Enforcement Begins (US State (CO) · High-risk AI system deployers)
› EU Digital Omnibus — Embedded AI Products Deadline (EU · Manufacturers of embedded AI systems)
› EU Digital Omnibus — Standalone AI Implementation Deadline (EU · Standalone AI system providers)
Around the World
Global regulatory developments at a glance.
🇪🇺 European Union: Digital Omnibus trilogue targets April 28 for political agreement on AI Act deadline extensions, watermarking requirements, and new prohibitions. UK Cyber Resilience Act conformity body notification deadline June 11. EDPB transparency enforcement active.

🇺🇸 United States: COPPA full compliance April 22. Colorado AI Act enforcement June 30. FinCEN AML overhaul with AI/ML safe harbor, comments due June 9. Nebraska LB 525 and Maine LD 2082 restrict AI in mental health. White House AI Policy Framework emphasizes federal preemption; DOJ AI Litigation Task Force operational.

🇬🇧 United Kingdom: Cyber Security and Resilience Bill cleared Commons Report Stage and heads to the Lords. ICO Reddit GDPR fine appeal (£14.47M) pending. FCA published a consultation on the UK crypto regulatory framework.

🇨🇳 China: No new major AI regulation announcements this week; focus remains on the July 15 effective date for Anthropomorphic AI Interaction Services.
Deep Dive
Extended analysis on this week's most critical developments.
US Federal · Financial Regulation
FinCEN's Effectiveness-Based AML Revolution
FinCEN, OCC, FDIC, and NCUA jointly released the most significant anti-money laundering reform in decades on April 7. The proposed rule shifts US AML compliance from a rules-based framework to an effectiveness-based standard. Key changes: (1) Risk-Based Program Design; (2) Real-World Effectiveness Testing; (3) Innovation Safe Harbor for AI/ML. Comments due June 9, finalization expected late 2026 or Q1 2027.
EU · AI Governance
EU Digital Omnibus Pre-Trilogue Analysis
The Digital Omnibus cleared Parliament with 569 votes and enters final trilogue April 28. Key issues: Annex III deadlines (standalone Dec 2, 2027; embedded Aug 2, 2028), watermarking for generative AI, EU AI Office scope. A new prohibition on non-consensual AI intimate imagery is included. Compliance teams should begin mapping AI systems against Annex III and plan for December 2027.
What to Do This Week
Your compliance checklist.
1. Ensure COPPA compliance is locked in: the April 22 deadline has passed. Verify that the security program, data retention policies, and biometric protections are operational.
2. Prepare EU Digital Omnibus post-trilogue analysis: monitor the April 28 trilogue outcome and map AI systems against the finalized Annex III deadlines.
3. Assess Colorado AI Act exposure by May 15: begin risk management and bias audit documentation for June 30 enforcement.
4. Begin FinCEN AML comment preparation: coordinate with compliance and legal teams. Deadline June 9.
5. Monitor Nebraska/Maine therapy AI implications: assess the impact of the unlicensed therapy bans if you provide AI-assisted mental health tools.
This newsletter is for informational purposes only and does not constitute legal advice. Always consult qualified legal counsel for compliance decisions.