Weekly Briefing
CyberEyeQ
Actionable Regulatory Intelligence
April 9, 2026
Issue #16
This week: Six compliance deadlines land in the next 30 days, regulators levied over $130M in fines, and US states enacted 19 new AI laws in a single week.
At a Glance
› NYDFS cyber certification due Tuesday — April 15 deadline for Part 500 annual attestation covering all 2025 amendments; CEO/CISO personal liability attaches.

› China bans algorithmic price discrimination — New platform pricing rules take effect April 10, requiring transparent pricing and 7-day advance notice for fee changes.

› COPPA enforcement expands April 22 — FTC's amended rule adds biometrics, mandatory security programs, and penalties exceeding $53,000 per violation.

› EU AI Act trilogue targets April 28 — Second Digital Omnibus trilogue aims for political agreement on compliance timelines and new prohibition categories.

› UK mandates MFA on all cloud services — Cyber Essentials v3.3 takes effect April 26; missing MFA on any cloud service is an automatic certification failure.

› $130M+ in enforcement actions this week — CNIL fines Free Mobile €42M, FinCEN penalizes Canaccord $80M, and ICO hits Reddit for £14.47M.

Critical Actions
Items requiring immediate attention this week.

[Urgent] NYDFS Part 500 Annual Certification — April 15
File your annual compliance certification covering all 2025 amendments through the NYDFS portal. This is the first certification cycle under the fully amended Part 500. CEO and CISO must personally attest. Late or inaccurate filings carry personal liability and potential enforcement action.

[Urgent] China Platform Pricing Rules — Effective Tomorrow (April 10)
New rules ban algorithmic price discrimination based on user data (“big data price gouging”). Platforms must display transparent pricing, provide 7-day advance notice for fee changes, and allow users to opt out of personalized pricing. Penalties include fines up to 5% of annual revenue.

[Action] COPPA Amended Rule Enforcement — April 22
The FTC’s updated Children’s Online Privacy Protection Act rules take effect, adding biometric data to the definition of personal information, requiring comprehensive security programs, and introducing mandatory data retention limits. Penalties exceed $53,000 per violation. Operators targeting children under 13 must update privacy policies and consent mechanisms.

[Action] UK Cyber Essentials v3.3 — April 26
Updated Cyber Essentials certification requirements mandate multi-factor authentication on all cloud services. Missing MFA on any single cloud service is an automatic certification failure. Organizations seeking or renewing certification must audit all cloud service accounts and enable MFA before the deadline.

Enforcement Watch

€42M: CNIL → Free Mobile (France)
GDPR violations for tracking users without consent and failing to honor opt-out requests. CNIL found systematic non-compliance with cookie consent requirements across mobile and web properties.

$80M: FinCEN → Canaccord Genuity
Record AML penalty for willful violations of Bank Secrecy Act reporting requirements. FinCEN cited failure to file suspicious activity reports on thousands of transactions over multiple years.

£14.5M: ICO → Reddit (UK)
Age-appropriate design code violations and failure to implement adequate age verification mechanisms. ICO found Reddit did not take sufficient steps to protect children accessing the platform.

Deadline Watch
Upcoming compliance dates on the horizon.
| Date | Regulation | Action Required |
|---|---|---|
| Apr 10 | China Platform Pricing Rules | Compliance required for all platforms |
| Apr 15 | NYDFS Part 500 | Annual certification filing |
| Apr 22 | COPPA Amended Rule | Updated privacy policies and consent |
| Apr 26 | UK Cyber Essentials v3.3 | MFA on all cloud services |
| Apr 28 | EU Digital Omnibus Trilogue | Monitor for political agreement |
| May 28 | EUDAMED Registration | Medical device mandatory registration |
| Jul 1 | MiCA Grandfathering Expiry | Full licensing required for CASPs |

Around the World

🇪🇺 EU Digital Omnibus: Second trilogue session targets April 28 political agreement on simplified compliance timelines for SMEs and updated prohibition categories under the AI Act framework.

🇬🇧 UK Cyber Essentials v3.3: NCSC publishes updated certification requirements mandating MFA across all cloud services, with automatic failure for non-compliance effective April 26.

🇨🇳 China Platform Economy: SAMR pricing transparency rules effective April 10 ban algorithmic price discrimination and require platforms to display base prices before personalization.

🇺🇸 US State AI Laws: 19 new AI-related laws enacted across states in a single week, creating an increasingly complex patchwork of requirements for bias auditing, transparency, and automated decision-making.

🇪🇺 MiCA Transition: Grandfathering period for existing crypto-asset service providers expires July 1. CASPs must obtain full MiCA authorization or cease operations.

Deep Dive

NYDFS Part 500: The First Full-Amendment Certification

The April 15 NYDFS Part 500 certification is the first annual attestation cycle incorporating all amendments that took effect throughout 2025. Unlike previous years where organizations could certify against the original 2017 requirements, this year’s filing demands compliance with enhanced provisions covering:

• Expanded CISO reporting requirements with board-level accountability
• 72-hour incident notification obligations (reduced from previous thresholds)
• Mandatory penetration testing and vulnerability scanning schedules
• Enhanced access privilege management and MFA requirements
• Business continuity and disaster recovery (BCDR) planning mandates

The personal liability dimension makes this certification materially different from standard compliance filings. Both the CEO and CISO must sign the attestation, and the NYDFS has signaled willingness to pursue individual enforcement actions for inaccurate certifications. Organizations should ensure their certification accurately reflects their compliance posture rather than aspirational targets.

The 19-Law Week: US States Build Patchwork AI Regulatory Framework
In the most significant burst of US state-level AI legislation to date, 19 new laws were enacted across multiple states in a single week. This acceleration reflects growing state-level impatience with the absence of comprehensive federal AI legislation and creates substantial compliance complexity for organizations operating nationally.
Key themes across the new laws include mandatory bias auditing for automated decision-making systems, transparency requirements for AI-generated content, consumer disclosure obligations when interacting with AI systems, and sector-specific restrictions in healthcare, employment, and financial services.
The compliance challenge is significant: unlike the EU’s unified AI Act approach, the US patchwork means organizations must navigate potentially conflicting requirements across jurisdictions. Companies should begin mapping which state laws apply to their operations and identifying gaps in their current AI governance frameworks.
What to Do This Week

1. File NYDFS Part 500 certification by April 15 — Verify all 2025 amendment requirements are met, obtain CEO/CISO sign-off, and submit through the NYDFS portal.

2. Audit China-facing platform pricing — Review algorithmic pricing practices for compliance with new transparency rules effective April 10.

3. Update COPPA compliance program — Review biometric data collection practices, update privacy policies, and verify consent mechanisms ahead of April 22 enforcement.

4. Enable MFA on all cloud services — Audit cloud service accounts for MFA compliance ahead of UK Cyber Essentials v3.3 effective April 26.

5. Map US state AI law exposure — Identify which of the 19 new state AI laws apply to your operations and begin gap analysis against current AI governance frameworks.

CyberEyeQ
Actionable Regulatory Intelligence • Published Weekly
© 2026 CyberEyeQ. All rights reserved.