Issue #26 · The July 1 cliff has passed — a dense July deadline cluster is next
This week brought the year's biggest wave of new rules: at least nine distinct regimes across all eight domains we track reached their effective date on July 1. And the calendar barely lets up — a dense cluster of July deadlines is already bearing down.
At a Glance
July 1 mega-cliff arrives — Connecticut, Utah, Arkansas, Tennessee, Vietnam and China all saw new regimes take legal effect on 1 July.
ESMA now supervises ESG ratings — Regulation (EU) 2024/3005 begins to apply today, 2 July, putting ESG-rating providers under direct ESMA authorisation for the first time.
US AI cyber deadline lands today — The first 30-day agency deadline under June's Executive Order on Advanced AI Innovation and Security falls today.
Two new US state privacy laws live — Utah's Digital Choice Act (social-graph portability) and Arkansas's teen-COPPA statute both took effect 1 July.
China mandates annual data-risk audits — The finalized Network Data Security Risk Assessment Measures take effect 20 August for important-data processors.
COVID-19 EUA pathway ends — HHS formally terminated the emergency-use-authorization declarations, sunsetting device authorizations from 26 December 2026.
Critical Actions
UK Buy Now Pay Later enters the FCA perimeter in 13 days
United Kingdom · Financial · Due: 15 Jul
From 15 July the FCA regulates previously exempt BNPL agreements. The temporary-permissions regime (TPR) that bridged the transition closed to new entrants on 1 July, so firms need FCA authorisation or existing TPR cover to keep lending.
Action: Confirm your BNPL products are covered by FCA authorisation or the temporary-permissions regime before 15 July.
China's Anthropomorphic AI Interaction Measures take effect 15 July
China · AI / Privacy · Due: 15 Jul
The CAC's interim measures for AI-companion services impose AI-identity disclosure, addiction-prevention and minor-safeguard duties on providers of human-like AI chat services.
Action: If you offer AI-companion or human-like chat features to Chinese users, implement AI-identity disclosure and minor safeguards before 15 July.
EU AI Act transparency duties and GPAI enforcement go live 2 August
European Union · AI Governance · Due: 2 Aug
Article 50 requires disclosure that content is AI-generated and that users are interacting with AI. The AI Office simultaneously gains GPAI enforcement powers, with fines up to 3% of global turnover or €15M.
Action: Inventory every AI touchpoint and AI-generated or deep-fake output that will need a label before 2 August.
Enforcement Watch
Ofcom fines AVS Group £1M over inadequate age checks — Ofcom's Online Safety Act campaign against adult sites lacking "highly effective" age assurance continues. AVS Group (18 sites) drew a £1M fine plus £50k for ignoring an information notice, with roughly 76 sites still under investigation. Maximum penalties reach £18M or 10% of global revenue. (£1M)
Australia moves to double under-16 social-media penalties — The Albanese Government will raise maximum civil penalties for systemic under-16-ban breaches to roughly A$99M and expand the eSafety Commissioner's evidence-gathering powers; five platforms are under investigation. (A$99M)
HHS OCR's HIPAA risk-analysis settlement streak continues — Four ransomware-related risk-analysis settlements this spring keep previewing the still-unfinalized HIPAA Security Rule overhaul. Risk-analysis failures remain OCR's leading enforcement theme for healthcare entities. (4 settlements)
China's outbound-investment Order 837 adds a new penalty regime — Now in force, State Council Order 837 introduces a national-security review for outbound deals, with penalties from confiscation of gains to fines of 0.1%–1% of the investment, forced divestiture and up to three-year bans. (0.1–1%)
Deadline Watch
| Date | Development | Jurisdiction | Affected |
|---|---|---|---|
| Jul 04 | EO 14390 transnational-cybercrime action plan due | United States | Federal agencies |
| Jul 07 | South Korea Network Act Amendment effective | South Korea | Large online platforms |
| Jul 10 | EU AMLA delivers first AML technical standards | European Union | Financial institutions |
| Jul 15 | FCA BNPL go-live · CAC Anthropomorphic AI Measures | UK / China | Lenders, AI providers |
| Jul 18 | GENIUS Act stablecoin AML/CFT rule due | United States | Stablecoin issuers |
| Jul 28 | FedRAMP "Ready" designation sunsets to Legacy | United States | Cloud service providers |
| Aug 01 | California DROP go-live · CT profiling impact assessment | United States | Data brokers, controllers |
| Aug 02 | EU AI Act Art 50 + GPAI enforcement · CA SB 942 | EU / US | AI providers |
| Aug 20 | China Network Data Security Risk Assessment Measures | China | Important-data processors |
| Sep 11 | Korea PIPA amendment · EU CRA Art 14 reporting | Korea / EU | Controllers, product makers |
Around the World
Vietnam — The Law on Cybersecurity 2025 (No. 116/2025/QH15) is now in force, applying extraterritorially with 24-hour / 6-hour content-takedown duties, data localization and AI-deepfake prohibitions.
China — The finalized Network Data Security Risk Assessment Measures (CAC, MIIT, MPS) take effect 20 August, making annual risk assessments mandatory for important-data processors.
Australia — Canberra tightened its under-16 ban to target addictive design features and announced plans to roughly double maximum penalties to A$99M.
United Kingdom — Ofcom's statutory age-assurance effectiveness report is due by end of July, and the government's under-16 social-media ban plan is advancing toward legislation.
European Union — The Commission's recommended 30 June deadline for Member States' age-verification implementation plans lapsed as it presses for its "mini-wallet" age-check app in every country by 31 December 2026.
Deep Dive — ESMA Takes the Wheel on ESG Ratings: What Providers and Users Must Do Now (European Union · Financial)
For years, ESG ratings — the scores that shape trillions in sustainable-investment flows — operated in a supervisory vacuum. That ends today. Regulation (EU) 2024/3005, the EU ESG Ratings Regulation, begins to apply on 2 July 2026, bringing ESG-rating providers under the direct authorisation and ongoing supervision of the European Securities and Markets Authority (ESMA) for the first time. Providers operating in the EU must be authorised, separate their rating activities from consulting, audit and banking lines to manage conflicts of interest, and disclose their methodologies and data sources.
The practical shock is the timeline. EU-based providers must notify ESMA of their intent to continue operating by 2 August 2026 and secure authorisation by 2 November 2026; third-country providers face an equivalence, endorsement or recognition path. For the asset managers, banks and corporates that consume these ratings, the regulation reshapes diligence: from November, only ratings from ESMA-supervised or recognised providers will carry regulatory credibility, and new methodology-transparency requirements mean users can finally interrogate how a score was built. That creates an immediate governance question most firms have not answered — who owns ESG-rating-provider due diligence, and what happens to a portfolio built on ratings from a provider that fails to secure authorisation? Here's what organizations need to do…
This analysis continues for CyberEyeQ Pro subscribers.
Recommendations (Pro):
Map every ESG rating your firm relies on to its provider and confirm each provider's EU authorisation status. — Owner: Head of Sustainable Investment / Risk · Timeline: By 2 Aug 2026
If you are an in-scope provider, file your ESMA notification of intent to continue operating. — Owner: Legal / Compliance · Timeline: By 2 Aug 2026
Separate rating activities from any consulting, audit or banking lines to satisfy conflict-of-interest rules. — Owner: Compliance / COO · Timeline: Before 2 Nov 2026
Add an authorisation-status clause and methodology-disclosure requirement to ESG-data vendor contracts. — Owner: Procurement / Legal · Timeline: Next contract cycle
Brief investment committees on transition risk from providers that may not secure authorisation by November. — Owner: CIO / Risk · Timeline: Q3 2026
Regulatory Frontline — Why July 1 Became the Busiest Compliance Day of 2026 (Global · Cross-Domain)
If 1 July felt like a wall, that's because it was. In a single day, at least nine distinct regimes across all eight domains we track reached their effective date: Connecticut's CTDPA overhaul and first-in-nation LLM-training disclosure, Tennessee's ban on AI posing as a therapist, Utah's Digital Choice Act, Arkansas's teen-COPPA law, Vietnam's unified Cybersecurity Law, China's outbound-investment Order 837, the National Energy Administration's first energy-data regime, and China's GB/T portability and audit standards. The clustering is not coincidence — mid-year effective dates have become the default drafting convention across US states, the EU and Asia, and 2026's pipeline was unusually full of minors'-privacy, AI-transparency and data-security bills all maturing at once. The result is a compounding load: a mid-sized US retailer with a Chinese supply chain and an AI chatbot now sits inside Connecticut's 35,000-consumer threshold, Vietnam's extraterritorial takedown duties and Tennessee's marketing restrictions simultaneously — three unrelated regimes, one date. And there is no respite: the next fortnight brings AMLA standards (10 July), the UK BNPL regime (15 July), China's Anthropomorphic AI Measures (15 July) and the GENIUS Act stablecoin rule (18 July), before the EU AI Act's core transparency duties land on 2 August.
What to Do This Week
Re-baseline your EU AI Act programme against the 2 August transparency and GPAI-enforcement dates — and the Digital Omnibus's deferred high-risk timelines. — AI Act Article 50 + GPAI enforcement apply 2 Aug; high-risk dates slip to Dec 2027 / Aug 2028.
Re-test whether Connecticut's lowered 35,000-consumer threshold pulled you into CTDPA scope, and switch off targeted ads and data sales for known 13–17 users. — CTDPA overhaul live since 1 Jul; profiling impact-assessment duty begins 1 Aug.
Map your FedRAMP Rev5 packages to the new Certification Class model, and note that "FedRAMP Ready" sunsets 28 July. — CR26 took effect 1 Jul; mandatory adoption 1 Jan 2027.
Screen China-nexus M&A, licensing and personnel-based tech transfers against Order 837's outbound national-security review before signing. (Pro) — Order 837 in force; penalties up to 1% of investment plus forced divestiture.
If you provide or rely on ESG ratings in the EU, start the ESMA authorisation and provider-diligence workstream now. (Pro) — Notify ESMA by 2 Aug; authorisation by 2 Nov.
CyberEyeQ — Actionable Regulatory Intelligence. This newsletter is for informational purposes only and does not constitute legal advice. Questions or tips: [email protected]