Weekly Briefing |
CyberEyeQ
Actionable Regulatory Intelligence
June 11, 2026 Issue #23 |
Canada tables an under-16 social media ban, CISA starts a three-day patch clock for federal agencies, Brussels publishes its AI-labelling playbook — and a dozen compliance deadlines land in the next five weeks. |
At a Glance
› | Canada proposes under-16 social ban — Bill C-34 tabled June 10: minimum age 16, age verification for upload-enabled porn sites, AI-chatbot safety duties, and a new Digital Safety Commission. |
› | CISA mandates 3-day vulnerability fixes — BOD 26-04 sets risk-based remediation clocks for federal agencies — including FedRAMP-hosted cloud systems. |
› | EU publishes AI-labelling Code of Practice — Final voluntary Code (June 10) operationalises AI Act Article 50 ahead of the August 2 go-live. |
› | EDPB standardises breach reporting — Common Article 33 notification template adopted at the 120th plenary; consultation open to August 5. |
› | CRA Chapter IV now applies — EU Member States had to designate conformity-assessment notifying authorities by June 11. |
› | MiCA grace period ends July 1 — Unlicensed crypto-asset service providers must stop serving EU clients; France's AMF cutoff is June 30. |
Critical Actions
Items requiring immediate attention this week.
High US · Financial | Due: Jun 18 |
File Basel III “Endgame, Take Two” comment letters The tri-agency capital re-proposal comment window closes in seven days — the last formal opportunity to shape the largest US bank-capital rewrite since 2013. Action: Submit comment letters to the Fed, OCC and FDIC by June 18. |
High UK · Privacy | Due: Jun 19 |
Stand up your UK complaints-handling procedure The Data (Use and Access) Act 2025 duty to operate a data-protection complaints procedure takes effect June 19 — with no SME exemption. Action: Deploy a complaints intake channel, acknowledgment workflow and response tracking before June 19. |
Critical EU · Financial | Due: Jul 1 |
Prepare for the MiCA hard stop The EU-wide transitional regime for crypto-asset service providers ends July 1 with no further grace period; France's AMF set June 30. Action: Confirm CASP licence status or execute an orderly EU client exit plan before July 1. |
Enforcement Watch
Recent fines, penalties, and enforcement actions.
FTC finalises Illuminate Education order Final approval June 5 over a breach affecting 10.1 million students — deletion, retention-schedule and security-program mandates. | Order |
CNIL penalises IQVIA over health-data warehouses May 26 fine for breaching CNIL authorisation conditions; six months to remediate or €10,000/day. | €5M |
California's record CCPA settlement with GM/OnStar First enforcement of the data-minimization rule; precise geolocation data sold to brokers without adequate notice. | $12.75M |
UK Ofcom escalates Online Safety Act enforcement Actions against YoungTek Solutions and 4chan continue as the age-assurance enforcement push widens. | Ongoing |
Deadline Watch
Upcoming compliance deadlines — next 30–90 days.
Jun 13 | Japan PSA stablecoin framework takes full effect Japan · Crypto & payments firms |
Jun 18 | Basel III Endgame re-proposal comments close US · Banks & holding companies |
Jun 19 | UK DUAA complaints-handling duty in force UK · All data controllers |
Jun 23 | EU AI Act high-risk classification consultation closes EU · AI providers & deployers |
Jun 27 | Australian search engines must deploy age assurance Australia · Search & platform operators |
Jun 30 | NIS2 first audit deadline · FedRAMP CR26 finalization EU / US · Cloud & essential entities |
Jul 1 | MiCA hard stop · NE/CT/CO/LA age-verification laws · China outbound-investment regs EU / US / China · Crypto, platforms, tech exporters |
Jul 15 | China Anthropomorphic AI Interim Measures take effect China · AI companion-service providers |
Jul 18 | GENIUS Act statutory deadline for federal stablecoin rules US · Stablecoin issuers & banks |
Aug 2 | EU AI Act Article 50 transparency duties + GPAI enforcement EU · GenAI providers & deployers |
Around the World
Global regulatory developments at a glance.
🇨🇦 | Canada Bill C-34 (Safe Social Media Act) tabled June 10; the OPC's privacy-preserving age-assurance consultation runs to August 4 — together they sketch Canada's full child-safety regime. |
🇨🇳 | China The CAC/NDRC/MIIT Implementation Opinions emerge as China's first dedicated AI-agent governance framework, with mandatory filing and recall mechanisms; the Qinglang AI-misuse campaign remains in active enforcement ahead of the July 1/15 compliance wall. |
🇬🇧 | United Kingdom The Cyber Security and Resilience Bill completed its Commons stages June 10 and heads to the Lords; ministers separately gave Apple and Google three months to build device-level nude-image detection for children or face legislation. |
🇯🇵 | Japan The Payment Services Act stablecoin framework takes full effect June 13, completing Japan's licensing regime for fiat-backed stablecoins. |
Deep Dive
Extended analysis on this week's most critical development.
Canada · Age Verification & Online Safety
The Government of Canada introduced Bill C-34, the Safe Social Media Act, in the House of Commons on June 10 — the most consequential child-safety bill in the country's history and the clearest sign yet that the Australian model of an under-16 social media minimum age is going global. The bill would enact a Digital Safety Act and create a new regulator, the Digital Safety Commission of Canada. Its centrepiece is a 16-year minimum age for social media accounts, with exemptions for services that demonstrate sufficient child-safety safeguards. Pornography sites that permit user uploads face mandatory age verification with no exemption pathway — and in a first for national legislation, public-facing AI chatbots would carry statutory safety duties, including mandatory responses when users express suicidal ideation. Enforcement runs through compliance orders and administrative monetary penalties. (Canada.ca release · C-34 first reading)
C-34 succeeds the framework first proposed in the lapsed Online Harms Act (Bill C-63) — but it is narrower and more operational, concentrating on age assurance, design duties and chatbot safety rather than policing categories of content. The timing is the tell: the Office of the Privacy Commissioner is consulting on privacy-preserving age assurance until August 4, and its draft guidance is effectively the privacy baseline any platform responding to C-34 must meet. Platforms that wait for royal assent to start scoping will be behind — the bill's designated-service criteria, exemption tests and Commission rulemaking powers will define compliance economics, and second-reading debate begins within weeks. Here's what organizations need to do…
🔒 This analysis continues for CyberEyeQ Pro subscribers.
Unlock actionable recommendations, responsible parties, and timelines.
1 | Map C-34 scoping criteria against your product surface — designated social services, AI chatbots, upload-enabled adult sites Owner: Product / Legal · Timeline: Before second-reading debate |
2 | Benchmark your age-assurance stack against the OPC draft guidance (minimal collection, input deletion, proportionality) Owner: Privacy Engineering · Timeline: Comment by August 4 |
3 | Model exemption economics: can child-safety safeguards qualify your service for the under-16 exemption? Owner: Trust & Safety · Timeline: Q3 2026 |
4 | Add C-34 to board risk reporting alongside the Australian and UK regimes as a single age-assurance program Owner: CCO · Timeline: Next board cycle |
European Union · AI Governance
Brussels hands AI companies a labelling playbook — 52 days before the rules bite
On June 10 the European Commission published the final voluntary Code of Practice on marking and labelling AI-generated content — the practical bridge to the AI Act's Article 50 transparency obligations, which apply from August 2, 2026. The Code specifies machine-readable marking for audio, image, video and text outputs and proposes standard icons for labelling deepfakes and AI-altered content. The strategic question for providers is whether to sign: the Code is voluntary, but signing offers a presumption-of-conformity pathway, while declining means documenting an alternative Article 50 route alone. Note the interplay with the Digital Omnibus — most high-risk obligations slip to 2027–2028, but Article 50 arrives on schedule, and the marking grace period for pre-August-2026 systems was cut from six months to three, landing December 2, 2026. (Commission publication)
What to Do This Week
Your compliance checklist. Free subscribers see top 3 — contact us for full access.
1 | Map your product surface against Bill C-34's scoping criteria Designated social services, upload-enabled adult sites, public-facing chatbots. Owner: Product/Legal · Before second reading |
2 | File Basel III Endgame comment letters by June 18 Owner: Treasury/Regulatory Affairs · 7 days |
3 | Deploy your UK DUAA complaints-handling procedure before June 19 Owner: DPO · 8 days |
4 | Review generative-AI pipelines against the EU marking Code; decide sign-or-alternative by August 2 Owner: AI Governance Lead · By July 15 |
5 | Federal CSPs: map CONMON and vulnerability feeds to BOD 26-04's four risk criteria Owner: FedRAMP Program Lead · Before August 9 |
🔒 Items 4 and 5 are for Pro subscribers. Contact Us →
CyberEyeQ Actionable Regulatory Intelligence This newsletter is for informational purposes only and does not constitute legal advice. You're receiving this because you subscribed to CyberEyeQ. |