Executive summary: The European Parliament voted to postpone the AI Act's high-risk obligations to 2027-2028, even as the UK moved to ban under-16s from social media and a dense corridor of compliance deadlines opened across the US, EU and China. More than a dozen obligations land between June 18 and July 18 - from the close of Basel III comments today to MiCA's crypto hard stop and two new China privacy standards on July 1.
At a Glance
EU delays its AI rules - Parliament approved the Digital Omnibus 423-57; the AI Act's high-risk obligations slip to December 2027 and August 2028, but the August 2 transparency duties and a new ban on "nudifier" apps stand.
UK moves to ban under-16s - The Government set out plans to bar under-16s from social media, with a bill expected before Christmas, default-off livestreaming/stranger contact, and a minimum age of 18 for AI "companion" chatbots.
A wall of July 1 deadlines - MiCA's crypto transition, the EU ESG Ratings Regulation, three US state age laws, Connecticut and Tennessee AI rules, and two China PIPL standards all take effect within two weeks.
Basel III comments close today - The US tri-agency capital re-proposal - which would cut common-equity-tier-1 requirements by roughly $87.7bn - closes for comment June 18.
HIPAA ransomware settlements hit $1.165M - OCR's Risk Analysis Initiative resolved four ransomware cases affecting ~427,000 people, reinforcing that an unremediated vulnerability is itself the violation.
FedRAMP rewrites its rulebook - CR26 finalizes by end of June, retiring the FIPS-199 Low/Moderate/High impact levels for Certification Classes A-D and renaming "authorizations" as "certifications."
Critical Actions
1. File Basel III "Endgame" comments before today's close - due Jun 18 (US - Financial)
The Federal Reserve / OCC / FDIC re-proposal closes for comment today. On net it would lower CET1 capital requirements across the banking system by roughly $87.7bn - a sharp reversal from the 2023 proposal - and the notice poses more than 200 questions to commenters.
Action: Submit any final comment letters to the Fed, OCC and FDIC before close of business June 18.
2. Stand up a UK data-protection complaints procedure by Friday - due Jun 19 (UK - Privacy)
Section 103 of the Data (Use and Access) Act 2025 takes effect June 19, giving individuals a statutory right to complain directly to a controller. You must offer an accessible (including electronic) complaints route, acknowledge within 30 days, and advise the outcome without undue delay. There is no SME exemption.
Action: Deploy an electronic complaints form, a 30-day acknowledgement SLA and an outcome-notification workflow before June 19.
3. Execute your MiCA hard-stop plan - no further grace period - due Jul 1 (EU - Financial)
ESMA confirms the EU-wide MiCA transitional period for crypto-asset service providers ends July 1 with no extensions. Unauthorised CASPs must wind down and stop serving EU clients; authorised CASPs should complete client migration first.
Action: Confirm CASP licence status or execute an orderly EU client wind-down before July 1.
Enforcement Watch
OCR settles four HIPAA ransomware investigations ($1.165M) - HHS Office for Civil Rights resolved four Security Rule cases on April 23 tied to ransomware attacks exposing the ePHI of ~427,000 individuals; entities accepted two-year corrective action plans. These are OCR's 11th and 12th Risk Analysis Initiative actions.
FTC finalizes data-security order against Illuminate Education (conduct order) - Final approval came June 8 over a breach that exposed personal data of ~10 million students. The ed-tech provider must build a comprehensive information-security program and limit data collection and retention.
California CPPA and AG land back-to-back privacy penalties ($3.85M) - The CPPA fined PlayOn Sports $1.1M over a defective opt-out involving student data, while the California AG reached a $2.75M settlement with Disney DTC/ABC. The CPPA reports 100+ active investigations with no cure period.
Ofcom scales Online Safety Act age-assurance enforcement (fines up to £18M) - Ofcom's enforcement of "highly effective" age assurance for adult content has produced investigations into 90+ platforms and six fines as of early 2026, with penalties reaching £18m or 10% of global turnover.
Deadline Watch
| Date | Deadline | Jurisdiction |
|---|---|---|
| Jun 18 | Basel III Endgame re-proposal comments close | US |
| Jun 19 | UK DUAA complaints duty in force; MHRA device call for evidence closes | UK |
| Jun 23 | SEC-CFTC joint Form PF amendments comments close | US |
| Jun 30 | First NIS2 cloud-provider audit deadline; FedRAMP CR26 finalization (~end June) | EU / US |
| Jul 1 | MiCA transition ends; CT SB 1295 & TN SB 1580; NE/CT/LA age laws; China GB/T 46903 & 46901 | EU / US / China |
| Jul 2 | EU ESG Ratings Regulation applies; White House frontier-AI EO deliverables; FTC X Corp. comment closes | EU / US |
| Jul 15 | UK FCA Buy Now Pay Later regime; China AI Anthropomorphic Interaction Measures | UK / China |
| Jul 18 | GENIUS Act statutory deadline for stablecoin implementing rules | US |
| Jul 28 | FedRAMP "Ready" designation retires | US |
| Sep 11 | EU Cyber Resilience Act incident & vulnerability reporting begins | EU |
Around the World
European Union - Parliament approved the AI Act Digital Omnibus, delaying high-risk obligations to 2027-2028 while keeping the August 2 transparency duties. The NIS2 Cooperation Group also adopted common incident-reporting templates to cut cross-border burden.
China - Two TC260 standards underpinning the PIPL - GB/T 46903 (compliance audits) and GB/T 46901 (data portability) - take effect July 1, with the CAC-led AI Anthropomorphic Interaction Services Measures following July 15.
United Kingdom - The Cyber Security and Resilience Bill cleared its Commons stages and moved to the Lords, bringing managed service providers and data centres into scope. The under-16 social media plan layers onto the existing Online Safety Act regime.
United States - A wave of state AI and age-verification laws takes effect July 1 (Connecticut, Tennessee, Nebraska, Louisiana), Colorado enacted the first device-level age-attestation law, and FedRAMP's CR26 rewrite finalizes by end of June.
International - The FATF plenary - the last under the Mexican presidency - met this week, and FDIS voting on the revised ISO/IEC 27017 cloud-controls standard closed June 2, moving it toward publication later this year.
Deep Dive: Brussels hits pause on the AI Act - but not on everything
European Union - AI Governance
On June 16 the European Parliament approved the Digital Omnibus amendments to the EU AI Act by 423 votes to 57, with 174 abstentions. The package postpones the Act's most demanding obligations: stand-alone high-risk systems under Annex III - biometrics, critical infrastructure, education, employment and migration - now apply from December 2, 2027, and AI embedded in regulated products under Annex I from August 2, 2028. Machine-readable watermarking and labelling of AI content also slips to December 2, 2026. In exchange, the text adds an EU-wide ban on AI "nudifier" apps that generate child sexual abuse material and non-consensual intimate imagery, effective the same December date.
The temptation is to read this as breathing room. It is not - at least not yet. The file still needs formal Council adoption and Official Journal publication before any new date is legally fixed, so compliance teams that reallocate budget on the strength of a Parliament vote are betting on a step that has not happened. More importantly, the Article 50 transparency duties - chatbot "you're talking to AI" notices and labelling of AI-generated images, audio and video - are explicitly carved out of the delay and still apply from August 2, 2026, just 45 days away. The Commission's voluntary Code of Practice on marking and labelling, published June 10, is the operational playbook for meeting them. So the real message of the Omnibus is not "relax" but "re-sequence": the deepfake-labelling and transparency work is now the near-term priority, while high-risk conformity work has a longer - but still finite, and still moving - runway.
Confirm Article 50 disclosure and deepfake-labelling flows are live before August 2, 2026, mapped to the June 10 Code of Practice. (Owner: Product + Legal; Timeline: before Aug 2, 2026)
Freeze any budget reallocation away from high-risk conformity work until the Council formally adopts the Omnibus and the new dates publish in the Official Journal. (Owner: Compliance lead; Timeline: until Council adoption)
Re-baseline your Annex III / Annex I exposure against the new Dec 2027 and Aug 2028 dates, and document the dependency on watermarking by Dec 2, 2026. (Owner: Compliance + Eng; Timeline: Q3 2026)
Track the Scientific Panel and Advisory Forum guidance on GPAI systemic-risk classification ahead of the August 2 general-application date. (Owner: Policy / GRC; Timeline: ongoing)
Review consumer-facing image/video generation features against the new nudifier ban to avoid prohibited functionality at launch. (Owner: Product + Trust & Safety; Timeline: before Dec 2, 2026)
Regulatory Frontline: Why every regulator picked the same fortnight
This week's signature is not a single rule but a calendar pile-up. Within the two weeks around July 1, crypto-asset firms lose MiCA grandfathering, ESG raters come under EU authorisation, US banks absorb a re-proposed capital framework, Connecticut and Tennessee switch on new AI-disclosure and AI-therapist rules, four US states begin age verification, and China brings two PIPL implementing standards into force - with companion-AI rules and the GENIUS Act stablecoin deadline close behind. The clustering is partly an accident of mid-year effective dates and one-year statutory clocks, but it is also a pattern worth planning around: regulators increasingly favour clean quarter-boundary start dates, which means compliance teams should expect recurring January 1 and July 1 surges and staff their calendars accordingly rather than treating each deadline as a one-off fire drill.
What to Do This Week
Submit Basel III Endgame comment letters before close of business June 18. (US - Financial - due today)
Deploy a UK data-protection complaints procedure - electronic form, 30-day acknowledgement, outcome tracking - before June 19. (UK - Privacy - due Jun 19)
Confirm MiCA CASP licence status or execute an orderly EU client wind-down before July 1. (EU - Financial - due Jul 1)
[Pro] Update privacy notices and ADMT/opt-out flows for Connecticut SB 1295, and refresh China PIPL audit programs to GB/T 46903, before July 1. (US / China - Privacy - due Jul 1)
[Pro] Map FedRAMP Rev5 artifacts to CR26 Certification Classes A-D and lock the Rev5-vs-20x path before the end-June finalization. (US - Cloud security - due ~Jun 30)
CyberEyeQ - Actionable Regulatory Intelligence
This newsletter is for informational purposes only and does not constitute legal advice. Always consult qualified legal counsel for compliance decisions.
cybereyeq.com
