The AI Act's final signoff lands June 29 as a June 30 deadline wall holds

Executive summary: The Council of the EU is expected to formally adopt the AI Act Digital Omnibus on June 29, the last step before the delayed high-risk dates are fixed in the Official Journal. But there is no breathing room this week: the first NIS2 compliance audits and FedRAMP's CR26 rewrite both land June 30, and a dense July 1 wall switches on China's outbound-investment regime, its first energy-sector data rules, two PIPL standards, Vietnam's unified cybersecurity law, and new AI and privacy laws in Connecticut and Tennessee. Meanwhile the EU's top court quietly cracked the country-of-origin shield, letting member states age-check pornographic sites established in other EU countries.

At a Glance

  • EU AI Act delay nears finality - The Council of the EU is expected to formally adopt the Digital Omnibus on June 29, fixing the AI Act's high-risk deferral to December 2027 and August 2028 and clearing the way for Official Journal publication in July.

  • Twin deadlines land June 30 - The first NIS2 compliance audits fall due in transposed member states the same day FedRAMP's CR26 rewrite finalizes, retiring impact levels for Certification Classes A-D.

  • A July 1 wall spans three continents - China's Order 837 outbound-investment regime, its first energy-sector data rules, two PIPL standards, Vietnam's cybersecurity law, and Connecticut and Tennessee AI/privacy laws all take effect at once.

  • Court cracks country-of-origin shield - The CJEU ruled June 16 that a member state may impose age verification on pornographic services established in other EU countries, narrowing a core single-market protection.

  • Illinois leads on frontier AI - Illinois has sent the nation's first frontier-model audit bill to the governor's desk, pushing third-party audits of the largest AI systems toward law.

  • China builds out its July rulebook - Beyond July 1, Order No. 24 network-data risk-assessment measures take effect August 20 and human-like AI service rules begin July 15.

Critical Actions

1. Complete your first NIS2 compliance audit by June 30 - due Jun 30 (EU - Cyber / Cloud)
In member states that have transposed NIS2, most essential and important entities - including cloud platforms, data centres and managed-service providers - face their first formal compliance audit deadline on June 30. Obligations and audit mechanics vary by member state, so the controlling date is national, not EU-wide.
Action: Confirm your transposition status by member state and close any open registration, governance and incident-reporting gaps before June 30.

2. Clear China outbound-investment and FCA BNPL registration before July 1 - due Jul 1 (China / UK - Financial)
China's State Council Regulations on Outbound Investment (Order No. 837) take effect July 1, adding a national-security review and full-process supervision to Chinese outbound deals. The same day, the UK FCA's temporary-permissions window for Buy Now Pay Later firms closes ahead of the regime going live July 15.
Action: Map outbound-investment exposure to the Order 837 review and register for the FCA BNPL temporary-permissions regime before July 1.

3. Connecticut SB 1295 and Tennessee SB 1580 take effect July 1 - due Jul 1 (US - Privacy / AI)
Connecticut's CTDPA overhaul (SB 1295 / Public Act 25-113) drops the applicability threshold to 35,000 residents, adds categorical minors' protections and a first-in-nation LLM-training disclosure. Tennessee's SB 1580 bars AI systems from posing as licensed mental-health professionals, with per-violation penalties and a private right of action.
Action: Refresh Connecticut privacy notices, minors and opt-out flows, and confirm no product markets AI as a mental-health professional in Tennessee, before July 1.

Enforcement Watch

  • OCR settles four HIPAA ransomware investigations - HHS Office for Civil Rights resolved four Security Rule cases tied to ransomware attacks affecting roughly 427,000 individuals, with two-year corrective action plans. Risk analysis remains the most-cited deficiency - an unremediated vulnerability is itself the violation. ($1.165M)

  • SEC and CFTC rescind the enforcement settlement gag rule - The CFTC joined the SEC in dropping the long-standing policy that barred settling defendants from publicly denying the agency's allegations. The shift changes settlement dynamics and public-messaging risk for firms resolving enforcement actions. (Policy shift)

  • Ofcom age-assurance enforcement widens after CJEU ruling - Ofcom's Online Safety Act enforcement of highly effective age assurance has produced investigations into 90-plus platforms and several fines, and the June 16 CJEU ruling expands member states' reach over services established elsewhere in the EU. Penalties can reach the greater of 18 million pounds or 10% of global turnover. (Up to 18M GBP)

Deadline Watch

| Date | Deadline | Jurisdiction |
|---|---|---|
| Jun 29 | EU Council expected to adopt the AI Act Digital Omnibus | EU |
| Jun 30 | First NIS2 compliance audit; FedRAMP CR26 finalization | EU / US |
| Jul 1 | China Order 837, NEA energy data, GB/T 46901/46903; CT SB 1295; TN SB 1580; NE LB 383; Vietnam Cybersecurity Law; FCA TPR window closes | China / US / Vietnam / UK |
| Jul 2 | White House June-2 AI executive order - agency deliverables due | US |
| Jul 4 | EO 14390 anti-TCO cybercrime action plan due | US |
| Jul 15 | China AI Anthropomorphic Interaction Services; FCA BNPL regime live | China / UK |
| Jul 18 | Canada Bill C-16 Protecting Victims Act effective | Canada |
| Jul 22 | FSB AI sound-practices consultation closes | International |
| Jul 28 | FedRAMP 'Ready' designation retires | US |
| Aug 2 | EU AI Act GPAI duties and Article 50 transparency apply | EU |
| Aug 20 | China Order No. 24 network-data risk-assessment measures effective | China |
| Sep 11 | EU CRA reporting begins; Korea PIPA revenue-based fines effective | EU / Korea |

Around the World

  • European Union - The Council is expected to adopt the AI Act Digital Omnibus on June 29, fixing the high-risk delay to 2027-2028 while the August 2 transparency duties hold. The CJEU separately narrowed the country-of-origin shield for age verification.

  • China - A July 1 cluster switches on the Order 837 outbound-investment regime, the first energy-sector data security measures, and two PIPL standards (GB/T 46901 portability, GB/T 46903 audits). Human-like AI service rules follow July 15 and Order No. 24 risk assessments August 20.

  • United States - Connecticut, Tennessee and Nebraska laws take effect July 1, federal AI executive-order deliverables fall due July 2 and 4, and Illinois sent the first-in-nation frontier-model audit bill to the governor.

  • Vietnam - The Law on Cybersecurity 2025 (No. 116/2025/QH15) takes full effect July 1, consolidating three prior laws and reaffirming data-localisation plus an in-country presence mandate with extraterritorial reach.

  • UK, Canada & Korea - The UK DUAA complaints duty is now in force and the FCA BNPL regime goes live July 15; Canada's Bill C-16 takes effect July 18; and Korea's revenue-based PIPA fines begin September 11.

Deep Dive

Brussels is about to make the AI Act delay official

European Union - AI Governance

On June 29 the Council of the EU is expected to formally adopt the Digital Omnibus on AI - the last institutional step after the European Parliament's 423-57 vote on June 16. Adoption clears the way for signature and Official Journal publication, anticipated in July, which is the moment the new dates become legally fixed. The package pushes the AI Act's most demanding obligations back: standalone high-risk systems under Annex III now apply from December 2, 2027, AI embedded in regulated products under Annex I applies from August 2, 2028, and machine-readable watermarking of AI content moves to December 2, 2026.

For two weeks the delay has been real in politics but not yet in law, and that gap matters. Compliance teams that reallocated budget on the strength of the Parliament vote were betting on a step - Council adoption and OJ publication - that had not happened. June 29 is when that bet starts to settle. But the re-sequencing message from last month still holds: the Article 50 transparency duties - chatbot disclosure and labelling of AI-generated media - are explicitly carved out of the delay and still apply from August 2, 2026, just 38 days away, alongside the GPAI obligations the new enforcement scaffolding is being built to police. So the Omnibus does not buy quiet; it tells you what to do first. Here is how to sequence the next five weeks.

  1. Confirm Article 50 disclosure and deepfake-labelling flows are live before August 2, mapped to the June 10 Code of Practice. - Owner: Product + Legal - Timeline: Before Aug 2, 2026

  2. Hold any budget shift away from high-risk conformity work until the Council formally adopts the Omnibus and the dates publish in the Official Journal. - Owner: Compliance lead - Timeline: Until OJ publication

  3. Re-baseline Annex III and Annex I exposure against the Dec 2027 and Aug 2028 dates, documenting the watermarking dependency by Dec 2, 2026. - Owner: Compliance + Eng - Timeline: Q3 2026

  4. Track the Scientific Panel and AI Office enforcement guidance ahead of the August 2 GPAI general-application date. - Owner: Policy / GRC - Timeline: Ongoing

  5. Stand up a watching brief on the Council text in case any date or scope shifts between adoption and OJ publication. - Owner: Legal - Timeline: Jun 29 - July

The country-of-origin shield is starting to crack

European Union - Regulatory Frontline

On June 16 the Court of Justice of the EU ruled (Joined Cases C-188/24 and C-190/24) that a member state may require age verification of pornographic services established in other EU countries - a meaningful narrowing of the country-of-origin principle that has long let online services answer mainly to their home regulator. Paired with the same court's willingness to let national child-protection rules reach across borders, the decision signals a broader trend: on minors, data and online safety, the single market's home-state deference is giving way to destination-state control. Compliance teams that have relied on a single lead regulator should expect more host-state obligations - age assurance, content rules, and reporting - to apply wherever their users are, not just where they are incorporated.

What to Do This Week

  1. Confirm NIS2 transposition status by member state and close registration, governance and reporting gaps before the June 30 audit deadline. - EU - Cyber/Cloud - due Jun 30

  2. Map China outbound-investment exposure to Order 837 and register for the FCA BNPL temporary-permissions regime before July 1. - China / UK - Financial - due Jul 1

  3. Refresh Connecticut SB 1295 privacy notices and minors/opt-out flows, and confirm no AI mental-health impersonation under Tennessee SB 1580, before July 1. - US - Privacy/AI - due Jul 1

  4. Map FedRAMP Rev5 artifacts to CR26 Certification Classes A-D and lock the transition path before the end-June finalization. [Pro] - US - Cloud - due ~Jun 30

  5. Re-baseline the EU AI Act high-risk roadmap once the Council adopts the Omnibus June 29, while keeping Article 50 transparency work on track for August 2. [Pro] - EU - AI - due ongoing

CyberEyeQ - Actionable Regulatory Intelligence
This newsletter is for informational purposes only and does not constitute legal advice. Always consult qualified legal counsel for compliance decisions.