Weekly Briefing

CyberEyeQ

Actionable Regulatory Intelligence

June 3, 2026

Issue #23

A US AI law just passed that every employer needs to read. The EU Commission adopted a sweeping cloud sovereignty act today. And SEC Regulation S-P just hit its smaller-entity deadline. Seven major compliance clocks are now running in the next 90 days.

At a Glance

SEC Reg S-P deadline was today — Smaller broker-dealers, RIAs, investment companies, and transfer agents hit the final Regulation S-P compliance date. Written incident-response programmes are now required; enforcement scrutiny begins immediately.

Connecticut AI law signed — Governor Lamont signed SB 5 on May 29, the broadest US AI statute to date. Employer disclosure obligations for automated hiring tools take effect October 1, 2026 — 120 days away — with no headcount or revenue threshold.

EU MiCA hard cutoff in 33 days — Unauthorised crypto-asset service providers must cease EU operations by July 1, 2026. No grandfathering extensions remain; AMF France has issued explicit reminders.

EU Commission adopts CADA today — The Cloud and AI Development Act entered the EU legislative pipeline today. Its four-level cloud sovereignty framework could reshape cloud procurement strategy across European public sector and critical infrastructure.

EU NIS2 first audit in 27 days — June 30 is the NIS2 first mandatory compliance audit milestone. Essential and important entities — including cloud providers — face active enforcement in under four weeks.

China companion AI rules in 42 days — The Anthropomorphic AI Interim Measures take effect July 15. AI companion apps, emotional chatbots, and virtual care services accessible from China must complete Algorithm Filing and Security Assessment before that date.

Critical Actions

Items requiring immediate attention this week.

CRITICAL United States · Financial / Cybersecurity

Due: June 3, 2026 — TODAY

SEC Regulation S-P: Smaller-Entity Compliance Deadline Has Arrived

Covered smaller institutions — RIAs under $1.5B AUM, smaller broker-dealers, investment companies, transfer agents, and funding portals — hit the final S-P compliance deadline today. Requirements: written IRP, safeguarding procedures, 30-day PII breach notification, 72-hour downstream service-provider reporting. The SEC's Division of Examinations flagged this as a 2026 examination priority. Enforcement begins now.

Action: Confirm board approval of written IRP is documented and dated; verify 30-day notification workflow is tested; audit third-party service agreements for 72-hour breach-reporting clauses.

HIGH Australia · Privacy / Age Verification

Due: June 5 — 2 days

Australia Children's Online Privacy Code Consultation Closes in 2 Days

The OAIC consultation closes June 5 — the last opportunity to shape final code requirements before December 10, 2026 registration obligations. Requirements will cover age verification thresholds, data minimisation, and default privacy settings for services accessible to Australian children.

Action: Submit feedback via the OAIC consultation portal by June 5. Document your review decision either way.

HIGH European Union · Privacy

Due: June 9 — 6 days

EDPB Harmonised DPIA Template Consultation Closes June 9

The EDPB's first harmonised DPIA template consultation closes June 9. All EU supervisory authorities will align national DPIA templates to this standard post-consultation. Pre-defined fields cover necessity and proportionality, risk descriptions, and DPO consultation records. Voluntary now — but sets the standard controllers will be measured against.

Action: Review the EDPB DPIA template and file your submission or documented no-comment decision via the EDPB consultation portal before June 9.

Enforcement Watch

Recent fines, penalties, and enforcement actions.

Dutch DPA fines Yango (Yandex) — SCCs insufficient for Russia data transfers

The Dutch DPA fined the Yango taxi app €100M for transferring Finnish and Norwegian user data to Russia without adequate safeguards beyond SCCs. Co-investigated with Dutch, Norwegian, and Finnish DPAs. Formal conclusion: Standard Contractual Clauses are legally insufficient for Russia-bound transfers given absence of GDPR adequacy and Russian state surveillance laws. Every controller with active Russian data flows must treat this as binding legal precedent.

Fine: €100M

California CPPA/AG fines General Motors — first CCPA data minimization enforcement

California's first CCPA action targeting data minimization and purpose limitation: GM sold driving behaviour and location data to Consumer Reporting Agencies without adequate consent. GM must cease such sales for five years and delete Covered Driving Data within 180 days. Largest CCPA fine to date. Connected-vehicle, IoT, and telematics operators are on direct notice.

Fine: $12.75M

NYDFS fines Delta Dental — MOVEit Part 500 violation

NYDFS announced a $2.25M consent order against Delta Dental for Part 500 violations from the May 2023 MOVEit zero-day. First 2026 NYDFS cybersecurity action. Third-party risk management, MFA, and timely breach reporting remain the three most-cited Part 500 deficiencies.

Fine: $2.25M

Deadline Watch

Upcoming compliance deadlines — next 30–90 days.

JUN 5: Australia Children's Privacy Code consultation closes
Australia · Digital services, children's platforms

JUN 10: Washington SSB 5886 digital likeness law takes effect
US-Washington · AI content generators, synthetic media platforms

JUN 19: UK DUAA complaint-handling SLA obligations take effect
United Kingdom · All UK data controllers

JUN 30: EU NIS2 first compliance audit milestone
European Union · Essential/important entities, cloud providers

JUL 1: EU MiCA CASP transitional period ends — hard cutoff
European Union · All crypto-asset service providers

JUL 15: China Anthropomorphic AI Interim Measures take effect
China · AI companion, chatbot, virtual care service operators

JUL 18: GENIUS Act implementing regulations due (OCC, FDIC, Treasury)
United States · Stablecoin issuers, payment firms

AUG 2: EU AI Act GPAI enforcement authority fully activates
European Union · General-purpose AI model providers (fines up to €15M/3% revenue)

Around the World

Global regulatory developments at a glance.

🇧🇷 Brazil

ANPD formally constituted as a fully independent regulatory agency via Decree 12.881/2026 and Resolution No. 33 (April 2026). Brazil's data protection authority now operates with structural independence comparable to EU supervisory authorities. Intensified enforcement posture expected for H2 2026 across all sectors processing Brazilian personal data.

🇨🇳 China

CAC's four-month Qinglang 2026 enforcement campaign (launched April 30) is in month two, targeting AI fraud, deepfakes, and AIGC labelling failures. Simultaneously, CITSC added nine domestic AI chips to the Xinchuang government procurement certification list for the first time — AI chip localisation is now accelerating at the hardware layer.

🇰🇷 South Korea

Amended PIPA (signed March 10, 2026) introduces fines up to 10% of annual revenue for qualifying violations, personal CEO liability, and a new 72-hour breach notification deadline, effective September 11, 2026. Multinationals processing Korean personal data at scale should assign C-suite compliance ownership now.

🇻🇳 Vietnam

Vietnam's new Cybersecurity Law 2025 enters force July 1, 2026 — 28 days away. Sweeping data localisation, security assessment, and incident reporting requirements apply to domestic and foreign digital platforms serving Vietnamese users. Foreign platforms with Vietnamese user bases should confirm localisation posture before the deadline.

Deep Dive

Extended analysis on this week's most critical development.

UNITED STATES · AI GOVERNANCE

Connecticut SB5: America's Most Comprehensive AI Law Just Took Effect

Until May 29, 2026, most US AI legislation fell into one of two categories: narrow bills targeting specific applications — deepfakes, hiring tools — or broad frameworks that never made it out of committee. Connecticut Governor Ned Lamont changed that calculation when he signed SB 5 (now Public Act No. 26-15) into law. It is the first US statute to simultaneously regulate automated employment decisions, frontier AI safety, AI companion services for minors, and AI-generated content provenance in a single, cross-sector act. There is no revenue or headcount threshold — a startup using an AI-powered hiring tool faces the same October 1 disclosure obligations as a Fortune 500 firm.

The law cascades across four compliance dates. October 1, 2026 (120 days) is the most broadly applicable: employer disclosure obligations for Automated Employment Decision Technology (AEDT) and the AI-use-is-not-a-defense amendment to Connecticut's anti-discrimination statutes. Any employer using algorithmic tools to screen résumés, score interviews, rank applicants, or inform promotion decisions affecting Connecticut employees or applicants must implement notice and non-discrimination safeguards. The frontier developer provisions — targeting ≥$500M revenue companies using ≥10²⁶ FLOP training runs — add whistleblower protections October 1, anonymous catastrophic-risk reporting channels January 1, 2027, and ultimately form part of what is becoming a de facto national compliance architecture alongside Illinois SB 315 (passed both chambers, awaiting Governor Pritzker's signature) and Colorado SB 26-189. Here is what compliance teams consistently miss: the October 1 date is not when you start building your AEDT inventory. It is when that inventory must be operationally complete, vendor-assessed, and disclosed. 120 days is not enough time to work backward from a standing start.

EUROPEAN UNION · CLOUD SECURITY — BREAKING TODAY

EU CADA: Cloud Sovereignty Enters the Legislative Pipeline

The European Commission formally adopted the Cloud and AI Development Act today (June 3, 2026) as part of the European Technological Sovereignty Package. Council and Parliament negotiations are now open, and final adoption is not expected until 2027. But organisations with a European cloud strategy should begin reading the proposal text now, not when the final text is agreed. The CADA's four-level cloud sovereignty framework would create a legislative basis for reinstating the very data localisation requirements that were stripped from the March 2024 EUCS High-level certification draft after pushback. If CADA sovereignty provisions survive negotiations intact, cloud procurement for EU public sector and critical infrastructure operators could face mandatory localisation requirements for sensitive workloads. That changes vendor shortlists, contract structures, and data residency architecture: decisions that take 12 to 24 months to implement. Starting that assessment only once CADA reaches final adoption will already be too late.

What to Do This Week

Your compliance checklist.

1. Confirm SEC Regulation S-P compliance documentation is dated today or earlier

Board-approved written IRP, tested 30-day notification workflow, audited vendor contracts with 72-hour breach-reporting clauses. Enforcement scrutiny begins now.

2. File your Australia OAIC Children's Privacy Code consultation response by June 5

Two days remaining. If your services reach Australian users under 18, this is your last window to shape final code requirements before December 2026 registration obligations.

3. Begin your AEDT inventory for Connecticut SB5 compliance

October 1, 2026 is 120 days away — but assessment, vendor engagement, and disclosure implementation require the full window. Start the AI hiring tool audit now, before the pipeline is too short to close gaps.

This newsletter is for informational purposes only and does not constitute legal advice.
Always consult qualified legal counsel for compliance decisions.
