At a Glance
EU AI Act deadlines extended 12–24 months — Omnibus provisional agreement pushes high-risk AI compliance to Dec 2027 (standalone) or Aug 2028 (product-embedded).
EUDAMED mandatory in 7 days — EU medical device operators must hold an SRN before May 28 or face market access blocks.
Meta faces 6% revenue DSA fine — EC preliminary finding: Instagram/Facebook age checks fail to block under-13 users. Fine could exceed $3B.
CIRCIA final rule stalled — CISA missed May 2026 deadline; 300,000 critical infrastructure entities in compliance limbo.
UK BNPL regime starts July 15 — TPR registration window closes July 1.
China confirms national AI omnibus law — State Council 2026 plan calls for comprehensive AI statute.
Critical Actions
🚨 CRITICAL — EUDAMED Mandatory Registration — Due May 28, 2026
All EU economic operators must hold a Single Registration Number (SRN) before May 28 or face market access blocks. New devices must be UDI-registered before first placement.
Action: Verify SRN status for every EU supply chain entity now.
🔴 HIGH — NERC CIP-003-11 Effective May 26, 2026
FERC Order No. 918 extends mandatory cybersecurity controls to low-impact BES Cyber Systems.
Action: Confirm security management controls and incident response procedures before Tuesday.
🔴 HIGH — UK BNPL TPR Registration Closes July 1
FCA regime in force July 15. Unregistered DPC lenders cannot operate after July 15.
Action: Initiate FCA TPR registration now.
Enforcement Watch
CNIL fines Iliad/Free €42M — 24M customer breach; data retention and monitoring failures (GDPR cumulative fines now €7.1B+)
DORA live enforcement — First compulsion payments issued; ~50% of in-scope financial entities non-compliant; up to 2% global turnover
Meta DSA preliminary breach — EC finds Instagram/Facebook age checks ineffective for under-13s; up to 6% global revenue
NIS2 infringement — EC reasoned opinions against 19 Member States; CJEU referrals possible; up to €10M or 2% global revenue
Deadline Watch
May 26 — NERC CIP-003-11 in force + HIPAA Claims Attachments Rule (US)
May 28 — EUDAMED Mandatory — SRN + UDI Required (EU)
Jun 1 — China GB 46864-2025 Electronic Product Data Sanitization effective
Jun 18 — US Basel III Endgame comment deadline
Jul 1 — UK BNPL TPR closes + MiCA CASP transitional expires + NE/CO/CT state laws effective
Jul 15 — UK BNPL in force + China Anthropomorphic AI Measures effective
Around the World
🇨🇳 China — State Council confirms comprehensive national AI law in drafting. Qinglang 2026 deepfake enforcement active with quarterly algorithmic audit requirements.
🇬🇧 UK — Cyber Security and Resilience Bill featured in May 2026 King’s Speech. Managed IT providers: assess 24-hr notification obligations now.
🇸🇬 Singapore — FATF/APG mutual evaluation published May 2026. AML/CFT oversight strong; enforcement rates flagged as low.
🇺🇸 US — Historic SEC–CFTC MOU (March 2026) reshaping cross-market oversight. Dually-registered firms: review the six MOU focus areas.
Deep Dive: The EU AI Act Omnibus — What the Reprieve Really Means
When the European Parliament and Council reached a provisional political agreement on May 7, 2026 to simplify the EU AI Act through the Digital Omnibus package, headlines led with “deadlines extended.” That framing, while accurate, obscures both the magnitude of the change and the critical new obligations it introduces.
The EU AI Act’s original compliance architecture had high-risk AI systems in Annex III — covering recruitment tools, credit scoring, and biometric systems — facing an August 2026 deadline. That deadline is now pushed to December 2, 2027 (a 16-month extension). For AI systems embedded in regulated products (Annex I: medical devices, machinery), the deadline moves to August 2, 2028. However, three obligations have NOT moved: transparency and AI content marking obligations land on December 2, 2026; the new prohibition on non-consensual AI intimate imagery also activates December 2, 2026; and formal adoption must complete before August 2, 2026. Organisations that use the deadline extension as a reason to defer engagement risk being unprepared for the December wave.
DORA Enters Live Enforcement — Half the Market Is Not Ready
As of mid-2026, the informal supervisory tolerance period has ended. NCAs are actively cross-checking Register of Information (RoI) data and issuing the first compulsion payments. Only approximately 50% of in-scope financial entities are fully compliant. The highest-risk cohort: financial entities whose ICT third-party service provider relationships are not yet fully mapped in the RoI. NCAs can impose fines up to 2% of total annual global turnover or €10M; responsible individuals face up to €1M personally.
What to Do This Week
Verify EUDAMED SRN status for all EU device supply chain entities — Deadline May 28, 7 days. No SRN = no market placement from Thursday.
NERC CIP-003-11: Low-impact BES operators confirm controls before Tuesday May 26.
UK BNPL lenders: Initiate FCA TPR registration now — window closes July 1.
CyberEyeQ — Actionable Regulatory Intelligence