
At a Glance

  • EUDAMED live today — EU medical device database mandatory as of May 28; SRN registration required before placing any new device on the EU market. Legacy device deadline is November 28.

  • EU AI Act Omnibus agreed — High-risk AI deadlines shifted to Dec 2027 / Aug 2028 for Annex III/I systems; GPAI and Article 50 transparency obligations stay fixed at August 2, 2026.

  • NIS2 audit clock: 33 days — June 30 marks the EU's first NIS2 compliance audit deadline; 21 of 27 Member States enforcing, Germany's BSI issued 47 formal notices in Q4 2025.

  • CMMC Phase 2: 1% ready — Only 1,042 of 76,598 DoD contractors certified with 166 days until mandatory C3PAO assessments begin November 10.

  • China confirms comprehensive AI law — State Council's 2026 legislative plan confirms a unified AI statute is in development, consolidating China's patchwork of sectoral AI rules.

  • Colorado scraps its AI law — Governor Polis signed SB 26-189 on May 14, replacing the risk-management framework with a disclosure-only ADM regime effective January 1, 2027.

Critical Actions

🔴 NIS2 First Compliance Audit Deadline — June 30, 2026 (33 Days) | EU · Cybersecurity

The European Commission's first mandatory NIS2 audit cycle closes June 30. 21 of 27 Member States are in active enforcement mode — Germany, France, and the Netherlands have already issued formal notices and remediation orders. Essential entities face fines up to €10M or 2% of global turnover; important entities up to €7M or 1.4%.

Action: Confirm entity classification (essential vs. important), validate incident reporting meets ≤24-hour initial notification, and register with your national competent authority.

🔴 CMMC Phase 2 — Schedule Your C3PAO Now (166 Days to November 10) | US · Cloud Security

Only ~1.4% of the 76,598 organizations requiring CMMC Level 2 certification have completed it. C3PAO assessment backlogs are running 6–12 months. Any DoD contractor handling CUI in a cloud environment must be certified before November 10, 2026 — and that requirement flows down through the entire supply chain.

Action: Contact a C3PAO for a readiness assessment immediately. Audit cloud environments and subcontractor chain for inherited CUI obligations.

🔴 UK DUAA Mandatory Complaint-Handling — June 19, 2026 (22 Days) | UK · Privacy

The Data (Use and Access) Act 2025 requires all UK data controllers to have an operational, published complaints procedure by June 19. Requirements include electronic submission, 30-day acknowledgement, and mandatory ICO escalation information. No grace period.

Action: Implement or update your complaints procedure and publish it before June 19. Applies to all organisations handling UK personal data.

Enforcement Watch

  • GM CCPA Settlement — $12.75M (California AG) — General Motors fined for collecting and selling telematics/behavioral data from connected vehicles without adequate consumer consent or purpose limitation. Sets the new benchmark for connected-product data pipelines across all industries.

  • Delta Dental — $2.25M (NYDFS) — Six-month delay in notifying NYDFS of a covered cybersecurity event. NYDFS was clear: the 72-hour notification clock starts at first determination, not after forensic certainty. First 2026 NYDFS enforcement action.

  • Kick Online Entertainment — £800,000 (Ofcom, UK) — First fine under the UK Online Safety Act's age assurance framework. Ofcom has opened investigations into 90+ services and expanded scope to generative AI platforms.

  • SEC Rescinds No-Deny Settlement Policy — Rule 202.5(e) rescinded May 18; defendants may now publicly deny allegations post-settlement. Most significant shift in SEC enforcement mechanics since 1972.

Deadline Watch

  • May 29 — ICO ADM Guidance Consultation Closes (UK · All orgs using automated decision-making)

  • Jun 3 — EU AI Act Article 50 Transparency Guidelines Consultation Closes (EU · All AI deployers with EU users)

  • Jun 18 — US Basel III Endgame Re-Proposal Comment Deadline (US · Large banks)

  • Jun 19 — UK DUAA Mandatory Complaint-Handling Procedures (UK · All data controllers)

  • Jun 30 — NIS2 First Audit Deadline + FedRAMP CR26 Final Publication (EU/US · Cloud/MSP providers, EU essential & important entities)

Around the World

🇺🇸 United States — The SEC proposed sweeping filer-status reforms and rescinded its no-deny settlement policy on May 18–19. The FTC issued its first comprehensive Section 5 AI enforcement policy, targeting AI-washing, unlawful training data collection, and ADM without documentation. Colorado replaced its AI risk-management law with a disclosure-only regime effective January 2027.

🇨🇳 China — State Council confirmed a comprehensive AI statute is in development — a qualitative shift from guidance-based rulemaking to formal statute. Anthropomorphic AI Interim Measures (companion AI, virtual friends) take effect July 15. The Qinglang 2026 enforcement campaign targets deepfake fraud and AIGC labeling violations.

🇦🇺 Australia — IoT device cybersecurity standards are now mandatory from March 4 under the Cyber Security Act 2024. Ransomware payment reporting (72-hour window) live for organizations above AUD 3M annual turnover. OAIC's children's online privacy code consultation closes June 5.

🇰🇷 South Korea — The AI Basic Act — the world's second comprehensive AI framework after the EU AI Act — has been in force since January 22, 2026. Companies offering high-impact AI in healthcare, energy, and public services must confirm classification mapping is complete.

Deep Dive: EU AI Act Omnibus — What the Political Agreement Actually Changes

European Union · AI Governance

In the early hours of May 7, 2026, Council and Parliament negotiators reached a provisional political agreement amending Regulation (EU) 2024/1689. The so-called "AI Omnibus" restructures the core timeline for high-risk AI compliance, adds a new prohibited practice covering AI-generated CSAM and non-consensual intimate imagery, and extends SME exemptions to small mid-cap companies. Formal adoption is expected before August 2, 2026.

The deal pushes two major deadlines: stand-alone Annex III high-risk AI systems now face obligations from December 2, 2027 instead of August 2026. High-risk AI embedded in Annex I regulated products gets until August 2, 2028. But here is what many compliance teams are missing: the August 2, 2026 date for GPAI obligations and Article 50 transparency requirements is unchanged. If you deploy a general-purpose AI model to EU users, or operate any conversational or interactive AI system, that clock has not moved by a single day.

The risk isn't a window of relief — it's a compliance divergence. Organisations that interpreted the Omnibus as a general pause risk building programs calibrated to the wrong timeline. Meanwhile, the Article 50 transparency consultation closes June 3 and the GPAI Code of Practice signatory status is already being weighed by the AI Office in enforcement posture decisions. The compliance calendar hasn't shrunk. It has split — and not every team has updated their roadmap to reflect which half still applies to them.


What to Do This Week

  1. Verify EUDAMED SRN registration — mandatory from today. EU medical device manufacturers, authorised representatives, and importers: confirm your Single Registration Number is live before placing any new device on the market.

  2. Start your NIS2 gap assessment — June 30 is 33 days away. Confirm entity classification, validate ≤24-hour incident reporting, and register with your national competent authority.

  3. Contact a C3PAO this week — CMMC backlog is 6–12 months. DoD contractors handling CUI in cloud environments: with only 1.4% certified and 166 days to Phase 2, scheduling a readiness assessment is no longer optional.

  4. 🔒 Item 4 for Pro subscribers: Re-scope your Colorado AI compliance program from SB 24-205 to the new SB 26-189 disclosure framework effective January 2027.

  5. 🔒 Item 5 for Pro subscribers: Submit to EU Article 50 consultation before June 3 — signatory engagement may be considered in future enforcement posture.

CyberEyeQ — Actionable Regulatory Intelligence | cybereyeq.com

This newsletter is for informational purposes only and does not constitute legal advice.
