The Pentagon hits pause on CMMC — and three regulators start writing cheques
The Department of War suspended CMMC Phase II with immediate effect on Monday, cancelling the November C3PAO assessment mandate that 120,000 defence suppliers had been budgeting for. In the same week, Ofcom issued its largest age-assurance fine yet, the ICO took £370,000 off two nuisance-call operators, and the Commission asked the Court of Justice to start charging four member states daily penalties over NIS2. Enforcement stopped being theoretical this week.
At a Glance
▸ CMMC Phase II suspended — The Department of War cancelled the 10 November C3PAO assessment mandate on 13 July and opened a 60-day reform review; Phase I self-assessments and DFARS 252.204-7012 survive untouched.
▸ Ofcom's first £630k age-check fine — The regulator fined fapello.com's provider £600,000 for failing to deploy highly effective age assurance, plus £30,000 for ignoring a statutory information request.
▸ UK starts overseeing the hyperscalers — AWS, Google Cloud, Microsoft and Oracle became designated Critical Third Parties on 13 July, putting the Bank of England, PRA and FCA directly over their resilience.
▸ Four states referred to CJEU over NIS2 — The Commission asked the Court to impose a lump sum plus daily penalties on Ireland, Spain, France and the Netherlands, 20 months past the transposition deadline.
▸ California DROP deletions start 1 August — Registered data brokers must process DROP deletion requests every 45 days from 1 August, at $200 per day per request they miss.
▸ China's companion-AI rules now in force — CAC Order No. 21 took effect 15 July for services simulating continuous emotional interaction, with fines to ¥200,000 where life or health safety is endangered.
Critical Actions
Stop your CMMC C3PAO spend and re-read your contracts
United States · Cybersecurity · Effective: 13 Jul 2026
The Department of War announced on 13 July the immediate suspension of CMMC Phase II requirements, scheduled to take effect 10 November 2026. Under implementing memorandum 26-P-1023, programme managers may now designate only Level 1 (Self) or Level 2 (Self) assessments; Level 2 (C3PAO) and Level 3 (DIBCAC) designations are prohibited during the suspension, no waivers will be granted, and contracting officers must amend active solicitations to remove those requirements and modify existing contracts before the next option exercise. Note the limits: 32 CFR Part 170 has not been rescinded and no Federal Register notice has been published, so this is acquisition discretion over clause insertion — not a repeal.
Action: Pause discretionary C3PAO engagement spend, then check every active solicitation and contract for Level 2 (C3PAO) designations that contracting officers must now strip out — but keep your NIST SP 800-171 Rev 2 self-assessment and DFARS 252.204-7012 obligations running unchanged.
Build your DROP deletion pipeline before 1 August
California · Privacy · Due: 1 Aug 2026
Under the Delete Act (Cal. Civ. Code § 1798.99.80 et seq.) and its DROP implementing regulations, CalPrivacy's guidance states that registered data brokers must access the Delete Request and Opt-out Platform and begin processing consumer deletion requests beginning 1 August 2026, and must do so at least once every 45 days thereafter. The mechanics are non-trivial to build late: download consumer deletion lists, standardise and hash your own consumer records, match, delete, and report each request's status back into DROP within 45 days. CalPrivacy sets the penalty at $200 per day, per deletion request not deleted as required, plus investigation and administrative costs. More than 300,000 Californians had signed up for DROP as of 2 June — the first cycle will not be a token volume.
Action: Confirm your DROP account and hashing pipeline work end-to-end in the sandbox this week, and diarise the 45-day reporting cycle from 1 August.
Submit the EU transparency Code signatory form by Wednesday
European Union · AI Governance · Due: 22 Jul 2026, 18:00 CEST
Providers and deployers of generative AI systems subject to Article 50(2) and/or Article 50(4) must submit the completed signatory form by 22 July 2026, 18:00 CEST to appear in the initial-signatories list, which the AI Office will publish ahead of the marking and labelling obligations applying on 2 August 2026. Signing remains possible after the window, but inclusion in that first list does not.
Action: Decide sign or no-sign on Sections 1 and 2 and email the form to the AI Office before Wednesday 18:00 CEST.
Enforcement Watch
Ofcom fines fapello.com provider £630,000 (£630,000) — On 9 July Ofcom fined the provider £600,000 for failing to deploy highly effective age assurance and £30,000 for failing to respond to a statutory information request — its largest age-assurance penalty to date under the Online Safety Act. The same day it opened an investigation into Bit Hive (eporner.com) and expanded its kemono.cr investigation.
ICO fines two home-improvement marketers £370,000 (£370,000) — On 8 July the ICO fined Thermotech Wall and Loft Surveys Ltd £240,000 and Jacksons Marketing Ltd £130,000 under PECR. TWLS made 575,000 calls in six months to numbers registered with the Telephone Preference Service, using robo-call software that played voice-actor recordings to simulate live UK agents. The same director links both firms.
Commission refers four member states to the CJEU over NIS2 (Lump sum + daily penalties) — On 8 July the Commission referred Ireland, Spain, France and the Netherlands to the Court of Justice for failing to notify NIS2 transposition measures, more than 20 months past the 17 October 2024 deadline, and asked the Court to impose a lump sum plus daily penalties until complete transposition is notified.
FTC settles with RentGrow for $2.25M ($2.25 million) — On 9 July the FTC announced a proposed settlement with the tenant-screening consumer reporting agency over alleged FCRA and FTC Act violations: duplicate criminal- and eviction-case entries that overstated applicants' records, incomplete source disclosure, and misleading dispute outcomes. The order requires an overhauled accuracy programme.
Deadline Watch
Date | Development | Jurisdiction | Who's affected |
|---|---|---|---|
Jul 17 | Member States must identify critical entities under the CER Directive | European Union | Critical infrastructure |
Jul 18 | CAC distributed digital identity consultation closes | China | Identity and platform operators |
Jul 18 | GENIUS Act stablecoin final-rule statutory deadline | United States | Stablecoin issuers |
Jul 22 | EU Transparency Code of Practice signatory form due, 18:00 CEST | European Union | GenAI providers, deployers |
Jul 28 | FedRAMP Ready designation retires | United States | Cloud service providers |
Jul 31 | FTC comment window on AI accuracy policy statement closes | United States | AI providers |
Aug 01 | California DROP deletion processing begins | US-California | Registered data brokers |
Aug 02 | EU AI Act Article 50 + GPAI penalty powers apply | European Union | GenAI and GPAI providers |
Aug 02 | CAC consultation on Internet Information Services rewrite closes | China | Platforms, AI services |
Aug 05 | EDPB common breach-notification template consultation closes | European Union | All GDPR controllers |
Aug 14 | CMMC reform RFI responses close | United States | Defence suppliers |
Aug 15 | Dutch Cyberbeveiligingswet brings NIS2 into force | Netherlands | Dutch essential entities |
Aug 20 | CAC Order No. 24 network data risk assessments take effect | China | Important-data processors |
Sep 11 | EU Cyber Resilience Act vulnerability + incident reporting begins | European Union | Product manufacturers |
Nov 28 | EUDAMED device registration deadline | European Union | Device manufacturers |
Around the World
🇺🇸 United States — Hawaiʻi moved first on companion AI. Governor Green signed SB 3001 as Act 248 on 14 July, effective on approval with no transition window: operators of AI companions must disclose non-human status, run disclaimers and hourly break reminders for known minors, and adopt a crisis protocol referring self-harm prompts to crisis services. Violations are unfair or deceptive acts under HRS §480-2, enforced by the Attorney General — the Act expressly creates no private right of action. HB 2137 was signed the same day as Act 247, making unconsented realistic AI digital imitations unlawful with damages up to $25,000 per advertisement.
🇬🇧 United Kingdom — Deferred payment credit became regulated consumer credit on 15 July under S.I. 2025/859. The temporary-permissions window (15 May–1 July) is closed, and firms holding neither full authorisation nor a registered temporary permission are now lending unlawfully. Affordability checks, the Consumer Duty, section 75 protection and Ombudsman access all attach to agreements entered from 15 July; earlier agreements stay unregulated. Firms on temporary permissions have until 15 January 2027 to apply for full authorisation.
🇨🇳 China — CAC Order No. 21 took effect 15 July, and its scope is narrower than commonly reported: it binds services simulating a natural person's personality in continuous emotional interaction — companionship, emotional care, support — while intelligent customer service, Q&A, work assistants and education services sit expressly out of scope absent that continuous emotional element. Separately, CAC's draft Provisions on interoperability of distributed digital identity close for comment on 18 July, carrying a China data-localisation duty for important data and personal information and a guardian-consent gate for under-14 users.
🇪🇺 European Union — The Digital Omnibus on AI was signed as a final act on 8 July; the procedure file now reads "procedure completed, awaiting publication in Official Journal", so the registry stays at enacted, not in force. It defers stand-alone high-risk duties to 2 December 2027 and product-embedded high-risk to 2 August 2028. Separately, we are correcting our own record: the EUDAMED registration deadline is 28 November 2026, not 27 November, and it is not confined to legacy devices — it covers any device whose first sales unit was placed on the EU market before 28 May 2026 and for which further units are placed on or after that date.
Deep Dive
The Pentagon Suspended CMMC Phase II. Read the Memo Before You Cancel Anything.
United States · Defence Supply Chain
For three years the Defence Industrial Base has been building toward a single date: 10 November 2026, when CMMC Phase II would have required Certified Third-Party Assessor Organization assessments for Level 2 contracts. On 13 July 2026 the Department of War suspended it — immediately, and without a Federal Register notice.
The scale of what was cancelled explains the relief now audible across the supply chain. The Department's own framing puts the estimated cost per certification at $593,800 for firms needing a third-party assessment, against roughly $388,600 for firms eligible to self-assess, across more than 120,000 small businesses in the DIB — served by roughly 100 approved assessors. That arithmetic was the problem: a hundred assessors cannot certify a hundred thousand companies in a November. The suspension covers the transition to Phase II "as well as pending and future CMMC implementation milestones across the Department of War solicitations and contracts", and a CMMC Reform Task Force reports to the DoW CIO within 60 days — roughly mid-September.
But read the memo before you cancel anything. Three things explicitly survive. Phase I self-assessment requirements, live since November 2025, remain "firmly in place". The Department will continue enforcing NIST SP 800-171 Rev 2 through self-assessments and select government-led assessments. And every contractor and subcontractor remains contractually bound by DFARS clause 252.204-7012 to safeguard covered defence information. Under implementing memorandum 26-P-1023, programme managers may designate only Level 1 (Self) or Level 2 (Self); Level 2 (C3PAO) and Level 3 (DIBCAC) designations are prohibited during the suspension, no waivers will be granted, and contracting officers must amend active solicitations and modify existing contracts before the next option exercise.
Here is the trap. 32 CFR Part 170 has not been rescinded and no Federal Register notice has been published. This is an exercise of acquisition discretion over which clauses go into contracts — not a repeal of the rule. The underlying regulation still exists, the Task Force reports in September, and a separate reform RFI closes 14 August. A supplier that reads "suspended" as "cancelled", stands down its Rev 2 evidence programme and lets its System Security Plan rot will discover the difference at the next option exercise — or when the Task Force reports and the clause insertion resumes on a compressed timetable. The false comfort here is worth more than the fine…
🔒 This analysis continues for CyberEyeQ Pro subscribers. Contact Us →
Inventory every active solicitation and contract for Level 2 (C3PAO) or Level 3 (DIBCAC) designations, and open the conversation with your contracting officer — the memo puts the amendment duty on them, but nobody will chase it for you. (Owner: Contracts / Capture · Timeline: Within 2 weeks)
Pause discretionary C3PAO engagement spend but do not terminate assessor relationships; re-scope to readiness work that retains value if the mandate returns in FY27. (Owner: CISO + Procurement · Timeline: Immediately)
Keep the NIST SP 800-171 Rev 2 self-assessment, SPRS score and System Security Plan current — this is the surviving enforcement baseline, and DFARS 252.204-7012 never moved. (Owner: CISO · Timeline: Continuous)
File a response to the CMMC reform RFI by 14 August if third-party assessment cost or assessor capacity materially affects your bid economics — the Task Force reports in roughly mid-September. (Owner: Government Affairs · Timeline: By 14 August 2026)
Track the Rev 2 → Rev 3 question separately: the DoD had scheduled a CMMC amendment for the NIST SP 800-171 Rev 3 transition (RIN 0790-AM01), and the suspension does not resolve which baseline emerges from the review. (Owner: CISO + Compliance · Timeline: Watch to mid-September)
Regulatory Frontline
Britain Just Put Four American Cloud Companies Under Its Financial Regulators
United Kingdom · Cloud & Operational Resilience
On 10 July HM Treasury made its first designations under the FSMA 2023 Critical Third Parties regime, naming Amazon Web Services EMEA SARL, Google Cloud EMEA Limited, Microsoft Ireland Operations Ltd and Oracle Corporation UK Limited. Three days later, on 13 July, The Critical Third Parties (Designation) Regulations 2026 (S.I. 2026/777) came into effect and the Bank of England, PRA and FCA jointly began oversight. Designated CTPs must identify and manage risks to critical services, undergo resilience testing, run regular self-assessments, and report major incidents — with oversight limited to the resilience of services provided to UK financial firms. The regime complements rather than replaces firms' own outsourcing and operational-resilience obligations, and runs alongside the EU's DORA CTPP oversight under the January 2026 UK–EU Memorandum of Understanding. The quiet significance is jurisdictional: for the first time UK financial regulators can look directly at a hyperscaler's resilience rather than at their supervised firms' contracts with one. If you are a UK financial firm, the practical question this week is not whether your cloud provider is now supervised — it is whether your own concentration-risk register, exit plans and incident-reporting paths still make sense now that the regulator is reading the same evidence from the other end.
What to Do This Week
Check every active DoD solicitation for Level 2 (C3PAO) designations. Contracting officers must strip them out under memorandum 26-P-1023, but the amendment will not chase itself — and your Rev 2 self-assessment and DFARS 252.204-7012 duties are unchanged.
Test your DROP deletion pipeline in the sandbox before 1 August. Download, hash, match, delete and report-back must work end to end; the penalty is $200 per day per missed request.
Email the EU transparency Code signatory form to the AI Office before 22 July, 18:00 CEST. After that you can still sign, but not into the initial list published ahead of the 2 August Article 50 duties.
🔒 Reconcile your UK cloud concentration-risk register against the new CTP designations. AWS, Google, Microsoft and Oracle came under Bank of England, PRA and FCA oversight on 13 July.
🔒 Determine whether any of your services fall inside CAC Order No. 21's "continuous emotional interaction" scope. In force since 15 July; customer service, Q&A and work assistants are expressly outside it.
CyberEyeQ — Actionable Regulatory Intelligence