🎙️ Episode 22 is live
CIRCIA Still Missing · EU AI Transparency August 2 · CT Neural Data · ~9 min
This week: CIRCIA's final rule remains unpublished past its own May 2026 target — 300,000 critical infrastructure entities in compliance limbo, $500K/day penalties once the rule lands. EU AI Act Article 50 transparency obligations still hit August 2, 2026 — deepfake labelling and AI-interaction disclosure were NOT moved by the Omnibus. China confirms comprehensive national AI law in drafting. Connecticut passes the first US law classifying neural data as sensitive personal information, effective July 1. Plus: NERC CIP-003-11 (May 26) and EUDAMED mandatory modules (May 28).
Top Stories
1. CIRCIA Final Rule Still Missing
CISA missed its own May 2026 publication target. ~300,000 critical infrastructure entities remain in compliance limbo. Core requirements unchanged (72-hour incident reporting, 24-hour ransomware payment reporting), but implementation timelines cannot be finalized. $500K/day penalties apply immediately once published. Action: Design compliance programs to the proposed rule now.
2. EU AI Act: What August 2, 2026 Still Means
The Omnibus extended Annex III to December 2027 and Annex I to August 2028 — but Article 50(1) transparency obligations (deepfake labelling, AI-interaction disclosure, biometric/emotion notices) are still live August 2, 2026. Consultation on draft guidelines closes June 3. Action: Map every EU-facing AI surface against Article 50(1) and file a consultation response before June 3.
3. Connecticut Pioneers Neural Data Protection
CT SB 5 awaits governor signature. Effective July 1: neural data (BCI, EEG) classified as sensitive requiring opt-in consent. Minors ages 13-17 get blanket ban on targeted advertising and data sale. Bill also covers frontier AI supply chains, chatbot transparency, employment AI use, content provenance.
4. China's Two-Track AI Governance
State Council (May 17): confirms comprehensive national AI law in drafting — a single statute to replace CAC's current patchwork. No timeline yet. CAC Anthropomorphic AI Interactive Services rules (July 15): mandatory AI identity disclosure, emotional dependency prohibitions for China-facing conversational AI.
5. Two Sector Deadlines in 7 Days
May 26 — NERC CIP-003-11: Mandatory cybersecurity controls extended to low-impact BES Cyber Systems for the first time. May 28 — EUDAMED: Four mandatory modules go live; non-compliant MedTech manufacturers risk supply-chain disruption.
Upcoming Deadlines
May 26 — NERC CIP-003-11 (US Energy) · May 28 — EUDAMED modules (EU MedTech) · June 3 — EU AI Act Article 50 consultation closes · July 1 — CT neural data + AI bill · July 15 — CAC Anthropomorphic AI rules (China) · August 2 — EU AI Act Article 50(1) transparency live