🎙️ Episode 23 is live

EU AI Act Omnibus Rewrites Deadlines; EUDAMED Live Today; CMMC at 1% · ~8 min listen

This Week's Top Stories

🔴 EU AI Act Omnibus: Deadlines Split, GPAI Unchanged at Aug 2

The May 7 political agreement shifts Annex III high-risk AI to December 2, 2027 and Annex I regulated-product AI to August 2, 2028 — but GPAI and Article 50 transparency obligations remain fixed at August 2, 2026. Treating the Omnibus as a blanket pause is a compliance risk. The Article 50 consultation closes June 3.

🔴 EUDAMED Now Mandatory — Effective Today, May 28

The EU medical device database (EUDAMED) is mandatory as of today. New devices need a live Single Registration Number (SRN) and UDI module entry before market placement. No grace period. Legacy device deadline: November 28, 2026.

🔴 NIS2 First Audit Deadline — 33 Days to June 30

Essential entities face fines up to €10M or 2% of global turnover. Germany's BSI issued 47 formal notices in Q4 2025. Action: confirm entity classification, validate 24-hour incident reporting, register with your national authority.

🔴 CMMC Phase 2: Only 1% Certified, 166 Days to November 10

Just 1,042 of 76,598 DoD contractors have completed Level 2 certification. C3PAO backlogs run 6–12 months. Contact a C3PAO this week — organizations that haven't started are already at risk of missing November 10.

🌐 Colorado Scraps AI Law; China Confirms Unified AI Statute

Colorado's SB 26-189 (signed May 14) replaces the SB 24-205 risk-management framework with a disclosure-only ADM regime effective January 1, 2027. China's State Council confirmed a comprehensive AI law is in development. China's Anthropomorphic AI Interim Measures take effect July 15.

Enforcement Watch

  • California AG (CCPA): GM fined $12.75M for collecting and selling telematics/behavioral data from connected vehicles without adequate consent

  • NYDFS: Delta Dental fined $2.25M for 6-month delay in notifying NYDFS of a cybersecurity breach

  • Ofcom (UK): Kick Online Entertainment fined £800,000 — first UK Online Safety Act age assurance enforcement action

  • SEC: Rescinded 54-year-old "no-deny" settlement policy — defendants may now publicly contest allegations post-settlement

Compliance Deadlines This Week

  • May 28 (TODAY): EUDAMED mandatory — verify SRN registration before placing new devices on market

  • May 29: ICO ADM guidance consultation closes (23:59 GMT)

  • Jun 3: EU AI Act Article 50 transparency guidelines consultation closes

  • Jun 19: UK DUAA mandatory complaint-handling procedures live

  • Jun 30: NIS2 first audit + FedRAMP CR26 final publication

  • Aug 2: EU AI Act GPAI + Article 50 obligations in force (unchanged by Omnibus)

  • Nov 10: CMMC Phase 2 mandatory — contact a C3PAO now

CyberEyeQ — Actionable Regulatory Intelligence.
