🎙️ Episode 24 is live

EUDAMED Live; NIS2 Audit in 33 Days; CMMC at 1% Ready · ~8 min listen

Top Stories This Week

EUDAMED is now mandatory (May 28) — The EU medical device database requires an active Single Registration Number (SRN) for any new device placed on market. Legacy device deadline: November 28, 2026.

NIS2 first audit deadline: June 30 (33 days) — Essential entities face fines up to €10M or 2% of global turnover. Germany, France, and the Netherlands are in active enforcement. Germany's BSI issued 47 formal notices in Q4 2025.

CMMC Phase 2: 1% certified, 166 days to go — Only 1,042 of 76,598 required DoD contractors have completed Level 2 certification. C3PAO assessment backlogs run 6–12 months; mandatory assessments begin November 10.

EU AI Act Omnibus agreement (May 7) — High-risk Annex III AI pushed to December 2, 2027; Annex I to August 2, 2028. Not moved: GPAI obligations and Article 50 transparency requirements remain at August 2, 2026.

Colorado scraps its AI law — Governor Polis signed SB 26-189 (May 14) replacing the risk-management framework of SB 24-205 with a disclosure-only ADM regime effective January 1, 2027.

UK DUAA complaint-handling: June 19 (22 days) — All UK data controllers must have a published, operational complaints procedure. Electronic submission, 30-day acknowledgement, ICO escalation info required. No grace period.

Enforcement Watch

California AG fined GM $12.75M for selling telematics/behavioral data without consent. NYDFS penalized Delta Dental $2.25M for a 6-month breach notification delay. Ofcom fined Kick Online Entertainment £800,000 — first fine under the UK Online Safety Act age-check framework. SEC rescinded its 54-year-old "no-deny" settlement policy effective May 18.

Action Items

1. Verify EUDAMED SRN registration immediately.
2. Start NIS2 gap assessment — confirm entity classification and incident reporting ≤24h.
3. Contact a C3PAO for CMMC Level 2 readiness assessment this week.
4. Re-scope Colorado AI compliance from SB 24-205 to SB 26-189 (new ADM definition).
5. Publish UK DUAA complaints procedure before June 19.