
Brussels reached political agreement May 7 on the EU AI Act Digital Omnibus — Annex III high-risk obligations slip to December 2, 2027 while GPAI enforcement powers still go live August 2, 2026 and nudification apps face an EU-wide ban. California's AG secured a record $12.75 million CCPA penalty against GM/OnStar for selling driver telemetry. Connecticut passed two omnibus bills (SB 5 — AI; SB 4 — privacy/data brokers) and Colorado passed SB 26-189 to replace its stayed AI Act before the June 30 trigger. China issued the world's first horizontal regulation for autonomous AI agents. CMS froze new hospice and home-health enrollments nationwide for six months. Luxembourg's NIS2 law went live May 10, bringing the EU to roughly 23 of 27 transposed states.

At a Glance

  • EU AI Act postponed — Council/Parliament political agreement May 7; Annex III moves to Dec 2, 2027; nudification apps banned EU-wide.

  • $12.75M CCPA record — CA AG fined GM/OnStar for selling driver geolocation; ~4.6× the prior Disney/ABC record.

  • Two states pass AI laws — Connecticut SB 5 (May 1) and Colorado SB 26-189 (May 9) await governor signatures; CT also passed SB 4 privacy.

  • China regulates AI agents — CAC/NDRC/MIIT Implementation Opinions May 8; mandatory digital-ID registration; 70% smart-terminal adoption target by 2027.

  • CMS freezes hospice/HHA enrollment — Nationwide six-month moratorium effective May 13 under the Anti-Fraud Task Force.

  • Luxembourg NIS2 live; CIRCIA slips — EU tally now ~23 of 27 transposed; CISA May-target window closed without publication.

  • FedRAMP CR26 preview — Public preview launched May 4; final by end of June, in force early July, baseline through Dec 31, 2028.

Critical Actions

🔴 CRITICAL — FTC Take It Down Act §3 takedown obligations effective May 19 (5 days)

US Federal · Privacy / Age Safety

Covered platforms (services where user-generated content is a primary purpose) must operationalize a notice-and-takedown process for non-consensual intimate imagery and remove valid-request content plus known identical copies within 48 hours. The FTC enforces under Section 5.

Action: Trust & Safety leads — confirm intake form is live, deduplication/hash-matching pipeline is operational, and 48-hour SLA telemetry feeds your audit log. Brief executives this week. FTC TIDA guidance
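As an added illustration of the three checks named in the action item (intake, identical-copy matching, and SLA telemetry feeding the audit log), the following Python sketch tracks a takedown request against a 48-hour window and removes byte-identical copies by SHA-256. It is example code written for this briefing, not FTC guidance and not any platform's pipeline; the content library, request ids and timestamps are constructed, and matching is limited to exact byte-identical copies by assumption (perceptual near-duplicate matching is out of scope).

```python
"""
Added example: a minimal takedown-tracking routine for a Take It Down Act
style notice-and-removal process. Illustrative code only, not the FTC's
guidance and not any platform's production pipeline. Hash matching uses
SHA-256 over raw bytes, so it finds byte-identical copies only (assumption).
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

SLA = timedelta(hours=48)  # removal window measured from receipt of a valid notice


@dataclass
class ContentItem:
    item_id: str
    data: bytes
    sha256: str = field(init=False)

    def __post_init__(self) -> None:
        self.sha256 = hashlib.sha256(self.data).hexdigest()


@dataclass
class TakedownRequest:
    request_id: str
    target_item_id: str
    received_at: datetime  # timezone-aware UTC timestamp of the valid notice

    @property
    def deadline(self) -> datetime:
        return self.received_at + SLA


def find_identical_copies(library: list[ContentItem], target_id: str) -> list[str]:
    """Return ids of every item whose bytes hash identically to the target."""
    target = next((i for i in library if i.item_id == target_id), None)
    if target is None:
        return []
    return [i.item_id for i in library if i.sha256 == target.sha256]


def process_request(library: list[ContentItem], req: TakedownRequest, now: datetime) -> dict:
    """Remove the target and its identical copies; return an audit-log record.

    The record carries the SLA deadline and whether it was met, so the SLA
    telemetry lives in the audit trail rather than in a side channel.
    """
    removed = find_identical_copies(library, req.target_item_id)
    library[:] = [i for i in library if i.item_id not in removed]
    return {
        "request_id": req.request_id,
        "removed": removed,
        "received_at": req.received_at.isoformat(),
        "deadline": req.deadline.isoformat(),
        "actioned_at": now.isoformat(),
        "sla_met": now <= req.deadline,
    }


def overdue_requests(pending: list[TakedownRequest], now: datetime) -> list[str]:
    """Ids of unactioned requests whose 48-hour window has already closed."""
    return [r.request_id for r in pending if now > r.deadline]


def demo() -> dict:
    # Constructed sample data: three uploads, two of which are byte-identical.
    library = [
        ContentItem("img-1", b"constructed-sample-bytes-A"),
        ContentItem("img-2", b"constructed-sample-bytes-A"),  # identical re-upload
        ContentItem("img-3", b"constructed-sample-bytes-B"),
    ]
    received = datetime(2026, 5, 19, 9, 0, tzinfo=timezone.utc)
    req = TakedownRequest("req-001", "img-1", received)
    record = process_request(library, req, now=received + timedelta(hours=20))
    record["remaining"] = [i.item_id for i in library]
    return record


def demo_overdue() -> list[str]:
    # Constructed: one request past its window, one still inside it.
    received = datetime(2026, 5, 19, 9, 0, tzinfo=timezone.utc)
    pending = [
        TakedownRequest("req-002", "img-3", received),
        TakedownRequest("req-003", "img-3", received + timedelta(hours=10)),
    ]
    return overdue_requests(pending, now=received + timedelta(hours=50))


if __name__ == "__main__":
    print(demo())
    print(demo_overdue())
```

The design point is that the deadline is computed once from the notice timestamp and written into the same record as the removal outcome, so an auditor can reconstruct SLA performance from the log alone; `overdue_requests` is the check a dashboard would run on the open queue.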

🔴 HIGH — EUDAMED four-module mandatory use, May 28 (14 days)

EU · Healthcare / MedTech

Actor registration, UDI/Devices, Notified Bodies & Certificates, and Vigilance modules become mandatory across the EU MDR/IVDR perimeter on May 28. Manufacturers, importers, and authorised representatives that have not completed registration risk supply-chain disruption.

Action: MedTech regulatory affairs — verify SRN issuance, complete UDI submissions for legacy and new devices, validate vigilance reporting flow before May 28. EU Commission EUDAMED

🟠 HIGH — China Drug Administration Law Implementing Regs effective May 15 (Tomorrow)

China · Healthcare / Life Sciences

China's revised Drug Administration Law Implementing Regulations (2026 Revision, State Council) take effect tomorrow. Pharma manufacturers and importers with China nexus should treat May 15 as the operational pivot.

Action: China pharma compliance — confirm registration dossiers, ICH-Q9 quality risk management, and import licensing documentation all reflect the 2026 revisions. Morgan Lewis briefing

Enforcement Watch

  • California AG v. GM/OnStar — $12.75M CCPA settlement (May 8, 2026). Largest CCPA penalty to date, ~4.6× the prior Disney/ABC record. GM sold precise geolocation plus hard-braking, hard-acceleration, speed, seatbelt and trip-duration telemetry from hundreds of thousands of California drivers to data brokers (LexisNexis, Verisk) without adequate notice or consent. 5-year ban on selling driving data to consumer reporting agencies or brokers; 180-day deletion of retained data absent affirmative express consent. CA OAG release

  • CMS hospice/HHA enrollment moratorium (May 13, 2026). Anti-Fraud Task Force: nationwide six-month moratorium on new Medicare enrollments for hospice agencies and home health agencies; most majority-ownership changes also paused. Existing providers and current patients unaffected. May be extended in six-month increments. CMS release

  • UK FCA bans adviser Frank Breuer — £755,000 fine (May 12, 2026). Lifetime ban for uninsured DB pension-transfer advice. Highest-profile UK financial-adviser enforcement of Q2. FCA press release

  • CAC cites ByteDance CapCut, Maoxiang, Dreamina AI (Apr 28–29). Three ByteDance services cited for breaching the Cybersecurity Law, 2023 Generative-AI Interim Measures, and the September 2025 Synthetic-Content Labeling Measures. Outcome: regulatory interviews, formal warnings, rectification orders, personnel accountability. Qinglang 2026 enforcement signal. China Daily

Deadline Watch — Next 60 Days

  • May 15 (1 day) — China Drug Administration Law Implementing Regulations effective

  • May 19 (5 days) — FTC Take It Down Act §3 takedown obligations

  • May 26 (12 days) — NERC CIP-003-11 (Cyber Security for Low-Impact BES)

  • May 28 (14 days) — EUDAMED four-module mandatory use

  • Jun 1 (18 days) — China GB 46864-2025 Data Security Technology

  • Jun 9 (26 days) — FinCEN/OFAC GENIUS Act NPRM — comment deadline

  • Jun 18 (35 days) — Basel III Endgame re-proposal — comment deadline

  • Jun 25 (42 days) — EDPB Guidelines 1/2026 (scientific research) consultation

  • Jun 30 (47 days) — Colorado AI Act SB 24-205 stayed effective date

  • Jul 1 (48 days) — Multi-jurisdiction state-law wave (CT, CO, NE, LA, TN, US HIPAA Security 2026, KR Network Act, VN Cyber Law 2025)

Around the World

European Union. Council and Parliament agreed May 7 on the AI Act Digital Omnibus, postponing high-risk obligations. EDPB 119th plenary May 11; 2026 CEF on Articles 12–14 transparency under way with 25 DPAs. ECON adopted PSD3/PSR final compromise texts May 5. Luxembourg NIS2 live May 10.

United States. California AG record $12.75M CCPA settlement vs. GM/OnStar. Connecticut SB 5 (AI) and SB 4 (privacy/data brokers) passed; Colorado SB 26-189 passed to replace SB 24-205; Iowa chatbot disclosure signed. CMS nationwide six-month hospice/HHA enrollment moratorium May 13. CIRCIA final rule slips past May target. FedRAMP CR26 preview live May 4. PA AG sued Character.AI May 5.

China. CAC/NDRC/MIIT Implementation Opinions on AI Agents May 8 (tiered risk, digital-ID registration, 70% adoption target by 2027). State Council 2026 Legislative Work Plan May 12 commits to accelerating comprehensive AI Law. CAC cited ByteDance CapCut/Maoxiang/Dreamina AI for AI-content labeling failures. Drug Administration Law Implementing Regs effective May 15.

United Kingdom. Ofcom's promised May 2026 statement on platform responses is the dominant near-term trigger. FCA fined Frank Breuer £755K with lifetime ban May 12. Cyber Security and Resilience Bill in Public Bill Committee — brings managed and cloud providers into direct scope. DPA AI Code (SI 2026/425) effective May 12.

Deep Dive #1 — EU AI Act Postponement: What the May 7 Political Agreement Means for Your Roadmap

European Union · AI Governance

On May 7, 2026 the Council of the EU and the European Parliament reached political agreement on the AI Act Digital Omnibus (proposal originally adopted by the Commission on November 19, 2025). The agreement delays the headline high-risk AI obligations to give technical standards time to mature and prevent enforcement against standards that do not yet exist. The updated timeline now reads:

  • August 2, 2026 — GPAI enforcement powers begin (Commission supervision, documentation requests, evaluations; fines up to €15M / 3% global turnover, €7.5M / 1.5% for SMEs); Article 50 transparency obligations apply; governance, notified bodies, and AI Office competence over GPAI-based systems operationalize.

  • December 2, 2026 — Content marking obligations for synthetic-content providers apply.

  • December 2, 2027 — High-risk AI obligations for Article 6(2)/Annex III systems apply (was August 2, 2026). Covers biometrics, critical infrastructure, education, employment, migration, asylum, border.

  • August 2, 2028 — High-risk obligations for AI integrated into Annex I regulated products apply (was August 2, 2027). Covers lifts, toys, medical devices, machinery.

The agreement also includes an EU-wide ban on AI systems whose primary purpose is to generate non-consensual intimate images ("nudification apps") — the most concrete consumer-protection deliverable for European citizens in this round. Final adoption by Council and Parliament will follow.

This is the moment when EU AI Act compliance stops being a single 2026 milestone and becomes a four-track program. Track 1 — GPAI enforcement (Aug 2, 2026): still binding and 80 days away. GPAI providers should confirm Code of Practice signatory status; signatories receive enforcement mitigation and Commission-focused monitoring rather than open-ended fact-finding. Track 2 — Content marking (Dec 2, 2026): a discrete deliverable for any organisation generating synthetic media. Track 3 — Annex III stand-alone (Dec 2, 2027): the additional 16 months should be reinvested in Article 9 risk management, Article 10 data quality, Article 13 transparency packaging, and Article 14 human-oversight design — not deferred. Track 4 — Annex I embedded products (Aug 2, 2028): alignment with parallel sectoral conformity-assessment cycles.

The risk inside this welcome flexibility is de-prioritisation: governance teams that put AI Act work on hold to free 2026 capacity for other regulations will discover in late 2027 that the watermarking obligation already passed and the Annex III evidence base was never built.

The rest of this analysis — the 14-step Annex III readiness checklist with named owners and timelines, plus the GPAI Code-of-Practice gap analysis — continues for CyberEyeQ Pro subscribers. Contact us →

Deep Dive #2 — China's First Horizontal Regime for Autonomous AI Agents

China · AI Governance / Cybersecurity / Privacy

On May 8, 2026 the Cyberspace Administration of China, jointly with the National Development and Reform Commission and the Ministry of Industry and Information Technology, issued Implementation Opinions on Standardized Application and Innovative Development of Intelligent Agents (AI Agents) — China's (and the world's) first horizontal regime aimed specifically at autonomous LLM-orchestrated systems that take actions on behalf of users.

The Opinions impose a tiered risk regime: high-risk sectors (healthcare, public safety, critical infrastructure) face mandatory standards, government filing, and product-recall mechanisms; low-risk sectors operate under self-regulation. The Opinions mandate human-in-the-loop oversight and retention of final decision-making by the user, prohibit algorithms designed to addict or exploit users, and announce a forthcoming national registration platform that will assign digital IDs to AI agents for traceability. The document sets a 70% adoption target for AI agents in smart terminals by 2027 and lists 19 priority application scenarios.

Read against the May 12 State Council 2026 Legislative Work Plan, the picture is of a regulator moving from one-off normative documents to a layered horizontal architecture: labels at the content layer, registration at the agent layer, and a forthcoming statute at the apex. Multinational platforms with a China nexus should expect the registration platform to roll out in tandem with the Cybersecurity Label Management Measures (effective July 1, 2026) and the GB 46864-2025 data-security standard (effective June 1, 2026). Treat the AI-agent regime as a four-quarter compliance build: Q2 inventory, Q3 mapping to high-risk-sector taxonomy, Q4 registration readiness, 2027 Q1 reporting cadence.

Regulatory Frontline — The State Law Wave Snaps Back

Three weeks ago the White House National AI Legislative Framework (March 20) and EO 14365's DOJ AI Litigation Task Force (operational since January) put state AI laws on notice. This week the states answered: Connecticut passed SB 5 (AI omnibus) on May 1, Colorado passed SB 26-189 on May 9 to repeal and replace SB 24-205 before its June 30 trigger, Iowa signed a chatbot-disclosure law in early May, and Connecticut also passed SB 4 — a one-stop data-broker deletion regime, surveillance-pricing ban, and explicit-consent regime for genetic data.

The pattern is defensive specialization, not consolidation: CT SB 5 covers AEDP, AI companion chatbots, synthetic media, social-media safety for under-18s, and frontier-model whistleblower protections — six distinct AI use-cases under a single Act, all enforced by the AG with private rights of action narrowly tailored to child-protection. Colorado SB 26-189 narrows the deployer perimeter, removes federal-banking-style exemptions, and concentrates enforcement in the AG's office. The drafting style — state-AG-anchored, deceptive-trade-practice framing — is explicitly engineered to survive federal-preemption litigation under EO 14365.

Companies should now track state-level signature risk separately from state-level compliance risk. The compliance clock for CT SB 5 starts October 1, 2026 (general); January 1, 2027 (AI companion chatbots); October 1, 2027 (AEDP and synthetic-media provenance). The preemption litigation clock starts the day each Governor signs. Expect DOJ to file in the strongest preemption posture jurisdiction (likely Colorado, which lacks federal-banking exemption carve-outs) within 60–90 days of signature.

What to Do This Week

  1. Platform Trust & Safety — Confirm Take It Down §3 notice-and-takedown is operational and 48-hour SLA is instrumented. May 19 is hard.

  2. MedTech Regulatory Affairs — Validate EUDAMED SRN, UDI submissions, and vigilance reporting before May 28.

  3. AI Governance / EU teams — Rebuild EU AI Act roadmap on the four-track timeline (Aug 2 2026 / Dec 2 2026 / Dec 2 2027 / Aug 2 2028). Do not pause Annex III work.

  4. [Pro] CT SB 5 / CO SB 26-189 readiness checklist — six AI use-cases, named owners, signature-date triggers.

  5. [Pro] China AI Agents Implementation Opinions — high-risk sector mapping and registration-platform pre-build.

Items 4–5 are for CyberEyeQ Pro subscribers. Contact us →

This newsletter is for informational purposes only and does not constitute legal advice. Always consult qualified legal counsel for compliance decisions.

— The CyberEyeQ team
