CyberEyeQ Weekly Podcast — Episode 28
Date: July 2, 2026 · Duration: ~8 minutes · Hosts: Alex & Sarah
July 1 mega-cliff passes; EU AI Act next. Your weekly briefing on the regulatory stories that matter for compliance teams — sourced from CyberEyeQ Weekly Briefing Issue #26.
This Week's Top 5 Stories
1. July 1 mega-cliff arrives (cross-domain). At least nine distinct regimes across all eight tracked domains took legal effect on 1 July — Connecticut's CTDPA overhaul and first-in-nation LLM-training disclosure, Tennessee's AI-therapist impersonation ban, Utah's Digital Choice Act, Arkansas's teen-COPPA statute, Vietnam's unified Cybersecurity Law, and China's outbound-investment Order 837, energy-data regime and GB/T portability/audit standards. Sources: CT PA 25-113 · Utah HB 418 · Arkansas HB 1717
2. UK Buy Now Pay Later enters the FCA perimeter (due 15 Jul). From 15 July the Financial Conduct Authority regulates previously-exempt BNPL agreements; the temporary-permissions regime that bridged the transition closed on 1 July. Firms need FCA authorisation or TPR cover to keep lending. Source: fca.org.uk (PS26/1)
3. China's Anthropomorphic AI Interaction Measures take effect (15 Jul). The Cyberspace Administration of China's interim measures for AI-companion services impose AI-identity disclosure, addiction-prevention and minor-safeguard duties on providers of human-like AI chat services. Source: cac.gov.cn
4. EU AI Act transparency duties and GPAI enforcement go live (2 Aug). Article 50 requires disclosure that content is AI-generated and that users are interacting with AI; the AI Office simultaneously gains general-purpose-AI enforcement powers, with fines up to 3% of global turnover or €15M. Source: digital-strategy.ec.europa.eu
5. ESMA now supervises ESG ratings (applies today, 2 Jul). Regulation (EU) 2024/3005 brings ESG-rating providers under direct ESMA authorisation for the first time. In-scope providers must notify ESMA by 2 Aug and secure authorisation by 2 Nov; from November only ratings from ESMA-supervised or recognised providers carry regulatory credibility. Source: esma.europa.eu
Compliance Action Items
| Deadline | Action |
|---|---|
| Jul 15 | Confirm your BNPL products are covered by FCA authorisation or the temporary-permissions regime (UK · Financial). |
| Jul 15 | If you offer AI-companion or human-like chat features to Chinese users, implement AI-identity disclosure and minor safeguards (China · AI/Privacy). |
| Aug 01 | Re-test whether Connecticut's lowered 35,000-consumer threshold pulled you into CTDPA scope; switch off targeted ads and data sales for known 13–17 users ahead of the profiling impact-assessment duty (US · Privacy). |
| Aug 02 | Inventory every AI touchpoint and AI-generated or deep-fake output that will need an Article 50 label; re-baseline your EU AI Act programme (EU · AI). |
| Aug 02 / Nov 02 | If you provide or rely on ESG ratings in the EU, start the ESMA authorisation and provider-diligence workstream — notify by 2 Aug, authorise by 2 Nov (EU · Financial). |
Primary Sources
UK FCA BNPL regime (PS26/1) — fca.org.uk
China Anthropomorphic AI Interaction Measures — cac.gov.cn
EU AI Act (Article 50 / GPAI enforcement) — digital-strategy.ec.europa.eu
EU ESG Ratings Regulation (EU) 2024/3005 — esma.europa.eu · finance.ec.europa.eu
US Advanced-AI Executive Order (30-day cyber deadline) — whitehouse.gov
China Network Data Security Risk Assessment Measures (eff 20 Aug) — cac.gov.cn
HHS COVID-19 EUA termination — hhs.gov
Ofcom AVS Group age-check fine — ofcom.org.uk
For the full brief with all sources and Pro recommendations, subscribe to the CyberEyeQ newsletter at cybereyeq.com.
Full Transcript
Alex: Welcome to the CyberEyeQ Weekly Podcast, your concise briefing on the latest in global regulatory intelligence. I'm Alex, and joining me as always is our lead analyst, Sarah.
Sarah: Good to be here, Alex.
Alex: Sarah, it feels like we just passed a major compliance hurdle. The July first "mega-cliff", you called it, is behind us. What exactly happened on that date, and what's next?
Sarah: You're right, Alex. July first was indeed a significant date. At least nine distinct regulatory regimes across all eight domains we track reached their effective date. We saw new laws come into force in Connecticut, Utah, Arkansas, Tennessee, Vietnam, and China. This included Connecticut's Data Privacy Act overhaul, Utah's Digital Choice Act, and Arkansas's teen-Children's Online Privacy Protection Act statute, among others. But the calendar barely lets up; a dense cluster of July deadlines is already bearing down.
Alex: That sounds like a lot for companies to navigate. Let's dive into some of the most critical actions listeners should be aware of. First, what's happening with Buy Now Pay Later in the United Kingdom?
Sarah: From July fifteenth, the Financial Conduct Authority, or FCA, will regulate previously-exempt Buy Now Pay Later agreements. The temporary-permissions regime that bridged this transition closed on July first. So, firms need to ensure they have full Financial Conduct Authority authorization or temporary-permissions regime cover to continue lending.
Alex: So the action item there is clear: confirm your Buy Now Pay Later products are covered by Financial Conduct Authority authorization or the temporary-permissions regime before July fifteenth. What about China's Artificial Intelligence regulations?
Sarah: China's Cyberspace Administration of China, or CAC, Anthropomorphic Artificial Intelligence Interaction Measures take effect on July fifteenth. These interim measures for Artificial Intelligence companion services impose Artificial Intelligence-identity disclosure, addiction-prevention, and minor-safeguard duties on providers of human-like Artificial Intelligence chat services.
Alex: So, if you offer Artificial Intelligence-companion or human-like chat features to Chinese users, you need to implement Artificial Intelligence-identity disclosure and minor safeguards before July fifteenth. Now, let's talk about the European Union Artificial Intelligence Act. What's the latest there?
Sarah: The European Union Artificial Intelligence Act has crucial transparency duties and General Purpose Artificial Intelligence enforcement powers going live on August second. Specifically, Article fifty requires disclosure that content is Artificial Intelligence-generated and that users are interacting with Artificial Intelligence. Simultaneously, the Artificial Intelligence Office gains General Purpose Artificial Intelligence enforcement powers, with potential fines up to three percent of global turnover or fifteen million euros.
Alex: That's a significant date. So, the action is to inventory every Artificial Intelligence touchpoint and Artificial Intelligence-generated or deep-fake output that will need a label before August second. Shifting gears to financial regulations, the European Securities and Markets Authority, or ESMA, is now supervising Environmental, Social, and Governance ratings. Can you explain this new development?
Sarah: Absolutely, Alex. For years, Environmental, Social, and Governance ratings, which shape trillions in sustainable-investment flows, operated in a supervisory vacuum. That ends today, July second. Regulation EU two thousand twenty-four slash three thousand five, the EU Environmental, Social, and Governance Ratings Regulation, begins to apply, bringing Environmental, Social, and Governance rating providers under the direct authorization and ongoing supervision of the European Securities and Markets Authority for the first time.
Alex: What does this mean for providers operating in the European Union?
Sarah: Providers must be authorized, separate their rating activities from consulting, audit, and banking lines to manage conflicts of interest, and disclose their methodologies and data sources. The practical timeline is quite tight: EU-based providers must notify the European Securities and Markets Authority of their intent to continue operating by August second, two thousand twenty-six, and secure full authorization by November second, two thousand twenty-six. Third-country providers face an equivalence, endorsement, or recognition path.
Alex: And for the asset managers, banks, and corporations that actually use these ratings, how does this change their diligence?
Sarah: This regulation fundamentally reshapes diligence. From November, only ratings from European Securities and Markets Authority-supervised or recognized providers will carry regulatory credibility. The new methodology-transparency requirements mean users can finally interrogate how a score was built. This creates an immediate governance question most firms haven't answered: who owns Environmental, Social, and Governance-rating-provider due diligence, and what happens to a portfolio built on ratings from a provider that fails to secure authorization?
Alex: That's a critical point. So, the recommended actions here include mapping every Environmental, Social, and Governance rating your firm relies on to its provider and confirming each provider's EU authorization status, ideally by August second. If you're an in-scope provider, filing your European Securities and Markets Authority notification of intent to continue operating by August second. Separating rating activities from any consulting, audit, or banking lines before November second. Adding an authorization-status clause and methodology-disclosure requirement to Environmental, Social, and Governance-data vendor contracts in the next cycle. And briefing investment committees on transition risk from providers that may not secure authorization by November.
Sarah: Precisely, Alex. It's a comprehensive shift.
Alex: Let's turn to enforcement. What's caught your eye on the enforcement watch this week?
Sarah: We've seen Ofcom fine AVS Group one million pounds over inadequate age checks, plus an additional fifty thousand pounds for ignoring an information notice as part of their Online Safety Act campaign. Roughly seventy-six sites are still under investigation. Also, Australia is moving to double under-sixteen social media penalties to roughly ninety-nine million Australian dollars for systemic breaches, with five platforms currently under investigation. The Department of Health and Human Services Office for Civil Rights, or HHS OCR, continues its Health Insurance Portability and Accountability Act, or HIPAA, risk-analysis settlement streak, which remains their leading enforcement theme for healthcare entities. And China's outbound-investment Order eight hundred thirty-seven is now in force, adding a new penalty regime with fines from zero point one percent to one percent of the investment, forced divestiture, and up to three-year bans.
Alex: That's a broad range of enforcement actions. Looking ahead, what other key deadlines should our listeners mark on their calendars for July and August?
Sarah: Today, July second, is the first thirty-day agency deadline under June's Executive Order on Advanced Artificial Intelligence Innovation and Security in the United States. July seventh sees the South Korea Network Act Amendment become effective for large online platforms. On July tenth, the European Union Anti-Money Laundering Authority, or AMLA, delivers its first Anti-Money Laundering technical standards. July eighteenth is the due date for the GENIUS Act stablecoin Anti-Money Laundering and Countering the Financing of Terrorism rule in the United States. And on July twenty-eighth, the Federal Risk and Authorization Management Program, or FedRAMP, "Ready" designation sunsets to Legacy.
Alex: And beyond that?
Sarah: August first brings California's Data Rights Opt-out Portal, or DROP, go-live and Connecticut's profiling impact assessment. August second, as we discussed, is the big one for the European Union Artificial Intelligence Act's Article fifty and General Purpose Artificial Intelligence enforcement. Then on August twentieth, China's Network Data Security Risk Assessment Measures take effect for important-data processors, making annual risk assessments mandatory.
Alex: Globally, what else is making headlines?
Sarah: Vietnam's Law on Cybersecurity two thousand twenty-five is now in force, applying extraterritorially with twenty-four-hour or six-hour content-takedown duties, data localization, and Artificial Intelligence-deepfake prohibitions. In the United Kingdom, Ofcom's statutory age-assurance effectiveness report is due by the end of July. Also, the Department of Health and Human Services formally terminated the COVID-nineteen Emergency Use Authorization declarations, sunsetting device authorizations from December twenty-sixth, two thousand twenty-six.
Alex: Given all these moving pieces, Sarah, what are the top three actions you recommend our listeners take this week?
Sarah: First, re-baseline your European Union Artificial Intelligence Act program against the August second transparency and General Purpose Artificial Intelligence enforcement dates. Second, re-test whether Connecticut's lowered thirty-five thousand consumer threshold pulled you into Connecticut Data Privacy Act scope, and switch off targeted ads and data sales for known thirteen to seventeen-year-old users. Third, if you provide or rely on Environmental, Social, and Governance ratings in the European Union, start the European Securities and Markets Authority authorization and provider-diligence workstream now.
CyberEyeQ — Actionable Regulatory Intelligence. This podcast is for informational purposes only and does not constitute legal advice. Always consult qualified counsel for compliance decisions.