This website uses cookies

Read our Privacy policy and Terms of use for more information.

🎙️ Episode 30 is live

Pentagon suspends CMMC Phase II; regulators start fining · ~8 min listen

The Department of War suspended CMMC Phase II with immediate effect on 13 July, cancelling the 10 November C3PAO assessment mandate that 120,000 defence suppliers had been budgeting for — but Phase I self-assessments and DFARS 252.204-7012 survive untouched. In the same week Ofcom issued its largest age-assurance fine yet, HM Treasury put AWS, Google, Microsoft and Oracle under UK financial supervision, and the Commission asked the Court of Justice to start charging four member states daily penalties over NIS2. Enforcement stopped being theoretical this week.

Top 5 Stories

  1. CMMC Phase II suspended; Phase I and DFARS survive. Under implementing memorandum 26-P-1023, programme managers may designate only Level 1 (Self) or Level 2 (Self); Level 2 (C3PAO) and Level 3 (DIBCAC) designations are prohibited during the suspension, with no waivers. Contracting officers must amend active solicitations. This is acquisition discretion over which clauses go into contracts — not a repeal of the underlying rule. A 60-day reform review is open, with an RFI closing 14 August.

  2. Ofcom's largest age-assurance fine yet — £630,000. £600,000 for failing to deploy highly effective age assurance under the Online Safety Act, plus £30,000 for ignoring a statutory information request.

  3. UK designates four hyperscalers as Critical Third Parties. HM Treasury made its first FSMA 2023 CTP designations on 10 July — AWS EMEA SARL, Google Cloud EMEA, Microsoft Ireland Operations and Oracle Corporation UK. Oversight by the Bank of England, PRA and FCA began 13 July. For the first time UK regulators can look directly at a hyperscaler's resilience rather than at their supervised firms' contracts with one.

  4. Commission refers Ireland, Spain, France and the Netherlands to the CJEU over NIS2. On 8 July, for failing to notify transposition measures more than 20 months past the 17 October 2024 deadline. The Commission asked the Court to impose a lump sum plus daily penalties until full transposition is notified.

  5. California DROP deletions start 1 August. Registered data brokers must process deletion requests from 1 August and at least once every 45 days thereafter. The penalty is $200 per day, per missed request. More than 300,000 Californians had signed up as of 2 June — the first cycle will not be a token volume.

Deadlines

  • Jul 22 — EU Transparency Code signatory form due to the AI Office, 18:00 CEST, to appear in the initial-signatories list

  • Aug 01 — California DROP deletion processing begins; 45-day cycle starts

  • Aug 02 — EU AI Act Art. 50 marking and labelling obligations apply

  • Aug 14 — CMMC reform Request for Information closes

  • Live since Jul 13 — UK Critical Third Parties oversight of AWS, Google, Microsoft, Oracle

  • Live since Jul 15 — CAC Order No. 21 binds continuous-emotional-interaction AI services

CyberEyeQ — Actionable Regulatory Intelligence. This episode is for informational purposes only and does not constitute legal advice.

Keep Reading