The EU Omnibus deferred Annex III to December 2027 but pulled synthetic-content transparency forward to December 2026. The SEC moved to rescind its 2024 climate rules. The CMA opened an SMS investigation into Microsoft. California secured a $12.75m CCPA settlement against GM. OFAC sustained secondary-sanctions pressure through UAE and Hong Kong. The Pay Transparency Directive arrives on 7 June, mostly untransposed.
Council, Parliament and Commission reached a provisional agreement to simplify the AI Act. Annex III (use-based) high-risk obligations move from 2 August 2026 to 2 December 2027. But the grace period for labelling AI-generated content was cut from six months to three, landing a new deadline of 2 December 2026.
Final monetary penalty for UK GDPR Article 5(1)(f) and 32(1) breaches following the 2022 Cl0p ransomware attack. Attacker dwelled from September 2020; monitoring covered 5% of the IT estate; Windows Server 2003 still in production. A public benchmark for cyber-hygiene expectations.
AG Bonta, several DAs, and the CPPA settled with General Motors over allegations that OnStar and Smart Driver collected and sold California driver telematics and location data to Verisk and LexisNexis for insurance scoring between 2020 and 2024. An order of magnitude above the previous CCPA high; data minimisation is now the lead theory.
Governor Polis signed SB 189, pushing the Colorado AI Act's effective date from 30 June 2026 to 1 January 2027 and narrowing it. The duty of care against algorithmic discrimination and deployer risk-management duties were dropped in favour of disclosure and transparency around automated decision-making.
The CMA launched a strategic market status investigation under the DMCC Act 2024 covering productivity software, OS, database, and security. Theories of harm: bundling, interoperability constraints, default settings. Statutory designation decision due by 14 February 2027; conduct-requirement breach exposure is up to 10% of global turnover.
The European Commission released draft guidelines on how to classify high-risk AI systems and opened a public consultation running until 23 June 2026. This is a consultation window: in-house teams whose use cases are borderline should consider responding.
Second of two in-force tranches under the 20th package. 14 May added named payment agents to the transaction ban; 24 May added a sectoral prohibition on dealing with Russia-established CASPs. Treasury and trade-finance teams need a sweep against both lists; circumvention via third countries is an explicit enforcement target.
The SEC issued a proposed rulemaking to rescind the climate-related disclosure rules adopted in March 2024, citing lack of statutory authority. Federal mandatory climate disclosure is effectively done for US issuers. California SB 253/261 and EU CSRD become the binding regimes for Global 2000 GCs.
The Texas Responsible Artificial Intelligence Governance Act has been in force since 1 January. It reaches any developer or deployer doing business in Texas or serving Texas residents, and prohibits intentional use of AI for defined restricted purposes.
Trackers now record more than 500 attorney sanction cases tied to AI hallucinations, and over 1,300 matters globally where courts have flagged fabricated content. The April Oregon penalty of $110,000 (for 23 fabricated citations and eight invented quotations) remains the high-water mark.
No dated developments for this region this month.
02 — Regulatory radar
AI
EU
The AI Act delay moved one deadline closer, not further
On 7 May the Council, Parliament and Commission agreed the Digital Omnibus. Annex III high-risk obligations now apply from 2 December 2027, sixteen months later than the original date. But the synthetic-content transparency grace period was shortened from six months to three, pulling that deadline forward to 2 December 2026. The labelling work you have to hit this year got more urgent, not less.
The Omnibus defers heavy high-risk (Annex III) obligations to December 2027 but cuts the synthetic-content transparency grace period from six months to three, setting a nearer deadline of 2 December 2026.
Previously
Annex III high-risk obligations applied from 2 August 2026; the synthetic-content transparency grace period was six months, putting that deadline in early March 2027.
Net change
Heavy classification and conformity-assessment work has 16 extra months to run. The disclosure-and-labelling deadline you actually have to hit this year moved earlier, by about three months.
Impacted
Any team deploying generative or customer-facing AI into the EU, plus procurement teams buying AI-enabled vendor tooling.
Exposure
Up to 7% of global annual turnover (or €35m, whichever is higher) for prohibited-AI breaches; up to 3% for high-risk and transparency breaches.
Enforcement
EU AI Office plus designated national authorities. The Office's enforcement capacity is ramping through 2026; member-state regimes (Germany's BNetzA in particular) are where early action is likely to surface.
Move
Confirm AI-content labelling is live in EU-facing products before December. Re-baseline the heavy high-risk classification workstream against the new December 2027 date — and don't read "delay" as relief on transparency.
Berlin chose its existing telecoms regulator. The Bundesnetzagentur is now Germany's lead AI Act market-surveillance authority and the single point of contact for the EU AI Office, with the BfDI handling data-protection-relevant high-risk systems. If you operate in Germany, your AI Act regulator is known, with twenty-five years of cross-sector market-surveillance experience behind it.
Germany's government adopted the draft AI Market Surveillance and Innovation Promotion Act (KI-MIG), making the Bundesnetzagentur (BNetzA) the default market surveillance authority and single point of contact for the EU AI Office, with the BfDI covering data-protection-relevant high-risk systems.
Previously
No designated German AI authority. The market expected either a new agency or distributed sector regulators.
Net change
A single, established federal regulator now owns AI Act enforcement in Germany. Telecoms-and-postal regulator BNetzA brings a track record of cross-sector market surveillance — your AI Act point of contact in Germany is now known.
Impacted
Any business deploying AI into Germany — your AI Act point of contact, complaints route, and enforcement run through BNetzA rather than a new agency.
Exposure
AI Act penalty regime applies (up to 7% of global turnover for prohibited-AI breaches). KI-MIG adds German procedural rules on cooperation with BNetzA.
Enforcement
BNetzA has 25+ years of telecoms market-surveillance experience and active enforcement teams. Early German enforcement under the AI Act is more likely to be procedural (cooperation, documentation requests) than headline fines.
Move
If you operate in Germany, map your high-risk and GPAI use cases to BNetzA's regime now. The 2 August 2026 application date still stands for the obligations the Omnibus did not defer.
Actions
Policy update, Vendor / procurement review
UK
UK stays principles-based — SRA Risk Outlook stands; ICO guidance under DUAA review
The SRA's November 2023 Risk Outlook is still the operative AI supervision benchmark for UK-regulated firms. What landed in May is on the data side: the ICO's AI guidance is now formally under review against the Data (Use and Access) Act 2025, with Section 103 (the standalone complaints duty) commencing 19 June. The framework hasn't changed; the data-protection enforcement posture has tightened.
The SRA's November 2023 Risk Outlook on AI in the legal market remains the operative supervisory benchmark for UK-regulated firms — and the ICO's AI and data-protection guidance is now under review following the Data (Use and Access) Act 2025, with the next staged commencement (Section 103 complaints duty) on 19 June 2026.
Previously
Prior to DUAA, the ICO's 2023 AI guidance set the data-protection floor; the SRA Risk Outlook published in late 2023 set supervisory expectations. Neither was being actively re-opened.
Net change
The May 2026 development is on the data side — the ICO guidance is now formally under review against the new DUAA framework. The SRA Risk Outlook remains the standing AI supervision benchmark for regulated firms.
Impacted
UK-regulated firms and in-house teams using AI on client or personal data — there is no AI statute, but SRA conduct duties and UK GDPR still bite.
Exposure
UK GDPR penalties up to £17.5m or 4% of global turnover (higher). SRA sanctions on individuals and firms for conduct breaches (fines, restrictions, strike-off).
Enforcement
ICO has an active AI enforcement track; SRA has signalled supervisory focus on AI in the legal market through 2026.
Move
Document the line between casual tool use (public chatbots) and formally adopted systems. Stand up a discrete data-protection complaints workflow with a documented SLA before 19 June, and train front-line teams to route complaints distinctly from DSRs.
FRANCE
France's CNIL: standing GDPR-for-AI recommendations + 2026 workplace and health focus
Life sciences & MedTech, Technology & SaaS, Financial services, Public sector
The CNIL's GDPR-for-AI recommendations were finalised in February 2025 and remain France's operative standard. What landed in May is the 2026 work programme: workplace AI and health AI are now under direct supervisory focus, with sector-specific guidance expected later this year. The data-protection lens on AI in France just got more targeted.
The CNIL's GDPR-for-AI development recommendations (finalised February 2025) remain the operative French standard; its 2026 work programme now extends supervisory focus to AI in the workplace and in health, with sector-specific guidance expected later this year.
Previously
The CNIL had been the most active EU DPA on AI through 2024–25, with recommendations finalised on 7 February 2025 covering lawful basis, data minimisation and subject rights during AI development.
Net change
The May 2026 development is the 2026 work programme, not the underlying recommendations. Workplace and health AI move from general guidance to direct supervisory priority — sector-specific outputs are expected through the year.
Impacted
Any organisation training or deploying AI on personal data touching France — particularly the workplace and health use cases flagged for 2026.
Exposure
GDPR penalties up to €20m or 4% of global turnover (higher), plus CNIL's record of treating algorithmic and HR-tech enforcement seriously.
Enforcement
CNIL is among the most active EU DPAs on AI; expect both formal sanctions and structured corrective notices through 2026.
Move
If you train or fine-tune models on personal data, align design, dataset and training documentation to the CNIL recommendations. Watch for the workplace-AI guidance landing this year; in HR-tech, expect CNIL to move before the AI Act bites.
Actions
Policy update, Contracts to re-paper, Training / awareness
US — STATES
US state AI laws diverge by regulatory model and timing
Colorado pushed its AI Act to 1 January 2027 and traded the duty-of-care for a disclosure regime. Texas TRAIGA runs live on a restricted-purposes model. Connecticut's online-safety provisions hit chatbots and automated hiring from 1 October 2026. Three states, three different compliance regimes for what is commercially the same software.
Colorado retreated from a risk/duty-of-care model to a disclosure model and pushed its date to January 2027; Texas runs live on a restricted-purposes model; Connecticut's online-safety bill targets chatbots and automated employment decisions from October 2026.
Previously
States were broadly aligning on a risk-management duty-of-care template inspired by the EU AI Act, with Colorado the lead case.
Net change
The states are diverging on model as well as timing. Duty-of-care, restricted-purposes, and disclosure-only are three different compliance regimes with three different shapes of evidence required.
Impacted
Multi-state employers and any team whose AI tooling touches consumers across state lines. There is no single US template to copy; both the regulatory models and the effective dates differ.
Exposure
Varies by state. Texas TRAIGA: state AG enforcement, civil penalties. Colorado (revised): AG enforcement, disclosure-focused remedies. Connecticut: pending. Multi-state class actions remain a tail risk in employment-AI contexts.
Enforcement
State AGs are the primary enforcement vector; expect coordinated multi-state probes on high-profile vendors before in-house deployers see sanctions.
Move
Map each AI use case against each state where you operate. Design to the strictest live obligation in your footprint, not the average. Re-check the position quarterly — Colorado just proved these statutes move.
UK — ICO
ICO fines South Staffordshire Water £963,900 over legacy IT and monitoring gaps
Energy & utilities, Public sector, Financial services
The ICO fined South Staffordshire Water £963,900 on 7 May for UK GDPR Article 5(1)(f) and 32(1) failures following the 2022 Cl0p ransomware exfiltration of 633,887 customer and employee records. The penalty narrative is about controls: attacker dwell time from September 2020, monitoring covering 5% of the IT estate, Windows Server 2003 still in production. The ICO's bar for cyber hygiene at regulated firms is now publicly enforceable — and your board paper for next year's cyber budget just wrote itself.
Final monetary penalty notice issued under UK GDPR Articles 5(1)(f) and 32(1) following the 2022 Cl0p ransomware exfiltration of 633,887 customer/employee records. Investigators found dwell time from September 2020, only 5% SIEM coverage of the IT estate, and unsupported software (including Windows Server 2003) still in production.
Previously
The ICO had signalled intent to fine in December 2025; the public penalty notice and headline figure had not yet been issued.
Net change
The ICO is publicly enforcing on legacy IT and monitoring gaps. The penalty narrative focuses on the controls that allowed the breach, with the breach itself secondary to the story.
Impacted
Critical-infrastructure operators, utilities, regulated industries, and any controller running unsupported OS or partial SIEM coverage; CISOs, DPOs and accountable executives.
Exposure
Up to 4% of global turnover or £17.5m under UK GDPR (whichever is higher). A 40% early-settlement discount was applied here.
Enforcement
ICO — active, and explicitly framing this case as a benchmark for cyber-hygiene expectations across regulated sectors.
Move
Inventory unsupported software and SIEM coverage against the ICO's findings. Front-load remediation for any control gap that maps to the penalty narrative — and use this as the board story for next year's cyber budget.
California's AG and CPPA secured a $12.75m CCPA settlement against General Motors over OnStar selling driver telematics to Verisk and LexisNexis for insurance scoring. The previous CCPA high was Sephora at $1.2m; this is an order of magnitude bigger. Data minimisation and purpose limitation are now the lead enforcement theories, and the connected-product flows to data brokers (loyalty programmes, fleet telematics, connected appliances) are squarely in scope.
AG Bonta, several district attorneys, and the CPPA announced a settlement with General Motors over allegations that OnStar and Smart Driver collected and sold California driver telematics and location data to Verisk and LexisNexis for insurance scoring between 2020 and 2024. Settlement includes a five-year ban on selling driving data to consumer reporting agencies and data brokers.
Previously
The largest prior CCPA penalty was Sephora's $1.2m in 2022; data minimisation had never been the lead theory.
Net change
Data minimisation and purpose limitation are now active CCPA enforcement theories, and connected-vehicle telematics is squarely in scope. The penalty quantum is an order of magnitude above prior CCPA actions.
Impacted
Auto OEMs, connected-device manufacturers, insurers, and any business selling behavioural data to data brokers or credit/insurance scoring vendors.
Exposure
$12.75m civil penalty plus a five-year sales prohibition; CCPA penalty regime continues — $2,500 per violation (up to $7,500 intentional) without statutory cap.
Enforcement
California AG and CPPA jointly led — appetite high, with the CPPA reporting more than 100 active investigations.
Move
Audit connected-product data flows to downstream brokers and insurers. Tighten purpose-limitation clauses in vendor agreements, and review CCPA notices for any data-broker or scoring-vendor onward use.
Actions
Policy update, Vendor / procurement review, Contracts to re-paper
Sanctions & export controls
EU — SANCTIONS
EU 20th Russia package: payment-agent and Russia-domiciled CASP bans in force
The 20th sanctions package, adopted 23 April, hit in two May tranches. From 14 May, transactions with four named payment agents (Arneis, Asia Import Group, GPAgent, Platejka) are prohibited. From 24 May, all dealings with Russia-domiciled crypto-asset service providers are banned. Third-country circumvention through UAE, Kazakhstan and Uzbekistan is named as an enforcement target, so sweep your counterparties twice.
The 20th package (adopted 23 April 2026) brought 120 new listings and 36 additional energy-sector listings; two in-force tranches landed in May. From 14 May, transactions with named payment agents (Arneis, Asia Import Group, GPAgent, Platejka) are prohibited. From 24 May, all transactions with Russia-established crypto-asset service providers are banned. Third-country tech suppliers in China, UAE, Uzbekistan and Kazakhstan are within scope.
Previously
The 19th package (October 2025) targeted Russian energy and individual third-country banks but did not impose a blanket prohibition on Russia-established CASPs or this set of payment agents.
Net change
Treasury and trade-finance teams must screen against the four newly-named payment agents and exit any direct or indirect dealings with Russia-domiciled crypto-asset service providers. Anti-circumvention via third countries is an explicit enforcement target.
Impacted
Financial services, energy trading, commodities, fintech and crypto, freight forwarders and shipping insurers; GC, head of sanctions, trade compliance, treasury.
Exposure
National penalties under Directive 2024/1226 — up to 5 years' imprisonment and corporate fines up to 5% of worldwide turnover for serious breaches.
Enforcement
National competent authorities coordinated via the Commission sanctions helpdesk; enforcement appetite high.
Move
Run counterparty screening against the four named payment agents this week and exit any contract with Russia-domiciled CASPs ahead of the 24 May effective date. Add shadow-fleet representations to trade-finance and shipping-insurance clauses.
Actions
Policy update, Vendor / procurement review, Contracts to re-paper, Training / awareness
US — OFAC
OFAC sustains "Economic Fury" Iran-oil designations through UAE and Hong Kong
Energy & utilities, Financial services
OFAC designated twelve more entities on 11 May under the Economic Fury Iran-oil campaign, including UAE- and Hong Kong-based facilitators. Follow-on May designations added shadow-banking front companies and nineteen blocked vessels. Secondary-sanctions exposure for traders, shippers and banks now reaches through UAE, Hong Kong and PRC teapot refineries; counterparty diligence has to track the cargo, not the paper.
OFAC designated 12 individuals and entities (including UAE- and Hong Kong-based companies) for enabling IRGC sales and shipments of Iranian oil to the PRC. Follow-on May designations added shadow-banking front companies and 19 blocked vessels. The campaign now runs monthly designation rounds.
Previously
Secondary-sanctions exposure for Iranian-origin barrels was concentrated on Iranian and PRC counterparties; UAE and Hong Kong facilitators were not as routinely captured by name.
Net change
Secondary-sanctions risk for traders, banks and shippers touching Iranian-origin barrels now extends squarely through UAE, Hong Kong and PRC "teapot" refinery counterparties.
Impacted
Commodity traders, shipping and marine insurance, refining (notably PRC "teapots"), correspondent banks, and any financial institution with UAE/HK exposure.
Exposure
SDN blocking, secondary-sanctions exclusion from the US financial system; civil penalties under IEEPA up to ~$377,000 per violation or twice the transaction value.
Move
Refresh KYC and sanctions screening on UAE and Hong Kong trading and shipping counterparties. Check OFAC alerts on PRC teapot refineries; update charterparty and bill-of-lading clauses to require sanctions reps.
Actions
Vendor / procurement review, Contracts to re-paper, Training / awareness
Competition & antitrust
UK — CMA
CMA opens fourth SMS investigation, this time into Microsoft's business software ecosystem
The CMA opened its fourth strategic-market-status investigation on 14 May, this time into Microsoft's business software ecosystem. Productivity software, OS, database and security are all in scope; the cited theories of harm are bundling, interoperability and default settings. Statutory designation decision by 14 February 2027. If your stack depends on Teams, Defender, Entra or SQL Server, start documenting switching frictions before the market test.
The CMA launched a strategic market status investigation under Part 1 of the DMCC Act 2024 covering Microsoft's business software ecosystem — productivity software, PC and server operating systems, database management systems, and security software. The invitation to comment cites bundling, interoperability constraints and default settings as theories of harm. Statutory designation deadline: 14 February 2027.
Previously
The CMA's completed SMS designations had covered Google (search) and Apple/Google (mobile platforms). Business software sat outside the SMS perimeter.
Net change
The CMA's SMS perimeter now reaches into productivity and enterprise software. Conduct requirements applied to a designated firm bind in this layer for the first time, extending the regime well beyond consumer-facing platforms.
Impacted
UK enterprise IT buyers, Microsoft-ecosystem ISVs, security software vendors competing with bundled Defender; procurement counsel and CIOs.
Exposure
Breach of a conduct requirement attracts penalties up to 10% of global turnover under the DMCC Act.
Enforcement
CMA — active and methodically expanding the SMS pipeline.
Move
If your stack depends on Microsoft bundling decisions (Teams, Defender, Entra, SQL Server), brief procurement on likely conduct-requirement levers. Start documenting switching frictions for any future market-test submission.
Actions
Contracts to re-paper, Vendor / procurement review, Policy update
US — COURTS
State AGs win Live Nation/Ticketmaster monopolization verdict; structural remedies open
A Manhattan federal jury found Live Nation and Ticketmaster liable on every state and federal monopolisation, tying, and exclusive-dealing claim brought by 33 state attorneys-general. DOJ had settled in March without divestiture; the states rejected the deal and tried the case alone. Judge Subramanian opened remedies in May with structural breakup live on the table. For any vertically-integrated platform, a DOJ settlement is no longer the ceiling of antitrust risk.
A Southern District of New York jury found Live Nation and Ticketmaster liable on all federal and state monopolization, tying and exclusive-dealing claims brought by 33 states and DC, after DOJ settled mid-trial in March 2026 without divestiture. Judge Subramanian ordered remedies proceedings — including potential structural breakup — to begin in May.
Previously
DOJ's March 2026 consent decree had imposed only behavioural remedies; states rejected the deal and tried the case alone.
Net change
State AGs can — and will — drive structural antitrust outcomes that DOJ has abandoned, and juries will deliver monopolization verdicts in tech-adjacent platforms.
Impacted
Platform businesses with vertically integrated business lines; any company assuming a DOJ settlement is the ceiling of antitrust risk.
Exposure
Damages of $1.72/ticket overcharge across the class, trebled under Sherman §2; potential divestiture of Ticketmaster.
Enforcement
State AG coalition led by NY, MD, UT — appetite extremely high as federal enforcement contracts.
Move
Re-scope antitrust risk maps to include state AG litigation paths after a DOJ closure. Reassess vertically integrated business lines: structural remedies are now a live possibility, not a tail risk.
Actions
Policy update, Board / audit committee notify
AUSTRALIA — ACCC
Australia's mandatory merger regime expands to partial-asset and voting-power triggers
Cross-sector item — applies to all
The April 2026 wave of Australia's mandatory and suspensory merger regime added partial-asset acquisitions and a voting-power test. Notification triggers now reach minority stake build-ups, JV asset contributions and non-control share purchases (a much wider universe of deals). ACCC pre-clearance is phase-1-quick for the typical filing, but closing without it voids the deal. Update SPA conditions-precedent templates for any Australian-nexus transaction signed from April onward.
The April 2026 wave of the mandatory and suspensory Australian merger regime extended notification triggers to partial-asset acquisitions (notifiable where the acquirer group has at least A$200m Australian revenue and the global deal value is at least A$200m; "very large acquirer" trigger at A$500m + A$50m deal value) and added a voting-power test capturing non-control share acquisitions.
Previously
From 1 January 2026 the mandatory regime applied only to broader change-of-control acquisitions meeting the headline thresholds; partial-asset and voting-power expansions were deferred to 1 April.
Net change
The universe of deals requiring ACCC notification is now materially wider — partial carve-outs, minority stake build-ups and JV asset contributions can trigger mandatory pre-clearance.
Exposure
Closing a notifiable deal without ACCC clearance renders the transaction void and exposes parties to significant civil penalties under the Competition and Consumer Act.
Enforcement
ACCC pre-clearance with phase 1 decisions targeted at 15–20 business days for ~80% of filings; waiver process available.
Move
Update M&A playbooks and SPA conditions-precedent templates to capture the partial-asset and voting-power triggers for any Australian-nexus transaction signed from April 2026 onward.
Actions
Policy update, Contracts to re-paper, Board / audit committee notify
ESG & sustainability
US — SEC
SEC proposes full rescission of 2024 climate-disclosure rules
Cross-sector item — applies to all
The SEC issued a proposed rulemaking on 29 May to rescind the 2024 climate-related disclosure rules in their entirety, citing lack of statutory authority. Federal mandatory climate disclosure is effectively dead for US issuers. California SB 253/261 and EU CSRD are the binding regimes going forward. Reallocate SEC compliance budget to CARB readiness and CSRD double materiality, but don't tear out the internal controls you already built.
The SEC issued a proposed rulemaking (Release No. 33-11420; S7-2026-19) to rescind the climate-related disclosure rules adopted in March 2024, citing lack of statutory authority and a materiality-first disclosure philosophy.
Previously
The rules were stayed shortly after adoption, challenged in the Eighth Circuit, and the Commission withdrew its defense in March 2025; today's action begins the formal repeal.
Net change
Federal mandatory climate disclosure is effectively dead for US issuers — California SB 253/261 and EU CSRD become the binding regimes Global 2000 GCs must plan around.
Impacted
Every SEC-registered issuer that had been scoping Scope 1/2 reporting, climate-risk governance disclosures, and attestation procurement.
Exposure
No federal penalty exposure once rescinded; California SB 253 civil penalties up to $500,000/year remain live.
Enforcement
SEC Chair Atkins explicitly disavowed using disclosure to dictate corporate behaviour — federal enforcement appetite zero.
Move
Redirect SEC-prep spend toward CARB readiness and CSRD double-materiality work. Keep the internal climate controls and data pipelines you've built — California and the EU will still need them.
EU — EMPLOYMENT
EU Pay Transparency Directive transposition deadline hits with most member states unready
Cross-sector item — applies to all
Transposition deadline is 7 June 2026, and most member states aren't ready. Only Slovakia and Italy have comprehensive implementing legislation; Sweden has refused to transpose at all and is seeking renegotiation. From 8 June, unimplemented Directive provisions have direct effect against the state; private employers face a national patchwork. Adopt a pan-EU floor policy now (pay bands in job ads, candidate disclosure rights, no pay-history questions, gap analytics at 100+ employees) and layer national rules as they land.
Transposition deadline is 7 June 2026. As at end-May 2026, only Slovakia and Italy have adopted comprehensive implementing legislation; Poland brought partial measures into force on 24 December 2025; Denmark and the Netherlands have confirmed January 2027; France September 2026; Sweden announced on 26 March 2026 that it will not transpose and is seeking renegotiation; Germany, Ireland and at least seven others have no published draft.
Previously
Member states had three years to transpose. The Directive mandates pay-band disclosure in job ads, candidate information rights, and pay-gap reporting for employers with 100+ workers (phased from 250+).
Net change
Direct effect of unimplemented Directive provisions against the state likely kicks in from 8 June 2026 — but vertical-only direct effect means private-sector employers face a patchwork: comply with the Directive's floor across the EU, then layer national rules as they land.
Impacted
All employers with 100+ EU employees; especially financial services, professional services, manufacturing and retail with multi-country footprints; GC, CHRO, head of reward.
Exposure
National fines under transposing law (Slovakia's regime takes effect 1 June 2026); reversal of burden of proof in equal-pay claims; mandatory remediation where the unjustified gap exceeds 5%.
Enforcement
Member-state equality bodies and labour inspectorates; Commission has signalled infringement proceedings against laggards.
Move
Adopt a pan-EU floor pay-transparency policy this quarter: pay bands in job ads, candidate disclosure rights, no pay-history questions, gap analytics at 100+ employee entities. Track national transposition and bolt on country-specific rules as they land.
EU — ENISA
ENISA NIS360 2026 lifts three sectors into high maturity but flags critical gaps
Energy & utilities, Financial services, Life sciences & MedTech, Manufacturing, Public sector
ENISA's 2026 NIS360 lifted trust services, aviation, and financial market infrastructures into the high-maturity band. Gas, road, maritime and health strengthened within moderate. The two-year trend gives national competent authorities a calibration tool when prioritising audits and inspections. If you sit in a sector still flagged moderate (health and gas in particular), the FY27 cyber budget narrative writes itself.
ENISA published the third edition of NIS360, its sector-by-sector cybersecurity maturity and criticality assessment under NIS2 Annex I. Trust services, aviation, and financial market infrastructures moved into the high-maturity band; gas, road, maritime, and health strengthened within the moderate band — leaving several Annex I sectors still trailing the criticality curve.
Previously
The 2025 NIS360 ranked most sectors moderate at best; FMIs and aviation were not yet in the high band.
Net change
ENISA now has a two-year maturity trendline NCAs can lean on when calibrating audits and inspection priorities. Sectors still moderate are the obvious targets for supervisory escalation.
Impacted
NIS2 essential and important entities, especially in gas, road, maritime and health where regulator scrutiny is most likely to escalate first.
Exposure
Up to €10m or 2% of global turnover for essential entities under NIS2; management can be held personally accountable.
Enforcement
ENISA (advisory) + national NIS2 competent authorities — building, with several member states already running early supervisory cycles.
Move
If you sit in a sector ENISA flagged as still moderate (health and gas in particular), use NIS360 as your board narrative for the FY27 cyber budget ask.
TAX — GLOBAL
OECD Pillar Two Side-by-Side Package operative; US-parented groups excluded, first GIR clock running
Cross-sector item — applies to all
The OECD's January 2026 Side-by-Side Package is now operative. US-parented MNEs can elect a deemed-zero top-up under both the IIR and UTPR, formalising US exclusion from Pillar Two globally. Twenty-two of twenty-seven EU member states now have both an IIR and a QDMTT in force, and the first calendar-year GIR (GloBE Information Return) filing falls due 30 June 2026. US-parented groups can largely stand down Pillar Two top-up planning; non-US-parented groups have a fortnight.
The OECD's January 2026 Side-by-Side Package implementing the June 2025 G7 political deal allows US-parented MNEs to elect a deemed-zero top-up under both the IIR and UTPR — formalising US exclusion from Pillar Two globally. 22 of 27 EU member states now have both an IIR and a QDMTT in force; the first calendar-year GIR (GloBE Information Return) filing falls due 30 June 2026.
Previously
Through 2025, US-parented MNEs faced potential top-up tax exposure in jurisdictions implementing IIR/UTPR; the assumption was a uniform 15% regime with limited carve-outs.
Net change
Following the January 2026 Side-by-Side Package, US-headquartered Global 2000 groups can largely turn off Pillar Two top-up planning; non-US-parented groups still need full GloBE compliance for the 30 June 2026 GIR deadline. The asymmetry is now legally settled, not provisional.
Impacted
Multinational groups with consolidated revenue above €750m; especially US-headquartered groups with EU and UK subgroups; head of tax, GC, CFO.
Exposure
Member-state penalties for late or incorrect GIR filing; UK penalties under FA 2023 Part 3 (Multinational Top-up Tax); substantive top-up risk eliminated for US-parented groups electing SbS.
Enforcement
National revenue authorities (HMRC, German Bundeszentralamt für Steuern, French DGFiP, etc.) coordinated via OECD Inclusive Framework monitoring.
Move
US-parented groups: document the SbS election and brief the audit committee on the EU/non-EU exposure asymmetry. Non-US-parented groups: lock down GIR data and transitional safe-harbour positions before 30 June 2026.
COURTS — GLOBAL
AI supervision has become a procurement question
Cross-sector item — applies to all
Sanction trackers passed 500 attorney cases tied to AI hallucinations in May; the Oregon $110,000 penalty is still the high-water mark. Enterprise procurement teams now include AI-review questions in security questionnaires, and the absence of a documented supervision workflow is itself a finding. Have a one-paragraph description of your review workflow ready: what the agent does, where the human sits, what gets logged.
With 500+ attorney sanction cases and a six-figure benchmark fine, enterprise clients are starting to ask vendors and outside counsel how AI output is supervised before it leaves the building.
Previously
AI-output supervision was framed primarily as a professional-responsibility issue for outside counsel and an internal-controls issue for in-house teams.
Net change
Supervision evidence is now part of the buying process. Security and procurement questionnaires increasingly include an AI-review question, and the absence of a documented workflow is itself a finding.
Impacted
In-house teams in any territory answering client security and procurement questionnaires — and anyone relying on AI-assisted drafting without a documented review step.
Exposure
Direct: court sanctions up to six figures per matter (Oregon, $110,000 benchmark). Indirect: failed RFPs, lost client trust, malpractice exposure where supervision is absent.
Enforcement
Courts (sanctions and adverse inferences), bar associations (professional discipline), and enterprise buyers (procurement gating).
Move
Write the paragraph your procurement counterpart will ask for: what the agent does, where the human sits, what gets logged, where the audit trail lives. Put it where outside counsel can copy it into RFP responses without asking.
AI: Omnibus buys time on heavy high-risk (Dec 2027) but pulls synthetic-content transparency earlier (Dec 2026). Sanctions: 20th Russia package live in tranches through May. ESG: CSRD and CS3D scaled back under Omnibus I; EUDR simplification before December 2026 go-live. Employment: Pay Transparency deadline 7 June. Cyber: ENISA NIS360 hardens supervisory pipeline.
Germany
EU law, German enforcer
Berlin opted not to create a new agency: the Bundesnetzagentur leads AI Act market surveillance and is the single point of contact for the EU AI Office, with the BfDI on data-protection-relevant high-risk systems. Germany has not published a Pay Transparency Directive transposition draft; expect retrofitting once national law lands.
France
GDPR-first on AI; data-protection lens dominant
The CNIL finalised GDPR-for-AI development recommendations and prioritised workplace and health AI for 2026. France targets September 2026 for Pay Transparency Directive transposition. In France, the data-protection lens often arrives before the AI Act one.
United Kingdom
Principles on AI; statute everywhere else
AI: regulator-led, principles-based — SRA Risk Outlook + ICO guidance under review post-DUAA. Data: ICO £963,900 fine sets cyber-hygiene benchmark; DUAA Section 103 commences 19 June. Antitrust: CMA opens fourth SMS investigation (Microsoft). Cyber: CSR Bill report stage 10 June brings UK closer to NIS2. Employment: day-one SSP live since 6 April under Employment Rights Act.
United States
Federal retreat, state expansion
Colorado's AI Act scale-back, SEC climate-rule rescission, FTC non-compete rule removal — the federal floor is retreating. Meanwhile California ($12.75m GM CCPA), state AGs (Live Nation verdict) and state AI laws (Texas live, Connecticut from October) carry the actual enforcement. Plan for divergence, not convergence; design to the strictest live obligation in your footprint.
Asia–Pacific
Sectoral pressure, country by country
India: SEBI tightens CSCRF expectations with an AI vulnerability-detection advisory. Australia: April 2026 wave of the mandatory merger regime expanded triggers to partial-asset and voting-power deals. Japan: APPI amendment bill before the Diet introduces direct administrative monetary penalties and a biometric data category. China: CAC consultation on a simplified PIPL regime for small processors closed 3 May. APAC content is fragmented but consistently moves; brief sub-region by sub-region, not at "APAC" scale.
04 — Deadlines
Effective / trigger
What it is
Window to act
6 Apr 2026
UK Employment Rights Act: day-one SSP (live)
Live since 6 April. Payroll engines and absence policies must be updated; FY26/27 budgets recalibrated for the SSP cost uplift.
7 Jun 2026
EU Pay Transparency Directive transposition deadline
This week. Most member states unready. Adopt a pan-EU floor policy now: pay bands in job ads, candidate disclosure rights, no pay-history questions, gap analytics for 100+ employee entities.
10 Jun 2026
UK Cyber Security & Resilience Bill: report stage and third reading
Imminent. Map vendor contracts to the new "critical supplier" perimeter; flight-test incident-reporting timelines now.
19 Jun 2026
UK DUAA Section 103: standalone data-protection complaints duty
Imminent. Stand up a discrete complaints workflow with documented SLA before 19 June; train front-line teams to route complaints distinctly from DSRs.
30 Jun 2026
First Pillar Two GIR filing deadline (calendar-year groups)
This month. Lock down CbCR safe-harbour analysis for FY2025 and confirm GIR filing approach (local vs. central) before 30 June.
2 Aug 2026
Germany's KI-MIG supervisory regime — BNetzA as lead AI authority
If you operate in Germany, confirm your BNetzA-facing posture and GPAI documentation before August.
1 Oct 2026
Connecticut online safety provisions: chatbots and automated employment decisions
Q3 2026 to update consumer-facing chatbot disclosures and employment AI workflows.
2 Dec 2026
EU AI Act synthetic-content transparency (Omnibus 3-month grace)
This year. Confirm AI-generated content labelling is live in EU-facing products now.
30 Dec 2026
EU Deforestation Regulation (large/medium operators)
H2 2026 to lock in due-diligence statement workflows on the staged Information System; decide downstream-operator status for finished-goods imports.
1 Jan 2027
Colorado AI Act (revised, narrowed) takes effect
H2 2026 to align disclosures to the narrowed automated-decision scope.
2 Dec 2027
EU AI Act Annex III high-risk obligations
Long runway, but classification and conformity work should start in 2026.
14 Dec 2027
EU Forced Labour Regulation full application
Enforcement infrastructure live from 17 May 2026. Map your product portfolio against the Commission's risk database and tighten supplier contracts before 2027.