The Horizon — Current state of play

Where things stand right now

Where things stand right now across the lanes that matter to in-house legal teams — UK, EU, Germany, France, US, APAC. Two-to-three sentences of orientation per lane, no headlines, no historical narrative. Read this once when you arrive cold; come back to it whenever you want to re-baseline before reading a monthly issue.

As of 2 June 2026
Refresh cadence: Each monthly issue
Region: EU items show for Germany & France; APAC covers CN, JP, SG, IN, AU and more.
United Kingdom
Principles-based on AI, statute-based on almost everything else. The combination of UK GDPR, DUAA, DMCC 2024, the Employment Rights Act and the incoming Cyber Security & Resilience Bill means the UK now has more sector-specific regulatory motion than any other single jurisdiction in the scan.
AI
No horizontal AI statute. Regulator-led: the SRA Risk Outlook + ICO guidance (under review post-DUAA) set the practical expectations. Supervision, confidentiality and privilege are explicitly in scope for regulated firms.
Data & privacy
UK GDPR + the Data (Use and Access) Act 2025. Main provisions live since 5 Feb 2026; Section 103 standalone complaints duty commences 19 June 2026. ICO actively enforcing on cyber-hygiene and legacy-IT controls; penalty cap £17.5m or 4% global turnover.
Sanctions & export controls
Aligned with the EU 20th Russia package, implemented via OFSI. New settlement track introduced February 2026 with up to 70% layered discounts for voluntary self-disclosure; statutory maximum being lifted to the higher of £2m or 100% of breach value.
Competition & antitrust
Digital Markets, Competition and Consumers Act 2024 era. The CMA is running an SMS designation pipeline — Google (search), Apple/Google (mobile platforms), and now Microsoft (business software, opened 14 May 2026). Conduct-requirement breach: up to 10% global turnover.
Commercial & distribution
DMCC Act 2024 consumer-protection provisions live since April 2025 — CMA actively enforcing on subscription traps, drip-pricing and fake reviews. Franchise reform consulted on through 2025-26; no horizontal franchise statute. Joint controllership under UK GDPR follows the Fashion-ID line.
ESG & sustainability
Modern Slavery Act + transition-plan disclosure expectations through FCA listing rules. No horizontal due-diligence statute (CS3D not transposed); UK consulting on its own approach. FRC and FCA the principal enforcers on disclosure.
Employment & labour
Employment Rights Act rolling out in stages — day-one SSP live since 6 April 2026; further commencements through 2026/27. Non-compete reform at working-paper stage. Pay-transparency landscape principles-based via existing equality law.
Cyber & resilience
NIS Regulations 2018 still operative; the Cyber Security & Resilience Bill (report stage 10 June 2026) widens the perimeter to MSPs, data centres and critical suppliers — moving the UK closer to NIS2. NCSC + sector regulators.
Tax
Pillar Two: Multinational Top-up Tax and Domestic Top-up Tax in force; first calendar-year GIR filing 30 June 2026. ICTS transfer-pricing schedule arriving FY2027; PE rules being aligned with the OECD definition.
European Union
Maximalist regulatory perimeter, now in active enforcement across AI, data, antitrust, ESG, cyber and tax — but several files (CSRD, CS3D, EUDR) have been scaled back under the Omnibus simplification programme. Country-level enforcement still drives outcomes; the Commission sets the rules.
AI
AI Act in force. Omnibus shifted Annex III high-risk obligations to 2 December 2027 but pulled synthetic-content transparency forward to 2 December 2026. Penalties up to 7% global turnover (prohibited AI), 3% (high-risk / transparency). AI Office + national authorities enforce.
Data & privacy
GDPR + EU Data Act + sector-specific regimes. EDPB sets coordination; national DPAs (CNIL, BfDI, Garante, AEPD) carry enforcement. Penalty cap €20m or 4% global turnover. Commission Tech Sovereignty Package (CADA + Chips Act 2.0) proposed May 2026.
Sanctions & export controls
20th Russia package adopted 23 April 2026; payment-agent transaction ban live from 14 May, Russia-domiciled CASP ban from 24 May. Third-country circumvention (UAE, Kazakhstan, Uzbekistan, China) named as an enforcement target. Directive 2024/1226 harmonises criminal penalties — up to 5 years' imprisonment + 5% turnover.
Competition & antitrust
DMA + DSA live and being enforced (Apple €500m, Meta €200m to date; Google self-preferencing decision pending). Draft revised Merger Guidelines in consultation to 26 June 2026 — consolidating horizontal + non-horizontal guidance with explicit treatment of innovation and ecosystems.
Commercial & distribution
DSA + DMA carry the platform-distribution work; VBER (vertical block exemption) governs vertical agreements through 2032. Consumer Protection Cooperation Regulation coordinates national enforcers; UCCD reforms pending. EDPB Fashion-ID guidance defines joint-controllership scope under GDPR.
ESG & sustainability
CSRD scope cut by ~90% and CS3D transposition pushed to 2028 under Omnibus I. EUDR (4 May simplification package) lands for large/medium operators 30 December 2026. Forced Labour Regulation enforcement system live from 17 May 2026; full application 14 December 2027.
Employment & labour
Pay Transparency Directive transposition deadline 7 June 2026 — most member states unready, creating direct-effect risk against the state and a national patchwork for private employers. Platform Work Directive transposition deadline 2 December 2026.
Cyber & resilience
NIS2 in force across member states (transposition varies); DORA in force from 17 January 2025 with second annual Register cycle now driving nth-party supervision. ENISA NIS360 2026 (May) tracks sector maturity; penalties up to €10m or 2% turnover for essential entities.
Tax
Pillar Two in force in 22 of 27 member states with both IIR and QDMTT. First calendar-year GIR filing 30 June 2026. FASTER Directive (withholding-tax relief) transposition by 31 December 2028, application from 1 January 2030.
Germany
Established regulators, not new agencies. The dominant pattern is EU rules enforced through German federal authorities with long track records — BNetzA on AI, BfDI on data, BAFA on sanctions, BSI on cyber.
AI
KI-MIG names the Bundesnetzagentur (BNetzA) as AI Act lead market surveillance authority and EU AI Office single point of contact, with the BfDI on data-protection-relevant high-risk systems. Application from 2 August 2026.
Data & privacy
GDPR + BDSG. BfDI active on AI and health data; consistent with EU practice. State-level DPAs (e.g. LfDI Baden-Württemberg) often take the lead on enforcement actions.
Sanctions & export controls
EU sanctions implemented through BAFA (export controls) and Bundesbank (financial). German prosecutors active on circumvention investigations.
Competition & antitrust
Bundeskartellamt active; Section 19a designation regime (Digital Markets Act-style) runs in parallel to the DMA, with Google, Meta, Amazon, Apple, Microsoft designated.
Commercial & distribution
Bundeskartellamt active on vertical restraints and MFN clauses (the Booking.com line of cases ran through the Federal Court of Justice). Strong UWG (unfair-competition) enforcement; consumer rights via VRRL and the BGB.
ESG & sustainability
Lieferkettengesetz (LkSG) continues as a domestic supply-chain due-diligence statute even as CS3D is narrowed. BAFA enforcement on LkSG; first sanctions in the pipeline.
Employment & labour
No published Pay Transparency Directive transposition draft as at end-May 2026 — direct-effect risk and probable retrofit. Strong Betriebsrat (works council) regime for AI and platform-management decisions.
Cyber & resilience
NIS2 transposition (NIS2UmsuCG) delayed; BSI is the principal authority. KRITIS regime for critical infrastructure remains active in parallel.
Tax
Pillar Two enacted via MinStG; full alignment with EU. First GIR filings due June 2026 for calendar-year groups.
France
Data-protection-first lens. The CNIL is among the most active EU regulators on AI, algorithmic decision-making and HR-tech, and tends to arrive at clear positions before the AI Act enforcement bites.
AI
CNIL final recommendations on GDPR-for-AI development; 2026 agenda prioritises workplace and health AI. In France the data-protection lens often arrives before the AI Act one.
Data & privacy
GDPR + Loi Informatique et Libertés. CNIL highly active on cookie consent, dark patterns, and algorithmic processing. Penalties via the LIL track in parallel to GDPR.
Sanctions & export controls
Direction Générale du Trésor enforces; alignment with EU 20th package. French prosecutors (PNF) active on related circumvention investigations.
Competition & antitrust
Autorité de la concurrence active across digital and traditional markets. Revised EU Merger Guidelines will shape French practice; AdLC took the lead on the Google Pixel/AAS investigation.
Commercial & distribution
DGCCRF active on consumer protection; the LME / Code de commerce governs commercial relationships and distribution. CNIL takes a firm line on joint controllership and loyalty-programme data flows.
ESG & sustainability
Devoir de vigilance (Loi 2017-399) continues as France's domestic supply-chain due-diligence regime; growing climate litigation pipeline based on it. Pacte law extends ESG factors in corporate purpose.
Employment & labour
Pay Transparency Directive transposition targeted for September 2026. Strong CSE (works council) consultation regime over algorithmic management and AI in HR.
Cyber & resilience
NIS2 transposition via the resilience act; ANSSI is the principal authority. France implements DORA via AMF/ACPR supervision.
Tax
Pillar Two implemented; ongoing political debate on Digital Services Tax and withholding rules touching cross-border services.
United States
Federal retreat, state expansion. The pattern through 2026 is federal rollback (SEC climate, FTC non-compete, no federal AI statute) while state attorneys-general, state legislatures and California in particular carry the actual enforcement load.
AI
No federal AI statute. State patchwork now diverging on philosophy: Texas TRAIGA live on restricted-purposes; Colorado SB 189 (revised, narrowed) effective 1 January 2027 on disclosure; Connecticut online safety from 1 October 2026; California ADMT/automated-decision regulations live.
Data & privacy
No federal privacy statute. State patchwork (CA, VA, CO, CT, UT, TX, IL BIPA, more). California CPPA + AG the most active enforcer — $12.75m GM CCPA settlement May 2026 is the new benchmark. FTC consumer-protection enforcement under Section 5 covers data brokers, dark patterns, deceptive AI claims.
Sanctions & export controls
OFAC active under "Economic Fury" Iran-oil campaign; UAE and Hong Kong secondary-sanctions exposure heightened. BIS export controls on emerging tech. SEC and DOJ in coordinated enforcement on certain matters.
Competition & antitrust
Federal HSR + Sherman + Clayton Act. DOJ Antitrust and FTC; merger enforcement still demanding structural divestitures in classic horizontal overlap (e.g. Taiheiyo/CalPortland May 2026). State AGs increasingly lead structurally — Live Nation/Ticketmaster verdict shows juries will deliver monopolization findings federal enforcement abandoned.
Commercial & distribution
FTC §5 + state UDAP statutes; Robinson-Patman re-emerging at the FTC. Franchise sales regulated state-by-state (CA, NJ, NY active); FTC Franchise Rule still operative. Loyalty-programme and consumer-data regulation expanding state-by-state.
ESG & sustainability
SEC moves to rescind 2024 climate disclosure rules (proposed 29 May 2026). California SB 253/261 carries the binding climate-disclosure load. Anti-ESG state pressure (TX, FL) sits alongside pro-ESG states. EU CSRD reaches US-parented groups via EU subsidiaries.
Employment & labour
FTC Non-Compete Rule formally removed February 2026; reverts to state law. State non-compete bans (CA, MN, ND, OK strict; NY, IL, WA building). Pay transparency expanding state-by-state. NLRB rulings still active under reduced federal scope.
Cyber & resilience
CIRCIA incident-reporting rules phasing in; HHS HIPAA Security Rule overhaul targeted final-rule 2026; SEC cyber disclosure live. State data-breach notification regimes operate in parallel.
Tax
Pillar Two: US-parented MNEs excluded under the OECD Side-by-Side Package (deemed-zero top-up election). GILTI and CAMT continue; OECD GIR filing not applicable for SbS-electing groups.
Asia–Pacific
Country by country, not region-wide. The umbrella hides large divergences: China runs an active platform-economy enforcement programme, India is bedding in DPDP and SEBI cyber, Japan and Korea are passing new AI and privacy frameworks, Australia is moving its merger regime. Brief sub-region by sub-region.
AI
Japan AI Promotion Act effective 2026; China generative-AI service algorithm filing in force via CAC; Korea AI Framework Act effective January 2026; Australia voluntary AI Safety Standard moving toward mandatory. Each jurisdiction is distinct — no APAC-wide rule.
Data & privacy
China PIPL + Data Security Law (CAC consultation on simplified PIPL for sub-100,000-subject processors closed 3 May 2026); India DPDP Act enforcement ramping; Japan APPI amendment bill before the Diet (biometric category + direct monetary penalties); Australia privacy reform in tranches; Singapore PDPC NRIC-authentication ban from 1 January 2027.
Sanctions & export controls
China anti-foreign-sanctions law; no APAC-wide sanctions regime. The principal APAC exposure for global teams is secondary sanctions: UAE and Hong Kong counterparties named in OFAC's Iran-oil campaign.
Competition & antitrust
Australia mandatory merger regime expanded April 2026 to partial-asset and voting-power triggers. China SAMR active on platform economies — RMB 3.6bn aggregate penalties on seven platforms April 2026. Japan JFTC and Korea KFTC pursue parallel platform investigations.
Commercial & distribution
Singapore CCCS active on consumer protection; PDPC enforcing data portability. Australia ACCC strong on consumer law (Schedule 2 ACL); the Franchising Code is under review. Japan JFTC enforces the Subcontract Act; Korea is active on distribution restrictions.
ESG & sustainability
Fragmented. Singapore SGX climate-disclosure rules; Japan TCFD/ISSB adoption strong; Hong Kong ISSB alignment phasing; Australia mandatory climate reporting commenced 2025. No region-wide framework.
Employment & labour
Region-specific. Japan workstyle reform continues; Australia closing-loopholes reforms phasing; Singapore PME pass changes; India industrial relations codes phasing. No APAC pay-transparency equivalent to the EU Directive.
Cyber & resilience
SEBI tightens CSCRF expectations (India, May 2026 advisory); MAS technology-risk management (Singapore); CAC + MIIT cyber rules (China); ACSC ISM (Australia). Sectoral pressure across financial services especially.
Tax
Pillar Two adoption variable: Japan, Korea, Australia in the early-adopter group; Singapore, Hong Kong selective adoption; China outside the framework but engaged in OECD discussions.

For the dated developments that landed this month, see the latest issue. For the deadlines that follow from this state of play, see the calendar. For how the page is compiled, see the methodology.
