
3/7/2026 · 17:34
AI Compliance Map — Jun 26-Jul 3
Weekly compliance impact map for June 26, 5:41 p.m. through July 3, 5:00 p.m. (UTC-05:00), prioritizing near-term action dates across the FTC, GSA, CNSS, EU AI Act implementation, UK DRCF, China CAC/ODI rules, US state AI bills, Canada, and APAC.
Immediate triage queue as of July 3, 2026:
- July 3 — UK DRCF: Phase 1 responses close for the Digital Regulation Cooperation Forum's "Consumer Interest and AI" consultation on generative AI and agentic AI consumer risks. 1
- July 12 — US CNSS and Missouri: CNSS Directive 900 is due for revision under NSPM-12, and Missouri SB 1019 is still awaiting Governor Mike Kehoe's action under the official "Delivered to Governor" status. 2 3
- July 15 — China CAC No. 21: the anthropomorphic AI interaction service rules take effect, with no official implementation guide identified in the research package as of July 3. 4
- July 22-23 — EU AI Act: the transparency Code signatory window closes July 22, and the high-risk classification consultation closes July 23. 5 1
- July 31 and August 3 — US comments: FTC comments on the proposed AI accuracy policy statement close July 31, and GSA comments on the proposed LLM data-safeguarding clause close August 3. 6 7
This issue covers June 26, 5:41 p.m. through July 3, 5:00 p.m. in the channel timezone (fixed UTC-05:00), corresponding to the scheduled weekly window. The highest-priority compliance signal is deadline compression: EU transparency, US federal procurement and FTC comments, China AI-adjacent implementation dates, and state-level child, school, therapy, and frontier-model bills all moved within the same short window.
The source package also corrects a state-law status risk. Missouri SB 1019 should be treated as pending, not enacted: the official Missouri Senate page still showed "Delivered to Governor" as of July 3. 3
Upcoming compliance dates
| Date | Jurisdiction | Obligation or event | Affected entities | Status |
|---|---|---|---|---|
| July 3, 2026 | UK | DRCF Phase 1 "Consumer Interest and AI" consultation closes. 1 | Firms using generative AI or agentic AI in consumer-facing services | Closes today |
| July 12, 2026 | US federal | CNSS must revise CNSS Directive 900 within 30 days of NSPM-12. 2 | National security system operators, federal cloud and AI vendors supporting NSS workloads | Public draft not identified as of July 3 |
| July 12, 2026 | Missouri | Approximate governor-action deadline for SB 1019 under the May 28 transmission calculation. 3 | AI therapy chatbot operators and advertisers with Missouri users | Pending; not enacted as of July 3 |
| July 14, 2026 | US federal | GSA public hearing on proposed GSAR clause 552.239-7001. 7 | Federal contractors using LLM systems as developers, operators, integrators, or service providers | Hearing scheduled |
| July 15, 2026 | China | CAC No. 21 on anthropomorphic AI interaction services takes effect. 4 | Virtual companion, anthropomorphic chatbot, emotional-interaction, and related AIGC services in China | Effective date fixed |
| July 22, 2026 | EU | Initial signatory deadline for the AI-generated content transparency Code. 5 | Generative AI providers and deployers seeking Article 50 compliance presumption | Sign-or-explain decision point |
| July 23, 2026 | EU | Targeted consultation closes on draft high-risk AI classification guidelines. 1 | Providers and deployers classifying Annex I or Annex III AI systems | Extended from June 23 |
| July 31, 2026 | US federal | FTC comments close on the proposed AI accuracy policy statement, Docket FTC-2026-0859. 6 | AI companies whose systems may trade off accuracy, fairness, safety, ideology, or other output objectives | Comment period open |
| August 2, 2026 | EU | Article 50 transparency obligations apply; the Omnibus does not move the main chatbot and deepfake disclosure date. 8 | AI providers and deployers placing systems on the EU market | Date unchanged |
| August 3, 2026 | US federal | Written comments close on the GSA LLM data-safeguarding proposed clause. 7 | Federal LLM contractors and subcontractors | Comment period open |
| August 20, 2026 | China | Network Data Security Risk Assessment Measures take effect. 9 | Network-data processors and AI/data operators covered by the assessment framework | Effective date fixed |
| August 25, 2026 | Illinois | Approximate end of the 60-day governor review window for SB 315, transmitted June 26. 10 | Large frontier-model developers with Illinois exposure | Governor action pending |
US federal and states
FTC frames AI accuracy steering as a deception risk
The Federal Trade Commission published a proposed policy statement on July 1 titled "Concerning the Suppression of Accuracy in Artificial Intelligence Systems," Docket FTC-2026-0859. 6 The statement says an AI company may violate Section 5 of the FTC Act if it steers model outputs away from the user's expected goal without clear disclosure, including when the steering is done to comply with state laws such as the Colorado AI Act. 6
The compliance impact is a direct federal-state tension. AI providers that tune output behavior for bias, safety, or legal-compliance objectives should review whether product claims, model cards, UI disclosures, customer contracts, and release notes clearly explain the system's design goals and tradeoffs.
CISA's EO 14409 deadline passed without a confirmed AI-specific BOD
Executive Order 14409 required CISA to issue binding operational directives within 30 days, by July 2, covering faster federal network defense, AI-enhanced defensive tools, and acquisition of AI cybersecurity tools and services. 11 CISA issued BOD 26-04 on June 10, but that directive focuses on risk-based vulnerability management for operational technology and internet-of-things assets and does not expressly implement the AI-enhanced tool or acquisition elements of EO 14409. 12
The compliance impact is procurement uncertainty. Federal AI cybersecurity vendors should track whether CISA treats BOD 26-04 as partial satisfaction of EO 14409 or issues a separate AI-specific directive.
NSPM-12 gives national security system governance a July 12 checkpoint
President Trump signed NSPM-12 on June 12, reestablishing the Committee on National Security Systems and designating the NSA Director as the national manager for national security systems. 2 Section 6(a) requires CNSS to revise CNSS Directive 900 within 30 days, which places the revision deadline on July 12. 2
The compliance impact falls on classified and national security workloads. AI vendors supporting NSS environments should expect governance, emergency-directive, cloud-baseline, and NIST-standard alignment questions to appear in federal security reviews.
GSA's LLM clause moves toward contractor flow-down duties
GSA published a proposed GSAR clause, 552.239-7001, on June 17 for "Basic Safeguarding of the Data Within Large Language Model Artificial Intelligence Systems." 7 The proposal creates role-specific flow-down requirements for LLM developers, system operators, system integrators, and service providers, with a July 14 hearing and August 3 written-comment deadline. 7
The compliance impact is immediate for federal contracting teams. Contractors should map which LLM role they occupy in each contract chain and prepare comments on documentation, change notice, reporting, and data-safeguarding obligations.
State movement concentrates in schools, minors, therapy, and frontier safety
California Governor Gavin Newsom approved AB 2148 on June 30 and filed it with the Secretary of State as Chapter 45 of the 2026 California Statutes. 13 The bill defines public school employees and public-school contractors as natural persons, which bars AI systems from serving as teachers or contractors in California K-12 public schools. 13
New Jersey A4015, the New Jersey Kids Code Act, passed both houses on June 30 and imposes age-appropriate design requirements on covered online services used by minors. 14 Providers of AI-powered youth services should treat it as a child-privacy and safety design bill rather than a model-development bill.
Missouri SB 1019 remains pending. The official Missouri Senate bill page showed "Delivered to Governor" as of July 3, after May 28 transmission to Governor Mike Kehoe, and the bill's AI therapy chatbot advertising ban should not be described as enacted unless the official status changes. 3
Illinois SB 315, the Artificial Intelligence Safety Measures Act, was sent to Governor JB Pritzker on June 26, and no governor action was recorded as of July 3. 10 If enacted, the bill would require large frontier developers to maintain safety frameworks, report critical safety incidents, and undergo annual independent third-party audits from January 1, 2027. 10
Pennsylvania HB 2006, the AI Companion Safety Act, was re-reported from Rules on July 1, received second consideration with amendments, and was recommitted to Appropriations before final floor passage. 15 Companion-AI teams should keep Pennsylvania in the watch queue, but the bill did not clear final passage before the July 4 recess.
EU, UK, and Ireland
EU Omnibus is approved, but Article 50 still drives August work
The Council of the European Union gave final approval to the Digital Omnibus on AI on June 29, completing the legislative procedure after Parliament approval on June 16. 16 The final package defers standalone Annex III high-risk AI obligations to December 2, 2027, and embedded Annex I high-risk AI obligations to August 2, 2028. 8
Article 50 transparency obligations remain set for August 2, 2026, including chatbot disclosure and deepfake labeling requirements. 8 The research package did not identify Official Journal L-series publication as of July 3, so EU teams should avoid treating the Omnibus as operationally complete until publication occurs. 17
The compliance impact is a two-track EU plan. Providers and deployers should keep Article 50 disclosure implementation on the August 2 track while using the high-risk delay for classification, quality-management, post-market monitoring, and technical-documentation work.
EU Code and classification guidance create two July decisions
The European Commission has issued the final Code of Practice on Transparency of AI-Generated Content, and the initial signatory deadline is July 22 at 18:00 CEST. 5 Signing gives providers and deployers a presumption of conformity for Article 50 obligations, while non-signatories will need a separate compliance theory and evidence package. 5
The Commission also extended the targeted consultation on draft Article 6 high-risk classification guidelines to July 23. 1 The compliance impact is classification governance: product counsel should use the consultation text to test Annex I and Annex III edge cases before final guidance arrives.
Ireland moves its AI Act implementation bill through committee stage
Ireland's Regulation of Artificial Intelligence Bill 2026 completed second reading on June 24 and moved to Committee of the Whole House. 18 The bill establishes the AI Office of Ireland as the national AI Act body and is intended to give the EU AI Act full effect in Ireland without adding to or changing regulated-entity obligations under the AI Act. 18
The timing matters because Ireland needs supervisory and enforcement infrastructure in place by the August 2 Article 50 enforcement date. 18 Companies with Irish headquarters, Irish EU representation, or major Irish regulatory interfaces should map which AI Act questions will go to the AI Office and which will remain with sectoral authorities.
UK DRCF closes one consultation and shows its own AI governance model
DRCF's Phase 1 "Consumer Interest and AI" consultation closes July 3, and its Phase 2 "Consumer Tools" consultation closes September 2. 1 The consultation sits inside the UK's regulator-led AI model, where ICO, CMA, Ofcom, and FCA use existing powers rather than a single standalone AI statute. 1
DRCF also published a June 24 internal generative-AI governance report covering how ICO, FCA, CMA, and Ofcom use GenAI in their own regulatory work. 19 The report says CMA uses agentic AI tools to support eight investigations, while Ofcom has an independent AI ethics committee for internal AI use. 19
The compliance impact is supervisory benchmarking. UK-regulated firms should expect questions about human review, hallucination management, bias mitigation, prompt controls, and evidence that AI governance is operating rather than merely documented.
China, APAC, and Canada
China Decree 837 is now live without public implementing detail
State Council Decree No. 837, China's outbound investment regulation, took effect on July 1 and is the first State Council administrative regulation dedicated to outbound investment. 20 The regulation integrates NDRC, MOFCOM, and SAFE oversight and brings natural-person investors into the outbound-investment control framework. 20
Article 13 restricts indirect export of prohibited or restricted technologies, services, and data through routes such as overseas talent transfers, cross-border technical guidance, and overseas training arrangements. 21 The research package did not identify MOFCOM, SAFE, or NDRC implementing rules as of July 3, and it did not confirm public reports of bank blocks within the first 48 hours after effectiveness. 20
The compliance impact is cross-border deal hygiene. AI companies with China-origin technology, China resident individuals, offshore SPVs, model/data transfers, or outbound R&D investments should refresh ODI filings, technology-export analysis, and bank-transfer documentation.
CAC No. 21 turns virtual companions into a multi-filing compliance problem
CAC No. 21, the interim measures for anthropomorphic AI interaction services, takes effect July 15 and was jointly issued by CAC, NDRC, MIIT, the Ministry of Public Security, and SAMR. 4 A July 2 compliance checklist identified five filing or assessment layers for covered services: generative AI service filing, generative-synthesis algorithm filing, anthropomorphic-service security assessment, basic internet qualifications, and additional overlay filings. 4
The compliance impact is scope control. Virtual companion and emotional-interaction AI products should not treat a generative-AI filing as sufficient if the service creates humanlike interaction, emotional dependence, or companion-style user relationships.
China adds a network-data risk assessment date
China issued Network Data Security Risk Assessment Measures on June 18, and the measures take effect August 20. 9 The measures establish a formal framework for assessment execution, supervision, and reporting. 9
The compliance impact is data-governance alignment. AI teams using China network data for training, evaluation, analytics, personalization, or cross-border processing should connect AI governance inventories to network-data risk assessment controls before August 20.
Canada pauses AI-adjacent bills through summer recess
Canada's Bill C-36, the privacy reform bill, received first reading on June 15 and remains at second reading with no activity during summer recess. 22 Canada's Bill C-34, the Safe Social Media Act, received first reading on June 10 and also remains at second reading with no activity. 23 Parliament entered summer recess on June 18 and is scheduled to return September 21. 24
The compliance impact is preparation time, not closure. C-36 would bring automated-decision transparency, cross-border transfer impact assessment duties, child-data protections, and penalties tied to global revenue, while C-34 would regulate AI chatbots and social-media child safety. 24
APAC signals point to comment integrity, platform speech, and governance proof
Japan's Cabinet Office received 8,774 public comments during the June 19-23 consultation on the draft AI Basic Plan revision, compared with 603 comments in the prior comparable process, and officials suspected 2,000 to 3,000 submissions were AI-generated. 25 The policy signal is procedural: agencies may start treating AI-generated mass comments as a consultation-integrity problem.
South Korea's amended Network Act takes effect July 7 and creates punitive damages up to five times losses for intentional dissemination of false or manipulated information by covered media entities and large YouTubers. 26 Content platforms and creator-tool providers should assess takedown, provenance, and dispute workflows before the effective date.
Singapore and Hong Kong still do not have standalone AI legislation, but a July 3 Mayer Brown assessment says both markets increasingly expect organizations to demonstrate responsible AI governance through privacy, financial-services, and cybersecurity obligations. 27 India also moved from watchful use of existing IT rules toward possible standalone AI legislation after MeitY Secretary S Krishnan said on July 3 that "the time is getting right" to begin looking at AI regulation. 28
For multinational AI teams, APAC work should focus on proof of governance, not just policy monitoring: consultation authenticity, synthetic-content controls, child and companion-AI safeguards, regulator-ready audit trails, and jurisdiction-specific evidence that human oversight exists in practice.
Cover image: AI-generated illustration.
Fuentes de referencia
- 1Osborne Clarke — Artificial intelligence, UK Regulatory Outlook June 2026
- 2The White House — NSPM-12
- 3Missouri Senate — SB 1019 bill information
- 4Tencent Cloud Developer Community — Anthropomorphic AI compliance checklist
- 5AI Governance Playbook — AI Deadline, Thursday 2 July 2026
- 6FTC — Proposed Policy Statement Concerning the Suppression of Accuracy in Artificial Intelligence Systems
- 7Federal Register — GSAR acquisition of information and communication technology
- 8Licentium — EU Council adopts Digital Omnibus amendments to AI Act
- 9Hunton Andrews Kurth — China issues new measures for network data security risk assessment
- 10Illinois General Assembly — SB0315 bill status
- 11Federal Register — EO 14409
- 12CISA — BOD 26-04, Prioritizing Security Updates Based on Risk
- 13California Legislative Information — AB 2148
- 14New Jersey Legislature — A4015, 2026-2027 session
- 15Pennsylvania General Assembly — HB 2006
- 16Cyprus Presidency of the Council of the EU — Council gives final green light to simplify and streamline rules
- 17EUR-Lex — Official Journal C series daily view, 2 July 2026
- 18Anglo Celt — Government introduces AI Bill
- 19Bratby Law — DRCF generative AI assurance benchmark
- 20Risk Advisory — Beijing's new outbound investment rules redraw transaction risk
- 21Shumaker — China made Meta give back a $2 billion AI acquisition
- 22Parliament of Canada — Bill C-36 LEGISinfo
- 23Parliament of Canada — Bill C-34 LEGISinfo
- 24ABA Business Law Today — Canada's proposed legislative overhaul has cross-border implications
- 25The Mainichi — Japan AI policy draft draws flood of comments suspected to be AI-generated
- 26Seoul Economic Daily — Tougher fake news penalties must not chill policy criticism
- 27Mayer Brown — AI regulation in Singapore and Hong Kong, a mid-year checkpoint
- 28Big News Network / ANI — AI law may be considered as time is getting right
Más de este canal
Contenido relacionado
- Inicia sesión para comentar.
