AI Compliance Impact Map — Week of June 13–19, 2026
2026/6/19 · 17:30

AI Compliance Impact Map — Week of June 13–19, 2026

This week: EU Parliament votes 423-57 to approve the AI Act Omnibus, deferring high-risk obligations 16–28 months pending OJ publication; Ireland publishes Bill 69 of 2026 establishing an independent AI NCA; DOJ invokes national security to dismiss xAI's Clean Air Act lawsuit; GSA proposes LLM procurement rule (comment deadline August 3); Vermont enacts the first therapy chatbot ban; China's Decree 837 and CAC No. 21 approach their effective dates (July 1 and July 15) with zero official guidance. 28 items, 39 sources, 19-row deadlines table through January 2027.

Global AI Regulation & Compliance Map
Global AI Regulation & Compliance Map@NeoDrop Official
Immediate action items as of June 19, 2026:
  1. DEADLINE June 22 (tomorrow) — EU Code of Practice info session, 14:00–16:00 CEST. Last chance to understand sign-on obligations before the July signatory deadline for Article 50 compliance.
  2. DEADLINE June 23 — EU high-risk AI classification guidelines consultation closes. Final window to influence Article 6 / Annex III classification definitions.
  3. DEADLINE ~June 29 — Missouri SB 1019 (AI therapy chatbot ban): governor window expires. No Kehoe action as of June 19.
  4. DEADLINE July 1 — 12 days — China Decree 837 (Outbound Investment Regulations): effective date. No official implementing regulations published.
  5. DEADLINE July 3 — UK DRCF Phase 1 (consumer AI risk tolerance) closes.
  6. DEADLINE July 15 — 26 days — China CAC No. 21 (Anthropomorphic AI Interaction Services): effective date. Zero implementation guidance found.
  7. GOVERNOR WINDOW ~July 28–30 — Illinois SB 315 (AISM Act): Pritzker has announced intent to sign; clock runs regardless.
This issue covers June 13–19, 2026 — the primary window of this week's regulatory activity. The prior issue (published June 12) covered events from that day's signing of NSPM-12 and contextual carry-forwards. 28 items with new activity were identified across US federal, US states, EU/UK/Ireland, and Canada/APAC.
Three enforcement-infrastructure shifts are worth flagging together before the per-item detail: Ireland formalized its EU AI Act enforcement machinery (Bill 69 of 2026 introduced June 19); the EU Parliament gave final approval to the Omnibus on June 16, but the deferral of high-risk deadlines is not yet legally binding — the Official Journal publication clock is still running; and China opened a crowdsourced AI violations reporting zone while two imminent regulations (Decree 837, CAC No. 21) approach their effective dates with no official guidance.
正在加载统计卡片…

US federal

DOJ intervenes to dismiss xAI Clean Air Act lawsuit — national security invoked

On June 16, 2026, the Department of Justice Environment and Natural Resources Division (ENRD) filed a motion to intervene and dismiss a Clean Air Act citizen suit targeting xAI Corp. and MZX Tech LLC in the U.S. District Court for the Northern District of Mississippi (Case No. 3:26-cv-00074). 1
The NAACP and community plaintiffs allege that gas-powered turbines at xAI's Colossus II data center in Southaven, Mississippi violate Clean Air Act permitting requirements. DOJ's filing argues the facility is critical to "the economy and the Department of War" and that Grok AI supports classified military operations. The motion asserts that citizen suits cannot proceed where the Executive Branch exercises enforcement discretion to forgo action — a novel application of sovereign immunity to shield AI infrastructure from environmental litigation. 1 2
Associate AG Stanley Woodward stated: "Ultimate responsibility for enforcing federal law belongs to the Executive Branch, not private interest groups. The Department of Justice is committed to maintaining that constitutional order while protecting national security and promoting American energy and innovation." 1 NAACP's Abre' Conner responded: "Citizen suits are a bedrock insurance policy for communities to hold polluters accountable for decisions that cause them harm. This should not be up for debate." 2
Compliance impact: This is the first use of Executive Branch enforcement discretion / sovereign immunity arguments to block environmental litigation against an AI data center. AI companies operating or planning large-scale infrastructure should monitor the outcome — if upheld, the doctrine could insulate government-contracted AI facilities from third-party environmental enforcement.

GSA proposed rule: LLM data safeguarding requirements for federal contracts

On June 17, 2026, the General Services Administration published a proposed rule in the Federal Register (91 FR 36559, Document 2026-12205) seeking public comment on a new GSAR clause 552.239-7001: "Basic Safeguarding of Data Within Large Language Model Artificial Intelligence Systems." 3
The proposed clause would apply to GSA government-wide contracts (Federal Supply Schedule, GWACs, OASIS+) whenever Government data is processed by an LLM. Key provisions:
  • Four defined supply chain roles with flow-down requirements: LLM Developer, LLM System Operator, LLM System Integrator, LLM Service Provider
  • Government data ownership: the Government retains full ownership of all data and custom developments; contractors receive only a limited, revocable license; prohibited from using Government data for training, marketing, or monetization
  • Unbiased AI Principles: LLMs must be truthful for factual requests, remain neutral and nonpartisan, and implement continuous improvement to detect bias; the Government may conduct automated assessments and suspend LLM use for non-compliance
  • Preferred sourcing: LLM controlling entity must be incorporated in the US, subject to US jurisdiction, and free from adversary foreign government control
This is a proposed rule, not final — the implementing clause requires formal rulemaking or deviation before it takes effect. Comment deadline: August 3, 2026. Public listening session: July 14, 2026. 3
Compliance impact: LLM providers on or seeking placement on GSA vehicles should review the four role definitions and assess their supply chain obligations. The US jurisdiction and adversary foreign government control provisions will require affirmative certification. Comments are open through August 3.

CISA and G7 publish AI SBOM minimum elements

On June 16, 2026, CISA and G7 partners (Canada, France, Germany, Italy, Japan, UK, EU) released joint voluntary guidance: "Software Bill of Materials for AI – Minimum Elements." 4
The guidance organizes AI SBOM information into seven clusters: Metadata, System Level Properties, Models, Datasets Properties, Infrastructure, Security Properties, and Key Performance Indicators. It extends traditional SBOM concepts to AI-specific components — model provenance, training and validation datasets, adversarial robustness controls — and applies to both AI developers and deployers. The guidance is voluntary but, per Morgan Lewis's analysis, CISA and G7 guidance of this type "often informs procurement requirements and future regulatory frameworks." 4 It also overlaps with EU AI Act Article 9 technical documentation obligations for high-risk AI systems.
Compliance impact: Organizations with AI procurement or vendor risk management programs should assess how the seven-cluster framework maps to existing SBOM processes. Given G7-wide co-authorship, the document is likely to appear in procurement questionnaires and future regulatory references across multiple jurisdictions.

H.R. 9333 — AI Flaw Reporting and Security Enhancement Act introduced

Rep. Deborah Ross (D-NC), with bipartisan co-sponsors Rep. Jeff Hurd (R-CO) and Rep. Donald Beyer (D-VA), introduced H.R. 9333 on June 18, 2026, and referred it to the House Committee on Science, Space, and Technology. 5
The bill directs the NIST Director, in consultation with CISA, to establish a voluntary program for reporting, collecting, and tracking AI flaws. NIST would convene a multi-stakeholder group — industry, academia, nonprofits, standards bodies, civil society — to develop common definitions (vulnerabilities, failure modes, accidents, hazards, misuse, incidents, adverse events), taxonomies, severity and risk measures, detection methods, and standardized reporting mechanisms. A national AI flaw database (or modification of an existing national database) would follow. NIST must report to Congress within three years of enactment. 5
Compliance impact: No immediate obligation. Bipartisan sponsorship indicates a realistic path through committee. If enacted, the voluntary reporting framework could form the foundation of future mandatory incident reporting requirements — analogous to the CISA cyber incident reporting trajectory. AI safety and security teams should monitor.

NSPM-12 first deadline approaching: CNSS Directive 900 revision due July 12

Analysis published June 15 by Federal News Network confirms that NSPM-12 (signed June 12) sets the CNSS Directive 900 revision as its first concrete deadline: July 12, 2026 — 23 days from June 19. The 60-day deadline for the NSS cybersecurity roadmap falls around August 11. No CNSS meeting notices, directive drafts, or implementation progress documents are in the public domain as of June 19. 6
Former DHS CISO Hemant Baidwan told Federal News Network: "All of this gives a very clear signal that this is not just, take a look, read it and kind of go on a shelf somewhere for a year, but actions are needed and they're needed now." 6

FTC signals H2 2026 privacy enforcement surge; no AI-specific actions this week

FTC Chairman Andrew Ferguson told MLex on June 18 that the agency is "poised for a surge in data privacy enforcement cases" in H2 2026, adding that reporters "are going to have a hard time keeping up with the number of cases we're gonna be bringing." 7 No new AI-specific FTC rulemakings, TAKE IT DOWN Act actions, or AI-focused enforcement press releases were identified in the June 13–19 window. TAKE IT DOWN Act enforcement went live May 19, 2026 — the agency's stated basis for increased case volume.

Preemption update: Blackburn package, NO FAKES advances, 203 state legislators oppose

On June 18, the White House convened Apple, Meta, Google, xAI, and children's safety groups to discuss Sen. Marsha Blackburn's (R-TN) proposed package that would trade child safety protections — including KOSA (Kids Online Safety Act), NO FAKES (federal property right over voice and likeness), and the App Store Accountability Act — for federal preemption of state AI laws. 8 The Senate Judiciary Committee advanced NO FAKES on the same day, with three Republicans and one Democrat expressing free-speech reservations, including Sen. Ted Cruz. Most advocates are withholding support until full text is published. Separately, 203 state lawmakers from 42 states urged Congress to oppose the Obernolte/Trahan Great American AI Act preemption provision. 8
Compliance impact: State-law compliance programs covering enacted laws (Colorado SB 26-189, Connecticut AIRT Act, and any signed Illinois/Vermont bills) should proceed without assuming federal preemption relief. If a Blackburn package advances, preemption scope is expected to cover AI model development — not AI deployment or use — and would carry new federal obligations on children's safety, age verification, and deepfakes.

US states

Vermont signs nation's first AI therapy chatbot ban — effective immediately

Governor Phil Scott signed H 816 into law on June 17, 2026; the law took effect immediately on passage. 9 10
H 816 prohibits corporations and other entities from offering or advertising AI-delivered mental health services — counseling, therapy, psychotherapy — unless a qualified mental health professional retains clinical responsibility or the service is part of an approved research study. Administrative and supplementary AI functions (scheduling, billing, transcription) are permitted. The law's legislative purpose: "to safeguard individuals seeking mental health services in Vermont from psychological harm, including death by suicide, by ensuring that these services are delivered by mental health professionals and not independently by artificial intelligence systems." 10
Enforcement routes: licensed clinicians face professional licensing-board discipline for AI-delivered care; companies face Vermont Consumer Protection Act (9 V.S.A. ch. 63) enforcement by the Vermont AG. The Computer & Communications Industry Association, Software & Information Industry Association, and American Telemedicine Association had urged a veto, arguing definitions of "mental health services" and "therapeutic communication" are broad enough to capture general wellness apps, peer-support features, and crisis tools. 10 Vermont joins Illinois, Nevada, and Utah in restricting AI in mental health care.
Governor Scott also signed H 211 (data brokers and personal information) on June 16. 11
Compliance impact: Any platform offering AI-mediated mental health, emotional wellness, or crisis support features with Vermont users should assess immediately whether its services fall within H 816's scope. The broad definitions flagged by industry groups make conservative compliance the safer course until the Vermont AG provides interpretive guidance.

Florida Rule 2.515(d)(2) active — judges reinforce at Bar Convention

Florida Rule 2.515(d)(2) took effect June 15, 2026, requiring every signer of a Florida state court filing to certify that all cited legal authorities are accurate. Sanctions are expressly authorized: reprimand, contempt, striking pleadings, dismissal, costs, or attorneys' fees. The rule applies to attorneys and self-represented litigants alike, is technology-neutral, and supersedes circuit-level AI administrative orders. 12
At the Florida Bar Convention on June 17, U.S. Magistrate Judge Nicholas Mizell (M.D. Fla.) told attendees: "We all have a basic requirement to competency and something everybody is going to have to do on this front is at least understand the broad concepts of how these tools work." 12 Florida Deputy Chief Judge David Langham cited a Mississippi federal case where a lawyer using Grok filed documents riddled with AI hallucinations and described the resulting sanctions as the most egregious example of AI misuse he had seen: "She was using Grok. It's like citing Mad Magazine in your briefs." 12 Judge Langham noted that under Florida Bar rules, firm partners bear responsibility for all filings — including AI-generated work by associates. U.S. District Judge Kathryn Mizelle has separately proposed a comparable rule to the federal Committee on Rules of Practice and Procedure.
Compliance impact: Legal teams with active Florida litigation must have human citation-verification checkpoints for all court filings. Law firms providing AI-assisted legal research tools to Florida practitioners should ensure their platforms surface clear hallucination-risk warnings and audit trails.

California: 15+ AI bills advance, July 2 fiscal deadline 13 days out

Between June 15–17, at least 15 of California's roughly 30 remaining AI bills cleared second-chamber committees. Key committee votes: 11
  • AB 1651 (AI in state bar exam) — Senate Judiciary 11-0, June 17
  • AB 2545 (AI worker impact data project) — Senate Labor 5-0, June 17
  • AB 2656 (public employer AI notice) — Senate Labor 5-0, June 17
  • AB 2713 (CA AI Transparency Act update) — Senate Privacy 8-0, June 15, now at third reading
  • SB 719 (connected vehicle data disclosure) — Assembly Privacy 15-0, June 16
  • SB 867 (chatbot ban in toys) — Assembly P&CP 14-1, June 16
  • SB 1000 (AI disclosure and provenance) — Assembly P&CP 15-0, June 16
  • SB 1050 (AI ad disclosure) — Assembly P&CP 13-2, June 16
  • SB 1119 (chatbot safety) — Assembly Privacy 10-1, June 16
  • SB 813 (CA AI Standards and Safety Commission) — re-referred to Assembly P&CP, June 16
The July 2 fiscal committee deadline falls 13 days from June 19; bills not cleared by then are effectively dead until August. Hearings scheduled for June 23 include AB 412 (AI training data copyright), AB 2023 (chatbot/children's safety), SB 947 (worker AI protections), SB 1050, and SB 1159. The legislature returns August 3 with sine die August 31. 11

Arizona adjourns — three AI bills with Governor Hobbs

The Arizona legislature adjourned sine die on June 13 with three AI bills transmitted to Governor Katie Hobbs: 11
  • HB 2592: Requires every state agency to identify AI implementation opportunities and eliminate regulations restricting AI adoption
  • HB 2133: Amends the unlawful disclosure statute to include "synthetic depiction" of intimate images; Senate approved 16-12, House 35-20
  • HB 2311: Chatbot safety bill — mandatory AI disclosure, prohibition on gamification for minors under 18, prohibition on generating sexual content for all users, parental controls for users under 13; passed Senate 28-0, House 35-20
SB 1786 (AI provenance data for video/image/audio) failed after the House requested the Senate reconsider the bill. 11

Rhode Island: therapy chatbot ban and health insurer AI transparency pass both chambers

Rhode Island H 7349 (AI use in mental health care regulation, effectively a therapy chatbot ban) passed both chambers — House on June 8, Senate on June 10. S 2010 (health insurer AI use transparency) passed the full Senate on June 9. Rhode Island's session adjourns June 30. 11

Michigan: 8-bill AI data center package introduced

Michigan Senate Democrats held a press conference on June 18 to introduce eight bills regulating AI data centers — the broadest such package in the country to date: 13
BillSubjectKey provision
SB 1046Water permitsNew permit required for facilities using >550,000 gallons/day; cap at 2M gallons/day
SB 1047Energy contracts90% clean energy requirement; utilities may curtail during emergencies; contested case hearings required
SB 1048LaborRegistered apprentices, prevailing wages, project labor agreements
SB 1049TransparencyBars public officials from signing data center NDAs; civil fines up to $1,000
SB 1050–1051Community benefitsAgreements required before construction; no local permits without one
SB 762–763ReportingMPSC annual reports on water and energy use; bars utilities from passing upgrade costs to ratepayers
Senator Mallory McMorrow (D-Royal Oak) framed the package: "The question in front of us is whether Michigan sets the terms or whether we let someone else set them for us." 13 Governor Gretchen Whitmer expressed support; House Speaker Matt Hall (R) signaled openness to closed-loop cooling and ratepayer protections. Michigan joins a national trend of state data center regulation: 11+ states have moved on data center development rules in 2026, including Tennessee (local moratoriums, June 15), Utah (coalition letter, June 16), and New York (moratorium bill passed June 4). 13
Compliance impact: AI companies planning data center expansion in Michigan should monitor the package's progress. The water use cap (2M gallons/day) and clean energy mandate are the hardest constraints for large-scale GPU facilities.

Governor windows: Illinois SB 315 and Missouri SB 1019

Illinois SB 315 (AISM Act — mandatory independent audits for frontier AI developers with $500M+ annual revenue, 72-hour incident reporting, pre-deployment transparency reports): passed both chambers (Senate 52-5, House 110-0 on May 29). Faegre Drinker reports that Governor Pritzker has announced he plans to sign the bill into law. The 60-day window from transmittal closes approximately July 28–30. The ILGA website shows no action beyond "Passed Both Houses" as of June 19. 14
Missouri SB 1019 (health care omnibus including AI therapy chatbot ban: $10,000 first offense, $20,000 subsequent): transmitted to Governor Kehoe approximately May 15. The 45-day window expires around June 29 — 10 days from June 19. No governor action, signing ceremony, or veto announcement has been identified as of June 19. 15
正在加载图表…
SAMR Q2 2026 press conference, female spokesperson at podium with reporters
China's SAMR Q2 2026 press conference, June 16–17, 2026. 16

EU, UK, and Ireland

Ireland publishes EU AI Act implementing bill — AI Office established

On June 17, 2026, the Irish Government published the Regulation of Artificial Intelligence Bill 2026 (Bill 69 of 2026); First Stage in Dáil Éireann followed on June 19. 17 18
The Bill is Ireland's national implementing legislation for the EU AI Act (Regulation (EU) 2024/1689). Key features:
  • Establishes Oifig IS na hÉireann (AI Office of Ireland) as an independent statutory body — Ireland's central coordinating authority and single contact point for EU AI Act implementation
  • Ireland previously designated 15 existing bodies as market surveillance authorities (MSAs) via SI No. 366/2025, including the Data Protection Commission (DPC), Central Bank of Ireland (CBI), and Competition and Consumer Protection Commission (CCPC)
  • Provides MSAs with a structured, proportionate enforcement toolkit: cooperative compliance notices → coercive measures (prohibition, seizure) → formal sanctions (fines, prosecution), with independent adjudication and court oversight
  • 10 Parts, 139 Sections, 4 Schedules; amends Central Bank Act 1942, Communications Regulation Act 2002, Competition and Consumer Protection Act 2014, and Freedom of Information Act 2014 19
Minister Peter Burke (Enterprise, Tourism and Employment) called it "a landmark moment for Ireland's digital regulatory framework," noting Ireland's position as home to many leading foundational AI model providers and its incoming EU Council Presidency. 17 The AI Office must be operational by August 2, 2026 under the AI Act. Legislative timeline: Second Stage (debate on general principles) has not yet been scheduled.
Compliance impact: Ireland is the EU headquarters for Google, Meta, Apple, Microsoft, and OpenAI's EU operations. This Bill determines the primary EU AI Act enforcement environment for those companies. The distributed model means companies face multiple competent authorities across domains — DPC for data protection-adjacent AI, CBI for financial AI, CCPC for consumer-facing AI — all supervised by the new AI Office. As of mid-June, only 9 of 27 EU Member States had achieved full NCA designation clarity (designating both market surveillance and notifying authorities); Poland's lower house passed its implementing act on June 11, 2026. 19

EU Parliament approves AI Act Omnibus — but high-risk deferral is not yet law

On June 16, the European Parliament voted 423 in favour, 57 against, 174 abstentions to approve the Digital Omnibus on AI (part of the 7th simplification package). 20
Core changes:
  • High-risk deadlines deferred: standalone Annex III systems → December 2, 2027 (from August 2, 2026); AI embedded in Annex I regulated products → August 2, 2028 (from August 2, 2027)
  • Nudifier ban added: AI systems generating non-consensual intimate imagery or CSAM added to Article 5 prohibited practices; transitional period until December 2, 2026
  • Watermarking grace period: Article 50(2) watermarking obligations for systems already on market granted until December 2, 2026; other Article 50 transparency obligations (chatbot disclosure, deepfake labeling) remain on original August 2, 2026 schedule
  • Machinery Regulation overlap removed: narrower "safety component" definition excludes user-assistance or performance-optimization AI from automatic high-risk classification
  • AI literacy softened: providers/deployers must "support the development" of AI literacy among staff, rather than guarantee a specific level
  • SME exemptions extended to small mid-cap companies 21
Critical: the Omnibus is still NOT published in the Official Journal as of June 19 — now 6+ weeks after the May 7 political agreement. Council formal adoption is expected around June 29. The Omnibus enters into force 20 days after OJ publication. Per banking.vision analysis, OJ publication must occur by July 30 at the latest for the Omnibus to take effect before August 2. 21 Gibson Dunn notes: "The amended dates do not bind until formal adoption and Official Journal publication. Businesses should monitor formal adoption closely." 21
Compliance impact: August 2, 2026 remains the live compliance date for Article 50 transparency obligations regardless of Omnibus status. For high-risk obligations, dual-track readiness is required — assume the deferral until OJ publication, but do not abandon preparation for the original August 2 date until the Omnibus is formally in force. The nudifier ban (December 2, 2026) affects image and video generation providers: assess foreseeable misuse now.
正在加载统计卡片…

EU high-risk AI classification guidelines — consultation closes June 23

The European Commission's draft guidelines on Article 6 high-risk AI system classification (published May 19, 2026, 167 pages) close for consultation on June 23 — four days from June 19. 21 Key interpretive clarification: where a multi-purpose AI system is deployed for a specific high-risk purpose, the entity determining the purpose (deployer) becomes subject to high-risk obligations. Multiple law firm analyses are available from Gibson Dunn, Jones Day, Baker McKenzie, DLA Piper, and others.

EU Code of Practice on AI-generated content — info session June 22

The European Commission published the final Code of Practice on marking and labelling of AI-generated content on June 10, 2026. 22 The voluntary Code supports compliance with Article 50 AI Act transparency obligations (effective August 2, 2026). Two sections: (1) Providers — machine-readable marking and detection of AI-generated content; (2) Deployers — labeling of deepfakes and AI-generated text on matters of public interest. After a positive adequacy assessment by the Commission and AI Board, signatories can rely on Code measures to demonstrate EU-wide compliance. Signatory list is due July 2026. An info session is scheduled for June 22, 2026, 14:00–16:00 CEST. 22 Non-signatories must demonstrate compliance through alternative means assessed individually by each MSA.

Munich Regional Court: Google directly liable for AI Overview false claims — appeal pending

Munich Regional Court I issued a temporary injunction against Google on June 10, 2026, ruling that AI Overviews constitute Google's "own content" — not protected by the search engine liability shield applicable to third-party content — and that Google is directly liable for false statements in AI-generated summaries. 23 Two Munich-based publishing companies brought the case after AI Overviews falsely linked them to scams and dubious business practices.
The court held that AI Overviews make "a self-contained statement with independently comprehensible content" 24 — reasoning that "AI is not necessary to search the web" and therefore the AI overview is an additional commercial function that cannot claim a search-result liability shield. The court ordered Google to stop spreading the false claims and bear 80% of legal costs. Google announced its appeal on June 12, stating: "We disagree with the ruling and plan to appeal." 23 This is a preliminary injunction, not a final judgment.
Compliance impact: This is the first court ruling holding an AI platform directly liable for AI-generated output under a "own content" theory. If the reasoning survives appeal, the liability shield available to traditional search results will not extend to AI-generated summaries in Germany — and potentially across the EU. Providers of AI-generated content that comments on or describes third parties should assess whether the Munich reasoning could apply to their products under applicable national law.

EU-Brazil Digital Partnership, UK DRCF call for input, UK Lords AI regulation debate, CADA pushback

EU-Brazil Digital Partnership (signed June 12): Covers AI governance, data governance, digital infrastructure, online platforms, and digital public goods. A separate administrative agreement was signed with Brazil's ANPD on minor protection. 25
UK DRCF call for input (launched June 3): Phase 1 — consumer attitudes and risk tolerance — closes July 3, 2026. Phase 2 — tools and protections — closes September 2, 2026. The DRCF (ICO, Ofcom, CMA, FCA) has been read by analysts as signaling a Consumer Duty-style outcomes model for AI. 26
UK House of Lords debate (June 4): Cross-party speakers called the government's wait-and-see approach "chronically insufficient" and demanded principles-based legislation, pre-deployment testing, an AI regulatory oversight body, and statutory footing for AISI. The government pointed to the pending Regulating for Growth Bill, which has not been introduced to Parliament as of June 19. 27
EU Cloud and AI Development Act (CADA) (proposed June 3): CCIA Europe called the 4-tier sovereignty framework and Article 18 associated-country mechanism discriminatory, warning that no major technology-producing nation — including the EU itself — could currently satisfy Article 18's standards. CCIA's Daniel Friedlaender stated the Commission is "effectively giving national capitals carte blanche to shut out trusted global vendors from every major technology-producing nation outside the Union." 28 CADA is at Commission proposal stage; Council and Parliament negotiations will shape the final text.

Canada, China, and APAC

Canada tables Bill C-36 — privacy overhaul with AI deepfake deletion rights

On June 15, 2026, the Canadian government tabled Bill C-36, the Protecting Privacy and Consumer Data Act (PPCDA), modernizing PIPEDA after 25 years. 29 Key provisions:
  • Privacy as a fundamental right; meaningful consent with plain-language explanations
  • Right to request deletion of personal information including AI-generated deepfakes
  • Transparency for automated decision-making in significant individual decisions
  • Prohibition on surveillance pricing
  • New regulator: Digital Safety and Data Protection Commission of Canada (also administering the Digital Safety Act under Bill C-34)
  • Penalties: up to CAD $10 million or 3% of global revenue (administrative); up to CAD $25 million or 5% for the most serious offences
The bill was tabled four days after OPC found Grok AI violated PIPEDA (June 11) — it directly addresses the enforcement gap identified in that investigation, which OPC Commissioner Dufresne had cited as evidence that PIPEDA lacks meaningful monetary penalty authority. 29 Minister of AI and Digital Innovation Evan Solomon said: "Canadians deserve strong privacy protections in a rapidly changing digital world." 29

Canada: Bill C-34 (Safe Social Media Act) introduces regulated chatbot obligations

Bill C-34, the Safe Social Media Act, received First Reading on June 10, 2026. 30 It creates three tiers of regulated services — social media, chatbot services, and online services. Regulated chatbot service obligations include:
  • Crisis intervention: must connect suicidal users to a live human within a specified timeframe
  • Prohibition on posing as a human
  • Prohibition on posing as a medical or legal professional
  • Prohibition on manipulative engagement techniques encouraging emotional attachment
  • Mandatory labeling of synthetic content (AI-generated material, including deepfakes, and content subject to automated bot amplification)
The bill also establishes a temporary prohibition on social media accounts for persons under 16, backed by age-verification obligations, and covers seven categories of harmful content. Penalties: AMPs up to CAD $10 million or 3% of global revenue; criminal fines up to CAD $20 million or 5%. A new Digital Safety Commission of Canada would have investigatory and enforcement powers. The bill is at First Reading; implementation is likely years away. 30

OPC Grok PIPEDA ruling: ~1.8 million sexualized images, enforcement gap confirmed

OPC Canada released its Grok AI investigation report on June 11, finding that xAI/X Corp. violated PIPEDA by generating approximately 1.8 million sexualized images of real people without consent, particularly women and children. 31 OPC Commissioner Dufresne sought legislative fining powers; both companies refused the OPC's suspension recommendation but committed to quarterly reports and third-party audits. Bill C-36 (tabled June 15) directly addresses the penalty enforcement gap exposed by the investigation.

China: Chaos Reporting Zone, financial data classification, SAMR ad rules

CAC AI Chaos Reporting Zone (opened June 12): The CAC Reporting Center launched a dedicated zone accepting reports across 14 categories of AI violations, including unregistered LLM services, missing AI content labels, AI-generated disinformation, and violations targeting minors. 32 More than 98,000 accounts have been penalized in 2026 for non-compliant labeling. The zone forms the in-process supervision stage of a three-stage closed loop: May 12 labeling rules (pre-prevention) → June 12 reporting zone (in-process) → special enforcement campaigns (post-enforcement). Platform penalties escalate from warnings and fines of tens to hundreds of thousands of RMB up to license revocation; all penalties are recorded in enterprise credit files. The "safe harbor" principle no longer applies when platforms passively permit AI violations or amplify them via recommendation algorithms. 32
Financial information service data classification guidelines (published June 13): CAC and five other agencies (PBOC, NFRA, CSRC, NBS, SAFE) jointly published the first data classification and grading standard for the financial information services sector (国信办通字〔2026〕2 号). The standard establishes 3 data categories, 9 sub-categories, 67 detailed data classes, and 4 security levels based on sensitivity and harm potential. Financial AI large-model providers must now integrate a six-step classification process — data inventory → classification → grading → checklist → important data directory submission → dynamic update — into their compliance workflows. 33
SAMR AI-generated advertising regulation (announced June 16–17): SAMR's Q2 2026 press conference announced that its Internet Advertising Market Order Rectification Key Tasks now include regulating AI-generated advertisements, explicitly noting that "AI abuse and excessive traffic-pursuit are new emerging problems" requiring systemic governance. 16

China: Decree 837 effective July 1 — still no official guidance

State Council Decree 837 (Outbound Investment Regulations, effective July 1, 2026) — 12 days from June 19 — has received no official implementing regulations, compliance templates, or guidance from the State Council, NDRC, MOFCOM, or SAFE. 34 35 Two private-sector compliance guides published June 18 are available but are not authoritative. Key features of the decree: ODI approval is now a statutory condition precedent — no funds may be remitted abroad before approval; applies to individual residents (居民个人) for the first time; penalties include fines of 5‰–10‰ of the investment amount, confiscation of illegal gains, individual fines of ¥50,000–100,000, and prohibition from ODI activities for 1–3 years. AI, algorithms, data, and core technology explicitly trigger security review under the private-sector analysis published June 18. 35

China CAC No. 21 — still zero guidance, 26 days to effective date

CAC No. 21 (《人工智能拟人化交互服务管理规定》, effective July 15, 2026) — requiring real-identity verification for anthropomorphic AI services, content moderation, AI content labeling, and minor protection — has produced zero implementation guidance, compliance templates, FAQ, or enforcement preview in any Chinese-language source during the June 12–19 window. This mirrors the Decree 837 situation and is the highest-urgency guidance gap on the China compliance calendar.

APAC: South Korea, Australia, Singapore

South Korea (June 18): Bill No. 2219336 introduced to the National Assembly, amending the Network Act to require preservation of AI-generated labels. Related to the existing AI Basic Act (effective January 22, 2026). 36
Australia (June 15): OAIC closed its ADM transparency guidance consultation. Regulated entities must disclose use of automated decision-making systems for decisions about individuals by December 10, 2026. BSA and ACCI filed comments; no final guidance published yet. 37
Singapore (June 12–16): PDPC signed MOUs with the Republic of Korea and Hong Kong, China on June 16. IMDA updated its Model AI Governance Framework for Agentic AI to v1.5. IMDA and Microsoft signed an AI safety and security MOU on June 12. Singapore and the UK signed a new Memorandum of Cooperation on AI safety and governance. 38

Upcoming compliance deadlines

PriorityDateJurisdictionObligationScope
⚠️ IMMEDIATEJune 22, 2026EUCode of Practice on AI-generated content — info session 14:00–16:00 CEST. Last event before July signatory deadline. Sign or prepare alternative compliance demonstration. 22Generative AI providers and deployers targeting EU market
⚠️ IMMEDIATEJune 23, 2026EUHigh-risk AI classification guidelines consultation closes. Final window to influence Article 6 / Annex III definitions. 21All AI providers conducting Annex I/III self-classification
⚠️ IMMEDIATE~June 29, 2026MissouriSB 1019 (therapy chatbot ban): 45-day governor window expires. $10,000 first / $20,000 subsequent if signed. 15AI therapy chatbot operators with Missouri users
🔴 HIGHJuly 1, 2026 — 12 daysChinaDecree 837 (Outbound Investment Regulations): ODI approval now a condition precedent; AI, algorithms, data, and core technology trigger security review. No official guidance published. 34AI companies with China operations involving ODI, cross-border data transfer, or outbound investment
🔴 HIGHJuly 2, 2026CaliforniaFiscal committee deadline: bills not cleared are dead until August. 15+ AI bills in final stages. 11California legislature watchers; AI companies with active CA lobbying
🔴 HIGHJuly 3, 2026UKDRCF call for input Phase 1 (consumer AI attitudes and risk tolerance) closes. 26Consumer-facing AI companies; FCA-regulated entities deploying AI
🔴 HIGHJuly 12, 2026US FederalNSPM-12: CNSS Directive 900 revision due (30 days from June 12). 6NSS owners and operators; agencies with classified AI workloads
🔴 HIGHJuly 14, 2026US FederalGSA proposed rule (91 FR 36559) — public listening session. 3LLM providers on GSA vehicles; government contractors
🔴 HIGHJuly 15, 2026 — 26 daysChinaCAC No. 21 (Anthropomorphic AI Interaction Services): real-identity verification, content moderation, AI content labeling, minor protection. Zero official guidance published.AI companion, assistant, emotional support, and chatbot operators with Chinese users
🟡 WATCHJuly 30 (latest)EUOJ publication deadline for AI Act Omnibus to take effect before August 2, 2026. If missed, high-risk obligation deferral is not yet legally binding. 21All companies relying on Omnibus high-risk deadline deferral
🟡 WATCH~July 28–30, 2026IllinoisSB 315 (AISM Act): 60-day governor window closes. Pritzker has stated intent to sign. 14Frontier AI developers with annual revenue above $500M
🟡 WATCHAugust 2, 2026EUAI Act Article 50 transparency obligations effective regardless of Omnibus status: chatbot disclosure, deepfake labeling, human-AI interaction disclosure. 20All AI system providers and deployers on the EU market
🟡 WATCHAugust 3, 2026US FederalGSA proposed rule (91 FR 36559) comment deadline. 3LLM providers on or seeking GSA vehicles; government contractors
🟡 WATCHAugust 11, 2026US FederalNSPM-12: NSS cybersecurity roadmap due (60 days); NSS incident reporting standards due.NSS owners/operators; cloud providers with classified AI workload accreditations
🟡 WATCHSeptember 2, 2026UKDRCF call for input Phase 2 (tools and protections consumers need) closes. 26Consumer AI service providers; ICO/Ofcom/CMA/FCA regulated entities
🟡 WATCHDecember 2, 2026EUNudifier ban (Article 5 AI Act) fully effective after transitional period. AI watermarking obligations (Article 50(2)) effective for systems placed on market before August 2. 20Image/video generation providers; AI content platforms
🟡 WATCHDecember 10, 2026AustraliaOAIC ADM transparency obligation: mandatory disclosure of automated decision-making use affecting individuals. 37Entities using AI for automated decisions about individuals in Australia
🟡 WATCHJanuary 1, 2027ColoradoSB 26-189 (ADMT Transparency Act): ADMT notice, 30-day adverse-action explanations, 3-year record retention, AG enforcement. "Materially influence" standard in effect.Deployers using ADMT for consequential decisions in covered domains
🟡 WATCHJanuary 1, 2027IllinoisSB 315 effective if signed: mandatory independent audits, 72-hour incident reporting, pre-deployment transparency reports, whistleblower protections. 14Frontier AI developers with annual revenue above $500M
Cover image: AI-generated.

参考来源

  1. 1DOJ press release — Justice Dept. Files to Intervene and Dismiss xAI Lawsuit
  2. 2Bloomberg Law — Trump DOJ Says xAI Gas Turbines Needed for National Security
  3. 3Federal Register — GSA ICT Acquisition Proposed Rule
  4. 4Morgan Lewis — US CISA, G7 Partners Release AI SBOM Minimum Elements
  5. 5GovInfo — H.R. 9333 AI Flaw Reporting and Security Enhancement Act
  6. 6Federal News Network — Trump memo sets 'aggressive' timelines to secure sensitive systems
  7. 7MLex — Ferguson says FTC poised for jump in US privacy enforcement in late 2026
  8. 8Transformer — Blackburn preemption package, G7 AI talks, White House meetings
  9. 9Vermont Governor's Office — Action Taken June 17, 2026
  10. 10Recording Law — Vermont Enacts H.816 Restricting AI Mental Health Therapy
  11. 11Transparency Coalition — AI Legislative Update June 19, 2026
  12. 12Florida Bar News — AI competence is no longer optional, judges tell Bar Convention
  13. 13Michigan Advance — Senate Democrats propose tighter regulations on data centers
  14. 14Faegre Drinker — Frontier AI Models, Cybersecurity, and the Trump Administration
  15. 15Missouri Senate — SB 1019 Bill Information
  16. 16SAMR — Q2 2026 Press Conference
  17. 17Irish Government — Publication of the Regulation of AI Bill 2026
  18. 18Houses of the Oireachtas — Regulation of AI Bill 2026 (Bill 69/2026)
  19. 19Matheson LLP — Irish Government publishes the AI Bill 2026
  20. 20European Parliament — AI Act: EP approves simplification measures and "nudifier" app ban
  21. 21Gibson Dunn — EU AI Act Omnibus Agreement: Postponed High-Risk Deadlines
  22. 22EC Digital Strategy — Commission publishes Code of Practice on AI-generated content
  23. 23Reuters — Google to challenge German ruling on AI Overview liability
  24. 24DW — German court holds Google liable for fake AI answers
  25. 25EC Digital Strategy — EU and Brazil deepen ties through Digital Partnership
  26. 26Digital Watch — Future of agentic AI: Cross-regulatory perspective from the UK
  27. 27UK Parliament Hansard — AI Regulation Bill, House of Lords, June 4, 2026
  28. 28CCIA Europe — Discriminatory EU Cloud and AI Development Act Risks Severe Market Fragmentation
  29. 29Government of Canada — Tables new legislation to protect children's data and privacy
  30. 30DLA Piper — Overview of Canada's Safe Social Media Act (Bill C-34)
  31. 31Law360 Canada — OPC's Grok investigation points to privacy and online harms reform
  32. 32中国经营报/百度百家号 — 涉AI应用乱象举报专区上线
  33. 33CAC — 金融信息服务数据分类分级指南
  34. 34新浪财经/安永国际 — 对外投资新规合规步骤指南
  35. 35大旗财税 (百度百家号) — 7月1日前企业如何自查ODI风险
  36. 36Digital Policy Alert — Bill amending Network Act (No. 2219336)
  37. 37BSA — Comments on Guidance for Transparency in Automated Decision-Making
  38. 38PDPC Singapore — MOUs with Republic of Korea and Hong Kong, China

相似内容

围绕这条内容继续补充观点或上下文。

  • 登录后可发表评论。