This week, the biggest compliance movement came from Australia’s eSafety Commissioner, which registered new industry codes and started enforcement activity aimed at AI companion chatbots, age assurance, and child safety. In the EU, ESMA sharpened supervisory expectations for algorithmic trading, while the ESAs flagged geopolitical and private-finance risk pressures that should feed directly into board-level risk reviews. In the US, FDA finalized a device reclassification that changes premarket pathways and special controls for melanoma detection devices and electrical impedance spectrometers. Most of the remaining court items were caption-only and do not create actionable compliance changes yet.
Other jurisdictions / frameworks
Australia tightens rules for AI chatbots and age checks
eSafety registered six new industry codes covering AI chatbots, app stores, pornography services, and social services. The codes create legally enforceable obligations to implement age assurance, safety controls, and privacy safeguards before the social media minimum age obligation takes effect in December 2025.
Why it matters: If your product can reach minors, you now need documented age-gating, child-safety, and privacy controls rather than policy language alone. Compliance teams should treat this as an enforcement-ready regime and check whether age assurance and content restrictions are proportionate and auditable.
eSafety warns on unrestricted AI chatbots
eSafety issued an advisory warning that unrestricted AI chatbots expose children to sex, drug-taking, self-harm, suicide, and eating-disorder content. The advisory is guidance rather than a new rule, but it signals the regulator’s safety-by-design expectations for AI companion products.
Why it matters: Providers should not wait for a formal investigation to add safeguards. This points to immediate review of child access, moderation, escalation paths, and parent-facing disclosures for AI companion services.
eSafety targets AI companion providers
eSafety issued legal notices to four AI companion providers asking how they protect children from sexually explicit conversations, images, suicidal ideation, self-harm, and similar harms. The notices are enforceable and the source warns that non-compliance can expose providers to daily financial penalties.
Why it matters: This is a direct demand for evidence, not just assertions, so teams need ready documentation of design controls and Basic Online Safety Expectations compliance. Legal, compliance, and product owners should coordinate responses immediately because the risk is now enforcement, not just policy review.
ESMA raises algorithmic trading expectations
ESMA issued a supervisory briefing on algorithmic trading, signaling tighter supervisory scrutiny of controls, testing, governance, and monitoring. The briefing is intended to shape supervisory practice across the EU rather than create a new standalone rule.
Why it matters: Firms using automated trading need to prove their governance, kill-switches, testing, and change controls work in practice. If your audit trail is thin, supervisors now have a clear benchmark to challenge approvals, monitoring, and incident response.
ESAs flag geopolitical and private-finance risk
The ESAs’ spring risk update highlights geopolitical pressure and rising private-finance risk exposures. It does not impose a hard deadline, but it clearly points supervisors toward more scrutiny of firms’ risk registers, stress testing, and board reporting.
Why it matters: Compliance and risk teams should refresh scenario analysis, concentration assumptions, and liquidity/counterparty stress tests now. The practical risk is not a new rule, but a mismatch between what your board reports and what supervisors now expect to see.
EU AI Act
ESMA adds AI oversight pressure to trading systems
ESMA’s algorithmic trading briefing was also cross-referenced against EU AI Act governance themes in the source set, reinforcing the need for stronger oversight of automated decision-making in market systems. The briefing itself is supervisory guidance, not a binding AI Act rule.
Why it matters: Organizations using AI in trading should align governance, documentation, and monitoring with both market-supervision expectations and broader AI governance controls. The practical issue is whether you can evidence human oversight and risk management during an exam or incident review.
DORA (Digital Operational Resilience)
Risk update signals resilience pressure in EU markets
The ESAs’ spring risk update points to elevated geopolitical and private-finance risks that can spill into liquidity, concentration, and operational resilience concerns. The source ties the update to supervisory attention rather than a new DORA deadline.
Why it matters: DORA teams should fold these risks into ICT and operational-resilience scenarios, especially where third-party concentration or market stress could disrupt critical services. This is a prompt to test whether resilience plans still reflect the current risk environment.
GDPR / Data Protection Enforcement
Age assurance must respect Australian privacy law
eSafety’s new industry codes require age assurance and privacy safeguards for platforms, AI chatbots, and age-restricted services. The source specifically notes that age-assurance and safety measures must be proportionate and comply with Australian privacy law.
Why it matters: Privacy teams need to assess whether identity checks, age-estimation tools, and logging practices are minimally intrusive and properly disclosed. This matters because an age-safety control that over-collects data can create a new privacy problem even as it solves a child-safety issue.
EDPB publishes 2025 annual report
The EDPB published its 2025 Annual Report on 2026-04-09. The report is retrospective and does not create a new deadline, but it signals supervisory themes and guidance priorities for GDPR teams.
Why it matters: Privacy programs should scan the report for recurring enforcement or guidance themes that may affect current governance, documentation, and stakeholder engagement. This is especially useful for updating board reporting on where European regulators are focusing.
US Federal & State Regulation
FDA reclassifies melanoma detection devices
FDA issued a final order reclassifying optical diagnostic devices for melanoma detection and electrical impedance spectrometers from class III to class II. The move adds special controls and premarket notification obligations for products in scope.
Why it matters: Manufacturers may need to shift submission strategy from class III pathways to 510(k)-style filings where applicable. Teams should also update design controls, labeling, and validation evidence to match the new special controls framework.
ISO Standards
Standards dispute may affect code-use controls
American Society for Testing & Materials v. UPCODES Inc appeared several times in the source set, but only as caption-level court entries with no operative holding provided. One entry notes a decision date, but the excerpt gives no substantive outcome or injunction.
Why it matters: If your organization relies on ASTM materials, code compilations, or standards incorporation, this is a legal-watch item rather than an immediate control change. Keep it on the radar for licensing, publication, and standards-use implications once the opinion is available.
On Our Radar
AI child-safety enforcement: Australia’s eSafety actions show that AI companion and chatbot products are moving from guidance into active enforcement. Expect closer scrutiny of age assurance, self-harm escalation, and child-access controls.
Algorithmic trading supervision: ESMA’s briefing suggests firms should expect supervisors to ask for stronger evidence of testing, kill-switches, and change management. This is worth reviewing before the next supervisory exam or incident review.
FDA pathway changes: The FDA reclassification changes the compliance path for in-scope diagnostic devices. Manufacturers should check whether current submissions and technical files need to be reworked for the new class II framework.