This week’s biggest signal is that AI regulation is moving from principle to operational detail in the EU. The European Commission is using the AI Act consultation and the AI Office’s GPAI and transparency work to shape future obligations, while DORA supervisors are already publishing incident intelligence that should feed directly into financial firms’ resilience programs. In the U.S., the FTC continues to police deceptive AI claims and companion tools, and state/court activity suggests litigation risk is broadening even without a federal AI law. Separately, ISO/IEC 42005:2025 and the first accredited ISO/IEC 42001 certification path give compliance teams more concrete assurance tools right now.
EU AI Act
EU AI Office pushes GPAI transparency baseline
The European Commission’s AI Office is actively advancing codes of practice and related guidance for general-purpose AI and AI-generated content. The published materials show the EU is operationalizing the AI Act through implementation guidance, not waiting for the rulebook to settle on its own.
Why it matters: Providers and deployers of GPAI should start mapping their current documentation, transparency notices, and copyright-related processes against likely AI Act expectations now. Waiting for final delegated or implementing acts increases the risk that product and legal teams will have to retrofit disclosures under time pressure.
Commission consults on cloud and AI policy
The European Commission opened a consultation on future cloud and AI policies, and the call for input explicitly ties into AI Act implementation. The consultation is ongoing and may shape future operational requirements around cloud, compute, interoperability, and AI governance.
Why it matters: Organizations with EU cloud or AI dependencies should consider submitting positions, especially where their deployment model depends on compute access or infrastructure portability. Legal, policy, and engineering teams should align now so internal views are ready before policy options harden into obligations.
DORA
ESAs map DORA incident patterns
The EBA, EIOPA and ESMA published their first annual overview of major ICT-related incidents under DORA. The report underscores that cross-border ICT and AI-driven dependencies are now a supervisory focus for financial entities.
Why it matters: Financial firms should compare their incident taxonomy and escalation workflow to the incident types reflected in the overview, then tighten board reporting and third-party dependency monitoring. If AI tools materially increase attack surface or operational dependence, those risks now need to be clearly reflected in DORA controls and reporting.
GDPR / Data Protection Enforcement
FTC keeps pressure on AI deception claims
The FTC’s recent AI enforcement and 6(b) activity show it is still targeting deceptive AI marketing, misleading chatbot claims, and data-handling practices. The agency is using existing consumer-protection powers to scrutinize AI products without waiting for new AI-specific legislation.
Why it matters: Teams should substantiate every public AI claim, especially any statement implying safety, legal, or performance outcomes. Consumer-facing bots, companion tools, and review-generation features need documented testing, monitoring, and escalation paths because those are the areas most likely to attract Section 5 scrutiny.
ISO Standards
ISO impact-assessment standard now available
ISO published ISO/IEC 42005:2025, a formal standard for AI system impact assessments. It gives organizations a structured way to evidence AI governance alongside ISO/IEC 42001.
Why it matters: Compliance teams can now turn AI impact assessment into a reusable control artifact for significant use cases, rather than relying on ad hoc review notes. That helps with internal audit, customer questionnaires, and certification readiness because it creates a more defensible governance trail.
UKAS accredits first ISO 42001 certifier
UKAS granted BSI accreditation for ISO/IEC 42001 certification, creating a live accredited certification market. That makes independent assurance for AI management systems materially more practical for organizations seeking external validation.
Why it matters: Procurement teams can now distinguish between accredited certification and weaker attestations when assessing suppliers or preparing for customer demands. Companies considering certification should verify whether an accredited path is available in the markets where they operate or sell.
US Federal & State Regulation
State AI litigation risk keeps widening
Recent U.S. court decisions and state legislative actions around AI, biometric data, and automated decision tools indicate that litigation and state-law exposure are expanding. The material does not point to a single federal AI statute, but it does show the risk landscape is becoming more fragmented and more active.
Why it matters: Companies using employment AI, surveillance pricing, or biometric systems should prepare for state-by-state claims and discovery requests, not just regulatory inquiries. Product language, transparency notices, and governance records should be written to survive judicial scrutiny on discrimination and privacy.
On Our Radar
GPAI code of practice: The EU AI Office is still shaping the operational baseline for general-purpose AI. Providers should watch for what becomes expected in practice on transparency, safety, and copyright-related documentation.
DORA incident learning loop: The new annual incident overview is likely to influence how supervisors interpret DORA readiness. Financial firms should expect more attention on cross-border escalation, concentration risk, and third-party dependencies.
FTC AI enforcement tempo: FTC scrutiny of AI claims and companion tools looks set to continue. Marketing, legal, and product teams should keep checking claims against evidence and preserve support files for every public statement.
ISO 42001 certification uptake: With accredited certification now available, demand for ISO/IEC 42001 and ISO/IEC 42005 evidence may rise quickly. Expect customers and auditors to start asking for clearer proof of AI governance maturity.