This week, the EU AI Act stayed on a live compliance footing as the EESC backed simplification in the AI and Digital Omnibus proposals but warned high-risk obligations may still bite as early as August 2026. In the UK, the ICO reiterated that its AI and data protection guidance is the operational baseline for UK GDPR enforcement, so AI DPIAs, transparency, and automated decision-making controls remain expected now. In the US, Congress still has no single federal AI statute, while the FTC opened comment on an AI accuracy policy statement that could sharpen scrutiny of performance claims under Section 5. Separately, ISO/IEC 42001 is maturing as a certification ecosystem, which matters for firms using it as evidence of AI governance readiness.
EU AI Act
EESC backs AI Omnibus, warns August deadlines loom
The European Economic and Social Committee supported simplification of the AI Act and wider digital rulebook through the AI Omnibus and Digital Omnibus proposals. It also warned that high-risk AI obligations are still expected to become binding as early as August 2026, despite the simplification debate.
Why it matters: Companies should not pause high-risk AI planning while omnibus negotiations continue. Teams still need to map provider and deployer responsibilities, evidence AI literacy and transparency controls, and track where harmonised standards and notified body capacity may affect launch timing.
Read source →GDPR / Data Protection Enforcement
ICO says AI guidance is enforcement baseline
The UK ICO said its AI and data protection guidance is both compliance best practice and the basis for audit and enforcement activity. It is updating the guidance hub to reflect new UK legislative developments, including the Data (Use and Access) Act 2026.
Why it matters: UK teams using AI on personal data should treat the ICO guidance as current supervisory expectation, not optional advice. That means keeping AI DPIAs current, documenting automated decision-making, and checking governance, vendor oversight, and rights-handling processes against the ICO toolkit.
Read source →US Federal & State Regulation
Congress still lacks a unified federal AI law
Several AI-adjacent bills remain active in Congress, but none creates a single federal AI regime. Federal compliance planning therefore remains agency-driven rather than statute-driven, with sector regulators still setting the practical rules.
Why it matters: Compliance teams should track bills only where they affect their sector or federal contracting exposure. Do not treat pending legislation as overriding FTC, SEC, FDA, or EEOC obligations.
Read source →FTC targets AI accuracy claims for comment
The FTC opened public comment on a proposed policy statement addressing AI accuracy claims. The move signals heightened scrutiny of claims about model performance, detection, and benchmarks under Section 5 deception standards.
Why it matters: Marketing, sales, and product teams should review public-facing AI claims now and keep substantiation files ready. If demos, benchmarks, or output claims overstate capability, they could create deception risk before any final policy is issued.
Read source →ISO Standards
ISO 42001 certification ecosystem keeps expanding
ISO/IEC 42001 is being operationalized through new accreditation and certification guidance, making the assurance market around the standard more mature. The update points organizations to related ISO/IEC 42006 and assessor guidance when selecting certifiers and relying on certifications.
Why it matters: If your company uses ISO/IEC 42001 as evidence of AI governance, you now need to verify the certifier is properly accredited for your jurisdiction and assurance needs. This also means aligning scope, statement of applicability entries, and audit evidence before treating a certificate as a credible control signal.
Read source →On Our Radar
AI Omnibus trilogue: The EU simplification talks are moving, but high-risk AI obligations may still arrive on a near-term timetable. Watch for changes to transparency, AI literacy, and role allocation requirements.
ICO guidance refresh: The UK ICO says its AI guidance hub will be updated for new legislation. Compliance teams should monitor whether the Data (Use and Access) Act 2026 changes supervisory expectations.
FTC claim substantiation: The FTC comment process could harden expectations around AI accuracy and performance claims. Companies with public benchmarks or product demos should be ready to evidence every material claim.
ISO 42001 vendor due diligence: As accreditation guidance matures, buyers will need to distinguish real assurance from generic claims of certification. Procurement and legal teams should check certifier recognition before relying on certificates.