CyberEyeQ Weekly Podcast https://cybereyeq.github.io/podcast/ en-us (c) 2026 CyberEyeQ Two hosts break down enforcement actions, compliance deadlines, and policy developments across AI governance, privacy, cybersecurity, financial services, healthcare, and child safety regulation. Produced from CyberEyeQ's daily regulation tracking pipeline. 10-minute weekly briefings on the regulatory stories that actually matter Two hosts break down enforcement actions, compliance deadlines, and policy developments across AI governance, privacy, cybersecurity, financial services, healthcare, and child safety regulation. Produced from CyberEyeQ's daily regulation tracking pipeline. CyberEyeQ CyberEyeQ info@cybereyeq.com false episodic Thu, 21 May 2026 11:41:04 +0000 Episode 22: CIRCIA Still Missing + EU AI Transparency August 2 + CT Neural Data Episode 22: CIRCIA Still Missing + EU AI Transparency August 2 + CT Neural Data 22 full Thu, 21 May 2026 12:00:00 +0000 cybereyeq-podcast-ep-022 00:09:06 CIRCIA's final rule is still unpublished past its May 2026 target, leaving 300,000 critical infrastructure entities in limbo with $500K/day penalties ahead. Plus: EU AI Act Article 50 transparency obligations still land August 2, Connecticut pioneers neural data protections, and two sector deadlines hit this week — NERC CIP-003-11 on May 26 and EUDAMED on May 28. CIRCIA's final rule is still unpublished past its May 2026 target, leaving 300,000 critical infrastructure entities in limbo with $500K/day penalties ahead. Plus: EU AI Act Article 50 transparency obligations still land August 2, Connecticut pioneers neural data protections, and two sector deadlines hit this week — NERC CIP-003-11 on May 26 and EUDAMED on May 28. Episode 22: CIRCIA Still Missing + EU AI Transparency Lands August 2 + CT Neural Data

Episode 22: CIRCIA Still Missing + EU AI Transparency Lands August 2 + CT Neural Data

CyberEyeQ Weekly Podcast · May 21, 2026 · ~8 min · Hosts: Alex & Sarah

Subscribe via RSS  ·  Apple Podcasts

This Week in One Minute

CIRCIA's final rule remains unpublished past its own May 2026 target — 300,000 critical infrastructure entities in compliance limbo, with $500K/day penalties once the rule lands. The EU AI Act Omnibus is now clearer: Article 50 transparency obligations still hit August 2, 2026 — that date was NOT moved. China confirmed a comprehensive omnibus AI law is in drafting. Connecticut's AI bill passed the legislature: first US law to classify neural data as sensitive personal information, effective July 1. EUDAMED's four mandatory modules go live May 28. NERC CIP-003-11 extends cybersecurity controls to low-impact electric grid sites on May 26.

Top 5 Stories

Critical 1. CIRCIA Final Rule Still Missing

CISA's cyber incident reporting rule missed its own May 2026 target. ~300,000 critical infrastructure entities remain in compliance limbo. DHS funding disruptions cancelled stakeholder town halls; further delay is "increasingly likely." Core requirements — 72-hour incident reporting, 24-hour ransomware payment reporting — are not expected to change. Once published: $500,000/day penalties apply immediately.

Action: Design compliance programs to the proposed rule now. Do not wait for the final.

CISA CIRCIA FAQ

High 2. EU AI Act: What August 2, 2026 Still Means

The Omnibus pushed Annex III deadlines to December 2027 and Annex I to August 2028. But Article 50(1) transparency obligations stay at August 2, 2026: deepfake labelling, AI-interaction disclosure, biometric/emotion-recognition notices. Commission's draft guidelines adopt the "average consumer" standard — consultation closes June 3.

Action: Map every EU-facing AI surface against Article 50(1) and file a consultation response before June 3.

EU Article 50 Consultation

High 3. Connecticut Pioneers Neural Data Protection

Connecticut's AI bill (SB 5) awaits the governor's signature. Effective July 1: neural data (BCI, EEG) classified as sensitive requiring opt-in consent. Minor protections expanded to ages 13-17 with a blanket ban on targeted advertising and data sale. The bill also covers frontier AI supply chains, chatbot transparency, employment AI use, and content provenance.

Action: Reclassify neural-interface product data as sensitive. Rewire minor-protection flows for CT users before July 1.

Medium 4. China's Two-Track AI Governance

Track 1 (May 17): State Council confirms comprehensive national AI law in drafting — a single statute to replace CAC's patchwork. No timeline yet. Track 2 (July 15): CAC Anthropomorphic AI Interactive Services rules effective — mandatory AI identity disclosure, emotional dependency prohibitions, ban on simulating vulnerable groups for China-facing conversational AI.

CAC China

Critical 5. Two Sector Deadlines in 7 Days

May 26 — NERC CIP-003-11: FERC Order No. 918 extends mandatory cybersecurity controls to low-impact Bulk Electric System (BES) Cyber Systems for the first time. Utilities must document physical security, transient cyber asset management, and supply chain risk.

May 28 — EUDAMED Mandatory Modules: Actor registration, UDI/Devices, Notified Bodies & Certificates, and Vigilance modules become mandatory across EU MDR/IVDR. Non-compliant manufacturers risk supply-chain disruption.

Compliance Action Items

  • Now: Design CIRCIA compliance to proposed rule — don't wait for the final.
  • May 26: Audit low-impact BES assets against CIP-003-11 requirements.
  • May 28: Verify EUDAMED SRN issuance; complete UDI submissions before deadline.
  • June 3: File EU Article 50 consultation response if you operate generative, biometric, or emotion-recognition AI in the EU.
  • July 1: Reclassify CT neural data as sensitive; rewire minor ad/data protections for ages 13-17.
  • July 15: Audit China-facing conversational AI for CAC Anthropomorphic AI compliance.
  • August 2: EU AI Act Article 50(1) transparency obligations live — deepfake labelling, AI-interaction disclosure, biometric notices.

Upcoming Deadlines (60 Days)

DateRegulationJurisdictionSector
May 26NERC CIP-003-11 effectiveUSEnergy
May 28EUDAMED four mandatory modulesEUHealthcare / MedTech
June 3EU AI Act Article 50 consultation closesEUAI Governance
July 1Connecticut neural data + privacy + AI amendmentsUS / CTPrivacy / AI
July 15CAC Anthropomorphic AI rules effectiveChinaAI / Conversational AI
August 2EU AI Act Article 50(1) transparency obligationsEUAI Governance

Resources

Subscribe to stay current on regulatory compliance

Add RSS feed to your podcast app
CyberEyeQ — Actionable Regulatory Intelligence · info@cybereyeq.com
]]> false Episode 21: EU AI Three-Track Locks In + Record $12.75M CCPA Fine + China AI Agents Episode 21: EU AI Three-Track Locks In + Record $12.75M CCPA Fine + China AI Agents 21 full Thu, 14 May 2026 12:00:00 +0000 cybereyeq-podcast-ep-021 00:08:36 EU AI Act Digital Omnibus reaches political agreement May 7 (Annex III to Dec 2 2027, GPAI still Aug 2 2026). California AG hits GM/OnStar with a record $12.75M CCPA penalty for selling driver telemetry. Plus: Connecticut SB 5 / SB 4 and Colorado SB 26-189 advance, China issues the first horizontal AI-agent regime, CMS freezes new hospice/HHA Medicare enrollments for six months, Luxembourg NIS2 goes live, and FedRAMP CR26 hits public preview. EU AI Act Digital Omnibus reaches political agreement May 7 (Annex III to Dec 2 2027, GPAI still Aug 2 2026). California AG hits GM/OnStar with a record $12.75M CCPA penalty for selling driver telemetry. Plus: Connecticut SB 5 / SB 4 and Colorado SB 26-189 advance, China issues the first horizontal AI-agent regime, CMS freezes new hospice/HHA Medicare enrollments for six months, Luxembourg NIS2 goes live, and FedRAMP CR26 hits public preview. CyberEyeQ Weekly Podcast — Episode 21 (May 14, 2026)

CyberEyeQ Weekly Podcast

Episode 21 · May 14, 2026 · Source: Weekly Briefing #20 (May 14, 2026)

This week's briefing: Brussels reaches political agreement on the EU AI Act Digital Omnibus (Annex III slips to Dec 2 2027); California AG secures a record $12.75M CCPA penalty against GM/OnStar for selling driver telemetry; Connecticut and Colorado pass new AI laws; China issues the world's first horizontal regime for autonomous AI agents; CMS freezes new hospice and home-health enrollments nationwide for six months; Luxembourg's NIS2 goes live; FedRAMP CR26 enters public preview.

Top 5 Stories

1. EU AI Act Digital Omnibus — Political Agreement, Annex III to Dec 2 2027

On May 7 the Council and Parliament reached political agreement on the EU AI Act Digital Omnibus. Annex III high-risk obligations slip to December 2, 2027; AI embedded in Annex I regulated products moves to August 2, 2028; GPAI enforcement still goes live August 2, 2026; and nudification apps are now banned EU-wide. Risk: governance teams treat the postponement as a pause and miss the GPAI date and the November 2 2026 watermarking obligation.

Source: European Commission — AI Act regulatory framework

2. California AG — Record $12.75M CCPA Penalty Against GM & OnStar

The California Attorney General secured a $12.75 million CCPA penalty against General Motors and OnStar for selling driver geolocation and telemetry data without proper notice or opt-out. The figure is roughly 4.6× the prior Disney/ABC CCPA record. Notable for connected-vehicle and IoT-data programs — the AG is now pricing sensitive-attribute sales materially above prior baselines.

Source: California Attorney General — CCPA enforcement

3. Connecticut SB 5 / SB 4 and Colorado SB 26-189 — State AI & Privacy Wave

Connecticut passed SB 5 (AI) and SB 4 (privacy & data brokers) on May 1; Colorado passed SB 26-189 on May 9 to replace its stayed AI Act. Both Connecticut bills and the Colorado bill are awaiting governor signatures. Pattern continues: state-level AI/privacy frameworks are filling federal gaps and creating compounding multi-state compliance work.

Source: Connecticut General Assembly · Colorado General Assembly

4. China — World's First Horizontal AI-Agent Regime (CAC/NDRC/MIIT, May 8)

On May 8 the Cyberspace Administration of China, the National Development and Reform Commission, and the Ministry of Industry and Information Technology jointly issued Implementation Opinions on autonomous AI agents — the first horizontal regulatory regime for agent-based AI anywhere. Headline obligations: mandatory digital-ID registration for agents, a 70% smart-terminal adoption target by 2027, and supply-chain accountability requirements for terminal manufacturers. Multinational AI deployments with a China nexus need to plan for an agent-registration pathway.

Source: Cyberspace Administration of China

5. CMS Hospice / HHA Enrollment Moratorium — Six Months, Nationwide

On May 13 the Centers for Medicare & Medicaid Services imposed a nationwide six-month moratorium on new Medicare enrollments for hospice agencies and home health agencies under the Anti-Fraud Task Force. Most majority-ownership changes are also paused. Existing providers and current patients are unaffected. The moratorium may be extended in six-month increments. Healthcare M&A counsel: pause hospice/HHA transactions or expect change-of-ownership delays.

Source: CMS — Newsroom

Compliance Action Items

May 19, 2026 (5 days) — FTC Take It Down Act §3 takedown obligations effective. Covered platforms must operationalize a notice-and-takedown process for non-consensual intimate imagery and remove valid-request content (and known identical copies) within 48 hours. Trust & Safety: confirm intake form is live, dedup/hash-matching pipeline is operational, and 48-hour SLA telemetry feeds the audit log.
May 28, 2026 (14 days) — EUDAMED four-module mandatory use. Actor registration, UDI/Devices, Notified Bodies & Certificates, and Vigilance modules become mandatory across the EU MDR/IVDR perimeter. MedTech RA: verify SRN issuance and complete UDI submissions before this date.
June 11, 2026 — EU CRA Member-State conformity-assessment-body designation. Member States must designate CABs under the Cyber Resilience Act framework.
June 19, 2026 — UK DUAA mandatory complaints-procedure deadline.
End of June 2026 — FedRAMP CR26 final. Public preview launched May 4; final by end of June; in force early July; baseline runs through December 31, 2028. Cloud providers seeking federal authorization: review the preview now.
August 2, 2026 — EU AI Act GPAI obligations operative. Despite the Annex III/Annex I postponements, general-purpose AI enforcement is still on the original timeline.
November 2, 2026 — EU AI Act watermarking obligation. Any organisation creating synthetic media. Don't let the Annex III/Annex I postponements push this date out of view.
December 2, 2027 — EU AI Act Annex III high-risk obligations (revised).

Enforcement Watch

  • California AG — $12.75M CCPA penalty against GM/OnStar for selling driver geolocation/telemetry; ~4.6× the prior Disney/ABC record.
  • CMS — Six-month nationwide moratorium on new hospice/HHA Medicare enrollments effective May 13 under the Anti-Fraud Task Force.
  • Luxembourg — NIS2 transposition went live May 10; EU tally now ~23 of 27 Member States transposed.
  • CISA — CIRCIA final rule still pending; the May target window closed without publication.

Resources & References

CyberEyeQ Weekly is an automated regtech-intelligence digest. The dialogue is generated from the weekly newsletter; treat the show notes and the underlying primary-source links as authoritative.

RSS: https://cybereyeq.github.io/podcast/feed.xml

]]> false Episode 20: EU AI Three-Track Timeline + EUDAMED Deadline + China Crypto Marketing Ban Episode 20: EU AI Three-Track Timeline + EUDAMED Deadline + China Crypto Marketing Ban 20 full Thu, 07 May 2026 12:00:00 +0000 cybereyeq-podcast-ep-020 00:07:43 Three-week look at the regtech week-of-April-30: EU Digital Omnibus on AI emerges as a three-track program (watermarking Nov 2 2026, Annex III Dec 2 2027, Annex I Aug 2 2028), HHS OCR's $1.165M four-settlement HIPAA ransomware bundle, today's Ofcom OSA platform deadline, China's eight-agency online crypto-marketing ban, and the EDPB's 25-DPA Article 12-14 transparency sweep. EUDAMED four-module mandatory use lands May 28. Three-week look at the regtech week-of-April-30: EU Digital Omnibus on AI emerges as a three-track program (watermarking Nov 2 2026, Annex III Dec 2 2027, Annex I Aug 2 2028), HHS OCR's $1.165M four-settlement HIPAA ransomware bundle, today's Ofcom OSA platform deadline, China's eight-agency online crypto-marketing ban, and the EDPB's 25-DPA Article 12-14 transparency sweep. EUDAMED four-module mandatory use lands May 28. CyberEyeQ Weekly Podcast — Episode 20 (May 7, 2026)

CyberEyeQ Weekly Podcast

Episode 20 · May 7, 2026 · Source: Weekly Briefing #19 (April 30, 2026)

This week's briefing: the EU Digital Omnibus on AI moves into a three-track compliance program; HHS OCR bundles four HIPAA ransomware settlements; Ofcom's OSA platform-response deadline lands; eight Chinese regulators ban online crypto marketing; and the EDPB launches a 25-DPA transparency sweep.

Top 5 Stories

1. EU Digital Omnibus on AI — Three-Track Compliance Program Emerges

The April 28 trilogue reached political agreement on the AI Act timeline split. Proposed deadlines: watermarking obligation Nov 2, 2026; Annex III high-risk systems Dec 2, 2027; Annex I embedded AI Aug 2, 2028. Risk: governance teams treat the postponement as a pause and miss the Nov 2026 watermarking date.

Source: European Commission — AI Act

2. HHS OCR HIPAA Ransomware Bundle — $1.165M Across Four Settlements

OCR settled four investigations on April 23, 2026: Regional Women's Health Group/Axia (37,989 affected), Assured Imaging, Star Group L.P. Health Benefits Plan, and Consociate Health. 427K individuals affected total. 2-year corrective action plans on each. Risk Analysis Initiative now extends to risk management, not just analysis.

Source: HHS — OCR Settles Four Ransomware Investigations

3. UK Ofcom Online Safety Act — Mandatory Platform Submissions

April 30 was the mandatory deadline for Facebook, Instagram, Roblox, Snapchat, TikTok, and YouTube to provide written submissions on under-18 protection measures. Six post-OSA age-assurance fines totalling £2.3M+ already logged. Non-response or weak response expected to drive the next enforcement wave through May.

Source: Ofcom — Protecting Children

4. China — PBOC + Seven Agencies Ban Online Crypto Marketing

The Financial Product Online Marketing Management Measures, issued April 24, 2026 by PBOC plus seven other regulators (effective September 30, 2026), explicitly prohibit online marketing for virtual-currency issuance and trading. Also bans misleading promotional language ("low barrier", "instant funding"), requires loan products to display annualised interest rates, and limits live-stream financial promoters to direct employees of licensed institutions. Liability sits squarely on the platform.

Source: People's Bank of China

5. EDPB Coordinated Enforcement Framework — Transparency Sweep

The European Data Protection Board launched its 2026 Coordinated Enforcement Framework focused on GDPR Articles 12–14 transparency obligations. Twenty-five Data Protection Authorities are participating. The throughline for 2026: "say what you do, in writing, before you do it." Disclosure design is no longer a late-stage task.

Source: EDPB — Coordinated Enforcement Framework

Compliance Action Items

May 4, 2026 (past) — CISA KEV remediation. Eight-CVE batch (PaperCut, JetBrains TeamCity, three Cisco CVEs) for FCEB agencies under BOD 22-01. Private-sector benchmark. If you missed it: confirm patches in place and document remediation evidence.
May 28, 2026 (21 days) — EUDAMED four-module mandatory use. Actor registration, UDI/Devices, Notified Bodies & Certificates, Vigilance modules become mandatory across the EU MDR/IVDR perimeter. MedTech regulatory affairs — verify SRN issuance and complete UDI submissions before this date.
June 1, 2026 — CMS CY2027 MA / Part D final rule effective.
June 11, 2026 — EU CRA Member-State conformity-assessment-body designation.
June 19, 2026 — UK DUAA mandatory complaints-procedure deadline.
June 30, 2026 — Colorado AI Act enforcement clock (absent further amendments).
September 30, 2026 — China Financial Product Online Marketing Measures effective. Multinational platforms with a China nexus: expect inspection campaigns. Audit affiliate-link and in-stream commerce flows for crypto and financial-product references.
November 2, 2026 — EU AI Act watermarking obligation. Any organisation creating synthetic media. Don't let the Annex III/Annex I postponements push this date out of view.

Enforcement Watch

  • OCR HIPAA Ransomware Bundle — $1,165,000 across 4 settlements (April 23, 2026). Largest single-day Risk Analysis Initiative bundle since October 2024.
  • CFTC + SDNY parallel insider-trading action (April 23). First-of-its-kind on a CFTC-regulated prediction market.
  • Ofcom post-OSA age-assurance fines — £2.3M+ cumulative across six actions.
  • FTC OkCupid / Match Group privacy settlement. First Section 5 privacy settlement under Chair Ferguson.

Resources & References

CyberEyeQ Weekly is an automated regtech-intelligence digest. The dialogue is generated from the weekly newsletter; treat the show notes and the underlying primary-source links as authoritative.

RSS: https://cybereyeq.github.io/podcast/feed.xml

]]> false Episode 19: EU Digital Omnibus Lands + $1.165M HIPAA Ransomware Bundle Episode 19: EU Digital Omnibus Lands + $1.165M HIPAA Ransomware Bundle 19 full Thu, 30 Apr 2026 12:00:00 +0000 cybereyeq-podcast-ep-019 00:07:59 EU AI Act Digital Omnibus hits political agreement at the April 28 trilogue with a three-track new timeline (Annex III Dec 2 2027, Annex I Aug 2 2028, watermarking Nov 2 2026). Plus: OCR's $1.165M four-settlement HIPAA ransomware bundle, today's Ofcom OSA platform deadline, China's eight-agency crypto-marketing ban, and the EDPB's 25-DPA transparency sweep. EU AI Act Digital Omnibus hits political agreement at the April 28 trilogue with a three-track new timeline (Annex III Dec 2 2027, Annex I Aug 2 2028, watermarking Nov 2 2026). Plus: OCR's $1.165M four-settlement HIPAA ransomware bundle, today's Ofcom OSA platform deadline, China's eight-agency crypto-marketing ban, and the EDPB's 25-DPA transparency sweep. CyberEyeQ Weekly — Episode 19 (April 30, 2026)

Episode 19: EU Digital Omnibus Lands + $1.165M HIPAA Ransomware Bundle

CyberEyeQ Weekly · April 30, 2026 · ~9 minutes

This week's five stories: the EU Digital Omnibus on AI hits political agreement at the April 28 trilogue with a three-track new timeline; OCR settles four ransomware investigations on a single day; Ofcom's hard platform-response deadline lands today; eight Chinese regulators outlaw online marketing of crypto and other illegal financial products; and the EDPB launches a 25-DPA coordinated enforcement sweep on GDPR transparency.

Top 5 Stories

1. EU Digital Omnibus on AI — Political agreement at April 28 trilogue

The trilogue converged on three structural changes: Annex III high-risk standalone systems postponed to December 2, 2027; Annex I AI embedded in regulated products to August 2, 2028; and a watermarking obligation for AI-generated content on November 2, 2026. Note: this is political agreement, not yet legal enactment — until Official Journal publication, August 2, 2026 remains operative.

Sources: European Parliament Legislative Train · European Commission — AI regulatory framework · A&O Shearman — Digital Omnibus trilogue analysis

2. HHS OCR HIPAA Ransomware Bundle — $1.165M, four settlements (April 23)

OCR settled four ransomware investigations on April 23: Regional Women's Health Group / Axia (37,989 affected), Assured Imaging, Star Group L.P. Health Benefits Plan, and Consociate Health. Total payments $1,165,000; 427,000 individuals affected; two-year corrective action plans on each. Largest single-day Risk Analysis Initiative bundle since October 2024. Posture shifts from risk analysis to risk management evidence.

Source: HHS — OCR settles four ransomware investigations

3. Ofcom OSA platform-response deadline — Today (April 30)

Mandatory written submissions due today from Facebook, Instagram, Roblox, Snapchat, TikTok, and YouTube on under-18 protection measures under the UK Online Safety Act 2023. Six post-OSA age-assurance fines totalling £2.3M+ already logged. Non-response expected to feed Ofcom's next enforcement wave through May.

Source: Ofcom — Protecting Children

4. China — Eight-agency Financial Product Online Marketing Measures (April 24)

PBOC + MIIT + SAMR + NFRA + CSRC + NIPA + CAC + SAFE released the Financial Product Online Marketing Management Measures (金融产品网络营销管理办法), effective September 30, 2026. Bans misleading promotional language; requires loan products to display annualised rates; restricts live-stream/short-video promoters to direct employees of licensed institutions; explicitly prohibits online marketing services for virtual currency issuance and trading.

Sources: Bastille Post — China adopts marketing measures · Cointelegraph — Crypto promotion ban

5. EDPB 2026 Coordinated Enforcement Framework — GDPR transparency

EDPB launched its 2026 CEF on GDPR Articles 12–14 (privacy-notice transparency); 25 supervisory authorities participating. Companion development: Ireland's DPC opened an inquiry into X / Grok using public posts to train an LLM — Article 13/14 question.

Source: EDPB — 2026 CEF on transparency

Compliance Action Items with Deadlines

TODAY · April 30, 2026 — UK platform legal/policy leads (Facebook, Instagram, Roblox, Snapchat, TikTok, YouTube): confirm Ofcom submission filed and audit log retained. UK · OSA
May 4, 2026 (4 days) — Federal civilian agencies and benchmarked private-sector teams: remediate the 8-CVE CISA KEV batch (PaperCut, JetBrains TeamCity, Cisco). US · CISA
May 28, 2026 (28 days) — MedTech regulatory affairs: complete EUDAMED actor / UDI / Notified Body / Vigilance module registration ahead of mandatory use. EU · MDR/IVDR
June 19, 2026 (50 days) — UK organisations: implement DUAA mandatory complaints procedure. UK · DUAA
September 30, 2026 (155 days) — Multinational platforms with China nexus: complete financial-promotion content review under PBOC + 7-agency Measures. China · Financial
November 2, 2026 (188 days) — AI-generated content producers: implement watermarking under EU AI Act Omnibus track. EU · AI Act

Resources

CyberEyeQ — Actionable Regulatory Intelligence. This podcast is for informational purposes only and does not constitute legal advice. Always consult qualified legal counsel for compliance decisions. Contact: info@cybereyeq.com

]]> false Episode 18: EU AI Act Countdown + Iranian OT Attacks on US Infrastructure Episode 18: EU AI Act Countdown + Iranian OT Attacks on US Infrastructure 18 full Sun, 26 Apr 2026 12:00:00 +0000 cybereyeq-podcast-ep-018 00:11:59 EU AI Act Omnibus trilogue targets April 28 for a deal that would push high-risk compliance to December 2027 — but August 2 remains operative until enacted. Plus: Iranian APTs actively attacking US critical infrastructure PLCs, COPPA 2025 now in force, China supply chain data conflicts, and FDA-CMS RAPID device coverage pathway. EU AI Act Omnibus trilogue targets April 28 for a deal that would push high-risk compliance to December 2027 — but August 2 remains operative until enacted. Plus: Iranian APTs actively attacking US critical infrastructure PLCs, COPPA 2025 now in force, China supply chain data conflicts, and FDA-CMS RAPID device coverage pathway. CyberEyeQ Weekly — Episode 18: EU AI Act Countdown + Iranian OT Attacks (2026-04-26)

← All Episodes

Episode 18: EU AI Act Countdown + Iranian OT Attacks

Published: April 26, 2026  ·  CyberEyeQ Weekly  ·  ~9 min

⏰ Upcoming Deadlines

EU AI Act Omnibus — Trilogue political agreement targetedApr 28
OCC GENIUS Act Stablecoin NPRM — Comment deadlineMay 1
China CAC Draft Digital Virtual Human Measures — Comment closesMay 6
EUDAMED — Mandatory enforcement beginsMay 28
NERC CIP-003-11 — Effective dateMay 26
MiCA CASP transitional period endsJul 1
EU AI Act high-risk compliance (operative until Omnibus enacted)Aug 2

This Week's Top 5

URGENT1. EU AI Act Digital Omnibus — April 28 Trilogue

The EU Parliament and Council are targeting a political agreement on April 28 that would delay the high-risk AI compliance deadline from August 2, 2026 to December 2, 2027 for standalone Annex III systems (and August 2028 for AI in regulated products).

Critical caveat: No agreement has been reached yet. August 2, 2026 remains the operative enforcement date (97 days). Do not pause conformity assessments.

The Omnibus also introduces a new prohibition on AI-generated non-consensual intimate imagery of real, identifiable persons, and softens mandatory AI literacy training to a voluntary industry initiative.

Action items:

  • Monitor April 28 for political agreement announcement
  • Continue treating August 2, 2026 as the compliance deadline until Official Journal publication
  • Audit image/video generation products against the forthcoming non-consensual intimate imagery prohibition

Sources: EU Parliament Legislative Train · Ropes & Gray Analysis

CRITICAL THREAT2. Iranian APT Actively Exploiting US Critical Infrastructure PLCs

CISA, FBI, NSA, EPA, DOE, and US Cyber Command issued joint advisory AA26-097A (April 7, 2026). Iranian-affiliated threat actors have been exploiting internet-facing Rockwell Automation Allen-Bradley PLCs across energy, water, healthcare, and manufacturing since at least March 2026, causing operational disruptions.

Action items:

  • Audit all internet-facing OT/SCADA devices; take offline from public internet immediately where possible
  • Review CISA AA26-097A indicators of compromise against OT logs now
  • Apply Rockwell Automation security hardening for Allen-Bradley PLCs
  • Verify OT-specific incident detection rules are active

Sources: CISA AA26-097A · Cybersecurity Dive

NOW IN FORCE3. COPPA 2025 Amendments — Compliance Deadline Passed April 22

The FTC's amended COPPA Rule is now enforceable. No grace period has been announced. Four new obligations are in force:

  • Biometric identifiers (fingerprints, face prints, voice prints) added to COPPA-protected information
  • Separate parental consent required for sharing children's data with third parties for targeted advertising
  • Written information security program and data retention policy with named responsible party required
  • New consent methods approved: text message and knowledge-based authentication

Action items:

  • Verify written WISP and data retention policy are finalized and signed off
  • Audit all third-party data sharing flows for children's data; confirm separate consent is live
  • Document compliance progress — partial compliance with evidence is better than nothing

Sources: Hunton Andrews Kurth · White & Case

MNC RISK4. China Decrees 834 & 835 — Supply Chain Data Creates Cross-Jurisdictional Conflict

State Council Decree 834 (effective April 7, 2026) creates China's first supply chain security framework. Article 13 restricts collection/transfer of supply chain data located in China. Article 15 authorizes and Article 16 mandates countermeasures against non-compliant multinationals.

The conflict: Compliance with the EU CSDDD or US Uyghur Forced Labor Prevention Act (UFLPA) — both of which require supply chain data collection — may simultaneously violate Decree 834 Article 13. No implementing guidelines or grace periods have been issued.

Decree 835 (also effective April 7) establishes a Malicious Entity List blocking compliance with certain foreign legal orders.

Action items:

  • Legal review of cross-border supply chain data flows against Decree 834 Article 13 scope
  • Assess UFLPA/CSDDD compliance programs for China conflict exposure
  • Brief China subsidiary leadership on Article 15/16 countermeasure risk

Sources: Morgan Lewis · State Council (English)

OPPORTUNITY5. FDA-CMS RAPID Pathway — Breakthrough Device Coverage in 2 Months

FDA and CMS jointly announced the RAPID (Regulatory Alignment for Predictable and Immediate Device) coverage pathway on April 23, 2026. Eligible breakthrough devices can receive Medicare national coverage within approximately two months of FDA market authorization — down from one year or more under the current process.

Eligibility: FDA Breakthrough Device designation + unmet Medicare beneficiary need + IDE study enrolling Medicare patients.

A proposed procedural notice will be published in the Federal Register with a 60-day comment period. A separate near-term deadline: EUDAMED mandatory enforcement begins May 28 (32 days) for EU medical device manufacturers.

Action items:

  • Evaluate pipeline devices for RAPID eligibility criteria (breakthrough designation + IDE study with Medicare enrollees)
  • Monitor Federal Register for procedural notice; submit comments in the 60-day window
  • Confirm EUDAMED registration is complete ahead of May 28

Sources: FDA Announcement · CMS Press Release

📚 Resources

CyberEyeQ Weekly · Episode 18 · April 26, 2026 · Generated from CyberEyeQ daily regulation tracking pipeline

]]> false Episode 17: COPPA Deadline in 4 Days + China AI Companion Law Episode 17: COPPA Deadline in 4 Days + China AI Companion Law 17 full Sat, 18 Apr 2026 12:00:00 +0000 cybereyeq-podcast-ep-017 00:09:55 FTC's amended COPPA Rule takes effect April 22 (4 days). China's AI Companion Law passes second NPCSC reading. Plus updates on EU AI Act GPAI compliance and 3 enforcement actions worth tracking. FTC's amended COPPA Rule takes effect April 22 (4 days). China's AI Companion Law passes second NPCSC reading. Plus updates on EU AI Act GPAI compliance and 3 enforcement actions worth tracking. CyberEyeQ Weekly Podcast — Episode 17 (April 18, 2026)

CyberEyeQ Weekly Podcast — Episode 17

Date: April 18, 2026 · Duration: ~10 minutes · Hosts: Alex Chen & Dr. Sarah Kim

Your weekly briefing on the regulatory stories that actually matter for compliance teams. Sourced from CyberEyeQ Weekly Newsletter Issue #17.

This Week's Top 5 Stories

  • 1. COPPA Amended Rule — Full Compliance Deadline (April 22, 4 days out). Operators of child-directed services need written security programs, retention policies, and separate verifiable parental consent for non-integral disclosures. Biometric identifiers (voiceprints, faceprints, facial templates) are now protected personal information.
  • 2. China Finalizes World's First AI Companion Law. Interim Measures for Anthropomorphic AI Interaction Services (CAC, NDRC, MIIT, MPS, SAMR), effective July 15, 2026. Blanket ban on virtual intimate relationships for minors; mandatory AI-nature disclosure and 2-hour continuous-use reminders; consent required before interaction data is used for model training. Fines RMB 10,000–200,000 with service-suspension powers.
  • 3. FinCEN Proposes Largest AML Overhaul in Decades. Joint NPRM with OCC, FDIC, NCUA shifts US AML/CFT compliance from an "existence" standard to an "effectiveness" standard. Includes an innovation safe harbor for AI/ML in compliance — a first for US financial regulation. Comments due June 9, 2026.
  • 4. EU Cyber Resilience Act — Conformity Body Notification Deadline. Member States must designate notifying authorities for conformity assessment bodies by June 11, 2026 (54 days out). Manufacturer reporting obligations for actively exploited vulnerabilities take effect September 11, 2026. Covers all products with digital elements placed on the EU market.
  • 5. EU Digital Omnibus Trilogue — Targeted April 28. Political trilogue aims to finalize deal on AI Act high-risk deadline extensions and new prohibited-practice rules. Outcome will shape 2026–2027 AI Act compliance roadmaps.

Action Items This Week

  • Verify COPPA program covers biometric data and confirm written security / retention policies are operational before April 22.
  • If you operate emotional-AI or companion products with users in China, begin compliance mapping against the July 15 effective date.
  • US financial institutions: start drafting a FinCEN comment letter and assess your AML program against the effectiveness standard. Deadline June 9.
  • Watch Colorado AI Act enforcement begin June 30 (75 days) and EUDAMED mandatory use begin May 28 (40 days).

Full Transcript

Alex: Welcome back to the CyberEyeQ Weekly Podcast. I'm Alex Chen, and this is your ten-minute briefing on the regulatory stories that actually matter for compliance teams. With me as always is Dr. Sarah Kim, our regulatory analyst. Sarah, we have an unusually deadline-heavy week. What should listeners focus on first?

Sarah: Alex, the single most urgent item on every compliance calendar right now is the FTC's amended COPPA Rule. Full compliance is due April 22, which is exactly four days from today. Operators of child-directed websites and services must have a written information security program, a written data retention policy, and separate verifiable parental consent for any non-integral data disclosure. On top of that, biometric identifiers — voiceprints, faceprints, facial templates — are now explicitly protected personal information under COPPA.

Alex: So this is not a drill. What should compliance teams be doing right now?

Sarah: Three things. One: verify that your COPPA program covers biometric data, not just traditional identifiers. Two: review your parental consent flows for non-integral disclosures, which is the trickiest new category. Three: confirm your written security and retention policies are documented and actually operational — not sitting in a draft folder. And separately, remember the Senate just passed COPPA 2.0 unanimously, which extends protections to ages 13 through 16. That's on the horizon, but April 22 is the live wire.

Alex: Let's pivot across the Pacific. On April 10, China finalized what our newsletter calls the world's first AI companion regulation. Walk us through it.

Sarah: This is a landmark. Four agencies — the CAC, NDRC, MIIT, MPS, and SAMR — jointly issued the Interim Measures for the Administration of Anthropomorphic AI Interaction Services. Effective July 15, so a 90-day compliance window starts now. The centerpiece is a blanket prohibition on virtual intimate relationships — virtual family members, virtual partners — for minors. All covered services must disclose that the user is interacting with AI, must issue continuous-use reminders every two hours, must obtain separate user consent before using interaction data for model training, and must undergo security assessments if they exceed one million registered users or 100,000 monthly active users.

Alex: What's the penalty range, and why does this matter outside China?

Sarah: Fines run from 10,000 to 200,000 RMB, with service suspension powers available to regulators. But the real significance is global. This is the first regulatory framework anywhere to treat sustained emotional AI interaction as a distinct category requiring specialized oversight. The EU AI Act addresses exploitation of vulnerabilities for specific groups, but not emotional engagement as a category. The US has COPPA for children's data, but nothing specifically about the psychological dynamics of AI companionship. European and US regulators will study this template closely. If you operate companion chatbots or emotional-AI products accessible to Chinese users, compliance mapping needs to start this week.

Alex: Let's talk about money. FinCEN proposed what the newsletter calls the largest AML overhaul in decades. What's actually changing?

Sarah: It's a philosophical shift. For decades, US anti-money laundering compliance has been measured against an existence standard — does your program exist, does it cover the required components. FinCEN's proposed rule, developed jointly with the OCC, FDIC, and NCUA, replaces that with an effectiveness standard — does your program actually work. That's a fundamentally different regulatory posture. The rule also includes an innovation safe harbor that explicitly encourages the use of AI and machine learning in AML compliance without triggering additional enforcement risk. That's a first for US financial regulation.

Alex: And the comment deadline?

Sarah: June 9, so you have roughly 52 days. Banks, credit unions, and money services businesses should be drafting comment letters now. The practical question is whether your current AML program — your transaction monitoring, your customer due diligence, your suspicious activity reporting — can demonstrate effectiveness, not just coverage. Institutions with mature risk analytics are well-positioned. Institutions relying on legacy rules-based systems will need to invest.

Alex: Over to Europe, but sticking with cybersecurity. The EU Cyber Resilience Act has a conformity body notification deadline coming up on June 11. Why does this matter?

Sarah: The CRA is the EU's comprehensive cybersecurity regulation for products with digital elements — everything from consumer IoT to enterprise software. Member States must designate notifying authorities responsible for conformity assessment bodies by June 11, so 54 days from now. That's the infrastructure step. The real operational hammer comes on September 11, when manufacturer reporting obligations for actively exploited vulnerabilities take effect.

Alex: What should manufacturers be doing now?

Sarah: Two things. First, review the CRA conformity assessment requirements for your specific product category — some products will need third-party assessment, others can self-declare, and getting that classification wrong is expensive. Second, engage with the designated notifying authorities in your operating jurisdictions as they come online. If you ship products with digital elements into the EU, this is not optional. And start building your vulnerability disclosure and reporting workflow now, because the September 11 deadline for reporting actively exploited vulnerabilities is an absolute cliff.

Alex: Last story. The EU Digital Omnibus — there's a political trilogue targeted for April 28, just ten days out. What's at stake?

Sarah: The trilogue aims to finalize a political deal on extensions to the AI Act's high-risk system deadlines and on new prohibited-practice rules. For companies that have been building AI Act compliance programs assuming the original deadlines, this could mean more runway — or it could mean new obligations, depending on how the final text lands. The key thing for compliance teams is: don't assume your current AI Act implementation plan is final. Track the April 28 outcome closely, because it will shape your 2026 and 2027 compliance roadmap.

Alex: Sarah, before we close, three takeaways for compliance teams leaving this podcast.

Sarah: First: if you operate any child-directed service, COPPA April 22 is non-negotiable. Verify your written security program, data retention policy, and biometric data controls today. Second: if you operate emotional-AI or companion products, begin China compliance mapping now — the July 15 effective date gives you 90 days and the penalty exposure includes service suspension. Third: if you're a US financial institution, start drafting your FinCEN comment letter this week and begin assessing whether your AML program meets an effectiveness standard, not just an existence standard.

Alex: And one more to watch. Colorado's AI Act enforcement begins June 30 — that's 75 days from now — for high-risk AI system deployers. If you haven't started your Colorado impact assessments, that deadline is the next one after China.

Sarah: Right. And EUDAMED mandatory use for medical device manufacturers begins May 28. That's 40 days out. A lot of calendars are converging this quarter.

Alex: That's the briefing. Five stories, four urgent deadlines, one clear message: the regulatory velocity is not slowing down. Subscribe to the CyberEyeQ Weekly Newsletter for the full written briefing, the enforcement watch, and our deep dives. Thanks for listening. I'm Alex Chen, she's Dr. Sarah Kim, and we'll see you next week.

Sarah: Thanks Alex. Stay compliant out there.

Subscribe to the CyberEyeQ Weekly Newsletter
Actionable regulatory intelligence across AI governance, financial services, healthcare, cybersecurity, privacy, age verification, cloud security, and China regulation — delivered weekly.
Contact: info@cybereyeq.com

Episode sourced from CyberEyeQ Weekly Newsletter Issue #17 (April 16, 2026). All fine amounts, dates, and regulatory details verified against the newsletter source. This podcast is for informational purposes only and does not constitute legal advice.

]]> false