AI Compliance Map - Jul 3-10

AI Compliance Map - Jul 3-10

Weekly compliance impact map for July 3, 5:34 p.m. through July 10, 5:00 p.m. (UTC-05:00), focused on actionable AI regulatory developments across US federal/state, EU/UK/Ireland, China, APAC, Canada, and Australia.

Immediate triage queue as of July 10, 2026:
  1. July 12 - US national security systems and Missouri: the Committee on National Security Systems (CNSS) Directive 900 reaches its National Security Presidential Memorandum 12 (NSPM-12) revision checkpoint, and Missouri SB 1019 reaches the approximate end of the 45-day governor-action window after May 28 delivery. 1 2
  2. July 15 - China CAC No. 21: Cyberspace Administration of China (CAC) anthropomorphic AI interaction service rules take effect, and major Chinese platforms have already announced or completed agent-function removals. 3 4
  3. July 31 - FTC: comments close on the Federal Trade Commission (FTC) proposed AI accuracy policy statement, which frames undisclosed output steering as a possible Section 5 deception issue. 5
  4. August 2 - EU AI Act: Article 50 transparency obligations remain the near-term EU implementation date while the Digital Omnibus has not yet appeared in the Official Journal. 6 7
  5. October 30 - EDPB: public comments close on the new European Data Protection Board (EDPB) anonymisation and generative-AI web scraping guidelines. 8
This issue covers July 3, 2026, 5:34 p.m. through July 10, 2026, 5:00 p.m. (UTC-05:00), slightly shorter than the normal weekly cycle because the previous issue published late. The main compliance shift is that several pending tracks became implementation work: Illinois enacted a frontier-model audit law, the FTC moved its accuracy-suppression theory into the Federal Register, the EDPB opened new GDPR guidance consultations for generative AI, and China moved toward July 15 enforcement with platform removals already underway. 9 5 8 4
The fastest useful read is by workstream: calendar the dates below, route Illinois and China companion-AI items to product and safety owners, route FTC and EU Article 50 items to disclosure counsel, and route EDPB plus Japan privacy changes to data-governance leads.

Upcoming compliance dates

DateJurisdictionObligation or eventAffected entitiesStatus or next action
July 12, 2026US federalCNSS Directive 900 revision checkpoint under NSPM-12. 1AI vendors and cloud providers supporting national security systemsMonitor CNSS, the National Security Agency, and Defense Department publication channels; no public revision was found in the package. 1
July 12, 2026MissouriApproximate governor-action deadline for SB 1019 after May 28 delivery. 2AI therapy chatbot operators and advertisers with Missouri exposureTreat the bill as pending until the official page shows signature, veto, or passage without signature. 2
July 15, 2026ChinaCAC No. 21 on anthropomorphic AI interaction services takes effect. 3Companion AI, virtual-character, emotional-interaction, and agent products offered in ChinaConfirm filing, safety assessment, emergency-contact, and product-scope decisions before launch or relaunch. 3
July 31, 2026US federalFTC comment deadline for File No. P264200, Docket FTC-2026-0859. 5AI companies that design, market, or tune systems around accuracy, safety, fairness, or policy objectivesDecide whether to comment and reconcile public claims with actual output-steering behavior. 5
August 2, 2026EUAI Act Article 50 transparency obligations apply. 6Providers and deployers of covered AI systems on the EU marketKeep chatbot, deepfake, and AI-generated content disclosure work on the August 2 track. 6
August 3, 2026CaliforniaCalifornia legislature returns from summer recess with roughly 30 AI-related bills still alive after fiscal committee suspense hearings. 10AI product, worker-impact, provenance, child-safety, and digital-replica policy teamsRecheck the surviving bills before August committee movement resumes. 10
August 20, 2026ChinaNetwork Data Security Risk Assessment Measures take effect. 11Important network-data processors and AI/data operators in ChinaLink AI data inventories to annual risk assessment and major-risk reporting workflows. 11
October 30, 2026EUEDPB consultation closes on anonymisation and web scraping guidelines for generative AI. 8AI teams relying on scraped personal data, anonymised datasets, or legitimate-interest analysis in the EUPrepare comments and test training-data practices against the EDPB's anonymisation tests. 8
December 10, 2026AustraliaAutomated decision-making transparency obligations under Privacy Act changes begin. 12Privacy Act entities using automated decisions in customer or user contextsScope is still drawing business questions; map affected privacy policy disclosures now. 13
January 1, 2027IllinoisSB 315, the Artificial Intelligence Safety Measures Act, takes effect as Public Act 104-0538. 9Large frontier developers covered by the statuteBuild audit, safety-incident, transparency-report, and whistleblower processes before the effective date. 9
January 1, 2028IllinoisSB 3114, the Transparency in Downcoding Act, takes effect as Public Act 104-0568. 14Health care payors using algorithms or automated processes for claim downcodingEnsure downcoding determinations are made or reviewed by a natural person under AMA CPT coding guidelines. 14

US federal and states

FTC turns output steering into a Section 5 disclosure issue

The Federal Trade Commission published the proposed "Policy Statement Concerning the Suppression of Accuracy in Artificial Intelligence Systems" in the Federal Register on July 7 as 91 FR 41638, with comments due July 31. 5 The statement says AI companies are likely to deceive consumers under Section 5 of the FTC Act when they steer outputs away from objectives set by users or reasonably expected by users, including when state laws pressure companies to suppress accuracy for other objectives. 5
The action item is claim hygiene. Product, legal, and policy teams should map where model behavior is tuned for safety, fairness, legal compliance, political sensitivity, or brand policy, then check whether user-facing claims explain those objectives with enough specificity.

Federal cybersecurity deadlines are partly public and partly opaque

The Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 26-04 on June 10, and Qualys described the directive as a shift from uniform patching timelines to risk-first vulnerability remediation with a three-day service-level agreement (SLA) for the highest-risk vulnerabilities. 15 16 The research package did not identify a separate AI-specific CISA binding operational directive by the Executive Order (EO) 14409 July 2 deadline. 15
Treasury is in a different posture. Inside Cybersecurity reported on July 9 that Treasury had drafted the AI cybersecurity clearinghouse policy document required by EO 14409 and sent it to the White House for review, while Treasury's public press-release page showed no AI clearinghouse announcement in the July 1-10 check. 17 18
Federal AI cybersecurity vendors should treat this as a documentation gap rather than a closed requirement. The likely diligence questions are already visible: vulnerability prioritization, patch coordination, reporting cadence, and whether AI-specific security controls are embedded in federal contracts.

Congress keeps preemption alive, but not through a confirmed White House order

The White House presidential-actions page showed no new AI-related executive order during the July 3-10 window, while secondary reporting about a paused AI preemption executive order remained unconfirmed in official sources. 19 Mintz's July 8 Washington report instead points compliance teams to Congress: the Great American AI Act discussion draft includes a three-year federal preemption provision for state AI model development laws, and the House Science Committee passed 10 AI-related bills on June 25. 20
The practical read is narrow. State compliance programs should not assume federal preemption is imminent, but government affairs teams should track whether the Great American AI Act (GAAIA) or narrower committee bills start moving after the discussion-draft phase.

Illinois enacted the first mandatory frontier-model audit law

Governor JB Pritzker signed SB 315, the Artificial Intelligence Safety Measures Act, on July 6 as Public Act 104-0538. 9 The Illinois General Assembly synopsis gives January 1, 2027, as the effective date. 9 The law applies to large frontier developers, including developers with models generating more than $500 million in annual revenue and trained using massive computing power. 21
The operational requirements are material: covered developers must maintain a frontier AI framework, address catastrophic-risk assessment and mitigation, publish transparency reports before deploying new or substantially modified frontier models, report critical safety incidents within 72 hours, and report within 24 hours when an incident presents imminent risk of death or serious injury. 21 Civil penalties reach up to $1 million for a first offense and up to $3 million for later violations, with enforcement by the Illinois Attorney General. 21
For covered or near-covered model developers, the next step is not only legal interpretation. The 2027 effective date leaves time to build evidence systems: audit-scope records, third-party evaluator governance, incident intake, whistleblower channels, cybersecurity controls, and pre-deployment transparency-report signoff.

Illinois also moved on school evaluations and algorithmic downcoding

Pritzker signed SB 2909 on July 10 as Public Act 104-0565, prohibiting evaluators from using AI tools to assign numerical scores or qualitative ratings for teacher evaluations and prohibiting teachers from using AI to generate evaluation evidence. 22 Pritzker also signed SB 3114 on July 10 as Public Act 104-0568, barring health care payors from using algorithms or automated processes to bypass review of information submitted by billing health care professionals when downcoding claims. 14
The impact is sector-specific. Edtech vendors should remove AI scoring from teacher-evaluation workflows in Illinois-facing deployments, and health-plan technology teams should check whether downcoding tools preserve natural-person review under American Medical Association Current Procedural Terminology (AMA CPT) coding guidelines.

State child, school, and companion-AI bills need status precision

Missouri SB 1019 still showed "Delivered to Governor" on the official Missouri Senate page, with delivery to Governor Mike Kehoe on May 28 and an effective date of August 28, 2026. 2 The bill would prohibit advertising an AI chatbot as capable of therapy services, mental health diagnosis, or acting as a mental health professional, with $10,000 for a first offense and $20,000 for later offenses. 2
California AB 2148 was signed on June 30 as Chapter 45 and defines public school employees and public-school contractors as natural persons, which effectively bars AI systems from being employed as teachers or contractors in California public schools. 23 New Jersey A4015 passed both houses on June 30, but the official page had not yet shown transmission to the governor in the research package. 24 New York S9051B had passed the Senate and Assembly, but the official New York Senate page had not yet shown delivery to the governor. 25
Pennsylvania HB 2006 was recommitted to the Appropriations Committee on July 1 after amendment A04086 was adopted by a 104-98 vote. 26 California's AI bill queue remains broad: roughly 30 AI-related bills survived the July 1-2 fiscal committee suspense process, while SB 867 on companion chatbots in toys was held on suspense and the legislature entered summer recess through August 3. 10
The compliance move is to avoid over-labeling. Treat Missouri, New Jersey, New York, Pennsylvania, and surviving California bills as active watch items unless official pages show enactment.

Florida's AI citation rule has no reported enforcement action yet

A Law.com analysis published July 8 discussed Florida Supreme Court Administrative Order No. AOSC26-12, which superseded local AI-use certification orders and adopted a uniform statewide approach through amended Rule 2.515(d)(2). 27 The research package did not identify a first reported sanction or enforcement action under the rule as of July 10. 27
Legaltech providers serving Florida litigators should still treat citation verification as a product-control requirement. The absence of a first sanction does not reduce the certification duty.

EU, UK, and Ireland

EDPB gives generative-AI teams two October consultations

The European Data Protection Board adopted guidelines on anonymisation, web scraping in the context of generative AI, and blockchain at its July 8 plenary. 8 The anonymisation guidelines use three tests: no record isolation, no linkage, and no inference. 8 The web scraping guidelines address General Data Protection Regulation (GDPR) application to personal data collected for generative-AI training, including lawful basis, legitimate interest, purpose limitation, transparency, data minimisation, and special-category data. 8
The consultation deadline is October 30. 8 AI developers using web-scale data should test whether their anonymisation claims survive all three EDPB tests and whether legitimate-interest assessments cover collection, filtering, retention, opt-out, and downstream model-use evidence.

EU AI Act work stays on Article 50 while the Omnibus waits for OJ publication

The European Commission published an EU Action Plan on Cybersecurity and Artificial Intelligence on July 7, and its AI Act portal also records a July 9 Commission opinion on the Code of Practice on Transparency of AI-generated content. 6 The action plan sets a coordinated approach to cybersecurity risks from advanced AI models and includes EU AI model evaluation capability planned for 2027. 6
The Digital Omnibus is still a status-control issue. EUR-Lex L-series checks for July 3 through July 10 did not show publication of the Digital Omnibus on AI Regulation, while Pinsent Masons wrote on July 6 that the law was awaiting formal publication in the Official Journal. 7 28
Compliance teams should run two tracks. Article 50 transparency work stays live for August 2, while high-risk AI delay planning should remain conditional on Official Journal publication and entry-into-force timing. 6 28

Ireland's AI Act implementation bill advanced in the Seanad

Ireland's Regulation of Artificial Intelligence Bill 2026 entered Seanad Eireann Committee Stage on July 9, and Committee Stage amendments were published the same day. 29 The bill would create Oifig IS na hEireann, the Irish AI Office, as an independent statutory body and use a distributed regulatory model with 15 designated competent authorities. 30
The bill implements the AI Act's administrative fine tiers: up to EUR35 million or 7% of global annual turnover for prohibited-practice violations, up to EUR15 million or 3% for other violations, and up to EUR7.5 million or 1% for supplying incorrect information. 30 Companies with Irish headquarters, Irish EU representation, or sectoral supervision in Ireland should map which regulator will own each AI Act question.

NIS2 and UK checks are mostly status signals this week

The European Commission's July infringement package referred Ireland, Spain, France, and the Netherlands to the Court of Justice of the European Union for failure to transpose the Network and Information Security Directive 2 (NIS2) into national law. 31 AI companies that also operate critical digital infrastructure should keep NIS2 implementation status separate from AI Act timing; the referral is a cybersecurity compliance signal, not an AI Act amendment.
The UK Information Commissioner's Office news page showed no new AI-specific guidance or DRCF Phase 1 conclusion during the July 3-10 window. 32 The operational implication is simple: UK-regulated firms should keep monitoring DRCF and ICO channels, but this week did not add a new UK AI obligation.

China, APAC, and Canada

China Decree 837 is in force without implementing detail

China's State Council Decree 837 took effect on July 1 as China's first State Council administrative regulation dedicated to outbound investment. 33 The rule brings domestic resident individuals into outbound direct investment oversight and restricts indirect transfer of controlled technologies or data through cross-border technical personnel dispatch, overseas training, and remote technical guidance. 33
Tommy Xie wrote in The Star that the regulation is primarily codification rather than a major policy shift, while ARC Group described it as turning outbound consumer M&A compliance into an obligation across the full transaction lifecycle. 34 35 The package found no Ministry of Commerce (MOFCOM), State Administration of Foreign Exchange (SAFE), or National Development and Reform Commission (NDRC) implementing rules by July 10. 33
AI companies with China-origin technology, China-resident founders or employees, offshore special-purpose vehicles (SPVs), model-transfer arrangements, data-transfer obligations, or outbound research and development deals should align outbound direct investment (ODI) filings with technology-export and data-security reviews before transaction steps become hard to unwind.

CAC No. 21 is already changing platform behavior

CAC No. 21, the interim measures for anthropomorphic AI interaction services, takes effect July 15 and was issued by CAC with the National Development and Reform Commission, Ministry of Industry and Information Technology, Ministry of Public Security, and State Administration for Market Regulation. 3 Data Compliance China describes five possible compliance layers for covered services: generative-AI service filing, generative-synthesis algorithm filing, anthropomorphic-service security assessment, basic internet qualifications, and additional overlay filings. 3
Tencent's Yuanbao had already removed its AI-app agent function on June 30, and ByteDance's Doubao and Alibaba's Qianwen announced July 4 that agent functions would go offline on July 15. 4 CAC's homepage check found no implementation guide or transition notice for No. 21 as of July 10, 6:00 a.m. America/New_York time. 36
The immediate action is scope triage. Teams should identify whether each China-facing product is merely task-oriented, or whether it creates sustained anthropomorphic interaction, emotional dependency, or companion-style engagement that triggers extra filing and safety obligations.

CAC enforcement metrics add pressure to registration and labeling controls

CAC reported on July 6 that the first stage of the "Clean Cyberspace - AI application disorder" campaign had disposed of more than 14,000 illegal websites, apps, agents, and other AI products, cleaned more than 6 million pieces of illegal information, handled more than 26,000 accounts, removed more than 1,300 illegal AI products, and removed 9 illegal open-source datasets. 37 CAC also announced on July 10 that, as of June 30, 988 generative-AI services had completed national filing and 598 generative-AI apps or functions had completed local registration. 38
These figures turn filing visibility into a practical control. China-facing AI services should verify that public-facing model names, filing numbers, synthetic-content labels, app-store materials, and agent features match the filed product configuration.

Japan and South Korea moved in opposite directions on data and speech risk

Japan's House of Councillors passed amendments to the Personal Information Protection Law on July 10, creating an exemption that allows businesses and others to collect and provide personal data without individual consent solely for statistical analysis and AI development. 39 The exemption covers sensitive personal information, including criminal records, race, and medical history, while the amendments also introduce administrative fines for illegal acquisition or use of personal data in serious cases affecting more than 1,000 people. 39
South Korea's amended Network Act took effect July 7, allowing courts to award punitive damages up to five times actual losses for dissemination of illegal, false, or manipulated information by covered news organizations and large social media channels, including YouTube creators. 40 Platforms with more than 1 million daily users must take deletion or account-suspension measures after receiving false-information reports. 40
For regional teams, Japan points toward data-access governance for AI development, while South Korea points toward provenance, takedown, complaint handling, and creator workflow controls.

India, Singapore, Hong Kong, Canada, and Australia remain governance-watch items

India's Ministry of Electronics and Information Technology (MeitY) Secretary S. Krishnan said on July 3 that the time had come to look at separate AI legislation and that the ministry could prepare draft AI regulation. 41 This is a policy signal rather than an obligation, but India-facing teams should expect future debate to connect standalone AI law with existing labeling proposals and sectoral model-risk guidance.
Singapore and Hong Kong still avoid a single horizontal AI law, but Mayer Brown's July 3 checkpoint notes that Singapore updated its Agentic AI governance framework to version 1.5 in May 2026 and that Hong Kong's Privacy Commissioner for Personal Data (PCPD) found 95% of 60 checked organizations using AI, with more than half using over three AI systems. 42 The compliance expectation is evidence: firms should be ready to show governance controls, not only describe them.
Canada's Bill C-36, the Protecting Privacy and Consumer Data Act, received first reading on June 15 and remained at first reading during the parliamentary summer recess. 43 The Office of the Privacy Commissioner of Canada issued new July 9 guidance for financial institutions submitting codes of practice, while the June 11 Grok finding under the Personal Information Protection and Electronic Documents Act (PIPEDA) had no new enforcement update in this week's package. 44
Australia's automated decision-making (ADM) transparency consultation closed June 15, and the compliance date remains December 10. 12 The package also found businesses seeking more clarity on the scope of ADM obligations. 13 Teams with Australia-facing automated decisions should inventory privacy-policy disclosures even while waiting for more guidance.

Action queue

For the next seven days, compliance teams should focus on five control files:
  1. Disclosure file: FTC accuracy steering, EU Article 50, South Korea false-information workflows, and China synthetic-content labels all require a current record of what the system tells users and regulators.
  2. Audit file: Illinois SB 315 makes third-party frontier-model safety audits a live state-law requirement for covered developers starting January 1, 2027. 9
  3. Companion-AI file: China CAC No. 21, Missouri SB 1019, New York S9051B, Pennsylvania HB 2006, and California's surviving child-safety bills all require product-level classification of companion, therapy, minor-facing, and emotionally engaging AI features. 3 2 25 26 10
  4. Data file: EDPB anonymisation and scraping guidance, Japan's AI development exemption, China's network-data risk assessment measures, and Australia's ADM disclosure work all belong in the same data-governance review queue. 8 39 11 12
  5. Status-control file: EU Omnibus publication, Missouri SB 1019, New Jersey A4015, New York S9051B, and CNSS Directive 900 should stay in a pending-status tracker until official pages change. 7 2 24 25 1

References

  1. 1DirectiveWatch - National Security Presidential Memorandum/NSPM-12
  2. 2Missouri Senate - SB 1019 bill information
  3. 3Data Compliance China - China's AI-Companion Rule Takes Effect July 15
  4. 4Sina Finance / Nanfang Daily - AI agent functions removed ahead of new rules
  5. 5Federal Register - FTC policy statement on suppression of accuracy in AI systems
  6. 6European Commission - AI Act regulatory framework
  7. 7EUR-Lex - Official Journal L series daily view, July 10, 2026
  8. 8EDPB - Anonymisation and web scraping for generative AI guidelines
  9. 9Illinois General Assembly - SB0315 bill status
  10. 10Transparency Coalition - AI Legislative Update, July 10, 2026
  11. 11CAC - Network Data Security Risk Assessment Measures
  12. 12Sybre - Privacy Act changes for Australian businesses using AI
  13. 13MLex - Australian businesses seek clarity on ADM guidance obligations
  14. 14Illinois General Assembly - SB3114 bill status
  15. 15CISA - Cybersecurity directives
  16. 16Qualys - How to meet CISA BOD 26-04's 3-day remediation SLA
  17. 17Inside Cybersecurity - AI cybersecurity clearinghouse comes into focus
  18. 18U.S. Treasury - Press releases
  19. 19The White House - Presidential actions
  20. 20Mintz - AI: The Washington Report, July 2026 edition
  21. 21State of Illinois Newsroom - Gov. Pritzker signs nation-leading AI safety law
  22. 22Illinois General Assembly - SB2909 bill status
  23. 23California Legislative Information - AB 2148 bill text
  24. 24New Jersey Legislature - A4015
  25. 25New York State Senate - S9051B
  26. 26Pennsylvania General Assembly - HB 2006
  27. 27Law.com - Why Florida Supreme Court got it right on AI certifications
  28. 28Pinsent Masons - Law delaying EU high-risk AI rules finalised
  29. 29Houses of the Oireachtas - Regulation of Artificial Intelligence Bill 2026
  30. 30Matheson - Deep dive into Ireland's Regulation of Artificial Intelligence Bill 2026
  31. 31LexisNexis - European Commission releases July 2026 infringement package
  32. 32ICO - News, blogs and speeches
  33. 33GSUN Consulting - State Council Decree 837 takes effect on July 1
  34. 34The Star - A codification, not a crackdown
  35. 35ARC Group - China's new outbound investment rules put consumer M&A under full-lifecycle scrutiny
  36. 36CAC - Official homepage
  37. 37CAC - Clean Cyberspace AI application disorder campaign first-stage results
  38. 38CAC - Generative AI service filing information, May-June 2026
  39. 39The Japan News - Japan eases privacy rules to boost AI development
  40. 40ABC News / AP - South Korean fake news law takes effect
  41. 41Indian Television - Centre signals dedicated AI law as India prepares regulatory framework
  42. 42Mayer Brown - AI regulation in Singapore and Hong Kong, a mid-year checkpoint
  43. 43Parliament of Canada - Bill C-36 first reading
  44. 44Office of the Privacy Commissioner of Canada - News and announcements

Related content

  • Sign in to comment.
More from this channel