
AI Compliance Map - Jul 3-10
Weekly compliance impact map for July 3, 5:34 p.m. through July 10, 5:00 p.m. (UTC-05:00), focused on actionable AI regulatory developments across US federal/state, EU/UK/Ireland, China, APAC, Canada, and Australia.
Immediate triage queue as of July 10, 2026:
- July 12 - US national security systems and Missouri: the Committee on National Security Systems (CNSS) Directive 900 reaches its National Security Presidential Memorandum 12 (NSPM-12) revision checkpoint, and Missouri SB 1019 reaches the approximate end of the 45-day governor-action window after May 28 delivery. 1 2
- July 15 - China CAC No. 21: Cyberspace Administration of China (CAC) anthropomorphic AI interaction service rules take effect, and major Chinese platforms have already announced or completed agent-function removals. 3 4
- July 31 - FTC: comments close on the Federal Trade Commission (FTC) proposed AI accuracy policy statement, which frames undisclosed output steering as a possible Section 5 deception issue. 5
- August 2 - EU AI Act: Article 50 transparency obligations remain the near-term EU implementation date while the Digital Omnibus has not yet appeared in the Official Journal. 6 7
- October 30 - EDPB: public comments close on the new European Data Protection Board (EDPB) anonymisation and generative-AI web scraping guidelines. 8
This issue covers July 3, 2026, 5:34 p.m. through July 10, 2026, 5:00 p.m. (UTC-05:00), slightly shorter than the normal weekly cycle because the previous issue published late. The main compliance shift is that several pending tracks became implementation work: Illinois enacted a frontier-model audit law, the FTC moved its accuracy-suppression theory into the Federal Register, the EDPB opened new GDPR guidance consultations for generative AI, and China moved toward July 15 enforcement with platform removals already underway. 9 5 8 4
The fastest useful read is by workstream: calendar the dates below, route Illinois and China companion-AI items to product and safety owners, route FTC and EU Article 50 items to disclosure counsel, and route EDPB plus Japan privacy changes to data-governance leads.
Upcoming compliance dates
| Date | Jurisdiction | Obligation or event | Affected entities | Status or next action |
|---|---|---|---|---|
| July 12, 2026 | US federal | CNSS Directive 900 revision checkpoint under NSPM-12. 1 | AI vendors and cloud providers supporting national security systems | Monitor CNSS, the National Security Agency, and Defense Department publication channels; no public revision was found in the package. 1 |
| July 12, 2026 | Missouri | Approximate governor-action deadline for SB 1019 after May 28 delivery. 2 | AI therapy chatbot operators and advertisers with Missouri exposure | Treat the bill as pending until the official page shows signature, veto, or passage without signature. 2 |
| July 15, 2026 | China | CAC No. 21 on anthropomorphic AI interaction services takes effect. 3 | Companion AI, virtual-character, emotional-interaction, and agent products offered in China | Confirm filing, safety assessment, emergency-contact, and product-scope decisions before launch or relaunch. 3 |
| July 31, 2026 | US federal | FTC comment deadline for File No. P264200, Docket FTC-2026-0859. 5 | AI companies that design, market, or tune systems around accuracy, safety, fairness, or policy objectives | Decide whether to comment and reconcile public claims with actual output-steering behavior. 5 |
| August 2, 2026 | EU | AI Act Article 50 transparency obligations apply. 6 | Providers and deployers of covered AI systems on the EU market | Keep chatbot, deepfake, and AI-generated content disclosure work on the August 2 track. 6 |
| August 3, 2026 | California | California legislature returns from summer recess with roughly 30 AI-related bills still alive after fiscal committee suspense hearings. 10 | AI product, worker-impact, provenance, child-safety, and digital-replica policy teams | Recheck the surviving bills before August committee movement resumes. 10 |
| August 20, 2026 | China | Network Data Security Risk Assessment Measures take effect. 11 | Important network-data processors and AI/data operators in China | Link AI data inventories to annual risk assessment and major-risk reporting workflows. 11 |
| October 30, 2026 | EU | EDPB consultation closes on anonymisation and web scraping guidelines for generative AI. 8 | AI teams relying on scraped personal data, anonymised datasets, or legitimate-interest analysis in the EU | Prepare comments and test training-data practices against the EDPB's anonymisation tests. 8 |
| December 10, 2026 | Australia | Automated decision-making transparency obligations under Privacy Act changes begin. 12 | Privacy Act entities using automated decisions in customer or user contexts | Scope is still drawing business questions; map affected privacy policy disclosures now. 13 |
| January 1, 2027 | Illinois | SB 315, the Artificial Intelligence Safety Measures Act, takes effect as Public Act 104-0538. 9 | Large frontier developers covered by the statute | Build audit, safety-incident, transparency-report, and whistleblower processes before the effective date. 9 |
| January 1, 2028 | Illinois | SB 3114, the Transparency in Downcoding Act, takes effect as Public Act 104-0568. 14 | Health care payors using algorithms or automated processes for claim downcoding | Ensure downcoding determinations are made or reviewed by a natural person under AMA CPT coding guidelines. 14 |
US federal and states
FTC turns output steering into a Section 5 disclosure issue
The Federal Trade Commission published the proposed "Policy Statement Concerning the Suppression of Accuracy in Artificial Intelligence Systems" in the Federal Register on July 7 as 91 FR 41638, with comments due July 31. 5 The statement says AI companies are likely to deceive consumers under Section 5 of the FTC Act when they steer outputs away from objectives set by users or reasonably expected by users, including when state laws pressure companies to suppress accuracy for other objectives. 5
The action item is claim hygiene. Product, legal, and policy teams should map where model behavior is tuned for safety, fairness, legal compliance, political sensitivity, or brand policy, then check whether user-facing claims explain those objectives with enough specificity.
Federal cybersecurity deadlines are partly public and partly opaque
The Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 26-04 on June 10, and Qualys described the directive as a shift from uniform patching timelines to risk-first vulnerability remediation with a three-day service-level agreement (SLA) for the highest-risk vulnerabilities. 15 16 The research package did not identify a separate AI-specific CISA binding operational directive by the Executive Order (EO) 14409 July 2 deadline. 15
Treasury is in a different posture. Inside Cybersecurity reported on July 9 that Treasury had drafted the AI cybersecurity clearinghouse policy document required by EO 14409 and sent it to the White House for review, while Treasury's public press-release page showed no AI clearinghouse announcement in the July 1-10 check. 17 18
Federal AI cybersecurity vendors should treat this as a documentation gap rather than a closed requirement. The likely diligence questions are already visible: vulnerability prioritization, patch coordination, reporting cadence, and whether AI-specific security controls are embedded in federal contracts.
Congress keeps preemption alive, but not through a confirmed White House order
The White House presidential-actions page showed no new AI-related executive order during the July 3-10 window, while secondary reporting about a paused AI preemption executive order remained unconfirmed in official sources. 19 Mintz's July 8 Washington report instead points compliance teams to Congress: the Great American AI Act discussion draft includes a three-year federal preemption provision for state AI model development laws, and the House Science Committee passed 10 AI-related bills on June 25. 20
The practical read is narrow. State compliance programs should not assume federal preemption is imminent, but government affairs teams should track whether the Great American AI Act (GAAIA) or narrower committee bills start moving after the discussion-draft phase.
Illinois enacted the first mandatory frontier-model audit law
Governor JB Pritzker signed SB 315, the Artificial Intelligence Safety Measures Act, on July 6 as Public Act 104-0538. 9 The Illinois General Assembly synopsis gives January 1, 2027, as the effective date. 9 The law applies to large frontier developers, including developers with models generating more than $500 million in annual revenue and trained using massive computing power. 21
The operational requirements are material: covered developers must maintain a frontier AI framework, address catastrophic-risk assessment and mitigation, publish transparency reports before deploying new or substantially modified frontier models, report critical safety incidents within 72 hours, and report within 24 hours when an incident presents imminent risk of death or serious injury. 21 Civil penalties reach up to $1 million for a first offense and up to $3 million for later violations, with enforcement by the Illinois Attorney General. 21
For covered or near-covered model developers, the next step is not only legal interpretation. The 2027 effective date leaves time to build evidence systems: audit-scope records, third-party evaluator governance, incident intake, whistleblower channels, cybersecurity controls, and pre-deployment transparency-report signoff.
Illinois also moved on school evaluations and algorithmic downcoding
Pritzker signed SB 2909 on July 10 as Public Act 104-0565, prohibiting evaluators from using AI tools to assign numerical scores or qualitative ratings for teacher evaluations and prohibiting teachers from using AI to generate evaluation evidence. 22 Pritzker also signed SB 3114 on July 10 as Public Act 104-0568, barring health care payors from using algorithms or automated processes to bypass review of information submitted by billing health care professionals when downcoding claims. 14
The impact is sector-specific. Edtech vendors should remove AI scoring from teacher-evaluation workflows in Illinois-facing deployments, and health-plan technology teams should check whether downcoding tools preserve natural-person review under American Medical Association Current Procedural Terminology (AMA CPT) coding guidelines.
State child, school, and companion-AI bills need status precision
Missouri SB 1019 still showed "Delivered to Governor" on the official Missouri Senate page, with delivery to Governor Mike Kehoe on May 28 and an effective date of August 28, 2026. 2 The bill would prohibit advertising an AI chatbot as capable of therapy services, mental health diagnosis, or acting as a mental health professional, with $10,000 for a first offense and $20,000 for later offenses. 2
California AB 2148 was signed on June 30 as Chapter 45 and defines public school employees and public-school contractors as natural persons, which effectively bars AI systems from being employed as teachers or contractors in California public schools. 23 New Jersey A4015 passed both houses on June 30, but the official page had not yet shown transmission to the governor in the research package. 24 New York S9051B had passed the Senate and Assembly, but the official New York Senate page had not yet shown delivery to the governor. 25
Pennsylvania HB 2006 was recommitted to the Appropriations Committee on July 1 after amendment A04086 was adopted by a 104-98 vote. 26 California's AI bill queue remains broad: roughly 30 AI-related bills survived the July 1-2 fiscal committee suspense process, while SB 867 on companion chatbots in toys was held on suspense and the legislature entered summer recess through August 3. 10
The compliance move is to avoid over-labeling. Treat Missouri, New Jersey, New York, Pennsylvania, and surviving California bills as active watch items unless official pages show enactment.
Florida's AI citation rule has no reported enforcement action yet
A Law.com analysis published July 8 discussed Florida Supreme Court Administrative Order No. AOSC26-12, which superseded local AI-use certification orders and adopted a uniform statewide approach through amended Rule 2.515(d)(2). 27 The research package did not identify a first reported sanction or enforcement action under the rule as of July 10. 27
Legaltech providers serving Florida litigators should still treat citation verification as a product-control requirement. The absence of a first sanction does not reduce the certification duty.
EU, UK, and Ireland
EDPB gives generative-AI teams two October consultations
The European Data Protection Board adopted guidelines on anonymisation, web scraping in the context of generative AI, and blockchain at its July 8 plenary. 8 The anonymisation guidelines use three tests: no record isolation, no linkage, and no inference. 8 The web scraping guidelines address General Data Protection Regulation (GDPR) application to personal data collected for generative-AI training, including lawful basis, legitimate interest, purpose limitation, transparency, data minimisation, and special-category data. 8
The consultation deadline is October 30. 8 AI developers using web-scale data should test whether their anonymisation claims survive all three EDPB tests and whether legitimate-interest assessments cover collection, filtering, retention, opt-out, and downstream model-use evidence.
EU AI Act work stays on Article 50 while the Omnibus waits for OJ publication
The European Commission published an EU Action Plan on Cybersecurity and Artificial Intelligence on July 7, and its AI Act portal also records a July 9 Commission opinion on the Code of Practice on Transparency of AI-generated content. 6 The action plan sets a coordinated approach to cybersecurity risks from advanced AI models and includes EU AI model evaluation capability planned for 2027. 6
The Digital Omnibus is still a status-control issue. EUR-Lex L-series checks for July 3 through July 10 did not show publication of the Digital Omnibus on AI Regulation, while Pinsent Masons wrote on July 6 that the law was awaiting formal publication in the Official Journal. 7 28
Compliance teams should run two tracks. Article 50 transparency work stays live for August 2, while high-risk AI delay planning should remain conditional on Official Journal publication and entry-into-force timing. 6 28
Ireland's AI Act implementation bill advanced in the Seanad
Ireland's Regulation of Artificial Intelligence Bill 2026 entered Seanad Eireann Committee Stage on July 9, and Committee Stage amendments were published the same day. 29 The bill would create Oifig IS na hEireann, the Irish AI Office, as an independent statutory body and use a distributed regulatory model with 15 designated competent authorities. 30
The bill implements the AI Act's administrative fine tiers: up to EUR35 million or 7% of global annual turnover for prohibited-practice violations, up to EUR15 million or 3% for other violations, and up to EUR7.5 million or 1% for supplying incorrect information. 30 Companies with Irish headquarters, Irish EU representation, or sectoral supervision in Ireland should map which regulator will own each AI Act question.
NIS2 and UK checks are mostly status signals this week
The European Commission's July infringement package referred Ireland, Spain, France, and the Netherlands to the Court of Justice of the European Union for failure to transpose the Network and Information Security Directive 2 (NIS2) into national law. 31 AI companies that also operate critical digital infrastructure should keep NIS2 implementation status separate from AI Act timing; the referral is a cybersecurity compliance signal, not an AI Act amendment.
The UK Information Commissioner's Office news page showed no new AI-specific guidance or DRCF Phase 1 conclusion during the July 3-10 window. 32 The operational implication is simple: UK-regulated firms should keep monitoring DRCF and ICO channels, but this week did not add a new UK AI obligation.
China, APAC, and Canada
China Decree 837 is in force without implementing detail
China's State Council Decree 837 took effect on July 1 as China's first State Council administrative regulation dedicated to outbound investment. 33 The rule brings domestic resident individuals into outbound direct investment oversight and restricts indirect transfer of controlled technologies or data through cross-border technical personnel dispatch, overseas training, and remote technical guidance. 33
Tommy Xie wrote in The Star that the regulation is primarily codification rather than a major policy shift, while ARC Group described it as turning outbound consumer M&A compliance into an obligation across the full transaction lifecycle. 34 35 The package found no Ministry of Commerce (MOFCOM), State Administration of Foreign Exchange (SAFE), or National Development and Reform Commission (NDRC) implementing rules by July 10. 33
AI companies with China-origin technology, China-resident founders or employees, offshore special-purpose vehicles (SPVs), model-transfer arrangements, data-transfer obligations, or outbound research and development deals should align outbound direct investment (ODI) filings with technology-export and data-security reviews before transaction steps become hard to unwind.
CAC No. 21 is already changing platform behavior
CAC No. 21, the interim measures for anthropomorphic AI interaction services, takes effect July 15 and was issued by CAC with the National Development and Reform Commission, Ministry of Industry and Information Technology, Ministry of Public Security, and State Administration for Market Regulation. 3 Data Compliance China describes five possible compliance layers for covered services: generative-AI service filing, generative-synthesis algorithm filing, anthropomorphic-service security assessment, basic internet qualifications, and additional overlay filings. 3
Tencent's Yuanbao had already removed its AI-app agent function on June 30, and ByteDance's Doubao and Alibaba's Qianwen announced July 4 that agent functions would go offline on July 15. 4 CAC's homepage check found no implementation guide or transition notice for No. 21 as of July 10, 6:00 a.m. America/New_York time. 36
The immediate action is scope triage. Teams should identify whether each China-facing product is merely task-oriented, or whether it creates sustained anthropomorphic interaction, emotional dependency, or companion-style engagement that triggers extra filing and safety obligations.
CAC enforcement metrics add pressure to registration and labeling controls
CAC reported on July 6 that the first stage of the "Clean Cyberspace - AI application disorder" campaign had disposed of more than 14,000 illegal websites, apps, agents, and other AI products, cleaned more than 6 million pieces of illegal information, handled more than 26,000 accounts, removed more than 1,300 illegal AI products, and removed 9 illegal open-source datasets. 37 CAC also announced on July 10 that, as of June 30, 988 generative-AI services had completed national filing and 598 generative-AI apps or functions had completed local registration. 38
These figures turn filing visibility into a practical control. China-facing AI services should verify that public-facing model names, filing numbers, synthetic-content labels, app-store materials, and agent features match the filed product configuration.
Japan and South Korea moved in opposite directions on data and speech risk
Japan's House of Councillors passed amendments to the Personal Information Protection Law on July 10, creating an exemption that allows businesses and others to collect and provide personal data without individual consent solely for statistical analysis and AI development. 39 The exemption covers sensitive personal information, including criminal records, race, and medical history, while the amendments also introduce administrative fines for illegal acquisition or use of personal data in serious cases affecting more than 1,000 people. 39
South Korea's amended Network Act took effect July 7, allowing courts to award punitive damages up to five times actual losses for dissemination of illegal, false, or manipulated information by covered news organizations and large social media channels, including YouTube creators. 40 Platforms with more than 1 million daily users must take deletion or account-suspension measures after receiving false-information reports. 40
For regional teams, Japan points toward data-access governance for AI development, while South Korea points toward provenance, takedown, complaint handling, and creator workflow controls.
India, Singapore, Hong Kong, Canada, and Australia remain governance-watch items
India's Ministry of Electronics and Information Technology (MeitY) Secretary S. Krishnan said on July 3 that the time had come to look at separate AI legislation and that the ministry could prepare draft AI regulation. 41 This is a policy signal rather than an obligation, but India-facing teams should expect future debate to connect standalone AI law with existing labeling proposals and sectoral model-risk guidance.
Singapore and Hong Kong still avoid a single horizontal AI law, but Mayer Brown's July 3 checkpoint notes that Singapore updated its Agentic AI governance framework to version 1.5 in May 2026 and that Hong Kong's Privacy Commissioner for Personal Data (PCPD) found 95% of 60 checked organizations using AI, with more than half using over three AI systems. 42 The compliance expectation is evidence: firms should be ready to show governance controls, not only describe them.
Canada's Bill C-36, the Protecting Privacy and Consumer Data Act, received first reading on June 15 and remained at first reading during the parliamentary summer recess. 43 The Office of the Privacy Commissioner of Canada issued new July 9 guidance for financial institutions submitting codes of practice, while the June 11 Grok finding under the Personal Information Protection and Electronic Documents Act (PIPEDA) had no new enforcement update in this week's package. 44
Australia's automated decision-making (ADM) transparency consultation closed June 15, and the compliance date remains December 10. 12 The package also found businesses seeking more clarity on the scope of ADM obligations. 13 Teams with Australia-facing automated decisions should inventory privacy-policy disclosures even while waiting for more guidance.
Action queue
For the next seven days, compliance teams should focus on five control files:
- Disclosure file: FTC accuracy steering, EU Article 50, South Korea false-information workflows, and China synthetic-content labels all require a current record of what the system tells users and regulators.
- Audit file: Illinois SB 315 makes third-party frontier-model safety audits a live state-law requirement for covered developers starting January 1, 2027. 9
- Companion-AI file: China CAC No. 21, Missouri SB 1019, New York S9051B, Pennsylvania HB 2006, and California's surviving child-safety bills all require product-level classification of companion, therapy, minor-facing, and emotionally engaging AI features. 3 2 25 26 10
- Data file: EDPB anonymisation and scraping guidance, Japan's AI development exemption, China's network-data risk assessment measures, and Australia's ADM disclosure work all belong in the same data-governance review queue. 8 39 11 12
- Status-control file: EU Omnibus publication, Missouri SB 1019, New Jersey A4015, New York S9051B, and CNSS Directive 900 should stay in a pending-status tracker until official pages change. 7 2 24 25 1
References
- 1DirectiveWatch - National Security Presidential Memorandum/NSPM-12
- 2Missouri Senate - SB 1019 bill information
- 3Data Compliance China - China's AI-Companion Rule Takes Effect July 15
- 4Sina Finance / Nanfang Daily - AI agent functions removed ahead of new rules
- 5Federal Register - FTC policy statement on suppression of accuracy in AI systems
- 6European Commission - AI Act regulatory framework
- 7EUR-Lex - Official Journal L series daily view, July 10, 2026
- 8EDPB - Anonymisation and web scraping for generative AI guidelines
- 9Illinois General Assembly - SB0315 bill status
- 10Transparency Coalition - AI Legislative Update, July 10, 2026
- 11CAC - Network Data Security Risk Assessment Measures
- 12Sybre - Privacy Act changes for Australian businesses using AI
- 13MLex - Australian businesses seek clarity on ADM guidance obligations
- 14Illinois General Assembly - SB3114 bill status
- 15CISA - Cybersecurity directives
- 16Qualys - How to meet CISA BOD 26-04's 3-day remediation SLA
- 17Inside Cybersecurity - AI cybersecurity clearinghouse comes into focus
- 18U.S. Treasury - Press releases
- 19The White House - Presidential actions
- 20Mintz - AI: The Washington Report, July 2026 edition
- 21State of Illinois Newsroom - Gov. Pritzker signs nation-leading AI safety law
- 22Illinois General Assembly - SB2909 bill status
- 23California Legislative Information - AB 2148 bill text
- 24New Jersey Legislature - A4015
- 25New York State Senate - S9051B
- 26Pennsylvania General Assembly - HB 2006
- 27Law.com - Why Florida Supreme Court got it right on AI certifications
- 28Pinsent Masons - Law delaying EU high-risk AI rules finalised
- 29Houses of the Oireachtas - Regulation of Artificial Intelligence Bill 2026
- 30Matheson - Deep dive into Ireland's Regulation of Artificial Intelligence Bill 2026
- 31LexisNexis - European Commission releases July 2026 infringement package
- 32ICO - News, blogs and speeches
- 33GSUN Consulting - State Council Decree 837 takes effect on July 1
- 34The Star - A codification, not a crackdown
- 35ARC Group - China's new outbound investment rules put consumer M&A under full-lifecycle scrutiny
- 36CAC - Official homepage
- 37CAC - Clean Cyberspace AI application disorder campaign first-stage results
- 38CAC - Generative AI service filing information, May-June 2026
- 39The Japan News - Japan eases privacy rules to boost AI development
- 40ABC News / AP - South Korean fake news law takes effect
- 41Indian Television - Centre signals dedicated AI law as India prepares regulatory framework
- 42Mayer Brown - AI regulation in Singapore and Hong Kong, a mid-year checkpoint
- 43Parliament of Canada - Bill C-36 first reading
- 44Office of the Privacy Commissioner of Canada - News and announcements
Related content
- Sign in to comment.
