
Regulations that will change the way you do business in 2026

26 June 2026
The latest article in our Legal Operations regulatory insights explores key regulatory developments. The regulatory landscape across the UK and European Union continues to shift at pace. Here are five of the most consequential developments from May 2026 that your compliance and legal teams need on their radar right now.

EU AI Act implementation streamlined – Binding timelines now confirmed

On 7 May 2026, the European Commission acknowledged a political agreement between the European Parliament and the Council to streamline implementation of the EU AI Act under the Digital Omnibus package. The reforms ease certain compliance requirements for businesses while maintaining core safety and fundamental rights protections. Key measures include phased implementation timelines – with high-risk AI obligations applying from 2 December 2027 for most systems, and 2 August 2028 for AI embedded in regulated products – alongside confirmed prohibitions on AI tools that generate non-consensual intimate content.

This is no longer a future concern. The timelines are confirmed. Organisations developing, deploying, or procuring AI systems need to begin mapping their obligations now, before the implementation windows close.

EU AI Act transparency requirements – Consultation on draft guidelines

On 8 May 2026, the European Commission launched a consultation on draft guidelines on transparency obligations under Article 50 of the AI Act, ahead of the application of these provisions from 2 August 2026. The draft guidelines set out how providers and deployers of AI systems must inform users when they are interacting with an AI, implement machine-readable labelling for AI-generated content, and disclose AI involvement in decision-making processes.

The consultation window is narrow and the application date is imminent. Organisations using AI in any customer-facing or decision-making context – from automated emails to AI-generated reports – need to assess their disclosure practices now. August 2026 is closer than it appears.

UK Cyber Security and Resilience Bill – Expanded scope, critical infrastructure

On 14 May 2026, the UK Parliament reintroduced the Cyber Security and Resilience (Network and Information Systems) Bill at the Report Stage in the House of Commons, marking significant progress towards enactment. The Bill seeks to strengthen the security and resilience of network and information systems by amending the Network and Information Systems Regulations 2018. Critically, it extends the regulatory scope to data centres, managed service providers, and critical supply chain operators – significantly widening the pool of businesses that will be subject to mandatory cybersecurity obligations.

The Bill's progression to Report Stage signals that enactment is near. Businesses in digital infrastructure, technology services, and critical supply chains should be assessing their readiness now rather than waiting for Royal Assent.

New Data Protection Complaints Framework – Effective 19 June 2026

On 19 May 2026, the UK Information Commissioner's Office (ICO) issued guidance ahead of new data protection complaint-handling requirements under the Data (Use and Access) Act 2025, coming into force on 19 June 2026. Under the new framework, organisations must provide a clear and accessible mechanism for individuals to raise data protection concerns directly, acknowledge complaints promptly, and handle them within defined timeframes before individuals can escalate to the ICO.

This is a structural change to how data protection complaints are managed – not merely a guidance update. Businesses that do not have a compliant internal complaints process in place by 19 June 2026 will be in breach of statutory requirements from day one.

EU revised European sustainability reporting standards – Consultation now open

On 6 May 2026, the European Commission launched a public consultation on draft revised European Sustainability Reporting Standards (ESRS) under the Corporate Sustainability Reporting Directive (CSRD). The proposed changes aim to simplify reporting requirements, including reducing mandatory data points, introducing additional flexibility, and refining materiality assessment requirements. The Commission also published a draft voluntary reporting standard for smaller companies. The consultation closed on 3 June 2026.

For organisations currently aligning their sustainability reporting to the existing ESRS, these revisions will require a recalibration of reporting frameworks, governance structures, and data collection processes. 

This content has been prepared based on regulatory and legislative updates identified across UK and EU jurisdictions as of May 2026. It is intended for awareness purposes and does not constitute legal advice.
