On May 28, 2026, the European Union Agency for Cybersecurity (“ENISA”) published the third edition of its NIS360 report, an annual benchmarking tool that assesses the cybersecurity maturity of entities in the sectors set out in Annex I of the NIS2 Directive (which includes certain entities in the energy, transport, healthcare, digital infrastructure, and space sectors), as well as the relative criticality of the relevant sectors. The NIS360 is designed to support national authorities, policymakers, and other stakeholders in understanding where sectors stand in terms of cybersecurity readiness, including where more support or oversight might be needed.

Continue Reading ENISA’s NIS360 2026 report highlights both the criticality of the European space sector, and flags a persistent cybersecurity maturity gap

On 20 May 2026, Brazil adopted Presidential Decree No. 12,976, establishing a comprehensive framework to address violence against women online. Adopted alongside a parallel decree (No. 12,975) reforming intermediary liability, it reflects a more assertive approach to regulating online harms, including those driven or amplified by AI. Together, these measures will require companies to reassess internal processes to ensure rapid content removal and more proactive monitoring, including for AI‑enabled services.

Continue Reading Brazil Steps Up Regulation of Violence Against Women in the Digital Environment

On 19 May 2026, the European Commission published its long-awaited draft, non-binding guidelines on the classification of high-risk AI systems (“HRAIs”) under the EU AI Act (the “Guidelines”). Across three documents—covering general principles, high-risk classification in the context of regulated products (Annex I), and high-risk use cases (Annex III)—the Commission sets out its approach to one of the AI Act’s central questions: when does an AI system fall within the high-risk regime (and, just as importantly, when does it not)?

Rather than restating every aspect of the Guidelines, this post highlights a number of interpretative points likely to matter most in practice.

Continue Reading EU AI Act Update: The European Commission Publishes Draft Guidelines on HRAIs

On May 29, 2026, the Governor of Louisiana signed into law SB 386, the Louisiana Data Privacy Act (“LDPA”). Louisiana joins Alabama and Oklahoma as the third state to enact a comprehensive privacy law this year. The law will take effect on January 1, 2027.

Continue Reading Louisiana Enacts Comprehensive Privacy Law

On June 2, 2026, the White House issued an executive order titled “Promoting Advanced Artificial Intelligence Innovation and Security” (the “Order”).  The Order reflects the Administration’s stated policy of advancing U.S. leadership in artificial intelligence (“AI”) while addressing national security risks associated with increasingly capable AI systems.  To

Continue Reading White House Releases Executive Order on Advanced AI Innovation and Security

Last month, the Illinois Department of Human Rights (“IDHR”) released draft regulations addressing employers’ use of AI in employment decisions and invited public comment. The IDHR will hold a hearing on the draft regulations on June 10, and the public comment period will close on June 29.

Background

HB

Continue Reading Illinois Department of Human Rights Seeks Public Comment on Draft AI Employment Regulations

On May 27, 2026, the Connecticut governor signed SB 4, an omnibus privacy law, which among other things, amends the Connecticut Data Privacy Act (“CTDPA”), establishes a data broker registry and accessible deletion mechanism, imposes restrictions on the use of price setting devices and surveillance pricing, and creates requirements for direct-to-consumer genetic testing companies.

Continue Reading Connecticut Enacts Omnibus Privacy Law

States continue to enact laws regulating genetic data. Since our last update, the Connecticut governor has signed SB 4, an omnibus privacy law which contains provisions regulating direct-to-consumer (“DTC”) genetic testing companies. You can read our full analysis of SB 4 here.

Continue Reading Connecticut Enacts Genetic Privacy Law

Earlier this month, the Cybersecurity & Infrastructure Security Agency (CISA), in collaboration with the National Security Agency and other international partners, released guidance for organizations on adopting agentic artificial intelligence systems (i.e., systems composed of one or more agents that fundamentally rely on an AI model, such as an LLM

Continue Reading CISA Releases Guidance on the Careful Adoption of Agentic AI Services

On May 11, 2026, the Department of Justice, acting on notification from the Federal Trade Commission, and the Illinois Attorney General, filed a complaint against “Premium Home Service” and its owner for alleged violations of Section 5 of the FTC Act, the Consumer Reviews Rule, and the Gramm-Leach-Bliley Act (GLB Act).  The Complaint seeks injunctive relief, monetary relief, and civil penalties.  

Continue Reading FTC and DOJ Continue Focus on Consumer Reviews Rule with Complaint Against Premium Home Service