AI and Cybersecurity Regulation: What Is in Force Right Now

The regulatory landscape for artificial intelligence and cybersecurity is changing faster than most compliance programs can track. This page keeps a running record of the regulations that matter, what they actually require, and where they stand today — written for practitioners, not just attorneys.

All dates and status information below were verified against official primary sources in late June and early July 2026. This is a time-sensitive page: re-verify every deadline against the official source linked before relying on it for a compliance decision.

EU AI Act: Current Status and Key Deadlines (as of July 2026)

The EU AI Act entered into force on 1 August 2024. A Digital Omnibus simplification package reached provisional political agreement on 7 May 2026, deferring several major deadlines. Current phase-in status:

Already in force:
2 February 2025 — Prohibitions on unacceptable-risk AI systems and AI literacy obligations took effect.
2 August 2025 — GPAI (general-purpose AI) model obligations became applicable.

Upcoming as of July 2026:
2 August 2026 — Article 50 transparency rules: disclosure requirements when users interact with AI systems; watermarking obligations for AI-generated content.
2 December 2026 — Watermarking under Article 50(2) for AI systems placed on market before August 2026 (four-month grace period per the Digital Omnibus).
2 December 2027 — High-risk AI obligations for standalone Annex III use-cases (recruitment, credit scoring, law enforcement, education, border control). Deferred by 16 months from the original August 2026 date.
2 August 2028 — High-risk AI embedded in regulated Annex I products (medical devices, machinery, vehicles).

Source: EU AI Act official page (digital-strategy.ec.europa.eu); Digital Omnibus provisional agreement 7 May 2026; Gibson Dunn client alert May 27 2026.

US State AI Laws: The Current Compliance Landscape

The United States has no comprehensive federal AI statute as of July 2026. State law is the primary US compliance obligation.

Colorado: The original Colorado AI Act (SB 24-205) was repealed before it ever took effect. Governor Polis signed its replacement — SB 26-189 — on May 14 2026. The new ADMT law is narrower: it drops the high-risk AI impact-assessment framework, the affirmative duty to avoid algorithmic discrimination, and the NIST/ISO affirmative defense. Obligations now centre on pre-use consumer notices, 30-day adverse-outcome explanations, and human review rights. Effective January 1 2027.

California: Multiple laws in effect from January 1 2026: SB 53 (Frontier AI Transparency — frontier developers must publish risk frameworks and report safety incidents); AB 2013 (AI training data transparency); SB 942 (AI watermarking, effective August 2 2026). CPPA automated decision-making regulations phase in through 2027.

Texas: TRAIGA (HB 149) effective January 1 2026 — narrower than earlier drafts, focused on banned harmful AI uses and state-agency disclosure.

New York: RAISE Act signed March 27 2026, effective January 1 2027.

Illinois: Amendment to Illinois Human Rights Act effective January 1 2026 — prohibits employer AI that produces discriminatory outcomes.

The EU AI Act has applied in phases since August 2024. Transparency rules (Article 50) take effect August 2 2026. High-risk AI obligations for most standalone use-cases (Annex III) apply December 2 2027, deferred under the Digital Omnibus agreement reached May 7 2026. High-risk AI in regulated Annex I products applies from August 2028.

No. As of July 2026 there is no comprehensive federal AI statute in the United States. The December 2025 executive order directed agencies to challenge state laws deemed burdensome but has not resulted in federal preemption of any specific state law. California, Texas, Colorado (SB 26-189), and New York are the states with the most significant AI-specific legislation currently in force or taking effect in 2026-2027.

Colorado's original 2024 AI Act (SB 24-205) was repealed and replaced by SB 26-189, signed May 14 2026. The original law never took effect. The replacement is narrower: no high-risk AI impact assessments, no affirmative duty to avoid algorithmic discrimination. Instead it requires pre-use consumer notices, 30-day adverse-outcome explanations, and human review rights. Effective January 1 2027.

Yes, where a US company provides AI systems used by EU residents or deployed in the EU. Jurisdiction follows the user. GPAI model providers are in scope from August 2025 if their models are made available in the EU. US companies should assess which AI products reach EU users before the August 2026 Article 50 transparency deadline.

Fines for the most serious violations — prohibited AI practices — can reach EUR 35 million or 7% of global annual turnover, whichever is higher. Other violations: up to EUR 15 million or 3% of global annual turnover. GPAI provider non-compliance: up to EUR 15 million or 3% of global annual turnover. Enforcement starts at national level with the EU AI Office overseeing GPAI providers.