AI Regulation — Global Update
🤖 EU Digital Omnibus
AI-1
EU Digital Omnibus Package: GDPR Relief & AI Act Acceleration
欧盟"数字综合法":GDPR减负与AI法案加速
The European Commission has proposed the "Digital Omnibus" package, aimed at reducing administrative burdens across GDPR, the AI Act, and the Data Act. Key provisions include a de minimis threshold under GDPR that would exempt micro and small enterprises from many GDPR obligations, fast-track implementation timelines for high-risk AI system requirements, and streamlined compliance pathways designed to reduce duplication across overlapping regimes. The package is still in proposal stage and will require co-legislative approval.
Key Obligation: Monitor proposal progress. Assess whether your entity qualifies for any SME exemptions. Track national implementations for divergence risk.
🤖 EU AI Act · Code of Practice
AI-2
EU AI Act: GPAI Code of Practice — Iteration Three Published
The EU AI Office has published the third draft of the Code of Practice for General Purpose AI (GPAI) model providers. The draft introduces mandatory AI literacy obligations for deployers, enhanced transparency disclosures around training data, and new requirements for labelling AI-generated content. The final Code of Practice is expected to be adopted by August 2025, ahead of the GPAI provisions entering full effect. Non-compliance after adoption may result in enforcement action under Article 101 of the AI Act.
Key Obligation: Review the third-draft Code against your GPAI use cases. Assess AI literacy training gaps. Implement AI-generated content labelling for customer-facing outputs.
🇺🇸 US Executive Order · FTC
AI-3
US: Trump AI Executive Order & Recalibrated FTC Posture
President Trump's December 2025 Executive Order on AI revoked the Biden-era EO 14110 and directed federal agencies to remove barriers to AI development, prioritising innovation over precautionary regulation. The order withdrew from the OECD AI Principles framework, directing agencies to develop domestic AI safety standards independent of international bodies. Separately, the FTC under the new administration has signalled a narrower focus on demonstrable consumer harm rather than broader structural concerns, indicating reduced enforcement frequency for data-driven AI products in the near term. State-level regulation (particularly in California, Texas and Illinois) continues independently.
Action: Monitor state AI legislation developments separately from the federal posture. Do not assume reduced FTC activity means zero risk — state AGs remain active. Review Biden-era AI compliance commitments for continued applicability.
🇨🇳 China CAC · National Standards
AI-4
China: CAC AI Enforcement Surge & 30 National AI Standards Published
China's Cyberspace Administration (CAC) has intensified enforcement of the Generative AI Service Regulations (effective July 2023) with multiple significant penalties issued in Q1 2026 targeting large-language model (LLM) providers for inadequate content moderation and failure to conduct algorithm security assessments. In parallel, SAC/TC260 has published 30 national standards related to AI, covering AI system transparency, security testing methodologies, and data labelling quality. These standards, while non-mandatory on their face, are increasingly referenced by regulators as baseline expectations in enforcement proceedings.
Key Obligation: All China-based or China-serving AI/LLM services must have filed algorithm security assessments with the CAC. Content moderation policies must align with the published national standards. Legal entities providing AIGC services need security assessments before public launch.
Priority Alerts
⚡ Priority 🇪🇺 EU · GDPR
P-1
GDPR Total Fines Reach €7.1 Billion — Enforcement Acceleration Continues
Cumulative GDPR fines across the EEA have surpassed €7.1 billion since the regulation became enforceable in May 2018. The past 12 months saw the largest ever single fine (Meta Ireland, €1.2B, subsequently reduced on appeal) and an increase in cross-border enforcement coordination under the EDPB's Article 60 one-stop-shop mechanism. DPAs in France (CNIL), Ireland (DPC), Germany (DSK/BfDI), and Italy (Garante) recorded the highest enforcement activity. Notably, enforcement against non-EU-based processors increased significantly, with DPAs asserting jurisdiction over data exports and third-country transfers.
Key Obligation: Audit international data transfer mechanisms (SCCs, adequacy). Ensure the RoPA is current and includes all processors. Review DPA complaint response procedures.
⚡ Priority 🇨🇳 China · PIPL
P-2
China PIPL: GB/T 46068-2025 National Standard for Compliance Enters Force
China's national standard GB/T 46068-2025 — "Requirements for Personal Information Protection Compliance Management" — has entered force, providing detailed technical guidance on implementing China's Personal Information Protection Law (PIPL). The standard sets out mandatory management system elements, internal audit requirements, privacy risk assessment methodologies, and cross-border data transfer protocols. Although technically a "recommended" (GB/T) standard, regulators are treating it as the de facto compliance benchmark in enforcement proceedings.
Key Obligation: Map your PIPL compliance programme against the GB/T 46068-2025 requirements. Complete internal audit cycles per the standard. Ensure cross-border data transfers (SCCs or CAC-approved mechanisms) are documented.
Enforcement & 2025 Annual Reviews
⚖️ Enforcement EDPB · ICO · FTC · SEC · CAC
E-1
Regulatory Authorities: 2025 Annual Enforcement Reviews
EDPB: Published its 2025 Work Programme emphasising coordinated enforcement of cross-border data flows, AI systems, and children's data. Announced a new coordinated enforcement action targeting connected vehicles and mobility data.

ICO (UK): 2025 annual report confirmed record reprimand activity and increased monetary penalty notices. Key themes: data brokers, employee monitoring, and adtech. ICO has expanded its enforcement against non-UK controllers processing UK residents' data.

FTC (US): Issued multiple orders under the US Health Breach Notification Rule. Key 2025 action: enforcement against data broker practices (sales of precise geolocation data). Note the shift under the new administration toward consent-based framework review.

SEC (US): Continued enforcement of cybersecurity disclosure rules under Reg S-K Item 106 and Form 8-K/6-K incident disclosure. FY2025 saw first enforcement actions for material omissions in cyber incident disclosures.

CAC (China): Record 847 enforcement actions in 2025. Top violations: unlawful data collection in mobile apps (42%), failure to provide opt-out mechanisms (28%), cross-border transfer violations (18%).
📋 Law Firm Reviews · Annual Outlook
E-2
Law Firm 2025 Annual Reviews — Key Themes
Leading practices have published their 2025 data privacy and AI regulatory annual reviews. Key convergent themes across Sidley, White & Case, Bird & Bird, and Skadden:

1. Fragmentation over harmonisation: US state-level privacy laws accelerating (20 states now active), creating an EU-vs-US divergence that is increasingly difficult to manage under a single global compliance programme.

2. AI governance as the dominant compliance investment: All firms highlight board-level accountability for AI systems, with governance frameworks becoming a pre-condition for insurance, M&A due diligence, and regulatory approval.

3. Cross-border data transfer risk remains elevated: EU-US Data Privacy Framework faces renewed legal challenges; UK adequacy under active review; China's standard contract filing mechanism generating delays.

4. Enforcement velocity increasing: Average time from complaint to final decision shortened significantly. DPAs investing in automated complaint processing tools.
Cybersecurity Regulation
🔒 EU CRA — Cyber Resilience Act
C-1
EU Cyber Resilience Act (CRA): Incident Reporting Live September 2026
The EU Cyber Resilience Act entered into force in December 2024. The first set of obligations — reporting of actively exploited vulnerabilities (72-hour window to ENISA) — applies from 11 September 2026. Full conformity requirements for all products with digital elements apply from 11 December 2027. Manufacturers, importers and distributors of hardware and software products placed on the EU market must implement mandatory vulnerability handling processes, publish a Software Bill of Materials (SBOM), and provide security support for a minimum of 5 years.
Key Obligation: Products with digital elements placed on the EU market must meet CRA requirements. Begin conformity assessment procedures now — especially for critical products requiring third-party assessment. Establish an ENISA reporting channel before September 2026.
🔒 EU NIS2 Directive
C-2
NIS2 Directive: National Implementations & First Enforcement Actions
The NIS2 implementation deadline passed in October 2024. As of Q1 2026, 18 EU member states have fully transposed NIS2; 9 states remain in partial or pending transposition. First enforcement actions have emerged in Germany (BSI), the Netherlands (NCSC-NL), and France (ANSSI) targeting entities that failed to register as "essential" or "important" entities. The Directive's expansion of scope — including medium enterprises in newly covered sectors (food, waste management, digital infrastructure) — means many organisations previously outside NIS1 are now within scope.
Action: Confirm NIS2 registration status in each EU member state of operation. Implement an incident reporting pipeline (24h initial report, 72h detailed report, 1-month final report). Conduct board-level cybersecurity risk assessments — NIS2 makes management personally liable.
Legislative Updates
📜 US State Privacy Laws
L-1
US State Privacy Laws: 20 States Now Active — Compliance Complexity Reaches Critical Mass
As of Q1 2026, 20 US states have enacted and brought into force comprehensive consumer privacy laws, with another 8 states in active legislative session. Key 2026 additions include Texas (TDPSA in force January 2025), Oregon (effective July 2024), and Montana (effective October 2024). The lack of a federal framework means each law has distinct definitions, thresholds, opt-out mechanisms, and enforcement agencies. States diverge significantly on: sensitive data categories, universal opt-out signal recognition, cure periods, and private right of action.
📜 UK DUAA — June 2026
L-2
UK Data (Use and Access) Act: Royal Assent Expected June 2026
The UK Data (Use and Access) Act (DUAA) is progressing through Parliament and is expected to receive Royal Assent by June 2026. The Act introduces a "recognised legitimate interests" test that reduces reliance on consent for certain processing activities, establishes a statutory framework for data sharing between public bodies, creates a new category of "digital verification services", and updates the ICO's powers and enforcement toolkit. Post-Brexit divergence from GDPR will accelerate upon commencement, requiring dual-track compliance for UK-EU operations.
Key Obligation: UK operations should begin mapping processing activities against the new "recognised legitimate interests" categories. Plan for dual-track compliance (UK DUAA + EU GDPR) if operating across both markets.
Compliance Calendar
Date         | Requirement                                                  | Jurisdiction | Status
Jun 2026     | UK DUAA Royal Assent                                         | 🇬🇧 UK        | Upcoming (<90d)
Aug 2026     | EU AI Act: GPAI obligations full effect                      | 🇪🇺 EU        | Upcoming (<90d)
Sep 2026     | EU CRA: Active exploitation reporting to ENISA begins        | 🇪🇺 EU        | Upcoming (<90d)
2026 (watch) | Canada Bill C-27 (CPPA) — legislative progress watch         | 🇨🇦 Canada    | Watch
Dec 2027     | EU AI Act: High-risk AI system full conformity requirements  | 🇪🇺 EU        | Upcoming (90–365d)
Dec 2027     | EU CRA: Full product conformity requirements                 | 🇪🇺 EU        | Upcoming (90–365d)
Aug 2028     | EU AI Act: Embedded AI systems — final compliance deadline   | 🇪🇺 EU        | Upcoming (>365d)

Calendar covers the EU, UK, US, Canada, Singapore, Japan and China. Updated weekly. Dates subject to legislative developments.

Issue #001 · 28 March 2026 · legal-hub.ai