
Privacy & AI Regulation 2026 — GDPR / EU AI Act (Full Enforcement Aug 2026) / DSA / DMA / PIPA / APPI / NIST AI RMF / ISO 42001 Deep Dive


Prologue — 2026, the year regulation has arrived

For anyone who remembers May 2018, when GDPR took effect, the 2026 landscape feels different. Eight years later, data and AI regulation is no longer "that thing Europe is fussy about" — it has become the **default setting of the global digital infrastructure.** On top of GDPR, the EU has stacked the EU AI Act, the DSA, the DMA, the Data Act, and the Cyber Resilience Act. The US still has no coherent federal law, yet eight states actively enforce comprehensive privacy laws; IL BIPA forms a separate biometric front; and Texas TDPSA, Minnesota MIPA, and Oregon OCPA all came online in 2024-2025. Korea's PIPA was amended in 2024 to formalize pseudonymized data, MyData, and medical MyData; Japan's APPI continues to refine its 2022-era rules on foreign transfers. China PIPL, Brazil LGPD, OECD AI Principles, NIST AI RMF, ISO 42001, and the AISI multilateral agreements complete the picture. **No digital product in 2026 can exist without awareness of its "regulatory surface."**

> **One headline drives 2026 — the EU AI Act enters full enforcement in August 2026.** It came into force in August 2024, the prohibited practices kicked in February 2025, and in August 2026 the bulk of high-risk obligations apply. This touches cloud providers, LLM vendors, SaaS, robotics, HR, healthcare — almost every product category.

What this article covers:

1. The 2026 privacy/AI regulation map — five camps

2. GDPR — eight years in, enforcement matured

3. EU AI Act — staged enforcement to August 2026

4. DSA + DMA — platform regulation

5. EU Data Act — IoT manufacturers must share data

6. EU Cyber Resilience Act — software vendor liability

7. US state laws — eight active comprehensive laws + a mosaic

8. IL BIPA — the biometric front

9. Korea PIPA 2024 amendments

10. Japan APPI — foreign transfers and anonymized processing

11. China PIPL, Brazil LGPD, and the rest of the world

12. OECD AI Principles, NIST AI RMF, ISO 42001

13. AI Safety Institutes — multilateral agreements

14. What should your company do — a phased compliance plan

15. References

1. The 2026 privacy and AI regulation map

Big picture first. As of May 2026, meaningful data and AI regulation splits into five camps.

**Camp 1 — EU: comprehensive, mandatory, extraterritorial.**

GDPR (2018) sits at the base. On top: EU AI Act (2024), DSA (2022/2024), DMA (2022/2024), Data Act (2023/2025), Cyber Resilience Act (2024/2027). Common traits: (a) extraterritorial reach, (b) fines tied to global turnover, (c) administrative enforcement. Almost every digital service aimed at EU citizens or the EU market is exposed.

**Camp 2 — US: state mosaic + federal silence.**

There is no federal omnibus privacy law as of May 2026. Instead, eight states run comprehensive laws (CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, MIPA, OCPA, TDPSA), and sector-specific laws like IL BIPA form additional layers. Federal AI executive orders shape procurement, but private-sector duties come from state laws.

**Camp 3 — Korea and Japan: omnibus + sectoral.**

Korea amended PIPA in 2024 to formalize pseudonymized data, the MyData (data portability) regime, medical MyData, and an adequacy-assessment procedure for foreign transfers. Japan has been refining APPI since the 2022 amendment — foreign transfer disclosure, anonymized processing, breach reporting. Both hold an EU adequacy decision and consciously preserve GDPR interoperability.

**Camp 4 — China, Brazil, India, Middle East.**

China's PIPL (2021) resembles GDPR formally but layers national-security and party-priority data classifications. Brazil's LGPD (2020) is almost a direct GDPR transplant. India's DPDP Act (2023) is rolling out in 2025-2026. Saudi PDPL and UAE PDPL operate alongside.

**Camp 5 — AI-specific international norms.**

OECD AI Principles (2019, updated 2024), NIST AI RMF (2023), ISO 42001 (2023), and the AISI multilateral agreements among the UK, US, Korea, Japan, Singapore, France, Spain. Not directly enforceable, but absorbed into EU AI Act, US procurement, and enterprise governance.

> One-line summary: **EU mandates, US mosaics, Asia combines omnibus laws with data sovereignty, and international norms set the floor.**

2. GDPR — eight years in, enforcement matured

GDPR (Regulation EU 2016/679) took effect on May 25, 2018. As of May 2026 it is eight years old. The first five years drew the skeptical question "will the big fines really land?" — answered by Amazon EUR 746M (2021), Meta EUR 1.2B (2023), and TikTok EUR 345M (2024). **GDPR is no longer a paper tiger.**

**Six core obligations that haven't changed**

- **Lawful basis (Article 6)** — one of six grounds: consent, contract, legal obligation, vital interest, public task, legitimate interest.

- **Special categories (Article 9)** — race, religion, union membership, health, sex life, biometric, genetic data require extra conditions.

- **Transfers (Chapter V)** — adequacy decision, SCC, BCR, or another route to send data outside the EU.

- **DPIA (Article 35)** — impact assessment for high-risk processing.

- **DPO (Article 37)** — mandatory for public bodies, systematic monitoring, large-scale sensitive processing.

- **Notification (Article 33-34)** — supervisory authority within 72 hours of a breach.

**What changed in 2024-2026**

- **EU-US Data Privacy Framework (2023)** — restored the US transfer route broken by Schrems II. NOYB is pursuing a Schrems III challenge, but as of May 2026 the framework remains in force.

- **GDPR Procedural Regulation (2025)** — streamlines cross-border cooperation. Eases the bottleneck in the "one-stop shop" mechanism.

- **Interplay with the AI Act** — the AI Act does not replace GDPR. If an AI system processes personal data, **both laws apply simultaneously.**

**The weight of fines**

The ceiling is 4 percent of global turnover or EUR 20M, whichever is higher. Cumulative fines from 2024 and 2025 crossed EUR 5B. The single largest case remains the 2023 Meta decision (Irish DPC) at EUR 1.2B.

Serving EU users without knowing GDPR is no longer a defensible posture. In 2026, GDPR is **the default setting.**

3. EU AI Act — Aug 2024 in force, Feb 2025 prohibitions, Aug 2026 full enforcement

The EU AI Act (Regulation EU 2024/1689) was adopted on June 13, 2024, published in the Official Journal on July 12, 2024, and entered into force on August 1, 2024. The staged timeline is what matters in 2026:

- **Aug 1, 2024** — entry into force.

- **Feb 2, 2025** — prohibited practices and general definitions apply.

- **Aug 2, 2025** — obligations on general-purpose AI (GPAI) models, governance bodies, and penalty provisions apply.

- **Aug 2, 2026** — high-risk system obligations, market surveillance, and most remaining duties take effect.

- **Aug 2, 2027** — high-risk systems classified as safety components under Annex I get an extra year.

May 2026 sits just three months before full enforcement. Every AI product on the EU market must align with the new obligations from that date.

**Four-tier risk classification**

The Act takes a risk-based approach. AI systems fall into four tiers.

- **Prohibited** — listed in Article 5. Social scoring, emotion recognition in workplaces and schools, untargeted facial-recognition database scraping, manipulation of children, exploitation of vulnerabilities, real-time remote biometric identification (with narrow exceptions).

- **High-risk** — listed in Annex III. Recruitment, credit scoring, education assessment, law enforcement, migration, justice, critical infrastructure, medical devices (combined with MDR).

- **Limited risk** — chatbots, deepfakes. Transparency duties only (users must know they are interacting with AI).

- **Minimal risk** — spam filters, game NPCs. No mandatory duties beyond voluntary codes.

**Core duties for high-risk systems**

- **Risk management system (Article 9)** — lifecycle risk identification, evaluation, mitigation.

- **Data governance (Article 10)** — training, validation, and test data must meet quality, representativeness, and bias requirements.

- **Technical documentation (Article 11 plus Annex IV)** — system, data, logs, results.

- **Automatic logs (Article 12)** — retain and make traceable.

- **Transparency (Article 13)** — usage instructions, limitations, accuracy disclosure to users.

- **Human oversight (Article 14)** — natural persons must be able to oversee and intervene effectively.

- **Accuracy, robustness, cybersecurity (Article 15)** — appropriate accuracy and resilience.

- **Conformity assessment (Article 43)** — self-assessment or third-party certification depending on the system.

- **CE marking and EU database registration (Articles 49, 71)** — register before placing on the market.
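As an added example (not code from the article or from any regulator), the following Python sketch shows one way to make the Article 12 logs tamper-evident and traceable: each record is hashed over its content and the previous record's digest, so a later edit to a stored decision breaks verification, and a query can surface automated decisions that never received the human review Article 14 calls for. The event field names, the model identifier and the sample events are constructed assumptions.

```python
"""Tamper-evident event log for a high-risk AI system (added example).

Not from the article or any regulator; illustrates the "automatic logs,
retain and make traceable" idea behind AI Act Article 12 with a SHA-256
hash chain. Event field names and sample values are assumptions.
"""
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # prev_hash of the first record


@dataclass
class LogRecord:
    seq: int          # position in the chain, checked during verification
    ts: str           # ISO 8601 timestamp supplied by the caller
    event: dict       # what happened (decision, human review, deployment...)
    prev_hash: str    # digest of the previous record, GENESIS for the first
    digest: str       # SHA-256 over (seq, ts, event, prev_hash)


def _canonical(seq: int, ts: str, event: dict, prev_hash: str) -> bytes:
    # Deterministic serialisation (sorted keys, no whitespace) so that the
    # same record always hashes to the same bytes.
    body = {"seq": seq, "ts": ts, "event": event, "prev": prev_hash}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain: list, event: dict, ts: str) -> LogRecord:
    """Append an event, linking it to the digest of the previous record."""
    prev_hash = chain[-1].digest if chain else GENESIS
    seq = len(chain)
    digest = hashlib.sha256(_canonical(seq, ts, event, prev_hash)).hexdigest()
    rec = LogRecord(seq, ts, dict(event), prev_hash, digest)
    chain.append(rec)
    return rec


def verify_chain(chain: list) -> tuple:
    """Return (True, None) if every link holds, else (False, first bad seq).

    Caveat: a chain only proves integrity relative to its head digest, so
    the latest digest must be kept out of band (signed, or in a write-once
    store); otherwise an attacker with write access to the log can simply
    rebuild the chain after editing it.
    """
    expected_prev = GENESIS
    for i, rec in enumerate(chain):
        recomputed = hashlib.sha256(
            _canonical(rec.seq, rec.ts, rec.event, rec.prev_hash)).hexdigest()
        if rec.seq != i or rec.prev_hash != expected_prev or recomputed != rec.digest:
            return False, i
        expected_prev = rec.digest
    return True, None


def decisions_without_oversight(chain: list) -> list:
    """Traceability query: automated decisions with no human_review record."""
    reviewed = {r.event.get("decision_id") for r in chain
                if r.event.get("type") == "human_review"}
    return [r.event["decision_id"] for r in chain
            if r.event.get("type") == "decision"
            and r.event["decision_id"] not in reviewed]


def build_sample_chain() -> list:
    """Constructed sample: a recruitment-screening model (an Annex III area)."""
    chain = []
    model_hash = hashlib.sha256(b"constructed model artefact").hexdigest()
    append_event(chain, {"type": "model_deployed", "model_id": "screener-v3",
                         "model_sha256": model_hash}, "2026-08-03T09:00:00+00:00")
    for n, applicant in ((1, "app-1001"), (2, "app-1002")):
        append_event(chain, {
            "type": "decision", "decision_id": f"d-{n:03d}",
            "model_id": "screener-v3", "subject": applicant,
            "input_sha256": hashlib.sha256(applicant.encode()).hexdigest(),
            "outcome": "rejected", "score": 0.31 + n / 100,
        }, f"2026-08-03T10:0{n}:00+00:00")
    append_event(chain, {"type": "human_review", "decision_id": "d-001",
                         "reviewer": "hr-reviewer-17", "result": "overturned"},
                 "2026-08-03T11:00:00+00:00")
    return chain


def tamper_demo() -> tuple:
    """Show that editing a stored outcome is detected at that record."""
    chain = build_sample_chain()
    before = verify_chain(chain)
    chain[2].event["outcome"] = "accepted"   # silent edit of decision d-002
    after = verify_chain(chain)
    return before, after


if __name__ == "__main__":
    print(decisions_without_oversight(build_sample_chain()))  # ['d-002']
    print(tamper_demo())  # ((True, None), (False, 2))
```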

**General-purpose AI models — Articles 51-55**

Separate duties for foundation-model providers: publish a training-data summary, follow a copyright policy, maintain technical documentation, share information with downstream integrators. Models that present "systemic risk" (currently the 10^25 FLOPs training threshold) additionally face model evaluations, adversarial testing, serious-incident notification, and cybersecurity obligations.

**Penalties**

- Violations of prohibitions — up to EUR 35M or 7 percent of global turnover.

- High-risk obligation breaches — up to EUR 15M or 3 percent.

- Supplying incorrect information — up to EUR 7.5M or 1 percent.

Seven percent beats GDPR's four — **the number itself signals intent.**

**EU AI Office**

Set up inside the European Commission in 2024. Directly enforces the GPAI provisions of the AI Act, coordinates with national market-surveillance authorities, and publishes guidance such as the Code of Practice (final version, May 2025).

4. DSA + DMA — platform regulation

If the EU AI Act addresses the safety of models and systems, the DSA and DMA address the conduct of platforms.

**Digital Services Act (Regulation EU 2022/2065)**

Adopted in November 2022, applies to all online intermediaries, hosts, and platforms from February 2024. Core duties:

- **Notice-and-action (Article 16)** — receive, review quickly, decide. Tell the user the reason and how to appeal (Article 17).

- **Risk assessments (Article 34)** — very large online platforms (VLOPs, monthly active users above 45 million) and search engines (VLOSEs) must perform an annual systemic-risk assessment.

- **Recommender system transparency (Articles 27, 38)** — disclose key parameters. VLOPs must provide at least one non-profiling option.

- **Ad transparency (Articles 26, 39)** — label ads, disclose identifier, criteria, and funder. No targeting of minors or based on special-category data.

- **Dark-pattern prohibition (Article 25)** — interfaces that distort user decisions are banned.

Through 2024 and 2025 the Commission opened formal proceedings against X, Meta, AliExpress, TikTok, and Temu. The first decisions are imminent.

**Digital Markets Act (Regulation EU 2022/1925)**

Ex-ante regulation of designated "gatekeepers." Applies in full from March 2024. As of May 2026 the gatekeeper list comprises Alphabet, Amazon, Apple, ByteDance, Meta, Microsoft, and Booking. Core duties:

- **Interoperability** — messaging services must enable message exchange across services.

- **No self-preferencing** — search, app store, and OS must not unfairly favor first-party services.

- **Consent for data combination** — explicit consent required to combine user data across services.

- **External payments and sideloading** — Apple iOS must allow external payments and alternative app stores.

Apple has faced EUR 1.8B (antitrust) and EUR 500M (DMA Article 5(4)) decisions during 2024-2025 and even sparked diplomatic friction with the US.

**Implications**

DSA and DMA are no longer "just a European story." When gatekeepers change behavior for the EU (iOS sideloading, Meta consent flows), the change tends to ripple globally. Korean and Japanese platform regulators cite the DMA frequently.

5. EU Data Act — IoT manufacturers must share data

The EU Data Act (Regulation EU 2023/2854) entered into force in January 2024 and applies from September 2025. The premise is simple — **"who owns the data my IoT product generates?"** The Data Act gives users a right of access.

**Core duties**

- **User access (Chapter II)** — users of connected products get free access to the data the product generates. Users have the right to direct that data to third parties of their choice.

- **B2G data sharing (Chapter V)** — public bodies can request data in exceptional public-interest situations.

- **Cloud switching (Chapter VI)** — limits on lock-in practices, especially exit fees and transition timelines for cloud providers.

- **Interoperability (Chapter VIII)** — standards for data spaces.

**Who is affected**

Automotive OEMs, appliance makers, industrial IoT, farm equipment — anyone who manufactures a "data-generating product." Tesla, John Deere, BMW, Siemens, Samsung, and LG sit squarely in the target. Cloud providers (AWS, Azure, GCP, OCI) feel it through the switching rules.

**Korea and Japan impact**

Korean and Japanese automotive, semiconductor, and appliance vendors need Data Act compliance for EU market entry. ETRI, KISA, and KISDI are publishing implementation guidance.

6. EU Cyber Resilience Act — software vendor liability

The EU Cyber Resilience Act (Regulation EU 2024/2847) took effect in December 2024. Reporting duties apply from September 2026, core duties from December 2026, full enforcement from December 2027. The premise is simple — **"digital products should meet safety standards like cars do."**

**Scope**

Almost every "product with digital elements" placed on the EU market — hardware plus firmware plus software. Domains already regulated separately (medical devices under MDR, vehicles, civil aviation) are carved out.

**Core duties**

- **Essential cybersecurity requirements (Annex I)** — security by design, no known vulnerabilities at release, secure defaults.

- **Vulnerability handling** — vulnerability reporting and patches for a minimum of five years.

- **Notification of actively exploited vulnerabilities** — early warning to ENISA within 24 hours, formal notification within 72 hours, full report within 14 days.

- **CE marking** — conformity assessment, CE marking, instructions for use, EU database registration.

**Open-source partial exemption**

Non-commercial open source is exempt. The Act introduces "open source software steward" as a category with a lighter set of duties — not a full carve-out.

**Penalties**

Essential cybersecurity violations — up to EUR 15M or 2.5 percent of global turnover.

EU AI Act + GDPR + CRA together mean digital products entering the EU market in 2026-2027 must carry **three layers of certification, documentation, logging, and notification duties simultaneously.**

7. US state laws — eight active comprehensive laws plus a mosaic

There is no federal omnibus privacy law as of May 2026. The American Privacy Rights Act (APRA) was introduced in May 2024 but did not pass. States have continued to legislate.

**Eight active comprehensive laws**

- **California — CCPA (2020) + CPRA (2023)** — the strongest. Covers any business with USD 25M in global revenue, data on 100,000 California residents, or 50 percent of revenue from selling personal data. The California Privacy Protection Agency (CPPA) is a dedicated regulator. Automated decision-making technology (ADMT) rules and cybersecurity audit duties phase in during 2025-2026.

- **Virginia — VCDPA (2023)** — the first non-California omnibus. Consent, DPIA, sensitive categories, opt-out.

- **Colorado — CPA (2023)** — second-strongest. Universal Opt-Out Mechanism (UOOM) mandatory.

- **Connecticut — CTDPA (2023)** — a middle path between VCDPA and CPA.

- **Utah — UCPA (2023)** — the lightest. Opt-out based rather than consent-based.

- **Texas — TDPSA (effective July 2024)** — broad applicability to anyone processing Texas resident data, not gated by revenue or volume thresholds.

- **Minnesota — MIPA (effective July 2025)** — explicit right to object to profiling.

- **Oregon — OCPA (effective July 2024)** — close to CTDPA in structure.

On top of these, Tennessee TIPA, Iowa, Indiana, Montana, and Delaware DPDPA have rolled out through 2024-2026. As of May 2026 roughly **15 to 18 states** have a comprehensive law in force.

**The six rights pattern (VCDPA family)**

- Right to access

- Right to correct

- Right to delete

- Right to portability

- Right to opt out of sale, sharing, and targeted advertising

- Right to opt out of profiling

CPRA additionally grants (a) the right to limit use of sensitive personal information and (b) rights related to automated decisions.

**Federal — AI executive orders and aftermath**

- **Biden AI Executive Order (October 2023)** — EO 14110. AI safety evaluations, red-teaming, synthetic-content watermarking, establishment of US AISI.

- **Trump administration (2025-)** — partially rescinded Biden EO and emphasized voluntary regulation. NIST AI RMF remains as a procurement benchmark.

- **California SB 1047 (AI safety, vetoed 2024)** — successors like SB 53 still being negotiated through 2025-2026.

- **Colorado AI Act (adopted May 2024, effective February 2026)** — the first US comprehensive AI anti-discrimination law. High-risk AI faces impact assessments and anti-discrimination duties.

**Penalties**

CCPA's intentional-violation cap is USD 7,500 per violation; CPRA escalates for children. Other states fall into the thousand-to-tens-of-thousand USD range. Class-action exposure is a separate concern — CCPA allows a private right of action only for data-breach cases.

**Implications for the US camp**

- Operators must track a **state-by-state matrix.** "Just look at California" is over.

- Technical standards like the IAB Global Privacy Control (GPC) and the UOOM are growing in importance.

- Without federal law, compliance costs keep increasing. APRA returning would change the picture.

8. IL BIPA — the biometric front

The Illinois Biometric Information Privacy Act (BIPA) was passed in 2008 — the oldest biometric law in the US. In 2026 it remains the single largest litigation risk facing US-operating companies.

**Why it stands apart**

- **Private right of action** — USD 1,000 (negligent) or USD 5,000 (intentional) per violation.

- **Per-instance calculation** — until 2024, courts treated each individual biometric capture (each facial scan, each fingerprint event) as a separate violation. The 2023 White v. Cintas decision was the high-water mark.

**Class-action history**

- Facebook (Meta) — settled for USD 650M in 2020.

- TikTok — settled for USD 92M in 2021.

- Google — settled for USD 100M in 2022.

- Snap — settled for USD 35M in 2022.

- Clearview AI — multiple state actions and an ACLU settlement in 2022.

**The 2024 BIPA amendment**

In August 2024 Illinois amended BIPA so that violations are calculated **per person and per session**, not per capture. The cumulative per-instance era is over, but BIPA still ranks as the most dangerous US biometric law.

**Texas CUBI, Washington HB 1493**

Texas CUBI is enforced only by the attorney general; Washington's law is similar. Neither is as scary as BIPA, but each requires a separate matrix entry.

**Takeaway**

Any company touching computer vision, facial recognition, or biometric authentication — with US users — must maintain a separate operations track for BIPA consent (written or electronic), retention policy, and destruction procedure.

9. Korea PIPA 2024 amendment — pseudonymized data, MyData, medical MyData

The Personal Information Protection Act (PIPA) of Korea was enacted in 2011. The 2020 "Data 3 Acts" amendment introduced pseudonymized data. The September 2023 amendment aligned rights with GDPR. The **March 2024 amendment** adds the following.

**Highlights of the 2024 amendment**

- **General data portability (MyData)** — extends portability from finance and public sector to all sectors. Subordinate regulations phase in from 2025.

- **Right concerning automated decisions** — when automated decisions (hiring, credit, education) significantly affect a data subject, the subject can demand refusal or explanation.

- **Portability plus interoperability** — standardization, intermediary entities, fee caps.

- **Adequacy assessment for cross-border transfers** — the Personal Information Protection Commission (PIPC) formalizes adequacy decision procedures.

- **Fine calculation** — fines can be calculated against total turnover, not just turnover related to the violation. GDPR-style.

**Medical MyData (2024-2025)**

Under the Ministry of Health and Welfare medical data plan, medical MyData expands. Patients can transmit their records, prescriptions, and test results to outside apps (My Health Way). General hospitals and clinics begin onboarding through 2025-2026.

**EU adequacy decision**

Korea received an EU adequacy decision in December 2021, allowing data transfers from the EU to Korea without separate SCCs. To preserve it, PIPC must maintain GDPR-equivalent rights and enforcement — the 2024 amendment was partly motivated by that.

**AI-related guidance**

- 2023 PIPC self-checklist for AI personal data handling.

- 2024 PIPC guidance on privacy policies for generative AI.

- 2025 KISA update of anonymization and pseudonymization technical guide.

**Penalties**

Up to 3 percent of total turnover — below the EU 4 percent but converging. Kakao and SKT faced tens-of-billions-of-won fines during 2024-2025.

10. Japan APPI — foreign transfers and anonymized processing

The Act on the Protection of Personal Information (APPI) was enacted in 2003, with major amendments in 2017 and 2022. Additional review is under way in 2025.

**Basic structure**

- **Personal identifier code** — fingerprints, DNA, passport number, etc.

- **Special-care-required personal information** — race, religion, medical history, criminal record. Sensitive categories.

- **Anonymously processed information** — Japan's counterpart to GDPR anonymization. Enables academic and industrial use.

- **Pseudonymously processed information** — added in the 2022 amendment. Allows internal use without consent; restricted for external sharing.

**Key 2022 amendments**

- Foreign transfers — provide information about the destination country's privacy regime to the data subject.

- Mandatory breach reporting — large breaches must be reported to the Personal Information Protection Commission (PPC) and notified to data subjects.

- Wrongful acquisition and wrongful use — explicitly prohibited.

- Pseudonymously processed information introduced.

- Penalties strengthened — up to JPY 100M for entities.

**EU adequacy decision**

Japan received an EU adequacy decision in 2019, mutually with the EU. Data flows bidirectionally without separate SCCs.

**2024-2026 discussion**

PPC is preparing the next triennial review. Key topics:

- Considering a class-action regime.

- Restructuring consent requirements.

- Strengthening extraterritorial application against foreign operators.

- Possible explicit AI provisions.

**AI guidance**

- April 2024 — METI and MIC jointly published "AI Guidelines for Business." Non-binding but aligned with OECD AI Principles and NIST AI RMF.

- 2023 G7 Hiroshima AI Process — international code of conduct.

11. China PIPL, Brazil LGPD, and the rest of the world

**China PIPL (2021)**

The Personal Information Protection Law took effect in November 2021. Resembles GDPR formally but with differences:

- **Critical Information Infrastructure (CII) operators** must localize data inside China.

- **National security and party priority** — the state can compel data sharing.

- **Foreign transfers** — security assessment by CAC, standard contract, or certification. A March 2024 relaxation introduced thresholds that exempt certain transfers.

- **Sensitive categories** — minors under 14, biometric, religious, financial, and others.

PIPL penalties reach 5 percent of revenue or RMB 50M. Alibaba, Didi, Tencent faced large fines through 2024.

**Brazil LGPD (2020)**

The General Data Protection Law took effect in September 2020, enforced from August 2021. Almost a direct GDPR transplant. Regulator is ANPD. Cap is 2 percent of revenue or BRL 50M.

**India DPDP Act (2023)**

The Digital Personal Data Protection Act was enacted in August 2023. Rolls out in phases during 2025-2026. Core features:

- Consent-centric.

- Data Fiduciary concept.

- Additional protection for children and persons with disabilities.

- New Data Protection Board.

**Saudi PDPL (2023), UAE PDPL (2023)**

Two Middle East omnibus laws inspired by GDPR. Saudi Arabia is supervised by SDAIA and NDMO. The UAE runs separate GDPR-aligned rules in free zones (DIFC, ADGM) alongside the federal PDPL.

12. OECD AI Principles, NIST AI RMF, ISO 42001

Not laws — but global standards.

**OECD AI Principles (2019, updated 2024)**

OECD AI Principles were adopted in May 2019; 38 member states plus many non-members endorse them. The May 2024 update added (a) generative AI and (b) safety and information integrity. Five principles:

- Inclusive growth, sustainable development, well-being.

- Human rights, democratic values, plus fairness and privacy.

- Transparency and explainability.

- Robustness, security, safety.

- Accountability.

Most national laws and guidance cite the OECD AI Principles. EU AI Act, NIST AI RMF, and Korea's AI ethics guidelines all do.

**NIST AI RMF (2023)**

The US National Institute of Standards and Technology released the AI Risk Management Framework 1.0 in January 2023. Non-binding but absorbed into federal procurement and thus a de-facto standard. Four functions:

- **Govern** — governance, policy, roles.

- **Map** — context, risk, stakeholders.

- **Measure** — quantitative and qualitative measurement.

- **Manage** — risk treatment, prioritization, resourcing.

July 2024 saw the additional Generative AI Profile (NIST AI 600-1). Crosswalks to EU AI Act and ISO 42001 are published separately.

**ISO/IEC 42001 (2023)**

ISO/IEC 42001:2023 is the world's first AI management-system certification standard. Released in December 2023. Think of it as the AI version of ISO 9001 (quality) plus ISO 27001 (information security).

Core elements:

- AI policy, roles, responsibilities.

- AI risk and impact assessment.

- Controls over data, models, operations.

- Lifecycle management — development, evaluation, deployment, monitoring, decommissioning.

- Continual improvement.

BSI, DNV, TUV and other certification bodies began offering ISO 42001 certifications in 2024-2025. Big tech is lining up to get certified. Korean and Japanese enterprises are following.

ISO 42001 is not a formal presumption of conformity with the EU AI Act — yet in practice it is **the central evidence package.**

13. AI Safety Institutes — multilateral agreements

After the first AI Safety Summit at Bletchley Park in November 2023, major countries set up AI Safety Institutes (AISIs) and built a multilateral network.

**Member countries — as of May 2026**

- **UK AISI** — founded November 2023. The de-facto secretariat of the Bletchley and Seoul declarations.

- **US AISI** — established under NIST in February 2024. Pre-release evaluation agreements with Anthropic and OpenAI.

- **Japan AISI** — February 2024.

- **Korea AISI** — November 2024.

- **Singapore AISI** — May 2024.

- **France INESIA / AISI** — 2025.

- **Spain AESIA** — 2024.

- Canada, the EU AI Office, and others have entered separate cooperation frameworks.

**What they do**

- **Pre-release evaluations** — frontier models (GPT-4, Claude, Gemini, Llama 4) get a risk evaluation before launch. Anthropic and OpenAI signed voluntary agreements.

- **Joint evaluation standards** — red-team protocols for CBRN, cyber, autonomy, and deception.

- **Incident sharing** — serious incidents are shared multilaterally.

- **Research funding and cohorts** — building safety evaluation tools.

**Seoul Declaration (May 2024) and Paris Action (February 2025)**

- Seoul Declaration — three pillars: safety, innovation, inclusion.

- Paris Action — action plan and resource commitments.

**Limits and significance**

AISI agreements are voluntary, not law. Yet they (a) institute pre-release government evaluations, (b) feed into the EU AI Act GPAI Code of Practice, and (c) anchor industry-self-regulation governance.

14. What should your company do — a phased compliance plan

The theory was long; the practice has clear stages.

**Phase 0 — Determine scope (one week)**

- Do you have EU citizens or EU-market users? — exposure to GDPR, EU AI Act, DSA, CRA.

- US state matrix — CCPA, VCDPA, CPA, CTDPA, UCPA, TDPSA, MIPA, OCPA. Check revenue, user count, sensitive data thresholds.

- Korea and Japan — PIPA and APPI matrices.

- China — PIPL and possible data localization.

- AI features — self-classify by risk tier (prohibited, high, limited, minimal).

Deliverable: **a one-page applicability matrix.**

**Phase 1 — Data mapping (2-4 weeks)**

- Where does personal data come from, where is it stored, where is it sent — Record of Processing Activities (GDPR Article 30).

- Lawful basis — consent, contract, legitimate interest?

- Sensitive categories — where are they processed?

- Transfers — cross-border flows, SCC and BCR status.

Deliverable: **data-flow map plus lawful-basis register.**

**Phase 2 — Policies and rights handling (2-4 weeks)**

- Update privacy policies in multiple languages and jurisdictions.

- DSAR (data subject access request) procedure — 30-day or 45-day clock.

- Opt-out machinery — recognize GPC and UOOM technical signals.

- Children — COPPA (US), CCPA Children, GDPR under-13 conditions.

Deliverable: **rights-handling SOP plus policy documents.**
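As an added example (not code from the article), the following Python functions show the server side of that opt-out machinery for one signal, Global Privacy Control: the GPC specification has the browser send the request header `Sec-GPC: 1`, and a site can advertise that it honours the signal at `/.well-known/gpc.json`. The purpose labels, the preference record and the sample requests are constructed assumptions; the sticky-opt-out behaviour is a design choice of this example, not a rule from the spec.

```python
"""Honouring the Global Privacy Control (GPC) opt-out signal server-side.

Added example, not from the article. Facts relied on: a GPC-enabled browser
sends the request header "Sec-GPC: 1", and a site may publish
/.well-known/gpc.json to state that it honours the signal. Purpose labels,
the preference record and the sample requests below are assumptions.
"""
import json
from dataclasses import dataclass, field

# Purposes that an opt-out signal switches off (the "sale, sharing and
# targeted advertising" trio); the remaining purposes keep running.
OPT_OUT_PURPOSES = frozenset({"sale", "sharing", "targeted_advertising"})
ALL_PURPOSES = OPT_OUT_PURPOSES | {"service_delivery", "security",
                                   "first_party_analytics"}


def gpc_signaled(headers: dict) -> bool:
    """True only for a well-formed signal: the header name is matched
    case-insensitively, and only the exact value "1" counts as an opt-out."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


@dataclass
class Preferences:
    user_id: str
    opted_out: set = field(default_factory=set)   # purposes switched off
    history: list = field(default_factory=list)   # audit trail for DSARs


def apply_signal(prefs: Preferences, headers: dict, ts: str) -> Preferences:
    """Treat a GPC signal as a valid opt-out request and persist it.

    Design choice of this example: the signal only ever adds opt-outs. Its
    absence on a later request (another browser, a cleared profile) does not
    re-enable anything; the user changes it through the site's own controls.
    Re-sending the signal is idempotent, so the audit trail gets one entry.
    """
    if gpc_signaled(headers) and not OPT_OUT_PURPOSES <= prefs.opted_out:
        prefs.opted_out |= OPT_OUT_PURPOSES
        prefs.history.append({"ts": ts, "source": "Sec-GPC",
                              "purposes": sorted(OPT_OUT_PURPOSES)})
    return prefs


def allowed_purposes(prefs: Preferences) -> set:
    """Purposes downstream code may still process for this user."""
    return set(ALL_PURPOSES) - prefs.opted_out


def well_known_gpc(last_update: str) -> str:
    """Body for GET /.well-known/gpc.json (last_update is an ISO date)."""
    return json.dumps({"gpc": True, "lastUpdate": last_update})


def demo() -> dict:
    """Constructed requests: a signal, a repeat, a malformed value, no signal."""
    prefs = Preferences("user-42")
    apply_signal(prefs, {"Host": "example.test", "sec-gpc": "1"},
                 "2026-05-01T08:00:00Z")
    apply_signal(prefs, {"Sec-GPC": "1"}, "2026-05-01T08:05:00Z")   # repeat
    apply_signal(prefs, {"Sec-GPC": "yes"}, "2026-05-02T08:00:00Z")  # malformed
    apply_signal(prefs, {"Host": "example.test"}, "2026-05-03T08:00:00Z")  # none
    return {"allowed": sorted(allowed_purposes(prefs)),
            "audit_entries": len(prefs.history)}


if __name__ == "__main__":
    print(demo())
```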

**Phase 3 — DPIA and AI impact assessment (4-8 weeks)**

- GDPR DPIA for high-risk processing — credit scoring, large-scale monitoring, new technology.

- EU AI Act impact assessment — Article 27 Fundamental Rights Impact Assessment for public bodies and high-risk providers.

- Automated decisions — GDPR Article 22 and Korea's PIPA automated-decision rights.

Deliverable: **DPIA reports plus risk register.**

**Phase 4 — Technical controls (8-12 weeks)**

- Encryption at rest, in transit, key management.

- Access controls plus audit logs.

- Pseudonymization and anonymization — KISA guides, ISO 27018.

- Retention plus disposal automation.

- Cybersecurity — SBOM for CRA, vulnerability reporting.

Deliverable: **control catalog plus audit trail.**

**Phase 5 — Governance (6-8 weeks)**

- Appoint DPO or CPO — GDPR Article 37, Korea PIPA obligation.

- Establish an AI committee or accountable officer — ISO 42001 Clause 5.

- Periodic risk assessment, management review, internal audit.

- Breach response plan — 72-hour and 24-72-hour notification clocks.

- Supply chain — processor agreements, SCC, DPA (Data Processing Agreement).

Deliverable: **governance RACI plus breach playbook.**

**Phase 6 — Certification, documentation, disclosure (8-12 weeks)**

- ISO 27001 (information security) and ISO 42001 (AI) certification review.

- EU AI Act conformity assessment — self-assessment or third-party for high-risk systems.

- EU database registration — for high-risk AI systems.

- Transparency reports — DSA VLOPs, EU AI Act foundation models, voluntary publication like Anthropic and OpenAI.

Deliverable: **certification, registration, and disclosure calendar.**

**Phase 7 — Operations (ongoing)**

- Annual audits plus change impact assessments.

- Breach response exercises.

- AISI participation for frontier-model vendors.

- Track new legislation — monitor EU AI Office, national supervisors.

**Bottom line: compliance is not a one-off project but a continuous system.**

15. References

Primary sources first.

**EU**

- EUR-Lex full text — https://eur-lex.europa.eu/

- GDPR — https://eur-lex.europa.eu/eli/reg/2016/679/oj

- EU AI Act — https://eur-lex.europa.eu/eli/reg/2024/1689/oj

- DSA — https://eur-lex.europa.eu/eli/reg/2022/2065/oj

- DMA — https://eur-lex.europa.eu/eli/reg/2022/1925/oj

- EU Data Act — https://eur-lex.europa.eu/eli/reg/2023/2854/oj

- EU Cyber Resilience Act — https://eur-lex.europa.eu/eli/reg/2024/2847/oj

- European Data Protection Board (EDPB) — https://edpb.europa.eu/

- EU AI Office — https://digital-strategy.ec.europa.eu/en/policies/ai-office

- EDPS — https://www.edps.europa.eu/

**US**

- California CPPA — https://cppa.ca.gov/

- IAPP US State Privacy Tracker — https://iapp.org/resources/article/us-state-privacy-legislation-tracker/

- NIST AI RMF — https://www.nist.gov/itl/ai-risk-management-framework

- US AISI — https://www.nist.gov/aisi

- Biden AI Executive Order 14110 — https://www.whitehouse.gov/briefing-room/presidential-actions/2023/10/30/executive-order-on-the-safe-secure-and-trustworthy-development-and-use-of-artificial-intelligence/

**Korea**

- Personal Information Protection Commission (PIPC) — https://www.pipc.go.kr/

- KISA — https://www.kisa.or.kr/

- National Law Information Center (PIPA) — https://law.go.kr/

- Korea AISI — https://www.kaisi.kr/

**Japan**

- Personal Information Protection Commission (PPC) — https://www.ppc.go.jp/

- METI AI Guidelines for Business — https://www.meti.go.jp/policy/it_policy/jinzai/ai/

- Japan AISI — https://aisi.go.jp/

**China, Brazil, India**

- CAC (Cyberspace Administration of China) — http://www.cac.gov.cn/

- ANPD (Brazil) — https://www.gov.br/anpd/

- India MeitY DPDP — https://www.meity.gov.in/

**International standards**

- OECD AI Principles — https://oecd.ai/en/ai-principles

- ISO/IEC 42001 — https://www.iso.org/standard/81230.html

- ISO/IEC 27001 — https://www.iso.org/standard/27001

- G7 Hiroshima AI Process — https://www.mofa.go.jp/ecm/ec/page5e_000076.html

**Reference materials**

- IAPP (International Association of Privacy Professionals) — https://iapp.org/

- Future of Privacy Forum — https://fpf.org/

- AI Index Report (Stanford HAI) — https://aiindex.stanford.edu/

Epilogue — regulation is not the enemy, it is the product

One-line summary of the whole article: **In 2026 the digital product must treat its regulatory surface as a feature.** The era when GDPR was "a marketing expense" is over. The EU AI Act demands data, logs, documentation, and evaluation from the training stage. CRA requires SBOMs and vulnerability reporting as built-ins. CCPA and PIPA are no longer satisfied with a single "opt-out" button.

Still — if you read all of this as "cost," you are seeing only half the picture. Companies that handle the regulatory surface well (a) accelerate global market entry, (b) capitalize trust, and (c) recover faster from incidents. **Compliance is part of product design.**

> "The law is always late to the technology — that claim is no longer true. The EU AI Act of 2026 arrived almost on time with the technology. Learning to run alongside regulation is a core capability of the next ten years."

— Privacy and AI Regulation 2026, end.
