AI Regulation Tracker
Every AI bill, rule, and enforcement action. Tracked.
Real-time legislative intelligence across 32 jurisdictions and 53 US states. See live source coverage →
Total tracked
4256
Legislation
1983
Enforcement
64
Critical
110
By jurisdiction
3435 items across US
US State Coverage
International
Filters
4256 results
Page 1
OFAC designates two individuals and several entities, including a VPN service and Cuban organizations, adding them to the Specially Designated Nationals (SDN) List for cyber and Cuba-related reasons, prohibiting transactions by U.S. persons.
The Treasury Department's OFAC has updated its Specially Designated Nationals and Blocked Persons List, adding two individuals (Dmytro Rashevskyi and Yevgeniy Vladimirovich Silayev) and several entities, including a VPN service and various Cuban organizations. These designations are based on cyber-related activities and Cuba sanctions programs. The action prohibits U.S. persons from engaging in transactions with the listed individuals and entities and blocks their property and interests in property within U.S. jurisdiction, effective immediately.
Brazil's Senate approved a bill to increase penalties for digital sexual violence against minors, including cases involving AI and deepfakes, classifying many as heinous crimes.
Brazil's Senate has approved PL 3.066/2025, which significantly stiffens penalties for digital sexual violence against children and adolescents, with the bill now moving for presidential sanction. The legislation specifically addresses the use of artificial intelligence, deepfakes, and other digital tools as aggravating factors for these crimes. It reclassifies several related offenses as 'heinous crimes,' leading to harsher sentences and reduced benefits for convicts, aiming to deter the exploitation and abuse of minors online. The bill also changes terminology from 'child pornography' to 'sexual violence against children or adolescents' to better reflect the gravity of the acts.
South Korea's PIPC sanctioned Coupang and CFS with significant penalties for multiple violations of the Personal Information Protection Act, including a major data breach affecting 33 million users, insufficient security, delayed notifications, and undermining CPO independence.
The South Korean Personal Information Protection Commission (PIPC) issued substantial administrative sanctions against Coupang and Coupang Fulfillment Services (CFS) for severe breaches of the Personal Information Protection Act (PIPA). This action, including a penalty of KRW 624.681 billion for Coupang, resulted from a data breach affecting over 33 million users and 4.33 million third parties, caused by inadequate security management, delayed notifications, and undermining the Chief Privacy Officer's role. The PIPC also found failures in data destruction and evidence preservation. This indicates an active enforcement posture by the PIPC.
CISA warns of critical vulnerabilities (CVSS 9.8) in Yarbo's mobile application and cloud infrastructure, allowing remote access and control of a global robot fleet, and recommends immediate user updates and security measures.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory regarding critical vulnerabilities (CVSS 9.8) in Yarbo's mobile application and cloud infrastructure that control its global robot fleet. These flaws involve hard-coded credentials and missing authorization, enabling attackers to gain fleet-wide access, monitor telemetry, and send operational commands. CISA recommends users update the Yarbo app to version 3.17.4 or later and implement defensive cybersecurity measures, while Yarbo is deploying server-side authorization fixes. The enforcement risk score is low (25) as CISA is issuing an advisory rather than an enforcement action.
Texas HB581 prohibits the creation of artificial sexual material harmful to minors, taking effect on September 1, 2025.
Texas House Bill 581 has been enacted and will become effective on September 1, 2025. This law prohibits the use of artificial intelligence to create sexual material that is harmful to minors. The enactment indicates a strong regulatory stance against the misuse of AI for generating illicit content, particularly concerning child protection, and carries a high enforcement risk.
BIS implements new export controls on advanced computing and semiconductor manufacturing items, expands controls for supercomputer and semiconductor end uses in China, and requires licenses for certain U.S. person activities supporting IC development/production in the PRC.
The U.S. Bureau of Industry and Security (BIS) has issued a final rule significantly tightening export controls on advanced computing chips and semiconductor manufacturing equipment. The rule expands licensing requirements for transactions involving these items intended for supercomputer and semiconductor manufacturing end-uses, particularly impacting 28 Chinese entities. Additionally, U.S. persons supporting the development or production of certain ICs in the PRC now require a license. A Temporary General License is established to mitigate immediate supply chain disruptions, allowing limited manufacturing in China for items ultimately used outside the country, and BIS provides guidance on due diligence certificates for compliance programs.
This U.S. interim final rule revises export controls on advanced computing items and semiconductor manufacturing equipment to restrict China's military modernization capabilities.
The U.S. Bureau of Industry and Security (BIS) has issued an interim final rule (IFR) that amends the Export Administration Regulations (EAR). This rule strengthens controls on advanced computing integrated circuits (ICs), computers containing these ICs, and semiconductor manufacturing items. The primary objective is to make existing controls more effective and less burdensome while protecting U.S. national security by limiting China's access to critical technologies that could be used for military modernization. This IFR is part of a broader effort by BIS to refine export controls initiated with the October 7, 2022 IFR.
Croatia's data protection agency fined a telecommunications operator EUR 4.5 million for General Data Protection Regulation (GDPR) violations related to personal data transfers.
The Croatian Personal Data Protection Agency (AZOP) issued a significant administrative fine of EUR 4.5 million to a telecommunications operator for infringements of the General Data Protection Regulation (GDPR). The violations specifically concerned the unlawful transfer of personal data, underscoring the strict enforcement of data protection rules by EU member state authorities.
Brazilian agencies ANPD, MPF, and Senacon issued recommendations to X (Twitter) to prevent and remove non-consensual sexualized synthetic content generated by its AI tool, Grok.
Brazilian federal agencies, including the National Data Protection Authority (ANPD), Federal Public Ministry (MPF), and National Consumer Secretariat (Senacon), issued joint recommendations to X (formerly Twitter). The recommendations require X to immediately prevent its AI tool, Grok, from generating non-consensual sexualized or eroticized synthetic content, particularly involving minors or identifiable adults. X must also establish procedures within 30 days to identify and remove existing illicit content, suspend involved accounts, provide a transparent complaint mechanism, and conduct a Data Protection Impact Assessment for Grok's generative features. Non-compliance could lead to further administrative and judicial action.
Colorado SB26-189 is a bill introduced in the Senate concerning the use of automated decision-making technology in consequential decisions.
Colorado Senate Bill 26-189, introduced on May 1, 2026, aims to regulate the use of automated decision-making technology, particularly in consequential decisions. It is currently under consideration and assigned to the Senate Business, Labor, & Technology Committee, with subjects including Labor & Employment and Telecommunications & Information Technology.
The European Commission has preliminarily found Meta in breach of the Digital Services Act due to the addictive design of Instagram and Facebook, citing risks to users' physical and mental well-being.
The European Commission has issued a preliminary finding that Meta's Instagram and Facebook are in breach of the Digital Services Act (DSA) due to their addictive design features, including infinite scroll, autoplay, push notifications, and highly personalised recommender systems. The investigation found that Meta failed to adequately assess and mitigate risks to the physical and mental well-being of users, especially minors and vulnerable adults. This is an ongoing enforcement action by the EU under its binding DSA regulation, signaling increasing scrutiny on platform design and AI-driven features impacting user health.
Commissioner Lahbib's speech at the OECD Gender Equality Forum highlights the risks of AI-generated explicit images and the need for addressing online harms.
In a speech at the OECD Gender Equality Forum, EU Commissioner Lahbib used an example of a 15-year-old girl whose photo was used by an AI app to create explicit images. This highlights the urgent need to address the harms caused by AI-generated content, particularly concerning minors and gender-based violence.
The Dutch Data Protection Authority (AP) warns that the rapid growth of AI increases the dangers of cyberattacks, phishing, and data breaches, urging organizations to immediately enhance digital security.
The Dutch Data Protection Authority (AP) has issued a warning, based on its annual data breach report, that AI is significantly escalating the risks of cyberattacks, particularly phishing and data breaches. The AP highlights a 'flywheel effect' where AI creates more sophisticated phishing, leading to more breaches, which then fuel further AI-powered attacks. Organizations are urged to act immediately to strengthen their digital security, with a strong emphasis on management responsibility ('chefsache') to protect personal data and avoid severe financial and reputational damage.
West Virginia's lawsuit against Apple, alleging failures to detect and report child sexual abuse materials due to product design and lack of detection technology, has been remanded to state court.
A lawsuit brought by the West Virginia Attorney General against Apple, alleging the company's business practices and product design choices safeguard child sexual abuse materials (CSAM) from detection and that it failed to adequately report CSAM to NCMEC, has been sent back to state court after a federal court rejected Apple's attempt to remove it. The Attorney General states the case is about holding Apple accountable for prioritizing profits over child safety, citing Apple's alleged failure to deploy detection technology.
The FCA's Mills Review outlines how AI will transform UK retail financial services by 2030, identifying risks and opportunities and making recommendations for the FCA.
The UK Financial Conduct Authority (FCA) has published The Mills Review, a landmark report assessing the impact of AI on retail financial services by 2030. It identifies potential benefits like improved access and personalization, alongside amplified risks such as fraud, cyber security, consumer harm, and market concentration. The report provides a roadmap for the FCA, industry, and government, with seven key recommendations for the FCA to adapt its regulatory approach, building on existing frameworks like the Consumer Duty and Senior Managers Regime. This report does not create new compliance obligations for firms, but signals future regulatory direction.
Brazil's ANPD has initiated an administrative sanctioning process against Claro for alleged LGPD violations in data sharing with Serasa, and an investigation into Serasa's transparency.
Brazil's National Data Protection Authority (ANPD) has begun an administrative sanctioning process against telecommunications operator Claro for alleged violations of the General Data Protection Law (LGPD). Claro is accused of excessive data sharing with credit analysis company Serasa, lack of transparency with clients, and hindering access to its Data Protection Officer. If proven, Claro could face fines up to R$50 million per infraction or 2% of its revenue. Separately, Serasa is undergoing a new fiscalization process focusing on its data transparency and mechanisms for data subject rights. Both companies have 10 business days to present their defense, with failure to respond potentially leading to additional sanctions.
Singapore's IMDA issued Letters of Caution to X and TikTok for severe weaknesses in AI-driven child sexual exploitation material and terrorism content detection, placing them under enhanced supervision with a June 30, 2026 deadline for rectification proof.
The Infocomm Media Development Authority (IMDA) of Singapore has issued Letters of Caution to X and TikTok due to serious failures in their systems to proactively detect and remove child sexual exploitation and abuse material (CSEM) and terrorism content, respectively. These failures are a violation of Singapore's Code of Practice for Online Safety – Social Media Services. Both companies are now under 'Enhanced Supervision' and must regularly report on their progress to implement rectification measures and provide supporting data by June 30, 2026. This indicates active enforcement against named organizations for content moderation failures, implying a high enforcement risk.
North Carolina AG Jeff Jackson and eight other attorneys general reached a $7 million settlement with landlord LivCor, LLC, prohibiting the use of AI and non-public data for rent setting.
North Carolina Attorney General Jeff Jackson, alongside other state attorneys general, announced a $7 million settlement with LivCor, LLC, a major landlord. The settlement requires LivCor to cease using non-public data from other landlords, including data processed through RealPage's software, for setting apartment rents. This action addresses concerns about algorithmic pricing practices that may harm consumers.
Virginia enacted SB394, requiring the Department of Education to develop AI guidance for schools and establish a pilot program for AI in instruction.
Virginia's newly enacted SB394 mandates the Department of Education to compile information on existing AI use in public schools, create and publish guidance for the safe, ethical, and equitable use of AI systems (AIS) in instruction, and establish an 'AIS Innovation in Education Pilot Program' which expires in 2030. School boards are required to implement policies consistent with this state guidance. An annual report is also required by the DOE.
CISA warns about OpenSSL vulnerabilities (CVE-2025-15467) affecting various Siemens products, including an AI Lightweight Inference Server, recommending immediate updates and countermeasures.
CISA has issued an advisory regarding a critical stack-based buffer overflow vulnerability (CVE-2025-15467) in OpenSSL that affects numerous Siemens products, including their AI Lightweight Inference Server. This vulnerability could lead to denial of service or remote code execution. Siemens has released updates for some affected products and recommends applying fixes or specific countermeasures for all vulnerable versions.
The SEC published a notice for NYSE Arca's immediately effective proposed rule change to amend equities fees, prompted in part by the disproportionate impact of algorithmic trading strategies.
The Securities and Exchange Commission (SEC) issued a notice regarding a rule change by NYSE Arca, Inc. to amend its equities fees and charges, which became effective immediately. This change is partly influenced by concerns raised in a prior report about the disproportionate impact and externalized costs associated with high-frequency trading (HFT) and algorithmic strategies in market surveillance and message traffic.
CISA urges Fortinet customers to immediately terminate sessions, reset credentials, enable MFA, and secure management access due to reports of global credential exposure impacting FortiGate devices.
CISA has issued an urgent alert regarding a global cyber incident, dubbed 'FortiBleed,' involving the exposure of approximately 74,000 Fortinet device credentials. Malicious actors are using these compromised credentials to target internet-accessible Fortinet devices in government and private sector organizations. CISA strongly recommends immediate actions for affected customers, including terminating all sessions, resetting passwords with strong policies, enabling phishing-resistant multifactor authentication, reviewing logs for suspicious activity, and restricting management interface access.
Minnesota AG announces a $7 million settlement with LivCor for using algorithmic rent-setting software to illegally align rental prices and stifle competition.
Minnesota Attorney General Keith Ellison announced a $7 million settlement with LivCor, a property management company, for its role in an algorithmic rent alignment scheme. LivCor used RealPage's software to illegally share and gather confidential pricing information with competitors, leading to artificially inflated rent prices. The settlement requires LivCor to cease using such software, refrain from sharing sensitive data, establish an antitrust compliance program, and cooperate in ongoing litigation against RealPage and other defendants.
The Colorado Attorney General announced a $7 million settlement with LivCor, LLC, for its involvement in an algorithmic rent-setting scheme, as part of a bipartisan coalition of nine attorneys general.
The Colorado Attorney General, Phil Weiser, along with eight other attorneys general, announced a $7 million settlement with LivCor, LLC. This settlement addresses LivCor's alleged role in an algorithmic rent-setting scheme, which is part of ongoing antitrust litigation. This indicates strong enforcement against anti-competitive practices involving AI in real estate pricing.
Governor Hochul signed legislation expanding the Empire AI consortium and enacting new laws for AI companion safety and prohibiting AI-generated child sexual abuse material in New York.
New York Governor Kathy Hochul has signed legislation as part of the FY26 budget to expand the Empire AI consortium with $90 million for increased computing power and new members, aiming to advance AI research for public good. The legislation also establishes "first-in-the-nation" safeguards for AI companion systems, requiring them to implement safety features, detect self-harm, refer users to crisis centers, and clearly disclose they are not human. Additionally, it modernizes penal law to treat AI-generated child sexual abuse material as child pornography, which is now considered binding law in New York.
Get daily alerts
Subscribe to receive daily intelligence briefs on the bills and regulations that matter to your team.