Weekly AI Governance Brief: 11–17 May 2026

Bringing you the latest developments in the AI governance world.

EU Council publishes operative AI Omnibus compromise text.

On 13 May 2026, the Council of the European Union published the operative compromise text linked to the AI Omnibus negotiations through an information note and first-reading offer letter concerning amendments to the AI Act and Regulation (EU) 2018/1139. The development followed Coreper’s confirmation of the compromise reached on 6 May and authorisation for the Presidency to transmit the first-reading offer to the European Parliament.

The compromise text sets out concrete implementation changes to the AI Act framework. According to the published text, the application of stand-alone high-risk AI system rules would be delayed until 2 December 2027, while product-embedded high-risk requirements would apply from 2 August 2028. The text also reinstates database registration obligations where providers conclude that systems qualify for exemptions from high-risk classification. In addition, it maintains the “strict necessity” threshold for the processing of special-category personal data in bias detection and correction contexts. The compromise further clarifies supervisory competences for the AI Office in relation to certain GPAI-linked systems and introduces mechanisms intended to reduce overlap with sectoral frameworks, including machinery regulation requirements.

The development was documented in Council document ST 9247/26 under interinstitutional file 2025/0359 (COD).

Why this matters

The publication of the operative compromise text provides organisations, regulators, and compliance teams with the authoritative wording behind the previously announced political agreement. This materially improves visibility into implementation timelines and supervisory responsibilities.

The text is also relevant for governance planning because it clarifies how exemptions, registration obligations, and oversight competences may operate in practice. For organisations preparing AI Act implementation programmes, the revised dates and procedural obligations affect compliance sequencing, documentation planning, and interaction with existing sector-specific regulatory regimes.

In its Spring 2026 Financial Stability Report published on 14 May 2026, the Banco de España addressed the implications of AI-related technological developments for cybersecurity and financial stability. The report includes a dedicated section, Box 5.3, examining technological disruption in cybersecurity.

The report states that advances in AI and quantum-related technologies could accelerate the development of tools capable of compromising information security. It also notes that recent AI developments may already be making vulnerabilities easier to identify and exploit more rapidly. According to the report, rapid technological change could generate “potentially critical imbalances” between offensive and defensive cybersecurity capabilities.

The observations were published as part of the central bank’s broader financial-stability assessment rather than as a standalone AI policy initiative.

Why this matters

The report reflects the increasing integration of AI capability developments into mainstream financial stability and cyber-resilience supervision. Rather than treating AI exclusively as a technology governance issue, the publication frames frontier AI capabilities as a factor relevant to operational resilience and systemic cyber risk.

For financial institutions and regulated operators, the development is significant because it aligns AI-related cyber risks with broader resilience expectations already visible in frameworks such as DORA. The report contributes to a supervisory environment in which AI capability assessments may increasingly intersect with cyber controls, third-party risk management, and resilience governance obligations.

UK regulations establishing an AI and automated decision-making code enter into force

On 12 May 2026, the United Kingdom brought into force the Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026. The statutory instrument requires the Information Commissioner to prepare a code of practice addressing the processing of personal data in the development and use of AI systems and automated decision-making.

The Regulations specify that the future code must include guidance relating to children’s personal data. The instrument also modifies procedural requirements for the mandatory advisory panel involved in the code-development process, stating that the panel must not consider or report on national-security aspects of the code.

The measure was introduced through Statutory Instrument 2026 No. 425.

Why this matters

The Regulations formalise a statutory route for AI and automated decision-making guidance under UK data protection law. This moves governance expectations beyond non-binding policy discussion toward a more operational framework connected to data protection obligations.

The planned code is relevant for organisations using AI-enabled profiling, automated decision-making, or personal-data processing systems because it may shape expectations around transparency, fairness, governance procedures, and safeguards involving children’s data. The statutory basis of the code also gives the Information Commissioner a clearer institutional role in AI-related supervisory guidance.

FTC issues pre-enforcement warnings ahead of Take It Down Act compliance deadline

On 11 May 2026, the US Federal Trade Commission announced that it had issued warning letters to more than a dozen technology companies concerning compliance with the Take It Down Act before the 19 May statutory deadline.

According to the FTC statement, covered platforms are required to establish mechanisms allowing victims to request the removal of non-consensual intimate images or videos and to comply with the law’s notice and response obligations. The agency stated that letters were sent to companies including Amazon, Alphabet, Apple, Bumble, Discord, Meta, Microsoft, Reddit, Snapchat, TikTok, and X.

The FTC also stated that covered platforms must provide clear notice regarding the removal process and remove the content, including identical copies, within 48 hours of receiving a valid request. Subsequent FTC consumer guidance clarified that the law applies to real images, digitally altered material, and AI-generated deepfakes.

Why this matters

The FTC’s actions translated new statutory obligations into immediate operational expectations for platform operators. The development is notable because it connected AI-generated content governance directly to concrete compliance workflows and response-time requirements.

For platforms and AI deployers handling image or content moderation systems, the measure reinforces the growing role of procedural governance obligations, including takedown handling, user-notification processes, auditability, and rapid-response compliance capabilities.

Looking ahead

Across this period, several developments pointed toward deeper integration between AI governance, cyber resilience, and operational-risk supervision. The Banco de España report framed advances in AI capability as part of the financial sector’s evolving cyber-risk environment, connecting AI developments to resilience and security oversight rather than treating them as a separate policy category.

A second observable trend was the continued shift from high-level governance discussion toward implementation detail. The Council compromise text focused on revised timelines, supervisory competences, and procedural obligations under the AI Act framework, while the UK statutory instrument and FTC compliance notices centred on operational processes, designated responsibilities, and formal governance mechanisms.

Sources

Council publication of AI Omnibus compromise text: Council of the European Union document ST 9247/26

Banco de España Financial Stability Report Spring 2026: Banco de España Financial Stability Report Spring 2026

UK regulations establishing AI and automated decision-making code framework: The Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026

FTC warning letters regarding Take It Down Act compliance: FTC Chairman Ferguson Advises Companies to Comply with the Take It Down Act
