Weekly AI Governance Brief #2 — January 2026

Introduction

This Weekly AI Governance Brief covers verifiable regulatory and institutional developments between 12 and 18 January 2026. It focuses on actions and publications relevant to AI governance in the European Union, including EU institutions, national regulators, and closely aligned European bodies.

The brief summarises primary institutional activity and associated guidance with direct relevance to AI governance, standardisation, and implementation. It reports developments factually and situates them within their immediate governance and compliance context.

European Commission opens consultation on Open-Source Digital Ecosystems

On 12 January 2026, the European Commission (DG CNECT) launched a call for evidence on a forthcoming European Open Digital Ecosystem strategy. The consultation seeks stakeholder input to inform a new policy approach to open-source software and digital commons at EU level.

According to the Commission’s announcement, the initiative will review the EU’s 2020–2023 open source software strategy and assess how EU-level measures could better support open-source communities and infrastructure. The consultation explicitly links this work to a planned Cloud and AI Development Act, indicating that open-source policy is being considered alongside future legislative activity in cloud and AI development.

The Commission notes that the strategy will build on existing programmes such as Next Generation Internet and reference the creation of a Digital Commons consortium. Stakeholders from industry, public administration, research, and civil society are invited to identify barriers and propose measures at EU level. The call for evidence is open until 3 February 2026.

Why this matters

The consultation marks an early stage in policy development that intersects with AI and cloud governance. By positioning open-source ecosystems alongside a forthcoming Cloud and AI Development Act, the Commission signals an intention to align infrastructure, software practices, and AI development with broader EU governance objectives. For AI governance, this raises questions about how open-source components, community-driven development, and shared digital infrastructure will be supported within future regulatory frameworks, including those addressing transparency, cybersecurity, and digital sovereignty.

AEPD issues warning on use of third-party images in AI systems

On 13 January 2026, the Spanish Data Protection Agency (AEPD) published a press release accompanied by an informational guidance note examining risks associated with the use of images or videos of individuals in AI systems.

The AEPD distinguishes between “visible” harms and “invisible” risks. Visible harms include the creation of sexualised or deepfake content, false attributions that damage reputation, and misuse involving minors or vulnerable persons. Invisible risks arise from the act of uploading an image into an AI tool itself, including loss of control over the image, opaque data retention practices, and the propagation of biometric data without the individual’s awareness.

The guidance clarifies the limits of data protection law in personal or domestic contexts, while emphasising that certain uses—such as realistic non-consensual deepfakes, harassment, or severe reputational harm—may infringe rights to honour, privacy, and one’s image. In such cases, the AEPD notes that conduct may also fall under criminal law and should be handled by law enforcement authorities. The agency calls for responsible use of AI that respects fundamental rights.

Why this matters

This publication provides a national regulatory perspective on generative AI and image-based systems under existing legal frameworks, notably GDPR and related rights protections. It illustrates how data protection authorities are framing accountability not only for AI developers but also for users who introduce personal data into AI systems. The guidance also highlights coordination between data protection, fundamental rights, and criminal law, which is relevant for the practical enforcement landscape that will coexist with the EU AI Act once applicable.

Council of Europe publishes reports on AI-driven discrimination

On 15 January 2026, the Council of Europe released two publications addressing discrimination arising from AI and algorithmic decision-making. The publications were launched through an online event co-funded by the European Union.

The first report, Legal protection against algorithmic discrimination in Europe: current frameworks and remaining gaps, analyses existing legal protections and identifies shortcomings in addressing bias and discrimination linked to automated systems. The second document, European policy guidelines on AI and algorithm-driven discrimination for equality bodies and other national human rights structures, provides practical guidance aimed at public authorities and national equality and human rights institutions.

The publications describe how algorithmic systems can reproduce or amplify social inequalities. Examples cited include hiring tools that favour men, biased profiling by employment services, and discriminatory uses of facial recognition in law enforcement. The guidelines outline governance and oversight approaches intended to prevent discrimination and support effective redress mechanisms.

Why this matters

Although the Council of Europe operates outside the EU legislative framework, its work has direct relevance for EU AI governance. The reports identify legal gaps and governance challenges that overlap with the EU AI Act’s focus on fundamental rights and non-discrimination. By targeting national equality bodies and human rights institutions—including those in EU member states—the guidance contributes to a shared understanding of oversight and enforcement practices that will interact with AI Act implementation at national level.

Council of the EU approves amendment enabling AI “gigafactories”

On 16 January 2026, the Council of the European Union adopted an amendment to the regulation governing the EuroHPC Joint Undertaking, expanding its mandate to support the creation of large-scale AI “gigafactories” in Europe.

The amendment extends EuroHPC’s remit beyond supercomputing to include world-class AI compute infrastructure and introduces a dedicated pillar for quantum technologies. It establishes rules for funding and procurement of these facilities and includes provisions intended to safeguard startups and scale-ups, alongside support for public–private partnerships among member states and industry.

According to the Council, the amended regulation is scheduled for publication in the Official Journal on 19 January 2026 and is set to enter into force the following day.

Why this matters

This is a concrete implementation step within the EU’s broader AI strategy. By legally enabling EuroHPC to develop AI-specific compute infrastructure, the EU is strengthening the technical foundation for AI development within a regulated environment. The amendment also reflects governance considerations, including access for smaller actors and structured public–private cooperation. These infrastructure investments form part of the broader context in which AI Act obligations will be met, particularly for training, testing, and deploying AI systems at scale.

First harmonised standard under the AI Act enters final consultation stage

During January 2026, European standardisation bodies advanced the first draft harmonised standard intended to support compliance with the EU AI Act. The draft, prEN 18286, titled Artificial Intelligence – Quality management system for EU AI Act regulatory purposes, was developed by CEN-CENELEC Joint Technical Committee 21.

The draft standard was circulated to national standard bodies for public enquiry and ballot from 30 October 2025 to 22 January 2026. It responds to a European Commission standardisation request and is designed to operationalise Article 17 of the AI Act, which requires providers of high-risk AI systems to implement a quality management system.

prEN 18286 sets out processes covering AI system design and development, testing and validation, data management, risk management integration, post-market monitoring, and documentation. Once finalised and cited in the Official Journal, compliance with the standard would confer a presumption of conformity with the AI Act’s quality management system requirements.

Why this matters

Harmonised standards are central to translating the AI Act’s legal obligations into operational practice. prEN 18286 is the first standard specifically tailored to the Act and provides a structured route for providers to demonstrate compliance. Its progression to the final consultation stage indicates tangible progress in the EU’s implementation timeline. The standard also reflects a Europe-specific approach to AI governance, developed to meet AI Act requirements where existing international AI management standards were considered insufficient.

Looking ahead

Taken together, the developments this week show continued movement from policy framing toward implementation across multiple layers of EU AI governance. Consultations and guidance address upstream issues such as open-source ecosystems and fundamental rights, while legislative amendments and standardisation work focus on infrastructure and compliance mechanisms. These parallel tracks illustrate how institutional, regulatory, and technical elements are being aligned ahead of the AI Act’s broader application in 2026.

Sources

Commission opens call for evidence on Open-Source Digital Ecosystems: https://digital-strategy.ec.europa.eu/en/news/commission-opens-call-evidence-open-source-digital-ecosystems

AEPD warns of visible and invisible risks of using third-party images in AI systems: https://www.aepd.es/prensa-y-comunicacion/notas-de-prensa/la-aepd-alerta-sobre-los-riesgos-visibles-e-invisibles-del

Council of Europe publishes reports on AI- and algorithm-driven discrimination: https://www.coe.int/en/web/portal/-/gaps-and-policies-in-ai-and-algorithm-driven-discrimination-in-europe

Council of the EU press release on AI gigafactories under EuroHPC: https://www.consilium.europa.eu/en/press/press-releases/2026/01/16/artificial-intelligence-council-paves-the-way-for-the-creation-of-ai-gigafactories/

Draft harmonised standard prEN 18286 public enquiry overview: https://adamleonsmith.substack.com/p/pren-18286