Weekly AI Governance Brief: 22–29 June 2026

Share

Bringing you the latest developments in the AI governance world.

EU Council gives final approval to the AI Omnibus simplification regulation

On 29 June 2026, the Council of the European Union gave final approval to a regulation intended to simplify parts of the AI Act and related digital rules under the EU’s Omnibus VII simplification package. The Council press release describes the measure as a final legislative adoption designed to streamline implementation of harmonised rules on artificial intelligence.

The regulation changes the timing of several AI Act compliance milestones. According to the material provided, the application date moves to 2 December 2027 for stand-alone high-risk AI systems and to 2 August 2028 for high-risk AI systems embedded in products. The package also bans AI practices involving non-consensual sexual deepfakes and AI-generated child sexual abuse material. It postpones the deadline for national AI regulatory sandboxes to 2 August 2027 and shortens the grace period for transparency solutions for AI-generated content to three months, with a new deadline of 2 December 2026.

The measure also clarifies aspects of competence between the AI Office and national authorities for some systems linked to general-purpose AI. The supplied Council source identifies the measure as the regulation on simplification of the implementation of harmonised rules on artificial intelligence, also described as the digital omnibus on AI.

Why this matters

This development directly affects implementation planning under the AI Act. For organisations developing or deploying high-risk AI systems, the revised dates change the sequencing of compliance work, documentation preparation, internal governance, and product release planning. The distinction between stand-alone systems and systems embedded in products is operationally important because it affects which teams and regulatory interfaces are likely to be involved.

For public authorities, the postponed sandbox deadline affects the institutional timetable for national implementation. The competence clarification between the AI Office and national authorities is also relevant because it addresses where oversight responsibility sits for certain general-purpose AI-linked systems. The regulation therefore matters not only as a timing change, but as an adjustment to the administrative structure around AI Act implementation.

EU Commission reaches preliminary view that AWS and Azure should be designated under the DMA

On 25 June 2026, the European Commission announced a preliminary position that Amazon’s and Microsoft’s market-leading cloud services should be designated under the Digital Markets Act. The supplied material identifies this as a preliminary designation step under the DMA, referenced through Commission Press Corner and Digital Europe materials, including the Daily News of 25 June 2026.

This is not an AI-specific measure. Its relevance to AI governance comes from the role of cloud infrastructure in AI development and operational dependency. The Commission’s preliminary position concerns the possible application of DMA gatekeeper obligations to a layer of infrastructure that many AI developers and deployers rely on.

Why this matters

The practical governance relevance is the extension of digital-market scrutiny toward cloud infrastructure. If the designation process is finalised, cloud services used for AI development and deployment may become subject to ex ante platform obligations under the DMA. That would place infrastructure dependencies closer to the centre of EU digital governance.

For organisations deploying AI, the issue is not only competition law in the abstract. Cloud concentration affects procurement, third-party risk, portability, resilience planning, and dependency mapping. This development therefore sits at the intersection of AI operations, digital infrastructure governance, and market oversight. It also shows that AI governance questions may arise through non-AI legal instruments where infrastructure conditions shape the deployment environment.

EBA finalises revised SREP guidelines and integrates ICT risk into prudential supervision

On 26 June 2026, the European Banking Authority announced revised SREP and supervisory stress testing guidelines. The EBA described the package as part of a more risk-focused and forward-looking supervisory framework.

The supplied material states that the revised guidelines repeal the separate ICT SREP guidelines and integrate ICT risk assessment provisions into the core SREP framework. This means ICT risk is no longer treated as a parallel supervisory track in this context, but is folded into the main prudential supervisory process.

This is not presented as a new AI-specific banking framework. Its relevance to AI governance is adjacent and institutional. AI systems used in banking often depend on ICT infrastructure, third-party providers, data pipelines, model operations, and many operational controls. The EBA’s integration of ICT risk into core supervision is therefore relevant to the governance environment in which AI use in financial institutions is assessed.

Why this matters

For banks and supervised financial institutions, the integration of ICT risk into the SREP framework affects how operational and technology risks are likely to be examined within prudential supervision. AI systems used in areas such as credit, fraud monitoring, compliance operations, or customer processes may be assessed through broader governance expectations concerning ICT risk, third-party dependency, resilience, and supervisory control.

The relevance is especially practical for compliance, risk, and technology governance teams. AI deployment in finance is unlikely to be assessed only through AI-specific rules. It may also be reviewed through supervisory expectations that concern operational resilience and ICT risk management. The link to AI is an inference from the integration of ICT risk into core supervision, not a statement that the EBA has created a new AI-specific rulebook in this item.

G7 data protection authorities publish roundtable outcomes on age assurance and emerging technologies

On 26 June 2026, the Office of the Privacy Commissioner of Canada reported that the G7 Data Protection and Privacy Authorities Roundtable had taken place in Paris on 25 and 26 June. The roundtable, hosted by the CNIL, addressed issues with cross-border relevance for privacy supervision and emerging technology governance.

According to the Canadian Commissioner’s official release, the authorities issued a joint communiqué and a joint statement on privacy-preserving age assurance. The supplied material also identifies discussion of age assurance, smart glasses, agentic AI, connected home devices, and data-free flow with trust. These topics place AI governance within a broader privacy and data protection agenda. Especially where systems affect children, automated decision processes, or collect ambient data.

The outcome is not binding legislation. It is a statement of regulatory coordination among data protection authorities. Its importance lies in the institutional alignment it signals across major privacy regulators.

Why this matters

For organisations deploying AI systems that interact with children, connected devices, or automated decision processes, the G7 roundtable indicates the areas receiving coordinated attention from privacy regulators. Age assurance is especially relevant because it requires organisations to balance protection of minors with data minimisation and privacy-preserving design.

The discussion of agentic AI and connected devices also matters for oversight responsibilities. These systems can reduce direct human intervention, expand data collection environments, or create complex accountability chains. For compliance teams, the practical issue is how privacy obligations are embedded into product design, documentation, and risk review before deployment. The roundtable does not create direct obligations, but it helps identify the privacy governance themes being addressed by supervisory authorities.

ISO moves AI cybersecurity standard ISO/IEC FDIS 27090 into final approval phase

On 23 June 2026, ISO/IEC FDIS 27090, titled “Cybersecurity — Artificial Intelligence — Addressing security threats and compromises to artificial intelligence systems,” moved to stage 50.20. The supplied ISO source states that this means the proof was sent to the secretariat or that the FDIS ballot was initiated.

ISO describes the draft standard as covering AI-specific security threats and compromises across the AI lifecycle. It applies to organisations of all types and sizes that develop or use AI systems. The development is a standards milestone rather than a legislative act.

The standard is relevant because cybersecurity is becoming a more defined part of AI governance. AI systems introduce specific security concerns across development, deployment, monitoring, and use. A dedicated ISO standard points toward a more structured vocabulary and control baseline for addressing those risks.

Why this matters

For compliance, procurement, and assurance teams, ISO standardisation is operationally significant even where it is not legally binding. Standards can shape vendor due diligence, contractual requirements, internal audit checklists, and evidence expectations. They can also support a common framework for assessing whether AI-specific cybersecurity risks have been identified and controlled.

The movement of ISO/IEC FDIS 27090 into the final approval phase therefore matters as part of the emerging assurance infrastructure around AI. It may be relevant to organisations that need to demonstrate security governance across the AI lifecycle - especially where regulators or counterparties ask for structured evidence of controls.

Pax Silica participants publish joint AI Opportunity Partnership statement

The Finnish Government reported that participants at the Pax Silica Summit in Washington on 25 and 26 June 2026 published a Joint Statement on AI Opportunity Partnership. The English-language Finnish Government press release was published on 29 June 2026 and links the summit to AI and reliable technology supply chains.

In Finland’s account, the statement links AI policy to trusted technology supply chains, economic security, fair competition, and private-sector investment in semiconductors and data centres. The supplied material also notes that the EU joined Pax Silica on 25 June 2026.

This development has a weaker immediate compliance effect than the EU AI Omnibus or the ISO standardisation item. It is included as a policy signal because it links AI governance to supply-chain security, compute infrastructure, data centres, semiconductors, and industrial coordination.

Why this matters

The practical relevance is mainly institutional and strategic. AI governance is increasingly being discussed in connection with infrastructure, supply chains, and economic security. For policymakers and firms active in cloud computing, semiconductors, data centres, or AI infrastructure, this framing matters because it places AI governance within industrial and technology-security policy.

For private-sector compliance teams, the immediate effect is limited. The statement does not appear, based on the supplied material, to create direct legal obligations. Its relevance is instead that it identifies the policy vocabulary used by participating governments when discussing trusted AI ecosystems and technology supply chains.

Sources

Council press release on final approval of AI Omnibus simplification regulation: https://www.consilium.europa.eu/en/press/press-releases/2026/06/29/artificial-intelligence-council-gives-final-green-light-to-simplify-and-streamline-rules/

European Commission Daily News item on AWS and Azure under the DMA: https://digital-markets-act.ec.europa.eu/commission-reaches-preliminary-position-amazons-and-microsofts-market-leading-cloud-services-should-2026-06-25_en

European Banking Authority homepage announcement on revised SREP Guidelines: https://www.eba.europa.eu/publications-and-media/press-releases/eba-reaches-another-important-milestone-enhancing-supervisory-efficiency-its-revised-srep-guidelines

Office of the Privacy Commissioner of Canada news release on G7 Data Protection and Privacy Authorities Roundtable: https://www.priv.gc.ca/en/opc-news/news-and-announcements/2026/nr-c-g7_260626/

ISO page for ISO/IEC FDIS 27090: https://www.iso.org/standard/56581.html

Finnish Government press release on Pax Silica Summit: https://valtioneuvosto.fi/en/-/1410877/finland-participated-in-pax-silica-summit-on-ai-and-reliable-technology-supply-chains

Read more