Weekly AI Governance Brief #3 — January 2026

This Weekly AI Governance Brief covers regulatory and institutional developments in artificial intelligence governance published between 19 and 25 January 2026. It focuses on EU-level actions, standardisation activity, and closely relevant international developments.

The brief examines legislative changes, supervisory guidance on AI Act implementation, progress on harmonised standards, and one international framework with relevance for AI risk management practices in the EU.

EuroHPC Joint Undertaking Regulation Amended to Support AI “Gigafactories”

On 19 January 2026, the Council of the European Union adopted Council Regulation (EU) 2026/150, published in the Official Journal (OJ L 150). The regulation entered into force on 20 January 2026 and amends the mandate of the EuroHPC Joint Undertaking.

The amendment expands EuroHPC’s remit beyond high-performance computing to explicitly include next-generation infrastructures for artificial intelligence and quantum technologies. It introduces a legal basis for the establishment of AI “Gigafactories”, described as large-scale compute and data facilities intended for the training and deployment of advanced AI systems, including foundation and generative models.

Under the amended mandate, EuroHPC may support and coordinate these infrastructures within an EU-level governance framework. AI Gigafactories are positioned alongside existing EuroHPC activities and linked to strategic objectives related to computing capacity and coordinated public investment.

Why this matters

This amendment places large-scale AI development capacity within an established public governance structure. Rather than treating advanced model development solely as a market activity, the EU is embedding it within an institutional framework with defined mandates and oversight.

For AI governance, this links infrastructure investment with regulatory expectations. It signals that future large-scale AI development in Europe may increasingly take place within publicly coordinated environments that reflect EU standards and policy priorities.

EDPB-EDPS Joint Opinion on the “Digital Omnibus” Proposal for AI Act Implementation

On 21 January 2026, the European Data Protection Board and the European Data Protection Supervisor issued Joint Opinion 1/2026 on the European Commission’s proposed “Digital Omnibus on AI”. The proposal aims to simplify aspects of AI Act implementation, including certain timelines and operational requirements for high-risk AI systems.

The joint opinion recognises practical challenges in implementing the AI Act and supports targeted simplification measures. At the same time, the authorities stress that simplification should not reduce protections for fundamental rights or weaken accountability mechanisms.

The opinion supports EU-level AI sandboxes and reduced administrative burdens, provided that Data Protection Authorities retain a meaningful oversight role where personal data are involved. It urges caution regarding proposals that would allow broader processing of sensitive data for bias mitigation without strict safeguards. The authorities also oppose removing registration obligations for high-risk AI systems, even where providers classify systems as non-high-risk.

The opinion further calls for clearer boundaries around the supervisory role of the EU AI Office. In particular, it emphasises the need to preserve independent oversight, including for AI systems used by EU institutions.

Why this matters

This joint opinion sets out a clear institutional position on how AI Act implementation should be adjusted, if at all. It confirms that efficiency considerations do not override core governance mechanisms such as registries, supervisory independence, and data protection oversight.

The opinion also highlights unresolved questions around institutional roles, especially the relationship between the EU AI Office and existing authorities. These issues are central to how accountability under the AI Act will function in practice.

Draft EU Standard on AI Trustworthiness Enters Public Consultation

On 23 January 2026, a draft European standard titled “Artificial Intelligence – Trustworthiness Framework (Part 1: Logging, transparency and human oversight)”, designated prEN 18229-1, entered the public enquiry phase.

The draft has been developed by CEN-CENELEC Joint Technical Committee 21 as part of the harmonised standards programme supporting the EU AI Act. It addresses technical requirements related to logging and record-keeping, transparency obligations, and human oversight mechanisms for high-risk AI systems.

During the public enquiry phase, national standardisation bodies and stakeholders may review and comment on the draft. The draft prEN 18229-1 forms part of a wider set of AI Act standards covering areas such as risk management, data governance, accuracy, robustness, and cybersecurity. Once adopted and referenced in the Official Journal, harmonised standards will provide a presumption of conformity with corresponding legal requirements.

Why this matters

The public consultation of prEN 18229-1 marks progress from legal obligations to implementable technical guidance. Logging, transparency, and oversight are central to the AI Act’s governance model, but require clear technical interpretation to be applied consistently.

For organisations subject to high-risk AI requirements, harmonised standards offer a recognised route to demonstrating compliance. Institutionally, their development is a necessary condition for the effective application of the AI Act’s obligations.

NIST Releases Draft “Cybersecurity Profile” for AI Risk Management

In December 2025, the U.S. National Institute of Standards and Technology published a preliminary draft “Cybersecurity Framework Profile for AI” (NISTIR 8596). Public consultation remains open through 30 January 2026.

The draft adapts the NIST AI Risk Management Framework to focus on cybersecurity-related risks associated with AI systems. It addresses secure AI development and deployment, resilience against AI-enabled attacks, and vulnerabilities introduced by AI components. NIST also held a public workshop on 14 January 2026 to discuss the draft.

Once finalised, the profile will supplement NIST’s AI Risk Management Framework 1.0 by providing more detailed guidance on integrating AI considerations into cybersecurity practices.

Why this matters

Although this is not an EU initiative, NIST’s AI Risk Management Framework has influenced international approaches to AI governance. The draft Cyber AI Profile reflects a growing focus on AI-related security risks as a governance concern.

For EU stakeholders, it offers an external reference point for practices related to robustness and security, which are also addressed under the AI Act. It illustrates a broader convergence between regulatory requirements and technical risk management frameworks.

Looking ahead

The developments this week reflect a continued shift from legislative design toward implementation structures. Institutional mandates, supervisory guidance, and technical standards are being refined in parallel. Together, they shape the practical environment in which the AI Act will operate.

Sources

Council Regulation (EU) 2026/150 amending the EuroHPC Joint Undertaking mandate:
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L_202600150

European Commission overview of the amended EuroHPC Regulation:
https://digital-strategy.ec.europa.eu/en/news/eurohpc-regulation-amended-strengthen-europes-ai-and-quantum-capabilities

EDPB-EDPS Joint Opinion 1/2026 on the Digital Omnibus on AI proposal:
https://www.edpb.europa.eu/our-work-tools/our-documents/edpbedps-joint-opinion/edpb-edps-joint-opinion-12026-proposal_en

EDPB press release on streamlining AI Act implementation:
https://www.edpb.europa.eu/news/news/2026/edpb-and-edps-support-streamlining-ai-act-implementation-call-stronger-safeguards_en

ETUC AI standardisation newsletter noting prEN 18229-1 public enquiry:
https://www.etuc.org/sites/default/files/page/file/2025-12/AI%20standardisation%20Inclusiveness_Newsletter12.pdf

European Commission page on AI Act standardisation:
https://digital-strategy.ec.europa.eu/en/policies/ai-act-standardisation

NIST announcement on the preliminary draft Cybersecurity Profile for AI:
https://csrc.nist.gov/News/2025/nist-releases-prelim-draft-cyber-ai-profile
