Weekly AI Governance Brief #5 — February 2026

This edition of the AI Governance Brief covers regulatory and institutional developments published between 2 February and 8 February 2026. The focus is on European Union AI governance implementation, related data protection developments, standardisation activity, and directly relevant international institutional engagement.

The brief draws exclusively on primary institutional sources. It documents formal actions, publications, and updates by EU bodies, national authorities, international standard-setters, and multilateral organisations during the reporting period.

Signatory Taskforce established for the General-Purpose AI Code of Practice

On 2 February 2026, the European Commission updated its public page on the General-Purpose AI (GPAI) Code of Practice to state that signatories have established a “Signatory Taskforce” chaired by the AI Office. According to the updated page, the taskforce is intended to support coherent application of the Code. The same page references a “Vademecum,” described as containing the taskforce’s rules of procedure and the list of members.

On the same date, the Commission’s AI Act standardisation page listed an item titled “Signatory Taskforce established.” The relevant information appears on the Commission’s Digital Strategy website and is presented as part of the evolving implementation architecture around the GPAI Code of Practice.

Why this matters

The establishment of a chaired Signatory Taskforce indicates the introduction of a structured coordination mechanism linked to the GPAI Code of Practice. As the Code operates within the broader implementation framework of the AI Act, this development documents a formalised forum for signatory coordination under the oversight of the AI Office.

For organisations that are signatories to the Code, the reference to rules of procedure and a defined membership list signals the operationalisation of governance processes beyond initial commitments. From an institutional perspective, it reflects the Commission’s move from policy formulation to structured oversight and coordination mechanisms in the GPAI domain.

Commission launches tender for AI Act and DSA implementation chatbots

Also on 2 February 2026, the European Commission listed a call for tenders titled “Design of Chatbots to Support the Implementation of the DSA and AI Act,” with a call period running from 2 February 2026 to 6 March 2026. The procedure is described as an open procedure under reference EC-CNECT/2025/OP/0095.

The tender specifications outline the design, development, piloting, delivery, and maintenance of two public-facing multilingual chatbots. One chatbot is intended to help users navigate rights and guidance under the Digital Services Act. The second is designed to provide practical guidance on the AI Act, particularly for SMEs, start-ups, and stakeholders with limited legal or technical resources.

The specifications state that the chatbots are to be hosted on Commission websites within the ec.europa.eu domain. Requirements include ongoing maintenance, security updates, and safeguards for handling requests beyond the system’s scope, including cases where users seek individualised legal opinions.

Why this matters

The publication of a formal procurement procedure for AI Act–related implementation tools documents Commission investment in public-facing guidance infrastructure. The inclusion of detailed specifications on hosting, maintenance, and safeguards reflects the integration of operational, security, and governance considerations into implementation support.

For stakeholders subject to the AI Act, particularly smaller organisations, the planned chatbot indicates an institutional channel for structured guidance. From a governance perspective, this development illustrates how the Commission is embedding digital tools into its compliance and information ecosystem alongside legislative obligations.

AI Office announces participation in India AI Impact Summit 2026

On 4 February 2026, the EU AI Office published a news article announcing its participation in the India AI Impact Summit 2026 in New Delhi. The article describes the summit as part of a sequence of global AI summits following events in Bletchley Park, Seoul, and Paris.

According to the publication, the AI Office is expected to host two high-level panel discussions scheduled for 20 February. One session will focus on innovative AI solutions, including reference to EU initiatives such as AI Factories. The second session will address challenges posed by powerful AI systems and will highlight the EU General-Purpose AI Code of Practice. The article notes that the panels will feature remarks by Henna Virkkunen and will be moderated by Lucilla Sioli.

Why this matters

The announcement documents formal international engagement by the EU AI Office in a multilateral summit context. It also indicates that the GPAI Code of Practice is being referenced in international discussions about powerful AI systems.

From an institutional standpoint, participation in international forums forms part of the EU’s external governance positioning. The publication reflects how internal governance instruments, including the GPAI Code, are presented within broader international policy dialogues during the implementation phase of the AI Act.

EDPB publishes report on international data protection enforcement cooperation

On 2 February 2026, the European Data Protection Board published a report under its Support Pool of Experts programme focusing on cooperation between EEA data protection authorities and authorities in countries or organisations subject to an EU adequacy decision.

The report examines current instruments for international enforcement cooperation, including legally binding and soft-law tools. It analyses their practical use and identifies obstacles to stronger cooperation. The publication notes that the project was completed by external expert Helena Kastlova in September 2025.

The report is presented as part of the EDPB’s ongoing work programme under the Support Pool of Experts framework.

Why this matters

Many AI development and deployment activities involve cross-border personal data processing. Effective cooperation between supervisory authorities is therefore a structural component of GDPR enforcement in AI-related contexts.

While the report is not AI-specific, it documents institutional reflection on cross-border enforcement mechanisms that may be relevant where AI systems process personal data across jurisdictions. For organisations operating in multiple jurisdictions, developments in enforcement cooperation frameworks form part of the broader compliance environment intersecting with AI governance.

CNIL issues public guidance on deepfakes and privacy risks

On 3 February 2026, the French data protection authority CNIL published public-facing guidance on “hypertrucage (deepfake).” The page explains that deepfakes may involve audio, photo, or video content created or modified using AI techniques, enabling realistic imitation of a person’s voice, face, or movements.

The guidance outlines categories of risks associated with deepfakes, including privacy and identity misuse, harassment, fraud, and disinformation. It provides practical steps for protection, including recognising deepfakes, using platform reporting tools, and preserving evidence where content has been published. The page also references CNIL’s role in informing and advising the public and in handling complaints where personal data are used without consent.

Why this matters

Deepfake technologies intersect directly with data protection, identity, and reputational harm considerations. CNIL’s publication reflects a national supervisory authority’s engagement with AI-enabled content manipulation within its existing mandate.

From a governance perspective, the guidance illustrates how AI-related risks are being addressed through established regulatory frameworks such as the GDPR. It also documents how supervisory authorities are communicating expectations and reporting pathways to the public in response to AI-enabled practices.

ISO/IEC TS 27103:2026 published on cybersecurity framework guidance

On 6 February 2026, ISO published ISO/IEC TS 27103:2026 (Edition 1), titled “Cybersecurity — Guidance on using ISO and IEC standards in a cybersecurity framework.” The ISO page records the life-cycle milestone “International Standard published” on that date and provides bibliographic information, including a publication month of February 2026, 19 pages, and development under ISO/IEC JTC 1/SC 27.

According to the abstract, the Technical Specification provides guidance on leveraging existing ISO and IEC standards within a cybersecurity framework.

Why this matters

Cybersecurity and robustness are cross-cutting considerations in many AI governance regimes. Although ISO/IEC TS 27103:2026 is not AI-specific, it provides guidance on structuring cybersecurity controls using recognised international standards.

For organisations aligning AI system governance with established standards, this publication constitutes a new artefact within the broader technical standardisation landscape. It may be relevant where AI governance frameworks incorporate or reference cybersecurity requirements.

Looking ahead

The period from 2 to 8 February 2026 shows continued institutional consolidation around AI Act implementation, including structured coordination among GPAI signatories and investment in public-facing guidance tools. It also reflects sustained interaction between AI governance and adjacent domains, including data protection, cybersecurity standardisation, and multilateral policy forums.

These developments indicate ongoing operationalisation of governance frameworks at both EU and international levels.

Sources

European Commission – General-Purpose AI Code of Practice page (updated 2 February 2026):
https://digital-strategy.ec.europa.eu/en/policies/contents-code-gpai

European Commission – AI Act standardisation page (listing “Signatory Taskforce established”):
https://digital-strategy.ec.europa.eu/en/policies/ai-act-standardisation

European Commission – Artificial Intelligence policy page (tender listing):
https://digital-strategy.ec.europa.eu/en/policies/artificial-intelligence

European Commission – Tender Specifications EC-CNECT/2025/OP/0095:
https://ec.europa.eu/info/funding-tenders/opportunities/portal/screen/opportunities/tender-details/docs/b74a2278-5248-42c0-93db-74fc0127ab93-CN/Tender%20Specifications%20CNECT2025OP0095_V1.pdf

European Commission – AI Office to host sessions at India AI Impact Summit 2026 (news article, 4 February 2026):
https://digital-strategy.ec.europa.eu/en/news/ai-office-host-2-sessions-india-ai-impact-summit-2026

European Data Protection Board – Report on International Data Protection Enforcement Cooperation (2 February 2026):
https://www.edpb.europa.eu/our-work-tools/our-documents/support-pool-experts-projects/report-international-data-protection_en

CNIL – Hypertrucage (deepfake) guidance page (3 February 2026):
https://www.cnil.fr/fr/hypertrucage-deepfake

ISO – ISO/IEC TS 27103:2026 publication page (6 February 2026):
https://www.iso.org/standard/85057.html