Foundations System

AI Legislation Brief: June 2026

A comparative analysis of the three dominant AI regulatory models as they stood in June 2026 — the EU's comprehensive law, the US's fragmented patchwork governed through existing authorities, and China's layered standards stack. All three trajectories converge on the same structural gap: compliance obligations are expanding while insurance coverage contracts, and model access has become subject to sovereign risk. Anchored by the 12 June 2026 US export-control directive that disabled Anthropic's Fable 5 and Mythos 5 for all customers globally, the brief argues that organisations — particularly firms subject to DORA — must treat inference as a switchable commodity, map AI providers as ICT third-party dependencies, and build multi-engine resilience against nationality-based access revocation.

2026-06-25 - 12 min read

AI Legislation Brief: June 2026

AI Legislation Brief: June 2026

Prepared by: Scott - Senior Advisor, Robbie - Research : Nullproof Studio
Date: June 25, 2026


The Paradox

Three jurisdictions. Three regulatory philosophies. One outcome nobody planned.

The global AI regulatory landscape has split into three distinct models — comprehensive law, state patchwork, and layered architecture. All three are producing the same pressure on organisations: compliance obligations are expanding while insurance coverage contracts. And in June 2026, a fourth force emerged that nobody legislated for: a sovereign government used export control to restrict foreign nationals' access to a frontier AI model overnight.

The through-line: Compliance spend is rising. Coverage is narrowing. Model access is now conditional on your nationality and your provider's jurisdiction. This is not a temporary misalignment — it is a structural gap that requires board-level attention.

The Landscape

Three models, each answering the same question differently: how do you govern AI without stifling innovation or ceding strategic ground?

EU: The Comprehensive Model

The EU pursued a first-mover comprehensive strategy — then it hit the brakes.

High-risk obligations delayed to December 2027. The Digital Omnibus on AI reached provisional trilogue agreement on 7 May 2026 and was approved by the European Parliament on 16 June 2026 (423–57–174). At the time of writing, these changes remain subject to formal adoption and should be treated as provisional until the final legislative text is published.

Timeline of 4 date ranges on a shared time axis, anchored at Jun 2026. 2026 2027 2028 2029 Jun 2026 Art 50(2) watermarking / synthetic disclosure +4 months 2 Aug 2026 2 Dec 2026 National AI sandboxes +12 months 2 Aug 2026 2 Aug 2027 Annex III standalone high-risk AI +16 months 2 Aug 2026 2 Dec 2027 Annex I embedded high-risk AI +12 months 2 Aug 2027 2 Aug 2028

| Obligation | Original Date | New Date | Delay | |---|---|---|---| | Art 50(2) watermarking / synthetic disclosure | 2 Aug 2026 | 2 Dec 2026 | 4 months | | National AI sandboxes | 2 Aug 2026 | 2 Aug 2027 | 12 months | | Annex III standalone high-risk AI | 2 Aug 2026 | 2 Dec 2027 | 16 months | | Annex I embedded high-risk AI | 2 Aug 2027 | 2 Aug 2028 | 12 months |

Core obligations remain in force except where expressly deferred. The Digital Omnibus delays high-risk AI obligations and postpones the application of watermarking obligations on AI-generated content until 2 December 2026, subject to formal adoption. Broader Article 50 transparency obligations largely remain on the original schedule, and prohibited AI practices, GPAI obligations, and governance structures remain live.

  • Broader Article 50 transparency obligations: Largely remain on the original timetable
  • Banned AI practices: Prohibited uses remain prohibited
  • GPAI obligations: General-purpose AI model requirements remain live
  • Governance structure: AI Office and member state authorities remain in place

New obligations introduced by the Digital Omnibus:

  • NCII/CSAM prohibition (Art 5): AI systems generating non-consensual intimate imagery or child sexual abuse material are expressly prohibited. Compliance by 2 December 2026. Safe harbour for systems with effective preventive safeguards
  • Safety component definition narrowed: AI must have the intended purpose of preventing/mitigating health/safety risks
  • Machinery regulation carve-out: Full carve-out from direct AI Act applicability — one conformity assessment regime
  • Small mid-cap (SMC) category: New simplified compliance tier between SMEs and full obligations

Insurance: Some insurers are introducing AI-specific exclusions or tighter underwriting requirements, particularly for high-risk AI applications. The gap between compliance obligation and coverage availability is widening — see The Convergence Trap for the structural argument.

Immediate pressure relieved — but classification work must start now

US: The Fragmented Model

The US strategy is decentralised: no federal AI mandates, state-level experimentation, and federal action through existing authorities. The result is a patchwork accelerating in complexity.

No federal AI statute exists. But the federal government is not idle:

  • Commerce Department export control (12 June 2026): The US government directed Anthropic to suspend all foreign national access to Claude Fable 5 and Mythos 5, citing national security. Anthropic complied the same day, disabling the models for all customers. No new legislation required — executed under existing export control authority
  • AI Litigation Task Force actively challenging state AI laws on preemption grounds
  • Federal guidance (EO 14409) in force — 30-day agency deadlines for AI cybersecurity, IP protection
  • Agency enforcement (FTC, CFPB) uses existing authority rather than AI-specific rules
Timeline of 5 milestones on a shared time axis, anchored at Jun 2026. Mar 26 Apr 26 May 26 Jun 26 Aug 26 Jun 2026 FTC state-law evaluations 11 Mar 2026 TAKE IT DOWN Act 19 May 2026 EO 14409 2 Jun 2026 Anthropic export control 12 Jun 2026 H.R. 5388 24 Jun 2026

| Item | Date | Status | |---|---|---| | TAKE IT DOWN Act compliance deadline | 19 May 2026 | Deadline passed — platforms must have NCII removal processes | | EO 14409 — "Promoting Advanced AI Innovation and Security" | 2 Jun 2026 | In force — 30-day agency deadlines for AI cybersecurity, IP protection | | Anthropic export control — US government directive | 12 Jun 2026 | Active — Fable 5 / Mythos 5 access suspended for all customers | | H.R. 5388 — American AI Leadership and Uniformity Act | Introduced 119th Congress | Pending — federal preemption of inconsistent state AI laws | | Commerce/FTC state law evaluations | Due 11 Mar 2026 | Overdue — Colorado AI Act cited as "excessive regulation" |

State landscape: five states active, one just pulled back:

| Jurisdiction | Law | Key Change | Effective Date | |---|---|---|---| | Colorado | SB 26-189 | Major rollback. Repealed comprehensive AI Act. Replaced with narrower ADMT regulation. No duty of care, no risk management program, no impact assessments. Consumer notices + 30-day adverse-outcome explanations. | 1 Jan 2027 | | California | SB 53 (Frontier AI Act) | Frontier models (>10²⁶ FLOPS) must publish risk frameworks, report safety incidents, whistleblower protections. | 1 Jan 2026 | | California | AB 2013 | Generative AI developers must publish training dataset summaries. | 1 Jan 2026 | | California | SB 942 | Generative AI providers must disclose AI-generated content, watermarking, detection tools. | 1 Jan 2026 (provider); 1 Jan 2027 (platforms) | | Texas | TRAIGA (HB 149) | Prohibited AI uses (self-harm, discrimination, CSAM). Primarily government-facing. | 1 Jan 2026 | | Illinois | HB 3773 | AI in employment decisions requires notice; ZIP code proxy ban. Private right of action. | Feb 2026 | | Nevada | NRS 294A | Political advertising synthetic media disclosure. | 1 Jan 2026 |

Insurance: ISO CG 40 47 exclusions developing. State-level coverage varies. The export control event highlights a category of supply-chain risk that may be difficult to insure on commercially acceptable terms — see The Convergence Trap.

The US is regulating AI through existing authorities — export controls, FTC enforcement, and state laws — without passing a single new AI statute

China: The Layered Model

Where the EU built one law and the US built none, China built a stack: foundation laws, sectoral rules, technical standards, and a policy framework — each layer binding, each incrementally tightening.

No single comprehensive AI law — and that's the design. The system is mature, actively enforced, and incrementally tightening.

| Layer | Examples | Status | |---|---|---| | Foundation laws (binding) | Cybersecurity Law (amended Jan 2026 — now has AI provisions), Data Security Law, PIPL | Enacted, enforced | | Sectoral rules (binding) | Algorithm Recommendation, Deep Synthesis, GenAI Services, Content Labeling | Enacted, enforced | | Technical standards (GB/GB/T) | GB 45438-2025 (labeling), GB/T 45654-2025 (GenAI security) | National standards | | Policy framework (guiding) | TC260 AI Safety Governance Framework 2.0 | 5-tier risk classification |

Three recent moves shape the landscape:

| Date | Development | Significance | |---|---|---| | 12 May 2026 | CAC nationwide short-video labeling rules | Six mandatory labels including "Contains AI-generated content." Pilots ran March–May across 12 major platforms (Douyin, Kuaishou, Bilibili, etc.). | | 1 Jan 2026 | Amended Cybersecurity Law in effect | Introduces dedicated AI compliance provisions — first major foundational law update explicitly targeting AI. | | Sep 2025 | AI Safety Governance Framework 2.0 (TC260) | National AI safety governance framework. 5-tier risk classification (Low to Extremely Serious). Lifecycle-based safety guidelines. Derivative risks (job replacement, bias amplification, resource pressures) newly included. | | 2025 | GB 45438-2025 | National standard for AI-generated/synthetic content labeling method. | | 2025 | GB/T 45654-2025 | Generative AI service security basic requirements. |

Enforcement is real and recent. According to CAC official sources, Chinese authorities have reported significant enforcement activity against non-compliant short-video and synthetic-content practices, including removal of over 520,000 illegal short videos, punishment of 68,000+ accounts, and 54 rectification announcements since January 2026. The short-video labeling mandate is the most operationally significant recent change — directly affecting every platform and creator in China's short-video ecosystem.

Insurance: Content liability is the primary coverage concern. Regulatory enforcement coverage gaps emerging. Local insurance products being developed to address regulatory compliance risk. Chinese domestic models (DeepSeek, Qwen, etc.) are not a refuge from US export control — they carry their own compliance burden under the layered stack.

No single law to comply with — the stack is the compliance program

The Convergence Trap

You've read three jurisdiction updates. Here's what they actually mean together.

The Event

On 12 June 2026, the US government directed Anthropic to suspend all foreign national access to Claude Fable 5 and Mythos 5, citing national security. Anthropic complied the same day — but because it could not technically isolate foreign nationals, the company disabled both models for all customers globally. Access to other Anthropic models was not affected. The action was taken under existing export control authority. No new legislation required. No transition period.

Important caveat: Fable 5 had launched just three days earlier (June 9). The immediate supply disruption is a probable near miss for most organisations — they were not yet in production with a model that had barely been released. A select few on Anthropic's pilot programme may have been more affected, but they would have been working on assumptions for using a generally unreleased model. The risk that materialised was smaller than it could have been — this time.

The near miss is the warning. Fable 5 wasn't in production. The next frontier model from any US provider might be.

The Precedent

The Anthropic event is not an Anthropic-specific risk. It is a US-based inference provider risk:

  • Any US-based inference provider is exposed to the same mechanism. OpenAI, Google, Meta — all subject to the same export control authority
  • This is a compliance event, not a technical outage. Models that were compliant yesterday may be unreachable tomorrow for portions of your team. The trigger is geopolitical, not technical
  • No transition period, no immediate recourse. The directive took effect the same day, leaving no time for affected organisations to migrate workloads or assess operational impact

The DORA Intersection

This is where the narrative pivots from description to obligation. Firms subject to DORA (Digital Operational Resilience Act) should assess whether AI model providers form part of their ICT third-party dependency landscape, particularly where AI services support important or critical functions. Where relevant, contractual arrangements may need to address incident notification, audit, access, inspection, exit, and business-continuity requirements.

| DORA obligation area | Gap exposed by the Anthropic event | |---|---| | ICT third-party risk management (Chapter V) | Most firms mapped cloud providers (AWS, Azure). Very few mapped inference providers as ICT dependencies. This is an unmapped exposure. | | Incident reporting (Chapter IV) | Reporting timelines may be compressed once a firm becomes aware of and classifies a major ICT-related incident. Firms should ensure AI-provider disruption scenarios are captured in incident detection, escalation, and reporting processes. | | Digital operational resilience testing (Chapter VI) | BCPs that assume AI model availability need model-switching scenarios, not just cloud failover. Has yours been tested? | | Contractual arrangements (Art. 30) | Where DORA applies, contractual arrangements may need to address audit, access, inspection, exit, incident notification, and business-continuity requirements. Most AI service agreements currently lack these provisions. |

While DORA is framed as an operational resilience act, its practical effect has been to expose the risks created by concentration on US-based AI providers. The Anthropic export control action demonstrates how that concentration can become a geopolitical vulnerability. European firms are now caught between regulations that assume model availability and a reality that makes it conditional.

No Safe Default

If US models carry export control risk, and Chinese models carry future supply restriction risk, and EU providers may reduce certain sovereign-access risks - there is no inference provider that doesn't carry sovereign risk. The risk profile differs by delivery method, not just by jurisdiction.

US hosted APIs (OpenAI, Anthropic, Google, Meta): Subject to export control. Access can be revoked by nationality — immediately, without transition. Proven.

Chinese hosted APIs (DeepSeek API, Qwen via Alibaba): Subject to China's layered regulatory stack, cross-border data controls, and content obligations. Using Chinese-hosted APIs for EU operations introduces compliance burden, not relief.

Self-hosted open-weight models (any origin, on your infrastructure): The most resilient deployment against immediate sovereign risk — but vulnerable to future supply restriction. China currently leads open-weight releases (DeepSeek, Qwen, Z-ai), but the strategic incentive to give away frontier models may not persist. The incentive flips when Chinese models achieve clear superiority: at that point, giving away weights subsidises competitors, and the rational move is to restrict releases to domestic or licensed partners. When China applies US-style restrictions on weight releases, organisations dependent on Chinese open-weight families will face the same supply disruption that Anthropic's customers faced in June. The question is when, not if.

In-region hosted open-weight (e.g., OpenRouter routing to EU-based providers): A practical middle ground for small and mid-size organisations that lack the infrastructure to self-host. Using routing platforms to access open-weight models hosted on infrastructure within your regulatory jurisdiction gives you sovereignty over the deployment without the capital cost of GPUs. The sovereign risk shifts from the model origin to the hosting jurisdiction — and if the hosting provider is in the EU, DORA and AI Act obligations apply but US export controls do not.

Partner-hosted proprietary models (e.g., Anthropic via AWS Bedrock, OpenAI via Azure): US providers are increasingly allowing partners to host their models for enterprise customers. This moves the inference layer into a jurisdiction the customer can choose (e.g., Anthropic models hosted on EU AWS regions). This mitigates nationality-based access revocation but does not eliminate it — the model provider retains the ability to revoke or restrict access, and the underlying weights remain subject to US export control authority.

EU models (Mistral, etc.): Not subject to US export control or Chinese regulatory stack. EU providers may reduce certain sovereign-access risks, but organisations still need to assess capability, performance, compliance obligations, and operational fit. EU regulatory obligations (AI Act, DORA) still apply. Lower probability of supply restriction given EU's open-market posture, but not zero.

The distinctions that matter:

Hosted APIs carry immediate revocation risk. Self-hosted open-weight models carry forward-looking supply risk. But two further complications apply:

The frozen weights problem. A model that is state-of-the-art in June 2026 will be behind the curve by December. Self-hosting preserves a snapshot, not current capability. The gap between your frozen model and the frontier widens every month. You need hosted APIs for currency and self-hosted or in-region open-weight for resilience. Neither is sufficient alone.

Self-hosting shifts liability entirely to you. When you use a hosted API, the provider bears some responsibility — they can update the model, patch vulnerabilities, apply guardrails. When you self-host open-weight, you are the deployer and the provider simultaneously. Under the EU AI Act, deployer obligations fall on you with no upstream party to contractually transfer risk to. This has a counterintuitive insurance implication: self-hosting might make insurance harder to obtain, not easier. You lose the provider liability shield. An insurer may prefer that you use a hosted API from a named provider with a track record, rather than running your own instance of a model you cannot fully explain or control.

A multi-engine strategy that includes self-hosted open-weight models is more resilient than one that relies solely on hosted APIs — but only if you maintain access to multiple model families, track release pipelines, and accept the liability trade-off.

The Commodity Inference Thesis

If every provider carries sovereign risk, inference should be treated as a commodity - switchable, portable, and independent of any single provider's ecosystem.

The "benefits" of provider-specific features - plugins, desktop integrations, fine-tuned models, proprietary extensions - are real, but they are also lock-in mechanisms. Under DORA, lock-in may become a compliance and operational-resilience risk. If your primary inference provider becomes unavailable, and your entire workflow depends on their proprietary plugin ecosystem, your business continuity plan fails at the application layer - not just the model layer.

Portability is resilience. Use providers whose models you can swap without rewriting applications. Avoid proprietary plugins, extensions, and integrations that create switching costs.

The Imperative

Comparative Matrix - June 2026

Three paths, one destination. The regulatory philosophies diverge, but the pressure on organisations converges.

| Dimension | EU | US | China | |---|---|---|---| | Approach | Single comprehensive law, risk-tiers | No federal law; state patchwork + preemption fight + export controls | Layered sectoral rules + standards | | Enforcement body | AI Office + member state authorities | FTC + state AGs + AI Litigation Task Force + Commerce Department export control | CAC-led, multi-agency | | Content focus | Moderate - transparency, high-risk categories | Sector-specific (employment, consumer, political ads) + model access restriction | Heavy - labeling, filtering, content safety | | Data | GDPR alignment | Sectoral (HIPAA, FCRA, etc.) | Data Security Law + PIPL + cross-border controls | | Penalty style | For certain prohibited-practice breaches, up to 7% of worldwide annual turnover | State-level ($/violation); FTC enforcement; model access denial via export control | Service suspension, license revocation, fines | | Extraterritorial | Yes - marketplace rule | Limited - state laws apply in-state; export controls restrict foreign access to US models | Yes - platform obligations + data rules | | Sovereign risk | EU models subject to AI Act + DORA; lower supply restriction risk | US hosted APIs subject to export control - access revocable by nationality; partner-hosted (AWS/Azure) mitigates but doesn't eliminate | Chinese hosted APIs subject to layered stack; self-hosted open-weight vulnerable to future supply restriction when incentive flips | | DORA exposure | Direct - DORA applies; inference providers should be assessed as part of ICT dependencies | Indirect - US firms exposed through EU subsidiaries subject to DORA | Limited - Chinese firms using domestic stack; but cross-border DORA exposure if serving EU markets | | Insurance response | AI-specific exclusions emerging | ISO CG 40 47 (US); European exclusions developing | Content liability; regulatory enforcement | | Nearest live deadline | Watermarking: 2 Dec 2026 | TAKE IT DOWN compliance: passed (19 May 2026); Anthropic export control: active (12 Jun 2026) | Short-video labeling: in force |

What This Means

| Finding | Implication | |---|---| | EU high-risk deadline delayed to Dec 2027 | Immediate pressure relieved, but inventory/classification work should start now | | EU watermarking deadline: 2 Dec 2026 | Less than six months of engineering required for generative AI providers | | NCII/CSAM prohibition (Art 5) | High-risk category expanded; existing content moderation systems may not qualify for safe harbour | | US federal action via existing authorities | Export controls, FTC enforcement, Commerce Department actions - no new legislation required | | US Colorado repeal | Comprehensive state AI laws face political resistance; sector-specific approach more viable | | US export control on Anthropic models | Supply disruption for non-US nationals; precedent for inference provider as geopolitical risk vector | | China layered stack | No single law — compliance requires managing multiple binding layers simultaneously | | Insurance coverage tightening | Coverage appears to be becoming more constrained for some AI liability exposures, particularly high-risk use cases | | Short-video labeling (China) | Directly affects platforms and creators; enforcement is active | | Model access as geopolitical instrument | Multi-inference-engine strategy is becoming a resilience and compliance expectation for organisations with material AI dependencies, especially regulated firms | | DORA third-party mapping gap | Inference providers may be unmapped ICT dependencies for firms subject to DORA | | DORA incident reporting exposure | Reporting timelines may be compressed once a firm becomes aware of an AI-provider disruption | | DORA business continuity | BCPs should include model-switching scenarios, not just cloud failover | | DORA contractual gap | Where DORA applies, AI service agreements may lack audit, access, inspection, exit, and incident notification provisions | | Commodity inference thesis | Inference should be treated as a switchable commodity; provider lock-in may become a compliance and operational-resilience risk | | Open-weight supply restriction risk | Self-hosted open-weight models are resilient against immediate revocation but vulnerable to future supply restriction — especially Chinese model families, where the incentive to release weights freely flips when they achieve dominance | | Frozen weights problem | Self-hosted models depreciate from download — you preserve a snapshot, not current capability. Need hosted APIs for currency | | Self-hosting liability shift | Self-hosting open-weight makes you the deployer and provider simultaneously — no upstream liability shield. May make insurance harder to obtain | | Deployment method diversity | In-region hosted open-weight (e.g., OpenRouter to EU providers) and partner-hosted proprietary models (AWS Bedrock, Azure) offer middle grounds between full self-hosting and US-hosted APIs |

The Compliance Calendar

Timeline of 7 date ranges on a shared time axis, anchored at Jun 2026. 2026 2027 2028 Jun 2026 China short-video labeling In force 12 May 2026 12 May 2026 US TAKE IT DOWN Act In force 19 May 2026 19 May 2026 US Anthropic export control Active 12 Jun 2026 12 Jun 2026 EU watermarking / synthetic disclosure ~6 months 2 Dec 2026 2 Dec 2026 Colorado ADMT law ~6 months 1 Jan 2026 1 Jan 2027 EU national AI sandboxes ~14 months 2 Aug 2026 2 Aug 2027 EU high-risk AI obligations ~18 months 2 Aug 2027 2 Dec 2027

Note: EU deadlines are delayed from original omnibus proposal; China and US deadlines are as enacted

The Call to Action

Audit your inference dependencies. Which models does your team use? Which providers are subject to foreign access controls? Could access restrictions affect users, teams, contractors, or locations that rely on those models? The overlap is your exposure.

Diversify your deployment methods, not just your providers. The Anthropic event proved that hosted APIs carry immediate revocation risk. Self-hosted open-weight models offer resilience but depreciate from the moment you download them and shift full liability to you. In-region hosted open-weight (via routing platforms like OpenRouter to EU-based providers) offers a practical middle ground for organisations without GPU infrastructure. Partner-hosted proprietary models (e.g., Anthropic via AWS Bedrock, OpenAI via Azure) move inference into your chosen jurisdiction but don't eliminate the provider's ability to restrict access. The resilient strategy combines multiple deployment methods: hosted APIs for currency, self-hosted or in-region open-weight for sovereignty, and multiple model families to hedge against supply restriction. If your platform already supports multiple inference engines, that is now a selling point — not an architecture preference.

Treat portability as compliance. Avoid provider-specific plugins, desktop integrations, and proprietary extensions that create switching costs. Under DORA, lock-in may become a compliance and operational-resilience risk. Portability-first architecture is the resilience strategy.

Review your contracts. Check your AI service agreements for force majeure, export control, and compliance-with-law clauses. Most providers reserve the right to suspend service for regulatory reasons - and that now includes nationality-based restrictions. If you're subject to DORA, ensure your contractual framework covers incident notification, audit rights, and business continuity.

Audit. Diversify. Treat portability as compliance.


This article is for general information only and does not constitute legal, regulatory, insurance, or procurement advice. Organisations should obtain specific advice based on their jurisdiction, sector, use case, and contractual arrangements.


Sources

  • EU AI Act Digital Omnibus: European Parliament press release (28 May 2026) — https://www.europarl.europa.eu/news/sv/press-room/20260427IPR42011/ai-act-deal-on-simplification-measures-ban-on-nudifier-apps ; Gibson Dunn (27 May 2026) — https://www.gibsondunn.com/eu-ai-act-omnibus-agreement-postponed-high-risk-deadlines-and-other-key-changes/ ; DLA Piper (Jun 2026) — https://knowledge.dlapiper.com/dlapiperknowledge/globalemploymentlatestdevelopments/2026/The-Digital-AI-Omnibus-Proposed-deferral-of-high-risk-AI-obligations-under-the-AI-Act ; CDT analysis (17 Jun 2026) — https://cdt.org/insights/final-ai-omnibus-text-dilutes-fundamental-rights-protections/
  • US Federal: White House EO 14409 (2 Jun 2026), Baker Botts (Jan 2026), Brennan Center (Sep 2025)
  • US Export Control (Anthropic): Anthropic statement (12 Jun 2026) — https://www.anthropic.com/news/fable-mythos-access ; Al Jazeera (13 Jun 2026) — https://www.aljazeera.com/news/2026/6/13/us-orders-anthropic-to-disable-ai-models-for-all-foreign-nationals ; Forbes (16 Jun 2026) — https://www.forbes.com/sites/anishasircar/2026/06/16/anthropic-disabled-fable-5-and-mythos-5-after-a-us-export-control-order-heres-what-happened/
  • US State: VerifyWise (May/Jun 2026), Norton Rose Fulbright (May 2026), Colorado Legislature SB 26-189
  • China: Simmons & Simmons AI View (May 2026) — https://www.simmons-simmons.com/en/publications/cmpqqg17d0036u4uc4cy0o17e/ai-view-may-2026 ; Global Times (12 May 2026), CAC official sources, Carnegie Endowment (Oct 2025)
  • DORA: Digital Operational Resilience Act (Regulation EU 2022/2554), Chapters IV–VI, Art. 30
  • Insurance: ISO CG 40 47, Policyholder Pulse, Business Insurance, Baker Botts (Jan 2026)

This brief supersedes the April 30, 2026 version and the June 23 slides version. The regulatory landscape continues to evolve - particularly the Digital Omnibus formal adoption process, US federal preemption litigation, and the scope of export control directives targeting AI model providers.

Verify this paper →

This paper is signed with Ed25519. Run the signature check in your browser to confirm it hasn't been altered since it was signed.

Want this for your team?

Start a conversation →