regulatory compliance data protection

Looking ahead to 2026, we will be watching how the Netherlands builds on its early-mover advantage under MiCA — for example by deepening supervisory practice, refining guidance, and shaping EU-level implementation. On December 31, 2024, the MiCA rules for CASPs came into force alongside the obligations placed on firms under the Travel Rule. In January 2025, ESMA released a supervisory briefing to support national competent authorities (NCAs) in implementing the regime, and started to publish a registry of MiCA-authorized entities, alongside a list of non-compliant entities.

What is the EU Digital Markets Act?

Meanwhile, Dubai’s VARA released Version 2.0 of its rulebooks in May 2025, expanding governance and reporting standards for all licensed virtual asset activities. The authority imposed a deadline for compliance by June 19, 2025, allowing firms a 30-day transition period, underscoring the regulator’s shift from sandbox experimentation to mature supervision. In 2025, South Africa took a range of steps to broaden understanding of the crypto asset sector and support more effective supervision and development of future regulatory frameworks, for example for stablecoin arrangements. Within the financial sector, regulators and enforcement agencies continue to maintain a cautious stance. The 2018 FinTech Law confines virtual asset activities to licensed financial institutions with prior Banxico authorization, and approvals remain scarce.

The California Consumer Privacy Act (CCPA)

It also logs your compliance activities to easily show auditors what actions your organization has taken. All companies conducting business with the DOD, including subcontractors, must be certified. The fines for failing to comply with GDPR are significant – some organizations can be fined as much as 4% of their annual revenue or €20 million, whichever is higher.

  • Full compliance is required by 1 January 2027, with the law effective from 1 January 2026 and a one-year transition period.
  • In China, regulations require strict data localization and censorship; and Middle East and Africa regulations are patchwork, by comparison.
  • Beyond this, consistent monitoring of data activity and use is required to maintain GDPR compliance.
  • DORA applies to banks, insurance companies, investment firms, payment platforms, and crypto businesses.
  • Complicating matters further for financial institutions are the inherent enhanced risks of fraud and cybersecurity concerns due to their use of confidential data in the banking industry.
  • Notably, in May, A7 — the issuer of the ruble-pegged A7A5 stablecoin — was designated under UK sanctions law for its involvement in financial services that undermine Ukraine’s sovereignty.

California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)

Multinational organizations must be cognizant of the regulatory compliance rules of each country in which they operate. For example, GDPR went into effect in 2018 and applies to all data produced by EU citizens, regardless of whether the company collecting the data is located within the EU. GDPR also applies to all people whose data is stored within the EU, regardless of whether they are EU citizens. Across jurisdictions, 2026 brings a convergence of privacy and AI governance requirements that make early planning and system inventories essential.

International privacy regulations

Kasowitz’s Data Strategy, Privacy, and Security team has deep knowledge in the data, privacy, and security sectors, and is familiar with the potentially existential risks faced by companies that rely on data as an engine of commerce and innovation. Global data, AI, privacy, and security threats are “bet the company” issues that Kasowitz is well equipped to handle. Our team consists of seasoned lawyers who have worked at or represented the largest and most innovative companies in the world, former regulators, and former government attorneys. We leverage our extensive subject matter knowledge to support companies through global privacy and technology counseling, regulatory support in the AI, privacy and security space, litigation, and incident preparedness and response.

The ICO is launching a monitoring programme into 10 popular online games to assess their compliance with default privacy settings, geolocation controls and targeted advertising practices. The regulator will also consider any other privacy issues identified during the review process. The ICO’s early review suggests that many mobile games’ design features can be intrusive, which raises concerns about their compliance with the ICO’s Children’s Code standards. Related to this, but included in the separate AI Omnibus, there would be an extension to the situations in which special category data can be processed for the purposes of detecting and correcting bias in AI systems (subject to strict safeguards). This is currently limited to providers of high-risk AI systems, but would also cover deployers of high-risk systems, and providers and deployers of non-high-risk systems and models where “reasonable and proportionate”. The FTC has repeatedly taken the position that chat responses promising specific results from a product (e.g., financial returns, health benefits, etc.) or guaranteeing eligibility or refunds, can be deceptive or misleading if not substantiated.