EU raises the security bar; US issues national AI framework
Europe’s new Cyber Resilience Act and proposed Digital Networks rules are pushing security and interoperability standards higher for vendors, while the White House released a national AI legislative framework and states like Oklahoma continue layering privacy laws—creating a faster, more complex compliance landscape. Vendors serving European and US customers will face bigger oversight and reporting obligations. (futurumgroup.com, mondaq.com, ktul.com)
The EU’s Cyber Resilience Act (Regulation (EU) 2024/2847) is already in force (Dec. 10, 2024) but phases in key duties: mandatory reporting of actively exploited vulnerabilities and severe incidents from Sept. 11, 2026, and full conformity/market access rules from Dec. 11, 2027. (eur-lex.europa.eu) The CRA’s scope covers “products with digital elements” — software, firmware and connected hardware — and explicitly requires secure-by-design, continuous vulnerability handling and post-market monitoring, with administrative fines up to €15 million or 2.5% of global turnover plus powers to withdraw or recall products. (digital-strategy.ec.europa.eu)

The European Commission published the Digital Networks Act proposal on Jan. 21, 2026, a draft that would merge four telecoms acts into one regulation and introduce measures such as a Single Passport authorisation, harmonised cross-border rules and an EU-level preparedness plan to boost connectivity resilience. (oxera.com)

The White House released a National AI Legislative Framework on March 20, 2026, setting six policy objectives — including protecting children, safeguarding IP, preventing censorship and easing data-center permitting — and explicitly pitching a federal approach to AI regulation. (whitehouse.gov) The framework is a principles-based roadmap that urges Congress toward federal preemption but does not itself create binding obligations, meaning private-sector actors must still comply with state-level AI and privacy laws as they stand. (nixonpeabody.com)

Oklahoma’s SB 546 was signed into law on March 20, 2026 and takes effect Jan. 1, 2027; the statute grants consumers rights to access, correct, delete and obtain copies of personal data and creates opt-outs for sale and certain targeted advertising. (mcdermottlaw.com) Under SB 546 controllers must respond to verified consumer requests within 45 days and offer at least two submission methods, must perform documented data-protection assessments for targeted advertising, sale, high-risk profiling and sensitive data processing, and the Attorney General has exclusive enforcement authority with a 30-day cure period before litigation. (okbusinessvoice.com)

The upshot for vendors is hard dates and layered obligations: CRA reporting begins Sept. 11, 2026 and full CRA compliance is required by Dec. 11, 2027, Oklahoma’s privacy rules take effect Jan. 1, 2027, and the White House framework signals potential federal legislation without immediate preemption — compressing timelines and expanding overlapping reporting, assessment and governance duties. (hackerone.com)