The Commission's publication of draft high-risk classification guidelines on 19 May constitutes a guidance publication for feedback, not a final decision; binding obligations under Article 6 AI Act apply from their existing statutory dates, but these guidelines will shape how providers and deployers document and justify their classification assessments in practice. A third round of AI Office working group meetings on the transparency Code of Practice for AI-generated content labelling is also progressing, with the third draft being developed; compliance obligations on labelling will follow once the Code is finalised. The European Parliament adopted a non-binding resolution on AI and EU trade strategy on 20 May, which carries no direct compliance weight but signals political appetite for using AI governance as a trade instrument.

Beyond the 19 June DPDI Act deadline, two ICO enforcement actions this week deserve attention from compliance teams. The ICO imposed a monetary penalty of £160,000 on Energy Prices Direct Limited for PECR Regulations 21 and 24 violations involving unsolicited marketing calls to TPS and CTPS-registered numbers; this is an enforcement action, not guidance, and confirms continued ICO appetite for direct marketing enforcement. A separate enforcement action resulted in a confiscation order of £355,880.10 under the Proceeds of Crime Act following conviction for insider unauthorised data access, demonstrating that criminal enforcement exposure sits alongside standard regulatory fines for data misuse. In the EU, an Austrian court upheld a Data Protection Authority ruling requiring equal visual prominence for accept and reject buttons in cookie banners on ORF.at, a court ruling that sets an enforceable design standard for cookie consent interfaces across Austria and signals the direction of DPA enforcement elsewhere.

The DSA Article 40 researcher data access mechanism moved from framework to operational reality this week: the Commission held a roundtable with VLOPs and VLOSEs on 19 May to facilitate the launch of the first formal researcher data access requests, meaning platforms must now handle live requests under that mechanism. This is a regulatory signal that the mechanism is active, not a final enforcement decision, but non-response will carry compliance risk. BEUC and 13 consumer groups filed complaints against Meta, TikTok, and Google on 21 May alleging DSA non-compliance on fraudulent advertisement moderation; these are NGO complaints, not Commission enforcement decisions, but they create a documented evidentiary record that could support Commission investigations. The EU's short-term rental transparency regulation (Regulation EU 2024/1028) entered application this week, placing mandatory data-sharing obligations on platforms operating STR listings in the EU market.

The CJEU issued a judgment in Joined Cases C-684/24 and C-685/24 on 21 May confirming that the public has access to beneficial ownership information on trusts where a legitimate interest is demonstrated, binding EU member state AML registers. This is a court ruling with immediate effect on how national registers handle access requests; UK trust register obligations under its separate AML regime are not directly affected but practitioners advising cross-border trust structures should note the diverging access conditions. The FCA also signalled active scrutiny of claims management companies in the motor finance sector through a published analytical note, indicating enforcement attention on CMC conduct is a watch point for that sector.

The European Parliament formally adopted the legislative resolution consenting to the EU's conclusion of the UN Convention on Cybercrime on 20 May, which is a final legislative decision binding EU member states to the Convention's international cooperation and electronic evidence sharing obligations. The UK is not an EU member and will implement or ratify the Convention separately; divergent ratification timelines and implementing legislation could create parallel electronic evidence request obligations for dual operators. No binding UK implementing legislation has been confirmed at this stage.

Alongside the MHRA rare disease consultation, the EU health data and digital health technology compliance survey closed on 22 May 2026, having run since 13 May; organisations active in EU digital health markets should note that this targeted survey will inform forthcoming regulatory guidance under the European Health Data Space framework. The MHRA and NICE published details of their joint Real-World Evidence Scientific Dialogue programme, a regulatory signal of the UK's direction on evidence standards for market authorisation that has no current EMA-EUnetHTA equivalent process. MHRA also updated its list of suspended and revoked manufacturing and wholesale distribution licences, requiring affected holders to verify their status against the current register immediately.

Beyond the DIWASS entry into application, the Environment Agency in England finalised its guidance on appropriate measures for waste battery permitted facilities, which now constitutes a binding operational standard for site operators under the Environmental Permitting Regulations. The guidance covers pre-acceptance, storage, treatment, emissions monitoring, and process efficiency requirements across multiple published sections; all affected permit holders must implement these measures operationally. The EA also published its packaging producer responsibility monitoring plan, confirming a programme of compliance visits on packaging producers in England in 2025 under producer responsibility regulations.

BEREC published both its adopted 2026-2030 Strategy and an early assessment of the proposed EU Digital Networks Act this week. The strategy document sets BEREC's regulatory priorities through 2030 with no immediate compliance obligations, but the assessment of the Digital Networks Act is a regulatory signal that the proposal is advancing and that BEREC is positioning itself as an active contributor to its development. The Digital Networks Act remains a legislative proposal at early stage; no binding compliance obligations arise yet, but telecoms operators with EU market presence should track its progress as it will restructure access, investment, and spectrum obligations across member states.

OPSS issued a product recall this week for Grafix toy sand found to contain asbestos, requiring immediate retailer withdrawal and end-user notification. A separate recall was issued for fragrances sold by Savers Health and Beauty containing BMHCA/lilial and HICC, both substances banned under EU Cosmetics Regulation; the timing of the UK recall relative to EU prohibition implementation warrants supply chain review by cosmetics operators. Multiple border rejection enforcement actions were also issued for electrical products failing UK-specific plug and fuse standards, including an e-bike, a shoe dryer, and a steam beauty device, each constituting a separate enforcement action under OPSS powers.

The European Commission launched a call for evidence on 18 May 2026 to gather views on targeted measures to modernise EU copyright rules, opening a consultation process that may alter text and data mining rules and platform liability obligations. This is a consultation launch, not a draft measure or final decision; no binding changes arise yet. For dual operators with content licensing or TDM activities across UK and EU markets, the EU review is a watch point given the UK has already evolved its own copyright framework independently since Brexit, and further EU changes could widen that gap.

The FCA published its response to the Treasury's policy statement on Consumer Credit Act reform, confirming the direction of travel towards FCA-led flexible regulation replacing prescriptive statutory CCA obligations. This is a regulatory signal at policy statement stage, not enacted legislation; no compliance deadline has yet been set. Firms operating under both UK consumer credit rules and the EU Consumer Credit Directive should monitor the UK reform trajectory given its potential to create structurally distinct regulatory obligations for the same financial products across the two markets.