AI Governance Daily, 28 May 2026
What changed in AI governance today, and what leaders should do about it.
By Matthew Atherfold

Enforcement day. Not "guidance day," not "consultation day." Enforcement.
In a single news cycle the Commission landed a €200M DSA fine on Temu, and CNIL hit IQVIA with €5M for health data violations. Two regulators, two jurisdictions, two very different targets, same message: the machinery is operational and it bites.
Add Connecticut signing SB 5 into law this week, plus the EDPB's 120th plenary meeting today, and you've got three jurisdictions moving on AI and data governance inside 24 hours.
Operational regulation = the thing your board kept saying was "years away." It isn't.
🇪🇺 Europe & Regulation
- Temu fined €200M under the DSA. The Commission isn't using the DSA as a press release anymore. It's using it as a cheque book. If you sell, host, or recommend on a platform inside the EU, the compliance posture you signed off in 2024 is now the floor, not the ceiling.
- CNIL fines IQVIA €5M for health data violations. A processor, not a controller, getting hit directly. If your vendor risk register still treats processors as "someone else's problem," update it this week.
- CNIL and Korea's PIPC co-produce a GenAI privacy poster. Looks small. Isn't. Cross-border DPA coordination on GenAI messaging = a preview of cross-border enforcement coordination.
- CNIL: the processor at the centre of the crisis. Read this alongside the IQVIA fine. CNIL is telling you, in plain French, where it's looking next.
🇺🇸 US
- Connecticut SB 5 is now law. 39 sections of AI obligation. The US "patchwork" line is getting tired: Colorado, then Texas, now Connecticut. If you operate in more than three states, you no longer have a state strategy, you have a multi-state programme.
- Connecticut also enacted its annual privacy update. CTDPA revisions land in the same week as SB 5. Treat them as one compliance workstream, not two.
- OpenAI Election Safeguards 2026. Access to information, cyber defender support, AI transparency. Whatever you think of the vendor, the framing is now the de facto industry baseline for election-year AI risk.
🏢 Enterprise & Operating Model
- OpenAI and Cisco on Codex in enterprise engineering. A worked example of AI-native development inside a regulated infrastructure vendor. Useful if you're trying to convince your CTO that "Copilot for everyone" is not a strategy.
- Azhar: why AI isn't showing up on your bottom line. Honest answer for the CFO who keeps asking. Productivity gains without process redesign = no P&L impact.
🧠 Voices worth 5 minutes
- MIT Sloan: what AI still can't do for leaders. A useful corrective for anyone who thinks their judgement is now optional. It isn't. The model doesn't sit in your board meetings, carry your accountability, or sign your accounts.
⚠️ Watchlist
- EDPB 120th plenary today, 28 May 2026. AI Act implementation likely on the agenda.
- Article 50 transparency consultation closes 3 June 2026 (6 days).
- High-risk classification consultation closes 23 June 2026 (26 days).
- Code of Practice on AI-generated content: finalisation expected May/June 2026.
- Article 50 transparency obligations apply 2 August 2026.
- High-risk AI obligations apply 2 August 2026 on the current calendar.
- EU Omnibus: formal adoption still pending.
- Trump AI security executive order: still expected.
Two fines, one new state law, one plenary. If your AI governance plan still has "monitor regulatory developments" as a 2026 action, today is the day to rewrite it. See you tomorrow.