AI View: May 2026

Our fortnightly round-up of key AI legislative, regulatory and policy updates from around the world.

29 May 2026

Welcome to AI View, Simmons & Simmons' fortnightly round-up of key AI legislative, regulatory, and policy updates from around the world.

Launch of EU AI Act Transparency Toolkit

The August 2026 deadline for complying with the EU AI Act's transparency obligations is fast approaching. Today, we are launching our EU AI Act Transparency Toolkit, a suite of products designed to help you understand the transparency regime, identify in-scope systems, determine whether you are the provider or deployer and, crucially, implement compliance steps. 

More information on the transparency regime and the Toolkit can be found here.

We have also recently hosted a flash webinar, discussing our key takeaways from the draft guidelines on the transparency regime, which you can watch on demand here.

This edition brings you:

  1. UK Data Protection Act (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations come into force

  2. UK government announces Regulating for Growth Bill with cross-cutting AI sandbox powers

  3. UK financial regulators warn firms to take action against frontier AI cyber threats

  4. European Commission launches call for evidence on copyright and generative AI

  5. Colorado Governor signs law replacing the state's landmark AI Act

  6. Australia's cyber security agency leads multi-jurisdictional guidance on the adoption of agentic AI services 

  7. Spain's competition regulator issues report on AI product safety regulations

  8. China's internet regulator mandates content labelling for AI-generated short videos

  9. South Korean privacy regulator issues generative AI user-data guide

1. UK Data Protection Act (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations come into force

On 12 May 2026, the Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026 (the Regulations) came into force. The Regulations require the Information Commissioner's Office (ICO) to develop a formal code of practice setting out how organisations should process personal data when developing and using AI, as well as when relying on automated decision-making.

The code will sit within the existing UK data protection framework and apply to the use of personal data under the UK GDPR and the Data Protection Act 2018. It must also include specific guidance on the processing of children's personal data.

While the Regulations do not impose any immediate new obligations on organisations, once finalised, the code is expected to carry significant weight and will be taken into account by the ICO and courts when assessing compliance. The ICO has already begun consulting on draft guidance on automated decision-making, which is expected to inform the development of the statutory code.

Read the Regulations here.

2. UK government announces Regulating for Growth Bill with cross-cutting AI sandbox powers

On 13 May 2026, the UK Government announced the Regulating for Growth Bill (the Bill) as part of the King's Speech. The Bill includes measures intended to support the development and deployment of emerging technologies, including AI, through changes to the UK's regulatory framework.

A central feature of the Bill is the introduction of cross-sector regulatory sandboxing powers. These powers would allow regulators to establish controlled testing environments in which businesses can trial AI systems and other advanced technologies in real-world conditions, with certain regulatory requirements temporarily adjusted where appropriate.

According to the Government's briefing notes, these sandboxing arrangements are intended to facilitate the responsible testing and adoption of AI-enabled products and services, particularly in areas where existing regulatory frameworks may currently limit innovation. The aim is to enable organisations to generate evidence on the performance, risks and benefits of AI systems in practice, while remaining subject to appropriate oversight and safeguards.

The announcement reflects the UK Government's continued preference for a pro-innovation, sector-led approach to AI governance, rather than introducing comprehensive AI-specific legislation. AI is expected to be regulated through a combination of existing frameworks, regulatory experimentation (such as sandboxing), and targeted legislative reform.

The Bill is expected to be introduced to Parliament in due course.

Read the King's Speech background briefing notes here.

3. UK financial regulators warn firms to take action against frontier AI cyber threats

On 15 May 2026, the Bank of England, Financial Conduct Authority and HM Treasury published a joint statement on frontier AI models and cyber resilience (the Statement), highlighting increasing cybersecurity risks arising from advances in AI and setting out expectations for regulated firms.

The Statement emphasises that frontier AI models represent a "step change" in capability, with the potential to significantly enhance cyber attack capabilities. In particular, such models can identify and exploit vulnerabilities at greater speed, scale and lower cost than previously possible. The authorities warn that, if used maliciously, these capabilities could materially increase risks to firms' operational resilience. Firms with weaker cybersecurity foundations are expected to become increasingly exposed as these technologies continue to develop.

The Statement identifies key areas where firms are expected to take action to mitigate frontier AI-driven risks:

  • Governance and oversight: Boards and senior management should have sufficient understanding of frontier AI risks to inform strategy and oversee risk management.
  • Vulnerability management: Firms should be able to identify, prioritise and remediate vulnerabilities more quickly and at scale, including through automation, in response to AI-enabled exploitation techniques.
  • Third-party risk management: Firms are expected to strengthen oversight of suppliers and third-party technologies, ensuring the ability to monitor and address vulnerabilities across the supply chain.
  • Protective controls: Effective access management, network security and data protection measures should be in place to reduce the attack surface available to AI-enabled threats. The Statement also notes that firms may need to adopt automated or AI-enabled defensive tools to respond at comparable speed to attacks.
  • Response and recovery: Firms should maintain the ability to respond to and recover from cyber incidents rapidly, in line with existing guidance on cyber resilience.

UK regulators expect firms not only to maintain baseline cyber resilience capabilities, but to adapt them to reflect the increasing sophistication and speed of AI-driven threats.

The authorities confirm that they will continue to monitor developments in frontier AI and engage with industry through existing forums, indicating that further guidance or supervisory focus in this area is likely as AI capabilities evolve.

Read the Statement here.

4. European Commission launches call for evidence on copyright and generative AI

On 13 May 2026, the European Commission launched a call for evidence seeking stakeholder input on whether the EU's existing copyright and AI frameworks are adequate to support licensing, enforcement and fair remuneration in the generative AI market. The call for evidence is expected to inform a targeted legislative proposal, currently planned for Q1 2027, and runs alongside a separate review of the Directive on Copyright in the Digital Single Market (the CDSM Directive).

In particular, the Commission is seeking stakeholder input across several AI-related areas:

  • Transparency and access to information: Whether rightsholders have adequate visibility over how their works are being used to train generative AI models, and whether existing transparency obligations under the AI Act are sufficient.
  • Licensing and remuneration: Whether additional measures, such as mediation, arbitration or new remuneration mechanisms, are needed to support fair licensing of content for AI purposes and ensure appropriate compensation for creators.
  • Protection against AI-generated imitations: Whether performers are adequately protected against AI-generated replications of their personal characteristics and performances.
  • Online piracy: Whether stronger enforcement tools are needed to address the piracy of live and time-sensitive content, which the Commission considers to be insufficiently addressed by current EU remedies.

The call for evidence is open until 25 June 2026.

Read the call for evidence here.  

5. Colorado Governor signs law replacing the state's landmark AI Act

On 14 May 2026, the Governor of Colorado signed Senate Bill 26-189 (SB 189) into law, repealing and replacing the state's original Colorado Artificial Intelligence Act.

SB 189 focuses on "automated decision making technology" (ADMT), which is any technology that processes personal data and uses computation to generate outputs (such as predictions, recommendations, rankings or scores) used to inform decisions about individuals. The law applies where ADMT plays a meaningful role in a "consequential decision", meaning a decision affecting an individual's access to education, employment, housing, financial services, insurance, healthcare, or essential government services.

Key features of SB 189 include:

  • Requirements for AI developers: Developers of ADMT must provide users of their technology with clear documentation covering the system's intended uses, known risks and limitations, the types of data used to train the system, and guidance on appropriate use and human oversight.
  • Transparency for consumers: Before using a covered ADMT in a consequential decision, businesses must inform the affected individual. Where the decision results in an adverse outcome (for example, a denial of credit or a job application rejection), the business must provide a plain language explanation of the system's role in the decision within 30 days, along with information on how the individual can seek further details and exercise their rights.
  • Consumer rights: Individuals who experience an adverse outcome may request correction of inaccurate personal data and an opportunity for a human to review and reconsider the decision.
  • Discrimination protections: Those who build or use AI systems can be held responsible if the technology contributes to a discriminatory outcome under Colorado's existing anti-discrimination laws.

SB 189 is due to take effect on 1 January 2027.

Read SB 189 here.

6. Australia's cyber security agency leads multi-jurisdictional guidance on the adoption of agentic AI services

On 1 May 2026, six international cybersecurity agencies jointly published guidance on the secure adoption of agentic AI systems (the Guidance). The Guidance was co-authored by the Australian Signals Directorate's Australian Cyber Security Centre, the US Cybersecurity and Infrastructure Security Agency, the US National Security Agency, the Canadian Centre for Cyber Security, the New Zealand National Cyber Security Centre and the UK National Cyber Security Centre. 

The Guidance focuses on the security risks that arise from agentic AI systems, particularly where such systems are integrated into critical infrastructure, government operations or business processes.

The Guidance identifies five broad categories of risk:

  • Privilege risks: Overly broad access rights allow compromised agents to perform actions beyond their intended function.
  • Design and configuration risks: Unvetted third-party components or poorly managed permissions create vulnerabilities that compound over time. 
  • Behaviour risks: Agents act in unexpected ways, find unintended shortcuts or develop unanticipated capabilities. 
  • Structural risks: Failures in one part of an interconnected system cascade across the whole.
  • Accountability risks: The complexity and autonomy of the system make it difficult to trace how a decision was reached or assign responsibility when something goes wrong.

To address these risks, the Guidance recommends that organisations deploy agentic AI only for clearly defined, low-risk tasks, grant agents the minimum level of access needed, and build in human approval checkpoints for high-impact actions. It encourages a phased approach to deployment, starting with limited autonomy and expanding access as the system's behaviour is better understood, supported by continuous monitoring.

The Guidance is non-binding but reflects a coordinated international position on how organisations should approach the adoption of agentic AI.

Read the Guidance here.

7. Spain's competition regulator issues report on AI product safety regulations

On 12 May 2026, Spain's National Commission on Markets and Competition (CNMC) issued a report on a Draft Royal Decree on general product safety (the Draft Decree). The Draft Decree is intended to update Spain's existing product safety framework in line with EU Regulation 2023/988, and the CNMC's report calls for it to be adapted to better address the challenges posed by AI, connected products and e-commerce.

The Draft Decree is expected to incorporate risks associated with AI, cybersecurity and connected products into Spain's general product safety regime. It would also introduce new obligations for digital platforms, requiring them to take an active role in withdrawing unsafe products and improving the traceability of sellers on their platforms. The CNMC welcomed this approach, noting that it would help create a more level playing field by requiring all operators, including those based outside the EU and online-only sellers, to bear the same product safety costs.

Read the CNMC's press release here (only available in Spanish).

8. China's internet regulator mandates content labelling for AI-generated short videos

On 12 May 2026, the Cyberspace Administration of China (CAC) announced the nationwide rollout of mandatory content labelling requirements for short videos published on digital platforms.

Under the new requirements, all platforms must provide users with six mandatory labels (referred to as "must-choose tags") that publishers are required to select before a short video can be uploaded. One of the six mandatory tags is "contains AI-generated content", which must be applied to any video that incorporates material produced using AI tools.

The CAC has set out a phased implementation timeline. Platforms must complete the necessary technical upgrades and make the labelling function available to all users by the end of May 2026. Before December 2026, platforms are expected to conduct retrospective reviews of existing video libraries, supplementing or correcting labels where necessary and notifying publishers accordingly. The CAC has stated that accounts which fail to label content as required, and platforms which fail to enforce the labelling standards, will be subject to penalties and public exposure.

The announcement follows enforcement action earlier in the year, during which the CAC reported the removal of over 520,000 short videos and the punishment of more than 68,000 accounts for violations including fake or staged content. The labelling initiative forms part of a broader effort by Chinese regulators to improve transparency and authenticity in online content, with a particular focus on ensuring that AI-generated material is clearly identified to users.

Read the CAC's press release here (only available in Chinese).

9. South Korean privacy regulator issues generative AI user-data guide

On 19 May 2026, South Korea's Personal Information Protection Commission (PIPC) published a user-focused guide on how personal information is handled in generative AI services (the Guide). The Guide is designed to help individuals understand how their data is processed when using AI tools and to take practical steps to protect their personal information.

The Guide addresses eight common concerns raised by users, including whether prompts and uploaded content are used for AI training, how deleted conversations are retained, whether data may be transferred abroad, precautions when inputting workplace data, what to do if AI outputs contain personal information, and the privacy implications of connecting AI services to external tools and plug-ins. It advises users to review each service's data policies before use, opt out of AI training where possible, avoid entering sensitive personal information, and limit the permissions granted when connecting to external applications.

The PIPC noted that while previous regulatory guidance has focused primarily on the responsibilities of AI developers and service providers, this Guide is specifically designed to improve AI privacy literacy among everyday users.

Read the PIPC's press release here (only available in Korean).

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.