
The EU Lead

The EU AI Act remains the most comprehensive horizontal AI regulation in force. Prohibited-practice provisions have been enforceable since February 2, 2025, and GPAI obligations since August 2, 2025; high-risk system enforcement lands August 2, 2026, and the safety-component AI tranche follows in August 2027. Penalties run up to 7% of global turnover (€35M floor). The Act sets the de facto international compliance benchmark: many multinationals treat EU-Act-aligned controls as their global baseline because building two systems is more expensive than building one.

The EU AI Office (within DG CNECT) handles GPAI cases directly; member-state market surveillance authorities handle deployer enforcement.

US State Patchwork

Federal action stalled in 2025 — the proposed Algorithmic Accountability Act and AI Bill of Rights remain non-binding; the executive-order regime shifted across administrations. State action proliferates and creates real multi-state compliance complexity:

  • California: CPRA-derived ADMT (Automated Decision-Making Technology) regulations finalized late 2025, enforcement 2026. AB-2013 transparency for generative training data. SB-942 watermarking for large GenAI providers.
  • Colorado: SB-205 (signed May 2024) — high-risk AI obligations modeled loosely on EU framework. Effective February 1, 2026. Covers consequential decisions including employment, housing, financial services.
  • New York: Local Law 144 on automated employment decision tools (NYC), state-level AI in employment bills pending.
  • Illinois: BIPA continues to drive biometric AI litigation; new HB-3773 on AI in employment effective January 2026.
  • Texas, Tennessee, Utah, Virginia: each with sectoral AI provisions in consumer protection or insurance code.

A national patchwork now requires either state-by-state compliance mapping or a generally conservative posture aligned to the strictest applicable jurisdiction. Most enterprises pick the latter for operational simplicity.

UK Approach

The UK opted for a sectoral regulation model — AI rules issued by existing regulators (FCA for financial services, MHRA for medical, ICO for data protection, CMA for competition) rather than a single overarching AI Act. The Artificial Intelligence (Regulation) Bill, reintroduced in November 2024, would create a central AI Authority but as of April 2026 has not become law. Practical effect for CRM AI: comply with sector-specific guidance and the ICO’s AI and data protection guidance (updated November 2025).

China

A layered regime that pre-dates the EU's and continues to evolve in parallel with it:

  • Algorithmic Recommendation Provisions (March 2022): registration, transparency, opt-out.
  • Deep Synthesis Provisions (January 2023): labeling, provenance.
  • Generative AI Measures (August 2023): training data legality, content controls, security assessment.
  • Generative AI Service Management Measures (updated 2025): tighter content alignment with “core socialist values,” CAC pre-launch security assessment for public-facing services.

The posture differs from the EU's: government direction rather than enumerated individual rights. Multinationals deploying CRM AI in China require a China-specific stack and a Chinese legal entity with PIPL compliance, separate from global operations.

Other Emerging Frameworks

  • Brazil: PL 2338/2023 (AI Bill) progressing through Senate; modeled on EU risk tiers.
  • Canada: AIDA (Artificial Intelligence and Data Act) within Bill C-27 stalled at federal level; provincial activity in Quebec under Law 25.
  • Japan: AI Bill (April 2025) — relatively light-touch, principles-based.
  • South Korea: Framework Act on AI (passed December 2024, effective January 2026); high-impact AI obligations.
  • India: DPDP Act 2023 in force; Digital India Act with AI provisions still pending.
  • UAE, Saudi Arabia: government-led AI strategies, sector regulation, sovereign-AI infrastructure focus.

Implementation Sequence

  1. Inventory your AI systems by jurisdiction of deployment and data subject location.
  2. Map each system to the strictest applicable regime.
  3. Build to the strictest baseline; document deviations downward where local law permits.
  4. Maintain a regulatory watch process — 2026 will see at least 5 new framework updates worth tracking.

What to Do This Week

Identify which of your CRM AI systems serve customers in California, Colorado, the EU, and China. That’s your immediate compliance scope. Everything else is forecast.
