Regulation Brief: Global Tech Rules, June 3-10, 2026
The week of June 3 to June 10, 2026 wasn't dominated by Brussels or Washington. The most consequential moves came from places most US tech reporters skip: Baku, Bogotá, Honduras, and a CISA advisory that should have gotten more attention than it did.
Here are the five items from this week's World Watch tracker that actually matter.
Azerbaijan: National Cybersecurity Agency replaces the old Electronic Security Service
On June 2, President Aliyev signed a decree creating a National Cybersecurity Agency under the Ministry of Digital Development and Transport, absorbing the Electronic Security Service and adding an explicit mandate over AI-system security and critical-infrastructure resilience.
This isn't a rename. Pairing AI-system oversight with critical-infrastructure defense under one agency is the model I expect more mid-sized states to copy, because splitting those mandates the way the US does (CISA here, NIST AI RMF there, sectoral regulators everywhere else) is expensive and slow. Baku is also continuing the through-line from February's Digital Development Council and 2026-2028 action plan, so this is a structural build, not a one-off. See the Azerbaijan AI page for the rolling thread.
United States: CISA confirms an Iranian APT is inside critical-infrastructure PLCs
The CISA joint advisory AA26-097A confirms that an Iranian-affiliated APT has been disrupting programmable logic controllers across US water, energy, government facilities, and manufacturing since at least March 2026. PLCs. Not corporate email, not customer databases. The boxes that open valves and trip relays.
I think the industry keeps under-rating OT compromise because it doesn't produce a clean dollar-loss number the way a DeFi hack does. It should rate higher, not lower. A water utility in a mid-sized US city has roughly the cybersecurity budget of a Series B startup, and the threat surface of a defense contractor. The full background is on the Iran cybersecurity tracker.
Colombia: open finance is now mandatory, not voluntary
Colombia spent April finalizing Decreto 0368/2026, replacing the voluntary regime from Decreto 1297/2022 with a binding mandatory open finance system. Banks, insurers, pension funds, and brokerages all have to share customer data through standardized APIs.
The SFC had already telegraphed the compliance pain in February when it extended the architecture-and-security deadline to 30 months under Circular Externa 001/2026. My read: this is one of the most ambitious LatAm fintech moves of the year, and the longer runway is a feature, not a retreat. Tracking it on the Colombia fintech page.
Honduras: re-signs ICSID, signaling a hard reset on investor protections
On his inauguration day, President Nasry Asfura re-signed the ICSID Convention, reversing the Castro administration's 2024 withdrawal and restoring multilateral investor-state arbitration.
For anyone building cross-border, this matters more than it looks. ICSID coverage is the difference between a usable arbitration clause and a piece of paper. If you're a fintech, a hosting provider, or a tokenization platform looking at LatAm expansion, Honduras just moved from "risky" to "workable" in one signature. Background on the Honduras starting-business tracker.
Chile: Law 21.719 lands a hard deadline, and a real regulator
Chile's Law 21.719 takes full legal effect on December 1, 2026, alongside the launch of the Agencia de Protección de Datos Personales (APDP), Chile's first independent data-protection authority. The framework is broadly GDPR-aligned, which makes vendor due diligence dramatically simpler if you already serve EU customers.
A quick contrarian point: I think the bigger story is the regulator, not the law. LatAm has had GDPR-flavored statutes for years. Independent, funded supervisory authorities are the rarer commodity, and they are what actually change behavior at the controller level.
What I'm watching next
The pattern across all five items is the same: enforcement infrastructure (agencies, courts, supervisory bodies) is finally catching up with the statutes that were passed in the 2022-2025 wave. Expect more agency stand-ups and fewer headline laws through the rest of 2026.
The live cross-jurisdiction map is at anuragverma.co/worldwatch, and the weekly newsletter goes out every Wednesday.
Researched with AI assistance from official sources. Analysis and conclusions are my own.
Sources
- Azerbaijan Ministry of Digital Development: National Cybersecurity Agency established
- Azerbaijan Ministry of Digital Development: 2026-2028 Digital Action Plan
- CISA Joint Advisory AA26-097A: Iranian APT activity targeting US critical-infrastructure PLCs
- Decreto 0368 de 2026 (Colombia): Mandatory Open Finance System
- Superintendencia Financiera de Colombia: Circular Externa 001/2026 extension
- ICSID: Honduras re-signs the ICSID Convention
- Biblioteca del Congreso Nacional de Chile: Law 21.719