What's changing worldwide

The EU's European Travel Information and Authorisation System (ETIAS) is expected to go live in the last quarter of 2026, requiring visa-exempt non-EU travellers (incl. would-be nomads on short stays) to obtain pre-travel authorisation to enter Austria and the Schengen area.

Two new pathways replace the post-2023 SMC structure: a Skilled Work Experience Pathway (5 years experience, 2 years in NZ earning ≥1.1× median wage) and a Trades & Technician Pathway (Level 4+ qualification, 18 months NZ experience). NZ-completed qualifications earn a bonus point, and English test results extend to 5-year validity for registered occupations.

Norway's dedicated law implementing EU Regulation 2024/1689 is targeted for August 2026, aligned with the EU full-application date. It will establish a risk-based framework, designate Nkom as the coordinating market surveillance authority, and create a national AI regulatory sandbox hosted in Digdir.

Ireland must transpose EU AMLD6 provisions requiring the RBO to grant beneficial-ownership access to persons with a legitimate interest and to interconnect with EU systems, partially reopening data that was restricted after the 2022 CJEU ruling. It re-shapes the transparency obligations attached to forming and owning an Irish company.

Vietnam's consolidated Cybersecurity Law 2025, passed on 10 December 2025 with 434/443 votes in the National Assembly, takes full effect, replacing both the 2015 and 2018 laws. It mandates data localisation for all domestic and foreign platform operators, sets 24-hour (and 6-hour in urgent cases) content-removal windows, and reaffirms the Ministry of Public Security as the principal cybersecurity authority.

Norway's amendment to the Security Act to transpose the EU NIS2 Directive (2022/2555) enters its registration phase, bringing roughly 5,000 organisations into scope across expanded critical sectors; NSM will act as central CSIRT coordinator, with first audits scheduled from 1 October 2026.

Liechtenstein-based providers operating under the TVTG must hold full MiCAR authorisation as crypto-asset service providers by this date; passporting across the EEA requires authorisation. This marks the cutover from the national Blockchain Act regime to the EU-wide MiCA framework.

Work-permit applicants must earn at least 90% of the national median wage (SEK 33,390/month), up from 80%, and must hold full sickness insurance. Two new criminal offences — exploitation of foreign labour and trafficking in work permits — are also introduced; certain highly skilled and self-employed applicants gain a slightly expanded right to apply from within Sweden.

Published in Registro Oficial Fifth Supplement No. 290, Ecuador's first dedicated cybersecurity law became immediately operative — mandating a 78-hour incident notification deadline, critical-infrastructure protection duties, compulsory cybersecurity education in schools, and concentrating strategic governance under MINTEL.

Taiwan's Executive Yuan announced it will formally establish the National AI Strategy Special Committee, to be chaired by the Premier and tasked with setting the national AI development blueprint and coordinating AI governance across ministries. This is a mandatory implementation step under the January 2026 AI Basic Act.

The CRTC raised the base contribution rate for large foreign streaming services (Netflix, Disney+, Prime Video with $25M+ Canadian revenue) from 5% to 15% of annual Canadian revenues to fund Canadian and Indigenous content, intensifying a U.S. trade dispute and triggering Federal Court of Appeal challenges.

Minister Josephine Teo unveiled a refresh of NAIS at ATxSummit 2026, setting 10 priorities across industry, government, research, talent, compute, data, trust and international partnerships, with new National AI missions in advanced manufacturing, financial services, connectivity and healthcare. The update cements Singapore's ambition to become a global AI hub while deepening sectoral transformation.

Thailand's Cabinet voted to cancel the 60-day visa-exemption introduced in July 2024 and restore a tiered system: 30 days for 54 traditional tourism markets and 15 days for others, pending Royal Gazette publication. Officials cited exploitation of the longer window by illegal workers and cybercrime networks as the primary motivation.

GAFI announced a draft overhaul of company licensing and minimum-capital requirements aimed at equalising conditions for local and foreign investors and further easing incorporation. It signals the next phase of streamlining how businesses are started.

Mohammed bin Rashid formally approved a world-first federal framework to transition at least 50% of UAE government services and operations to Agentic AI within two years, covering citizens', residents', and business services across all ministries. The plan includes training 80,000 federal employees and creating entity-level Agentic AI implementation teams headed by each minister.

Nearly two years after launch, the Directorate General of Immigration reported 1,274 Golden Visas issued (top holders: US, China, Taiwan) drawing ~Rp 52.1 trillion (~US$3bn) in investment, signaling the program is now the centerpiece of Indonesia's long-term residency strategy.

Poland's lower house fast-tracked and passed a revised Crypto-Assets Market Act by 241 votes to 200, designating KNF as the national competent authority and aligning with MiCA's CASP licensing regime. The bill heads to the Senate and then to a president who has twice vetoed near-identical legislation, with the EU's July 1, 2026 MiCA transitional deadline looming.

Amendments to Mexico's Federal Labor Law and Federal Copyright Law take legal effect, banning AI-generated dubbing of foreign films into Spanish and requiring artist consent for AI exploitation of performers' voice and image. This marks Mexico's first enacted statutory law directly restricting AI applications.

The ICT Cabinet Secretary required major social media platforms including X to establish local offices, with the Communications Authority empowered to suspend non-compliant platforms, as part of a child-protection and content-moderation push.

BAKE, the Law Society of Kenya, Article 19 and the journalists' union petitioned the Supreme Court to strike surveillance provisions of the Computer Misuse and Cybercrimes Act as violating privacy (Art. 31) and expression (Art. 33).

The newly created CNC set mandatory requirements for public agencies running data centers or technological infrastructure—covering continuity of operations, disaster recovery and digital resilience. It is the first binding rule from the new national cyber authority, giving agencies a compliance window to harden systems.

The Thai Cabinet approved two draft instruments removing the Foreign Business Licence (FBL) requirement from nine categories of business under the Foreign Business Act, directly reducing a major bureaucratic barrier for foreign-led company formation in services and technology sectors.

The Law of 5 May 2026 on measures to ensure a high level of cybersecurity transposed EU Directive 2022/2555 (NIS2), expanding obligations (risk management, 24-hour incident reporting, management-body liability) from ~1,000 to an estimated 6,000–8,000 entities. ILR is the lead competent authority; fines reach €10M or 2% of worldwide turnover for essential entities.

The Council and Parliament reached a deal to simplify the AI Act and adjust its timeline; because the AI Act is EEA-relevant, this shapes the rules Liechtenstein will ultimately incorporate and apply.

Published in the Official Gazette, the rule formally regulates payment service providers that offer payment accounts through third parties, requiring identification of the sponsoring bank, prior authorization of partners, and tougher fit-and-proper and supervision standards. It is the most significant overhaul of the PSP licensing/registration regime since 2020.

The Act of 5 May 2026 (published in Journal officiel 6 May 2026, in force 10 May 2026) transposed EU Directive 2022/2555 (NIS2), repealing the 2019 NIS1 law. It imposes mandatory risk management, 24-/72-hour incident notification, and tiered supervision across 18 critical sectors; ILR is lead authority for most sectors, CSSF for financial infrastructure.

President António José Seguro signed amendments to Portugal's Nationality Law requiring most foreign nationals to hold 10 years of continuous legal residency before qualifying for citizenship (7 years for EU/CPLP nationals), up from the previous 5 years; the law also resets the residency clock to AIMA permit issuance date. The law awaits Official Gazette publication before entering into force and directly affects the long-term value proposition of the D7, D8, and Golden Visa pathways.

Law 32-23's third and final phase required small businesses, micro-firms, unclassified taxpayers, and remaining public entities to adopt the DGII's e-CF electronic invoicing system by May 15, 2026, completing the nationwide mandate. Every newly formed enterprise must now onboard the e-CF system as an operational prerequisite from day one.

A citizen petition exceeding 50,000 signatures forced South Korea's National Assembly to formally deliberate repealing the planned 22% crypto capital gains tax before its January 2027 start date; the main opposition party introduced a full-repeal bill, leaving the policy's fate unresolved as of May 2026.

New Information Privacy Principle 3A, introduced by the Privacy Amendment Act 2025, becomes enforceable: agencies that collect personal information indirectly (from third parties rather than the individual) must now inform affected individuals. This closes a transparency gap that existed since 1993.

Both amendment-and-validation acts take effect, introducing strict 'job-hopping' rules (new work-permit holders must stay with their sponsoring employer for two years or leave for one year), raising the residency requirement for Caymanian-status eligibility from 15 to 20 years, increasing dependent-sponsorship income thresholds, and lifting work-permit application fees from CI$100 to CI$500. The package is the most sweeping overhaul of the immigration framework in over a decade.

The Securities Commission Malaysia issued major revisions to its Guidelines on Recognized Markets, liberalising asset listings while tightening cold-storage (min. 90% offline), client-asset segregation and operator capital requirements. It finalised the enhancements proposed in the 2025 public consultation.

The Digital Transformation Strategy Task Force (under the National Coalition for Caymanians) opened public surveys running through 17 May 2026 to gather input for its national AI and digital-strategy recommendations. It marks the final public-engagement phase before policy advice is delivered to government.

BCB Resolution No. 561 bars authorized eFX providers from using stablecoins or other cryptoassets to settle overseas remittances (effective Oct 1, 2026), requiring FX transactions or non-resident real accounts instead. It closes the dominant USDT/USDC back-end rail for Brazilian cross-border flows over AML, tax and monetary-policy concerns.

The central bank ordered financial institutions and PSPs offering digital wallets to deploy mechanisms to detect suspicious or unusual user activity to mitigate fraud, strengthening consumer protection across virtual wallets. Entities were given a transition period to adapt their systems.

The Deputy Governor of the Central Bank of Armenia disclosed that a comprehensive new Law on Payment Services is in development, benchmarked against PSD2/PSD3 and targeting instant payments, open banking, and real-time settlement. It would replace the 2004 foundational law and overhaul the licensing taxonomy for payment organisations.

Luxembourg Parliament adopted Bill 8669 allowing SARL founders to defer actual payment of the €12,000 minimum share capital for up to 12 months after incorporation while still requiring full subscription at formation. This significantly lowers the day-one cash barrier for the country's most-used company form.

Minister Solly Malatsi withdrew the Draft National AI Policy just 17 days after gazette publication after journalists found at least six of its 67 academic citations were fabricated — the drafters had used a generative AI tool without verifying a single reference. The scandal triggered parliamentary censure and reset South Africa's formal AI policy process.

From this date, applications for temporary, permanent, and EU long-term residence permits must be submitted only through the electronic MOS portal (mos.cudzoziemcy.gov.pl); any paper or mailed application is legally invalid and will not be examined. This marks the completion of Poland's multi-year digitalization of its immigration administration.

After a public consultation on an initial 15-year threshold drew over 8,000 submissions, the Norwegian Government announced it will present a bill to Parliament setting the minimum social media age at 16 (aligning with Australia). Platforms will be responsible for age verification at login; exceptions apply for school-related and communication services.

The Dutch government published a draft Implementation Act establishing how the EU AI Act will be governed nationally, adopting a decentralised model with ten sectoral market surveillance authorities co-ordinated by the AP and the RDI. The consultation runs until 1 June 2026 and is the foundational step toward a binding national AI supervisory architecture.

A new route — widely labelled the 'Impatriate' programme — allows foreign professionals in science, industry, education, culture, and sport to obtain a 3-year temporary residence permit or direct permanent residency within 30 days, with no language test or immigration quota. The scheme explicitly targets an estimated 800,000-worker labour shortfall in manufacturing and is open to family members who may also work without a separate permit. Russia has no dedicated digital-nomad visa; this is the closest analogue for independent skilled workers.

Portugal published Law 12-A/2026 in the Diário da República, formally establishing the national framework for supervising and enforcing the EU Digital Services Act. ANACOM is confirmed as Digital Services Coordinator with power to impose fines up to 6% of global turnover; the media regulator ERC handles minor-protection and advertising provisions.

The Tweede Kamer passed the Cybersecurity Act (Cyberbeveiligingswet, Cbw), transposing the EU NIS2 Directive and replacing the 2018 Wbni; the bill was forwarded to the Senate (Eerste Kamer) targeting Q2 2026 entry into force. The law expands mandatory cybersecurity risk-management, incident-reporting, and board-training obligations to approximately 8,000 entities across 18 sectors.

The government approved the KI-Strategie der Liechtensteinischen Landesverwaltung, setting principles (responsible, human-centred, transparent, efficient) and action areas (people, organisation, governance, infrastructure) for public-sector AI use.

Signed 13 March 2026 and published in the Journal of Laws on 13 April 2026, the act amends the Central Business Register (CEIDG) and related statutes governing sole-trader registration procedures and administrative reporting obligations—the first significant CEIDG reform since the 2018 Business Constitution.

The Data Protection Authority published a 15-page citizen-facing brochure on AI's impact on privacy, the first in a new series explaining data rights when interacting with chatbots, apps and connected devices. It signals the DPA positioning itself as a key AI supervisor alongside GDPR enforcement.

The DCDT published a risk-based Draft National AI Policy in the Government Gazette (Notice 3880), establishing principles, governance priorities, and a phased road map toward binding legislation, with public submissions due 10 June 2026. Cabinet had approved the text on 25 March and 1 April 2026, but the document was subsequently withdrawn owing to fictitious citations.

Japan's cabinet approved FIEA amendments shifting crypto oversight from the Payment Services Act to the stricter securities-law framework, adding disclosure duties, insider-trading bans and tougher penalties for unregistered operators. It marks the biggest restructuring of crypto licensing since 2017, with effect targeted for fiscal 2027.

President Sheinbaum's initiative amending the Federal Labor Law and Federal Copyright Law cleared the Chamber of Deputies 335 to 129, prohibiting AI-generated dubbing and mandating performer consent for AI use of voice and likeness. Industry group AMITI warned the AI dubbing ban could complicate the 2026 USMCA review.

Japan's Cabinet approved and submitted to the Diet a bill that, for the first time in APPI history, would let the PPC impose direct administrative monetary penalties (surcharges) for serious violations. It marks the biggest structural change to enforcement since the law's 2003 enactment.

Newly disclosed forensic call logs reportedly tie Javier Milei to promoters of the failed $LIBRA token around its launch, deepening the federal fraud investigation ("Cryptogate"). It is the largest political-crypto scandal in Argentine history.

Acting Head of State Hun Sen signed the Royal Decree promulgating Cambodia's first dedicated anti-cybercrime statute, which takes immediate effect and imposes sentences of 2–30 years (life imprisonment where victims die) on scammers, gang leaders, and financiers of technology-based fraud including pig-butchering, crypto scams, and forced-labour compounds. Cambodia had previously lacked any legislation specifically targeting cybercrime.

Poland's amended Act on the National Cybersecurity System became fully operative, expanding mandatory cybersecurity obligations to an estimated 42,000 entities across 18 sectors and introducing a High-Risk Vendor (HRV) mechanism allowing the Minister of Digital Affairs to ban ICT suppliers deemed threats to national security—extended beyond telecoms to all NIS2-covered sectors.

Taiwan's Cabinet approved the FSC-drafted Virtual Asset Services Act and transmitted it to the Legislative Yuan for deliberation — the country's first dedicated crypto statute, covering VASP licensing, capital requirements, asset segregation, stablecoin issuance approval, and criminal penalties of up to seven years for unlicensed stablecoin issuers.

A joint ICP/GDRFA circular issued in January 2026 came fully into force in April 2026, raising the minimum monthly income for the Virtual Work Residence Permit from USD 3,500 to USD 5,000, extending the bank-statement proof period from three to six consecutive months, and increasing mandatory health-insurance cover from AED 150,000 to AED 500,000. The changes signal a deliberate shift to attract higher-earning remote workers.

Designated app distribution services — Apple App Store, Google Play Store, Huawei App Gallery, Microsoft Store and Samsung Galaxy Store — must implement age assurance measures that prevent users under 18 from accessing and downloading age-inappropriate apps. This is the most concrete age-verification requirement yet in Singapore's online safety architecture.

From 1 April 2026, every VAT-registered company in Poland—regardless of size—must issue invoices through the National e-Invoice System (KSeF), adding a mandatory digital-invoicing step to business set-up and day-one operations for all new entrants.

Luxembourg's data protection authority published a reflection on a decade of the GDPR, reaffirming its role enforcing the regulation and supporting compliance. It signals continuity of the GDPR-based framework as the country's core privacy regime.

Ahead of the law's entry into force, ILR launched the single self-registration portal for essential and important entities, with on-site inspections planned from January 2027. It operationalizes Luxembourg's NIS2 supervision framework.

The Office of the Director of Public Prosecutions filed a Supreme Court appeal seeking to reinstate Sections 22 and 23 of the Computer Misuse and Cybercrimes Act, keeping the scope of criminalised online 'false information' legally unsettled.

The Polish Council of Ministers formally adopted the draft Ustawa o systemach sztucznej inteligencji (Act on Artificial Intelligence Systems), submitting it to the Sejm for enactment. The bill designates a newly created, single-authority regulator — the Commission for the Development and Safety of Artificial Intelligence (KRiBSI) — as Poland's sole national market-surveillance authority under the EU AI Act, making Poland one of only two EU states (alongside Lithuania) to centralise oversight in a brand-new institution.

Poland's government approved a bill to create a dedicated national AI supervisory authority and transpose the EU AI Act into domestic law, forwarding it to Parliament for enactment. Poland is one of the first EU states to propose a single, purpose-built institution for AI oversight rather than assigning the role to an existing body.

Spain published the implementing regulation for the e-invoicing obligation embedded in the Ley Crea y Crece (Law 18/2022), requiring structured electronic invoices for all B2B transactions. Large companies (turnover > €8M) must comply within one year of the forthcoming ministerial order; all remaining businesses within two years, with penalties up to €10,000 per infraction.

The Sénat adopted a modified version of the proposition de loi to protect minors from social-media risks, sending it back to the National Assembly for a second reading; if enacted it would impose a hard age floor with mandatory age verification. It marks France's move from platform self-regulation toward a statutory under-15 ban.

Indonesia began enforcing GR 17/2025's tiered age limits, barring under-16s from high-risk digital platforms and requiring age verification and parental consent; regulators noted few platforms were fully compliant at the start. It marks Indonesia's first hard rollout of child-specific online access controls.

Germany's Digital Services Coordinator at the Bundesnetzagentur publicly welcomed the European Commission's new Digital Services Act proceedings against Snapchat and major pornographic platforms over minor protection and age verification, signalling intensified online-safety enforcement.

After substantive committee amendments, the cyber security bill (which enacts the Critical Cyber Systems Protection Act and amends the Telecommunications Act) cleared Third Reading in the House and proceeded to the Senate, the final step before Canada's first mandatory critical-infrastructure cyber regime becomes law.

Spain's Consejo Económico y Social (CES) approved Opinion 03/2026 endorsing the Anteproyecto de Ley para el Buen Uso y la Gobernanza de la IA, clearing a mandatory consultative hurdle before the bill returns to Cabinet for final approval and submission to the Cortes Generales.

The Operational and Analytical Centre (OAC) restricted access to Belarus-hosted websites from abroad for roughly 48 hours (20:00 March 24 – 08:00 March 26), citing a detected threat of destructive cyberspace actions; the blackout coincided with the opposition Day of Will commemoration. This was the first publicly confirmed use of OAC's 2021 network-suspension authority at infrastructure scale.

The HKSAR government gazetted amended Article 43 implementation rules authorizing authorities to require domestic and international internet service providers to remove identifying data and restrict services, alongside new powers to compel device passwords. It significantly broadens state control over online content removal.

The White House transmitted legislative recommendations to Congress proposing a uniform federal AI framework covering child safety, community protections, and innovation promotion, explicitly aimed at displacing the growing patchwork of state AI laws. Represents the first formal White House attempt to establish a statutory federal AI governance structure.

Russia's first omnibus AI bill — 'On the Fundamentals of State Regulation of the Application of Artificial Intelligence Technologies' — was released for public consultation, introducing statutory AI definitions, a sovereign/national/trusted model classification requiring FSB and FSTEC security certification, and operator obligations to test systems for legal violations. If adopted as written, it enters into force September 1, 2027.

Germany's first cross-sectoral law for the physical and organizational resilience of critical facilities, transposing the EU CER Directive (2022/2557); operators must adopt resilience plans, report incidents to BBK and BSI, and register by 17 July 2026. It complements the cyber-focused NIS2 regime with all-hazards (sabotage, natural disaster, terrorism) protection.

Law No. 15.211/2025 took effect six months after publication, obliging platforms, app stores and games accessed by minors to adopt secure age verification, default privacy settings, parental controls and content restrictions, with fines up to 10% of Brazilian revenue. It marks the operational start of Brazil's dedicated online child-protection regime.

Luxembourg's Administrative Court overturned the record €746 million fine, finding the CNPD had not analysed Amazon's intent/negligence nor whether a fine was proportionate, while upholding that Amazon's 'legitimate interests' basis and information practices breached the GDPR. The case was sent back to the regulator for reassessment.

South Korea promulgated the most consequential rewrite of PIPA since 2023, raising the maximum administrative fine ceiling to 10% of total turnover and introducing statutory personal liability for CEOs who fail to supervise data-protection compliance; board-level approval is now required for Chief Privacy Officer appointments. The law takes effect 11 September 2026.

The Saudi Cabinet officially designated 2026 as the 'Year of Artificial Intelligence,' with SDAIA issuing a national coordination framework on 26 March to align government, private, and non-profit entities across six pillars: ambition, competencies, policies, investment, innovation, and ecosystem. The declaration coincides with Saudi Arabia ranking 14th in the 2025 Global AI Index and hosting the fourth GAIN Summit.

The National Assembly passed a major PIPA overhaul on 12 February 2026, promulgated 10 March 2026 (effective September 2026; mandatory ISMS-P from 1 July 2027). Key changes include an aggravated administrative penalty of up to 10% of total annual turnover for serious or repeated violations, express CEO accountability, strengthened Chief Privacy Officer authority, and mandatory ISMS-P certification for data controllers meeting prescribed size/data-volume thresholds—converting a previously voluntary standard into a statutory obligation.

The CBN (circular BSD/DIR/PUB/LAB/019/002) mandated all deposit money banks and fintechs to deploy AI-powered automated anti-money laundering systems, with 18-month deadlines for DMBs and 24 months for other financial institutions. Institutions must submit implementation roadmaps within 90 days and face sanctions for non-compliance, aligning Nigeria with FATF recommendations.

Officials confirmed Cayman aims to bring forward a draft legislative framework for AI by Q2 2027, informed by the Digital Transformation Task Force's recommendations. It is the clearest signal yet that Cayman intends bespoke AI law rather than relying solely on existing statutes.

SAMA published revised oversight rules for payment system operators, aligning supervisory protocols with the 2022 Law of Payments and Payment Services. The update strengthens SAMA's monitoring powers over systemically important payment infrastructure and licensed fintechs.

In the BAKE appeal, the Court of Appeal declared the 'false publications' offences (Sections 22 and 23) unconstitutional as vague and a threat to legitimate online speech, a landmark win for digital rights.

In BAKE v Attorney General [2026] KECA 430, the Court of Appeal declared the provisions criminalising 'false' and 'misleading' publication unconstitutional for vagueness, narrowing the Act's reach over online speech.

The HKMA, SFC, Insurance Authority and MPFA jointly expanded the generative-AI sandbox to banking, securities, insurance, asset management and MPF, offering supervisory guidance and GPU compute for risk-controlled AI piloting. It signals a coordinated, cross-sector 'innovate-and-supervise' posture for finance.

Cuba published Decree-Law 114/2025 in Gaceta Oficial No. 24, creating the first legal framework in decades for joint ventures between state enterprises and private MSMEs — via mixed LLCs, equity stakes, or association contracts. The decree entered into force April 2, 2026, but requires Ministry of Economy approval for every deal and bars partnerships in health, education, and defense.

At Committee of Supply 2026, MOM announced a new ONE Pass (AI & Tech) sub-track to supersede Tech.Pass from January 2027, adding an equity-compensation pathway for founders, and confirmed the Employment Pass qualifying salary will rise to S$6,000/month (S$6,600 in financial services) for new applications from 1 January 2027.

Switzerland and the EU formally signed the comprehensive Bilateral III package, including an updated Agreement on the Free Movement of Persons that preserves EU/EFTA citizens' residency rights while adding a new safeguard clause Switzerland may invoke if net immigration exceeds defined thresholds. This is the first structural update to the free-movement framework — the backbone of EU/EFTA digital-nomad and remote-worker residency — since 2002.

The Governor appointed Gretchen Tucker, effective 2 March 2026, as Bermuda's second Privacy Commissioner and the first Bermudian and first woman to hold the post, succeeding founding commissioner Alexander White. Signals continuity of PIPA enforcement under new leadership.

Vietnam's dedicated AI Law became operative on 1 March 2026, making Vietnam the first country in Southeast Asia with a comprehensive AI law in effect. Existing AI system operators in most sectors were granted a 12-month compliance grace period (to 1 March 2027); health, education, and finance systems have until 1 September 2027.

Albania's government circulated a draft law on crypto-asset markets fully modelled on the EU's MiCA Regulation, extending supervisory jurisdiction jointly to the Financial Supervisory Authority (AMF) and the Bank of Albania and adding white-paper disclosure, authorisation of crypto-service providers, and market-manipulation prohibitions. The law is designed to replace Law 66/2020, which predated MiCA.

Ofcom imposed a £520,000 penalty on 4chan for failing to implement robust age checks required by the Online Safety Act 2023, part of a broader enforcement wave in which Ofcom also fined AVS Group £1.05m and 8579 LLC £1.35m. By end of January 2026, 77 of the top 100 pornography sites had age assurance in place.

Albania introduced a new draft law on crypto-assets modelled closely on the EU's Markets in Crypto-Assets Regulation (MiCA), requiring AFSA and Bank of Albania co-supervision, white-paper disclosure obligations, and categorisation of asset-referenced and e-money tokens. The move signals Albania's intent to harmonise with EU financial standards ahead of potential accession.

Following Project Hangang's initial pilot, the Bank of Korea added two more commercial banks to bring real-world CBDC testing partners to nine, signalling a transition from limited-user trials toward broader retail digital won infrastructure deployment.

The Ministry of Justice widened the Top-Tier Visa (F-2 residency for elite talent) to include professors and researchers at science and technology institutions, adding them to the existing category of corporate employees in eight strategic industries. The move deepens South Korea's demographic-crisis response by broadening direct-residency pathways for globally mobile knowledge workers.

SDAIA's quasi-judicial enforcement committees began issuing binding decisions including warnings, fines up to SAR 5 million, and remediation orders against non-compliant organisations. Signals the definitive end of the post-enactment tolerance period.

Government Decree No. 1667 (signed 27 Oct 2025) entered into force, transitioning RuNet isolation from a standby 'readiness' posture to a permanently active instrument valid through 2032. Roskomnadzor, the FSB, and the Ministry of Digital Development gained real-time authority to reroute or sever Russia's internet from the global web during cyberattacks, critical infrastructure failures, or undefined 'specific threats.'

Roskomnadzor, jointly with the FSB and Ministry of Digital Development, gained binding legal authority to reroute all internet traffic in real time and switch RuNet into isolation mode under Decree No. 1667, which remains in force until 2032. The decree operationalizes the most sweeping powers of the 2019 Sovereign Internet Law, including DPI-based traffic rerouting and binding orders to all ISPs and internet-exchange owners.

The Treasury, with CBK and CMA, issued draft Virtual Asset Service Providers Regulations (with a Regulatory Impact Statement) to operationalize the 2025 Act and align Kenya with FATF Recommendation 15; licensing of VASPs cannot begin until these implementing rules are finalized.

Minimum Annual Remuneration rises for every permit category (General Employment Permit €34,000→€36,605; Critical Skills €38,000→€40,904), the first step in a phased roadmap raising the bar for skilled-worker residency through 2030.

CERT-FR's annual threat report logged 1,366 confirmed incidents and 128 ransomware attacks in 2025 (down from 141 in 2024) while flagging a sharp rise in data-exfiltration cases, shaping ANSSI's defensive priorities.

Coordinated 2026 amendment bills clarified that issuance/transfer of tokenised equity or investment interests by regulated funds does not constitute a 'virtual asset' issuance under the VASP Act, removing dual-licensing uncertainty for tokenised funds. Matters because it lets fund managers tokenise interests without separate VASP authorisation.