A roundup of the most significant compliance developments from the final week of August 2025

Bottom Line Up Front

The final week of August 2025 has delivered several pivotal compliance developments that will reshape regulatory landscapes globally. The EU AI Actโ€™s General-Purpose AI obligations took effect August 2nd, marking a watershed moment for AI regulation. Meanwhile, major SEC enforcement actions continue under the new administration, and cross-border procurement restrictions signal increasing trade compliance complexities. Organizations must act swiftly to address these evolving requirements.

Global Privacy & Compliance Explorer

EU AI Act: General-Purpose AI Regulations Now in Force

The Game Changer

August 2, 2025 marked a critical deadline under the EU AI Act as obligations for providers of general-purpose AI (GPAI) models officially entered into force. This represents the most significant AI regulatory milestone to date for global technology companies.

The EU AI Act: Comprehensive Regulation for a Safer, Transparent, and Trustworthy AI Ecosystem

What Changed

The European Commission and EU AI Office released final Guidelines for providers of general-purpose AI models and completed a General-Purpose AI Code of Practice, with the Commission confirming the Codeโ€™s formal approval on August 1st. These frameworks provide:

  • Interpretative guidance for understanding GPAI model provider obligations- Specific compliance measures companies can implement to demonstrate regulatory adherence- Clear regulatory pathways for AI deployment in EU markets

Navigating the EU AI Act: A Comprehensive Guide for Deployers of High-Risk AI Systems

Business Impact

Organizations deploying AI models in EU markets must now ensure compliance with these new frameworks or risk significant penalties. The regulations particularly affect companies with AI models that have widespread applications across multiple use cases.

GeneratePolicy.com - AI Security Policy Generator

EU-China Trade Compliance: Medical Device Procurement Restrictions

Historic Enforcement Action

For the first time, the European Commission completed an investigation under the International Procurement Instrument (IPI) and implemented measures to limit the participation of economic operators from non-EU countries โ€“ specifically China โ€“ in the EU public procurement market.

DeviceRisk.health - HIPAA Risk Assessment

The New Rules

The EU responded with Implementing Regulation (EU) 2025/1197 that requires contracting authorities/entities in all EU member states to exclude Chinese suppliers โ€“ and to a certain extent products manufactured in China โ€“ from larger public procurement contracts for medical devices.

Digital Wealth Shield

Strategic Implications

This action signals:

  • Escalating trade tensions between EU and China- Supply chain diversification requirements for EU healthcare organizations- New due diligence obligations for procurement teams- Potential reciprocal actions from other jurisdictions

HIPAA Security Assessment Tool | Healthcare Cybersecurity Self-Assessment

Enforcement Strategy Shift

Under Chairman Atkins, the SEC filed 31 enforcement actions in Q2 2025, with a strong fraud focus and continued scrutiny of advisers and broker-dealers. The new administration has implemented several key changes:

AI Security Risk Assessment Tool

Notable Developments

  • Crypto-friendly approach: The SEC announced the formation of the Crypto Task Force on January 21, 2025, led by Commissioner Hester Pierce, dedicated to developing a comprehensive regulatory framework for crypto assets- Case dismissals: Several enforcement actions from the previous administration were dismissed as part of regulatory reform efforts- Focus refinement: Every case filed in district court alleged fraud, suggesting the SEC has refocused its limited enforcement resources on fraud cases involving more egregious conduct

Key Enforcement Areas

  1. Investment adviser compliance - Fee disclosures and conflict of interest violations2. Broker-dealer SAR filing failures - Continued emphasis on suspicious activity reporting3. Fraud-focused actions - Moving away from technical violations toward serious misconduct

EU Compliance Mapping Tool | Map Cybersecurity Standards Across Frameworks

Cybersecurity Compliance Intensifies

Regulatory Acceleration

The compliance landscape in 2025 is marked by aggressive regulatory momentum and cross-border enforcement alignments, with expanded reporting windows and stricter definitions of โ€œmaterial breachโ€.

Healthcare Under Siege

Cyberattacks on the healthcare sector surged 86% globally in 2024, with patient data exposure and ransomware incidents driving the majority of compliance violations. New 2025 regulations demand:

  • Airtight data governance protocols- Zero-trust security frameworks- Proactive breach response capabilities- Real-time incident reporting

Cross-Sector Impact

The SEC now requires publicly traded companies to report cyber incidents within four business days, while HHS has refined its HIPAA enforcement playbook to include explicit criteria for ransomware breach thresholds.

PII Compliance Navigator | U.S. State Privacy Law Sensitive Data Categories

UK Education Compliance Overhaul

New BCA Requirements

Starting in September 2025, UK universities and colleges will face significantly higher compliance standards under the updated UK BCA rules 2025.

Stricter Thresholds

The revised requirements include:

  • Visa refusal rate: Must maintain below 5% (previously 10%)- Enrollment rate: Minimum 95% of issued CAS must result in actual enrollment- Course completion rate: At least 90% completion required (up from 85%)

Enforcement Mechanisms

The white paper calls for a public-facing Red-Amber-Green (RAG) banding system to clearly indicate each sponsorโ€™s compliance status and boost transparency.

US State Breach Notification Requirements Tracker

Internet Governance Complexity

Via the Internet, companies can publish information, offer contracts, deliver virtual items, and send payments to any country in the world, raising questions about what law governs transactions and activities involving businesses in multiple jurisdictions.

Practical Implications

Organizations operating globally must navigate:

  • Multi-jurisdictional compliance obligations- Conflicting regulatory requirements- Data localization mandates- Cross-border enforcement coordination

AI RMF to ISO 42001 Crosswalk Tool

Looking Ahead: Compliance Priorities for September 2025

Immediate Action Items

  1. AI Compliance Audit - Review AI deployments against new EU requirements2. Supply Chain Assessment - Evaluate medical device procurement processes for EU operations3. Cybersecurity Framework Review - Ensure incident response capabilities meet new timelines4. Cross-Border Operations Analysis - Map jurisdictional compliance obligations

Strategic Considerations

  • Technology integration with compliance monitoring systems- Enhanced due diligence for international business relationships- Regulatory change management processes- Cross-functional compliance team development

CMMC & NIST 800-171 Compliance Assessment Tool

Key Takeaway

The convergence of AI regulation, trade restrictions, cybersecurity mandates, and enforcement evolution creates an unprecedented compliance complexity that demands proactive, technology-enabled approaches. Organizations that adapt quickly to these regulatory shifts will gain competitive advantages, while those that lag risk significant penalties and operational disruptions.

For ongoing compliance updates and analysis, subscribe to our weekly compliance intelligence briefings.

GDPR & ISO 27001 Compliance Assessment Tool

This analysis is based on developments through August 23, 2025, and reflects publicly available regulatory information. Organizations should consult with qualified legal counsel for specific compliance guidance.

Zero Trust Maturity Evaluator | Free Assessment Tool for CISOs