Software Development Compliance Checklist (May 2026 Edition)

1. EU AI Act Compliance IN FORCE / NEGOTIATION

📌 Current status (May 19, 2026): The EU Digital Omnibus on AI reached provisional political agreement on May 7, 2026. If formally adopted before Aug 2, 2026, high-risk obligations under Annex III shift to Dec 2, 2027. Until adoption is confirmed, the original Aug 2, 2026 deadline remains binding. Plan for the original deadline. The Omnibus also adds a new prohibition on AI-generated non-consensual sexual or intimate content, reduces the synthetic content labelling grace period from 6 to 3 months (new deadline Dec 2, 2026), and softens AI literacy obligations from mandatory to encouraged.

📅 EU AI Act Implementation Timeline

Aug 1, 2024 ✅AI Act entered into force

Feb 2, 2025 ✅Prohibited AI practices banned; AI literacy obligations active

Aug 2, 2025 ✅GPAI governance rules and obligations active

Nov 19, 2025 ✅European Commission published Digital Omnibus proposal

May 7, 2026 ✅Political agreement on Digital Omnibus (pending formal adoption)

Aug 2, 2026High-risk AI systems (Annex III) deadline (binding unless Omnibus adopted in time)

Dec 2, 2026Transparency obligations for AI-generated content (proposed)

Aug 2, 2027AI regulatory sandboxes operational at national level

Dec 2, 2027Annex III high-risk deadline IF Omnibus adopted

Aug 2, 2028Embedded AI in Annex I regulated products compliance deadline

System Identification and Risk Classification

Is the software an AI system as per the EU AI Act? Yes No

Assign a risk category:

If high-risk, does the system fall under Annex III sectors?
Biometrics Employment Education Public services Law enforcement Migration / border Justice

Operator role under the Act:

Prohibited Practices Screening (Banned Feb 2, 2025)

⚠️ These practices are ILLEGAL in the EU. If any apply, cease operations. The Digital Omnibus adds a new prohibition on AI-generated non-consensual sexual or intimate content ("nudification" apps).

Does the AI system do any of the following?
Manipulate human behavior through subliminal techniques
Exploit vulnerabilities (age, disability, socioeconomic)
Untargeted scraping for facial recognition databases
Real-time biometric surveillance in public spaces (without exemption)
Social scoring of individuals
Emotion recognition in workplace or education (without consent or safety exemption)
Predictive policing based solely on profiling
Generate non-consensual sexual or intimate content (added by 2026 Omnibus)

If any above are checked, STOP. This system is prohibited. Fines up to €35M or 7% of global turnover.

AI Literacy Requirements (Active Feb 2, 2025)

The Digital Omnibus would soften AI literacy from a hard requirement to "encouragement". Until formal adoption, treat as mandatory.

Staff involved in AI development or deployment have completed AI literacy training

Training records documented and maintained

Refresh cadence defined (annual at minimum)

High-Risk AI Systems: Core Requirements

AI inventory complete (all deployed systems, providers, versions, data sources)

Annex III classification documented per system with justification

Risk management process documented and implemented (Art. 9)

Datasets are relevant, representative, and screened for bias (Art. 10)

Technical documentation per Annex IV (purpose, architecture, data, metrics, versioning)

Logging and traceability implemented and secure (Art. 12)

Clear user instructions and explanations of system decisions (Art. 13)

Human oversight (override or intervention) is possible and documented (Art. 14)

Accuracy, robustness, and cybersecurity validated (Art. 15)

Post-market monitoring system in place (Art. 72) with incident reporting and corrective measures

General-Purpose AI (GPAI) Model Compliance (Active Aug 2, 2025)

📋 GPAI Code of Practice published July 2025 provides voluntary compliance guidance for transparency, copyright, and safety.

GPAI provider identified and documented

Technical documentation prepared and maintained

Public summary of training data prepared using the EU template

Copyright compliance policy in place for training data

Output transparency in place (content labelling for synthetic media)

If systemic risk (greater than 10^25 FLOP): adversarial testing, incident reporting, cybersecurity measures

User-Facing Disclosures

Users clearly informed they are interacting with AI

Synthetic media and content (deepfakes) is labelled (Dec 2, 2026 deadline)

Use of emotion recognition, biometric categorization, or profiling disclosed

CE Marking and Conformity

CE marking applied and conformity assessment completed

System registered in the EU database

If required: Notified Body assessment completed

Non-EU providers: authorized EU representative designated

2. US State and Federal AI Laws IN FORCE / IN FLUX

🇺🇸 Current state of US AI regulation (May 19, 2026): Congress has not preempted state AI laws. Texas TRAIGA is in force. California's frontier AI law is in force. The Colorado AI Act's June 30, 2026 effective date is on hold under a federal court stay, and SB 26-189 (a narrower replacement) passed both chambers in May 2026. Executive Order 14365 directs federal challenges to state AI laws but does not itself preempt them. Compliance with applicable state laws is still required.

Federal AI Policy: Executive Order 14365

EO 14365 Timeline

Dec 11, 2025 ✅EO 14365 signed: "Ensuring a National Policy Framework for AI"

Jan 9, 2026 ✅DOJ AI Litigation Task Force formally established

Mar 11, 2026Commerce evaluation of state AI laws (deadline, status unconfirmed)

Mar 20, 2026 ✅National Policy Framework for AI published

OngoingFTC policy statement on AI bias mitigation as deceptive practice (directed by EO)

Federal AI policy developments monitored (DOJ Task Force actions, FTC policy statements, Commerce evaluations)

If receiving BEAD broadband funding: state AI law compliance status assessed

Child safety AI obligations honored (preserved carve-out under EO)

Jurisdiction Assessment

Which US state AI laws may apply? Select all that apply.
Colorado AI Act SB 24-205 (enforcement stayed April 2026, replacement pending)
Colorado SB 26-189 (replacement framework, passed chambers May 2026)
California SB 53 Frontier AI Act (effective Jan 1, 2026)
California CPPA ADMT Regulations (risk assessment Jan 1, 2026; consumer rights Jan 1, 2027)
Texas TRAIGA HB 149 (effective Jan 1, 2026)
Illinois HB 3773 AI in Employment (effective Jan 1, 2026)
Utah AI Policy Act (extended to July 2027)
NYC Local Law 144 (automated employment decisions, in force)
New York Frontier AI Transparency Law (effective Jan 1, 2027)

Colorado AI Act ENFORCEMENT STAYED

Status: On April 27, 2026, the U.S. District Court for the District of Colorado stayed enforcement of the Colorado AI Act pending resolution of a constitutional challenge (xAI v. Colorado; DOJ intervened). The Colorado AG has indicated it does not intend to enforce the law on the June 30, 2026 effective date. Senate Bill 26-189, a narrower replacement framework, passed the Colorado Senate (May 7) and House (May 9) and is on the Governor's desk. Companies should monitor whether the original law or the replacement governs going forward.

Does your AI system make "consequential decisions" in these areas?
Employment Education Financial / lending Housing Healthcare Insurance Essential government services

Monitoring Colorado legislative and regulatory developments (SB 26-189 status, AG rulemaking)

Impact assessment template prepared in case original CAIA takes effect

Consumer disclosure process prepared when AI is a substantial factor in decisions

Texas TRAIGA IN FORCE JAN 1, 2026

TRAIGA uses an intent-based liability framework. Disparate impact alone is not sufficient. NIST AI RMF compliance is an affirmative defense. Texas AG has exclusive enforcement authority; no private right of action. 60-day cure period for many violations. Penalties: $10,000 to $200,000 per violation; $2,000 to $40,000 per day for continued violations.

Does TRAIGA's jurisdictional trigger apply?
Conduct business in Texas Produce a product or service used by Texas residents Develop or deploy an AI system in Texas

Does the system fall under any TRAIGA prohibited categories (intent-based)?
Manipulate behavior to encourage self-harm, harm to others, or criminal activity
Intentional unlawful discrimination against protected classes
Produce or distribute child sexual abuse material or unlawful deepfakes
Infringe constitutional rights

NIST AI RMF (including Generative AI Profile) substantially adopted and documented (safe harbor)

Internal adversarial testing and red-team exercises documented

If healthcare: AI use disclosed to patients per SB 1188 (effective Sept 1, 2025)

If government-facing: clear AI interaction disclosure at or before point of interaction

California SB 53 Frontier AI Act IN FORCE JAN 1, 2026

If large frontier AI developer: public AI framework published outlining standards adoption

National and international AI standards integration documented

California ADMT Compliance (CPPA Regulations)

California ADMT Timeline

Jan 1, 2026 ✅Risk assessment requirements active

Jan 1, 2027ADMT consumer rights (opt-out, access) take effect

Dec 31, 2027Initial risk assessments due for existing processing

Apr 1, 2028Risk assessment attestation due to CPPA

Does your system use ADMT for "significant decisions"?
(Significant = decisions affecting employment, housing, education, lending, healthcare, insurance)
Yes No

Pre-use notice prepared for consumers

Consumer opt-out mechanism planned for Jan 1, 2027

Process for consumers to access information about ADMT decisions

Risk assessment conducted and documented (active now)

Illinois AI in Employment HB 3773 IN FORCE JAN 1, 2026

Notice provided to applicants and employees when AI used in employment decisions

AI system does not use zip codes as proxies for protected classes

AI system validated to not discriminate based on protected characteristics

AI Chatbot and Companion Disclosure

Multiple states require disclosure when consumers interact with AI chatbots, with additional safety duties for "companion chatbots". The federal EO carves out child safety, preserving state authority here.

AI chatbot interactions clearly disclose non-human nature

If "companion chatbot": self-harm detection and crisis resources implemented

Minor user protections in place where applicable

3. Regulatory and Legal Compliance

Identify Applicable Regulations

Where is your primary user base located?
United States EU / EEA United Kingdom Other / Global

Do you collect or process personal data?
Yes No

Which industries or groups apply? Select all that apply.
Healthcare Finance Children (under 13) Education None of the above

Data Privacy

Are you collecting sensitive data?
Health Financial Children Biometric Genetic

Do you have a privacy policy?
Yes No

Consent Mechanisms

Do you use consent banners or opt-in forms?
Yes No

Accessibility Standards (WCAG)

The EU Accessibility Act (EAA) became fully applicable on June 28, 2025. Affects digital products and services placed on the EU market. WCAG 2.2 AA is the current de facto baseline for new builds.

Which WCAG level are you targeting?

Have you run an accessibility audit?
Yes No

If EU market: EU Accessibility Act applicability assessed

4. Privacy Law Updates (2025-2026) CURRENT

COPPA Amendments (Effective June 23, 2025; Compliance April 22, 2026)

📋 COPPA 2025: The FTC finalized the first major amendments to COPPA since 2013. The compliance deadline of April 22, 2026 has passed. Confirm full implementation.

Separate opt-in consent obtained for targeted advertising to children

Biometric identifiers treated as personal information

Government-issued identifiers treated as personal information

Data retention policy documented and published (no indefinite retention)

Written information security program in place

Parental review and deletion processes operational

HIPAA Security Rule Update (Final Rule Pending)

⚠️ Status (May 19, 2026): The OCR Spring 2025 Unified Agenda targeted a May 2026 final rule. As of mid-May 2026, the final rule has not been published. When it is, organizations will have 240 days (180 days for covered entities plus 60 additional for BAA updates). Begin implementation work now since the eight-month window will be tight.

Multi-factor authentication implemented for all ePHI access

Encryption applied to ePHI at rest and in transit

Vulnerability scanning every 6 months, penetration testing annually

Network segmentation implemented to limit lateral movement

Systems can be restored within 72 hours of incident

Technology asset inventory and network map maintained

Access termination workflow within one hour of role change or termination

Business Associate Agreement update plan in place for post-final-rule update window

HIPAA Privacy Rule (Reproductive Health Care) and Part 2

On June 18, 2025, the U.S. District Court for the Northern District of Texas vacated most of the HIPAA Privacy Rule to Support Reproductive Health Care Privacy. The remaining Notice of Privacy Practices modifications stayed in effect with a Feb 16, 2026 compliance deadline (now passed). Part 2 (substance use disorder) alignment with HIPAA also required compliance by Feb 16, 2026.

Notice of Privacy Practices modifications implemented (Feb 16, 2026 deadline passed)

Part 2 alignment with HIPAA complete (single consent, breach notification, penalties)

CCPA / CPRA Cybersecurity Audits (Effective Jan 1, 2026)

Does your processing present "significant risk" to California consumers?
(Applies if greater than 50% revenue from selling or sharing personal info, OR greater than $25M revenue plus 250K+ consumers, OR 50K+ sensitive PI records)
Yes No

Annual independent cybersecurity audit planned or conducted

Risk assessments conducted for high-risk processing activities

EU Digital Omnibus (GDPR, DORA, NIS 2, Data Act)

📋 Status: Beyond the AI Omnibus, the broader EU Digital Omnibus Package (proposed Nov 2025) consolidates and simplifies GDPR, DORA, NIS 2, and the Data Act, including a single incident reporting point and aligned breach notification thresholds. Still in ordinary legislative process; track for adoption.

Breach notification within 72 hours (current GDPR; Omnibus proposes alignment changes)

Data Protection Impact Assessments conducted for high-risk processing

Consent is freely given, specific, informed, and unambiguous

Digital Omnibus legislative status monitored for adoption

FERPA and Student Privacy

Online and cyber school students covered under FERPA protections

EdTech vendor agreements include data protection provisions

Cybersecurity measures in place for student records

If AI is used in EdTech: state-specific AI in education requirements assessed

Texas Genomic Privacy Act and State-Specific Privacy Laws

As of February 2026, the Texas Genomic Act applies; "foreign adversaries" list includes China, Cuba, Iran, North Korea, Russia, Venezuela. New comprehensive state privacy laws continue to take effect in 2026 (e.g., Iowa, Tennessee, Minnesota). Verify your jurisdiction-by-jurisdiction obligations.

State-by-state privacy law applicability mapped and tracked

If genetic data: Texas Genomic Act compliance assessed

5. Security Compliance OWASP 2025

🔒 OWASP Top 10:2025 released November 2025. Key additions include "Software Supply Chain Failures" (A03) and "Mishandling of Exceptional Conditions" (A10).

Secure Development Lifecycle (SDLC)

OWASP Top 10:2025 or equivalent SDLC guidelines adopted

Security reviews at each development phase

Threat modeling conducted during design phase

Secure defaults applied (least privilege, deny by default)

OWASP Top 10:2025 Coverage

A01 Broken Access Control: tested and verified

A02 Security Misconfiguration: hardening applied

A03 Software Supply Chain Failures: dependencies vetted, SBOM maintained

A04 Vulnerable Components: dependency scanning in CI/CD

A05 Cryptographic Failures: strong encryption, no weak algorithms

A06 Insecure Design: secure design principles followed

A07 Authentication Failures: strong auth, MFA where appropriate

A08 Software / Data Integrity Failures: integrity verification in place

A09 Security Logging and Alerting: comprehensive logging implemented

A10 Mishandling of Exceptional Conditions: error handling secure

Supply Chain Security (OWASP A03:2025)

Software Bill of Materials (SBOM) generated and maintained

Build artifacts signed

Third-party dependencies reviewed before adoption

CI/CD pipeline security hardened

Build provenance attestation (e.g., SLSA) implemented

Authentication and Authorization

Multi-factor authentication implemented

Role-based access control enforced

Session management hardened (timeouts, rotation, secure cookies)

Data Encryption

Data in transit protected (TLS 1.3 / HTTPS)

Sensitive data at rest encrypted (AES-256 or equivalent)

Key management process documented (rotation, revocation, escrow)

Incident Response

Incident response plan documented

Notification procedures defined (72-hour breach notification baseline)

Incident response plan tested or exercised

Incident response roles and responsibilities defined

6. Quality Assurance and Standards Compliance

Coding Standards

Coding guidelines enforced (PEP 8, MISRA, Google Style Guides, etc.)

Automated linters and code formatters used in CI/CD

Code reviews for standards and quality

Testing Requirements

Unit test coverage at or above 80% and documented

Integration, system, and acceptance tests implemented

Regression tests maintained and updated

Automated test execution in CI/CD pipeline

If AI/ML: adversarial testing, red-teaming, and model evaluation in place

Version Control

All code and docs in version control (Git)

Branching and merging strategy defined and enforced

Releases are tagged and release notes maintained

7. Intellectual Property and Ethical Compliance

Ownership and IP Rights

All code and assets are original, licensed, or under clear ownership agreements

Contributor and contractor IP assignment agreements on file

Open-Source Compliance

All open-source components tracked and documented (SBOM)

License obligations (attribution, source sharing) reviewed and met

Dependencies reviewed for license changes or vulnerabilities

AI Training Data Compliance

AI training data and copyright continues to be heavily litigated globally. The EU GPAI Code of Practice (July 2025) sets expectations on copyright compliance and training data transparency.

Training data sourced with appropriate rights or licenses

Copyright compliance policy for AI training data

Mechanisms to honor opt-out requests for training data (TDM reservations)

Training data summary prepared (EU template) where applicable

Ethical AI

AI and ML components assessed for bias, discrimination, or harm

Data sources, model training, and evaluation documented (model cards)

Recognized AI governance framework adopted (EU AI Act, NIST AI RMF, ISO/IEC 42001)

ISO/IEC 42001 AI Management System adoption considered or in progress

8. User and Stakeholder Compliance

Terms of Service and Privacy Policy

Clear, legally compliant terms of service and privacy policy provided to users

AI and automated decision-making disclosed in terms and privacy policy

Children's privacy provisions reflect COPPA 2025 amendments

User Training

Users trained on compliant use of the software

AI-specific user guidance available (limitations, intended use, when to escalate to humans)

Stakeholder Communication

Stakeholders informed about compliance status and risks

Board-level reporting on AI and security risk in place

9. Audit and Review

🔍 Audit Program: A mature compliance posture needs layered audits (internal, external, third-party), documented risk assessments, and certifications appropriate to your industry. CCPA/CPRA now mandates annual cybersecurity audits for high-risk processors as of Jan 1, 2026.

Internal Audits

Internal audit schedule defined (quarterly, semi-annual, or annual)

Audit scope covers code, processes, access controls, and data handling

Findings tracked to remediation with assigned owners and deadlines

Auditors independent from the team being audited

Audit reports reviewed by leadership and retained per records policy

External and Third-Party Audits

Which external audits apply to your organization? Select all that apply.
SOC 2 Type I or Type II
ISO/IEC 27001 (Information Security)
ISO/IEC 42001 (AI Management Systems)
PCI DSS (payment card data)
HITRUST CSF (healthcare)
FedRAMP (US federal cloud)
CCPA/CPRA Annual Cybersecurity Audit (active Jan 1, 2026)

External auditor credentials verified

Audit cadence meets regulatory or contractual requirements

Evidence collection process documented and repeatable

Risk Assessment

Risk assessment framework adopted (NIST RMF, ISO 31000, FAIR, etc.)

Risk register maintained with likelihood, impact, and mitigation status

Risk assessments performed at least annually and after major changes

AI-specific risk assessments completed (bias, robustness, misuse)

Third-party and vendor risk assessments conducted

Risk treatment decisions documented (accept, mitigate, transfer, avoid)

Certifications

Current or planned certifications:
ISO 9001 (Quality Management)
ISO/IEC 27001 (Information Security)
ISO/IEC 27701 (Privacy Information Management)
ISO/IEC 42001 (AI Management)
CMMI
SOC 2 Type II

Surveillance audits scheduled to maintain certifications

Certification scope documented and communicated to customers

Continuous Monitoring

Control effectiveness monitored on an ongoing basis, not just at audit time

Automated compliance monitoring tools in place where feasible

KPIs and metrics tracked for compliance posture

Regulatory tracking process in place (state laws, EU Omnibus, HIPAA final rule)

10. Documentation

Required Documentation

Do you have the following documents? Check all that apply.
Requirements and specifications Architecture diagrams User manuals API documentation Maintenance guides Operational runbooks

AI-Specific Documentation

Model cards for AI/ML models

Data sheets for datasets

AI impact assessments

System cards (AI system level documentation)

If EU high-risk AI: Annex IV technical documentation

Evaluation results and benchmarks documented

Compliance Documentation

Written compliance and information security policies

Data Protection Impact Assessments (DPIAs)

Records of processing activities (GDPR Art. 30)

Data retention and deletion schedule published

11. Maintenance

Maintenance Plan

Is there a documented maintenance plan for the software?
Yes No

SLAs defined and tracked

Support Resources

Are support resources available?
Yes No

Update and Patch Management

Is there a defined process for applying updates and patches?
Yes No

Patch cadence defined by severity (critical, high, medium, low)

Emergency patching process documented

Post-Market Monitoring (AI Systems)

Under the EU AI Act Art. 72, providers of high-risk AI systems must implement a documented post-market monitoring system after placing the system on the market.

Post-market monitoring system documented

Operational logging captured and reviewed

Incident reporting process to authorities defined

Corrective measure process documented

Model drift detection and retraining cadence defined

End-of-Life Policy

Is there an end-of-life (EOL) policy for the software?
Yes No

Data handling at end-of-life defined (export, deletion, transfer)

Customer communication plan in place

Software Development Compliance ChecklistMay 2026 Edition

📅 EU AI Act Implementation Timeline

EO 14365 Timeline

California ADMT Timeline

Applicable Regulations: