China’s new State Council Regulation on Outbound Investment takes effect July 1 and creates a centralized outbound-investment regime with national-security review, export-control limits, cross-border data-transfer constraints and countermeasures provisions.
Bloomberg Law reports that Vice Premier He Lifeng said China will add anti-sanctions and blocking provisions to financial legislation to counter what Beijing views as improper unilateral sanctions.
Lawfare’s review of The Web Beneath the Waves highlights undersea cables as critical digital infrastructure shaped by geopolitical fragmentation, Chinese cable actors, US blacklisting of Huawei and HMN Tech, Russia shadow-fleet concerns and China gray-zone tactics.
The European Commission's Cloud and AI Development Act policy page defines four sovereignty assurance levels for public bodies: Level 1 requires EU-located processing and storage, Level 2 adds independence from third countries and software supply-chain transparency, Level 3 requires EU ownership/control with additional criteria such as personnel citizenship, and Level 4 requires full software supply-chain transparency and no third-country interference.
Bruegel argues that the EU AI Act should move from a predominantly ex-ante product-safety model toward a hybrid model that lowers up-front burden for many suppliers while adding stronger AI liability, post-deployment monitoring, universal transparency, researcher access, near-miss reporting and a public incident registry.
JD Supra's analysis of the CADA proposal emphasizes that it should be read alongside the EU Data Act, NIS2, DORA, GDPR and the AI Act, and that it provides a blueprint for assessing digital-service sovereignty through exposure to third-country laws, ownership and control, software and hardware supply chains, operational resilience, security, compliance and the ability to prevent third-country interference.
The European Commission's Cloud and AI Development Act policy page defines four sovereignty assurance levels for public bodies: Level 1 requires EU-located processing and storage, Level 2 adds independence from third countries and software supply-chain transparency, Level 3 requires EU ownership/control with additional criteria such as personnel citizenship, and Level 4 requires full software supply-chain transparency and no third-country interference.
Bruegel argues that the EU AI Act should move from a predominantly ex-ante product-safety model toward a hybrid model that lowers up-front burden for many suppliers while adding stronger AI liability, post-deployment monitoring, universal transparency, researcher access, near-miss reporting and a public incident registry.
JD Supra's analysis of the CADA proposal emphasizes that it should be read alongside the EU Data Act, NIS2, DORA, GDPR and the AI Act, and that it provides a blueprint for assessing digital-service sovereignty through exposure to third-country laws, ownership and control, software and hardware supply chains, operational resilience, security, compliance and the ability to prevent third-country interference.
On 3 June 2026, the European Commission presented the European Technological Sovereignty Package, including: the Cloud and AI Development Act (CADA, COM(2026) 502), Chips Act 2.
A South Centre research paper published 29 May 2026 demonstrates that USMCA-model digital-trade rules impose the broadest constraints on governments' ability to mandate local data storage or regulate cross-border data flows, with the weakest exceptions of any major trade agreement model.
On 7 May 2026, EU co-legislators reached a provisional political agreement on the Digital Omnibus on AI, having overcome a stalled trilogue that collapsed on 28 April over conformity-assessment architecture for Annex I embedded systems.
On 7 May 2026, EU co-legislators reached a provisional political agreement on the Digital Omnibus on AI, having overcome a stalled trilogue that collapsed on 28 April over conformity-assessment architecture for Annex I embedded systems.
On 3 June 2026, the European Commission presented the European Technological Sovereignty Package, including: the Cloud and AI Development Act (CADA, COM(2026) 502), Chips Act 2.
A South Centre research paper published 29 May 2026 demonstrates that USMCA-model digital-trade rules impose the broadest constraints on governments' ability to mandate local data storage or regulate cross-border data flows, with the weakest exceptions of any major trade agreement model.
IAPP’s Canada Symposium session on cross-border data flows frames data transfers as a strategic issue shaped by EU adequacy, US national-security orders, emerging localization mandates and Canadian privacy obligations.
The Atlantic Council says the European Commission is scheduled to release a Tech Sovereignty Package on 3 June 2026, including a Cloud and AI Development Act, Chips Act update and formal definition of digital sovereignty.
CNAS’s sovereignty frame is useful for legal departments because it moves AI infrastructure negotiations beyond where data sits.
IAPP’s analysis of AI-discovered vulnerabilities argues that defenders need to share cybersecurity data across borders quickly, while data sovereignty and localisation laws may restrict that sharing.
Mayer Brown explains that the DOJ Data Security Program regulates transactions involving access to covered data by countries of concern, including China, Hong Kong, Macau, Cuba, Iran, North Korea, Russia and Venezuela.
The BIS AI-chip update requires attention to whether prohibited users can access chips remotely, including through infrastructure-as-a-service environments.
Reuters reports that US officials are considering AI-chip export rules built around licensing thresholds, government-to-government assurances, monitoring, site visits and possible foreign investment in US AI data centers.
Chatham House argues that chip controls are leaky, increasingly vulnerable to smuggling and less decisive as AI gains come from algorithmic efficiency, inference optimization and model design.
Mayer Brown highlights the combined effect of PADFAA, DOJ’s Data Security Program, state enforcement and class-action theories around cross-border data access.
IISD’s April 2026 report maps the tension between cross-border data flows, localization measures, public safeguards, economic security and trade-law commitments.
The European Commission’s 20th sanctions package includes crypto and digital-rouble measures alongside banking and trade restrictions.
The European Commission’s 20th sanctions package includes crypto and digital-rouble measures alongside banking and trade restrictions.
Alvarez & Marsal’s export-enforcement analysis points to remote access to controlled computing as a regulatory focus.
Alvarez & Marsal’s export-enforcement analysis points to remote access to controlled computing as a regulatory focus.