May 2026 global compliance update: 106 days to FCA NFM + EU AI Act, EDPB, and DPDP

Future-proofing compliance ahead of major FCA and data privacy changes
The regulatory landscape is shifting at a new pace, with global changes being rolled out almost monthly. For every new high-profile development such as the FCA regulations and the EU AI Act, additional lower-profile but highly important updates are taking effect. In this blog, we’ll explore a few critical compliance updates every global employer should know.
4 new compliance developments
#1. 106 days until FCA non-financial misconduct changes take effect. Are you ready?
The Financial Conduct Authority (FCA) released new guidance for Financial Services employers in December 2025 as part of its Policy Statement PS25/23. It establishes brand new requirements for the industry, which are considered revolutionary. Rather than requiring only traditional pre-hire screening, it establishes a new requirement for ongoing monitoring or rescreening of key, high asset risk personnel.
These new rules will take effect on September 1, 2026, with an expectation that all who fall under the FCA's purview will adhere. As these rules are new and strenuous, there is a general expectation that the FCA, as well as the PRA, will begin auditing practically right away. Organisations that were hoping to adopt a “wait and see” approach would find themselves in an extremely risky position, both in terms of non-compliance and when it comes to the talent pool that would be left.
Organisations should be actively evaluating their policies and partners, and preparing their teams for the new era of compliance. For expert guidance, we have two upcoming webinars:
- Policy on Paper, Panic in the Moment
  Speakers: Real Talk Studio’s Toby Sinclair and Fama’s Ben Mones
  An overview of how to prepare your team for tough conversations as well as compliance screening practices roughly 100 days out from the 1 Sept deadline.
- FCA Non-Financial Misconduct: A Playbook for HR & Compliance Leaders with HireRight’s Caroline Smith, Background Check Advisory’s Anton Watson, and Fama’s Ben Mones
  A strategic playbook to help HR and Compliance leaders revamp policies and technologies to align with new regulatory standards.
#2. Talks stalled on the EU AI Act. What now?
Negotiations for reforming the EU AI Act were delayed as the EU Parliament and Council could not agree on the act’s overlap with existing sectoral regulations. As of now, the groups are deeply divided on whether to proceed with either a sector-by-sector AI regulatory framework or an EU-zone wide standard. A final decision has been postponed once again, threatening a decision by default if no consensus is reached by August.
The European Parliament voted for a strong mandate to simplify the AI Act, and the path forward is already off to a rocky start. In the meantime, organisations operating within the EU have to keep a close eye on industry-specific and EU-wide regulations and be prepared in case a sudden shift is announced. With privacy at the forefront of the concerns, organisations are expected to do their due diligence to both comply and provide evidence of compliance.
#3. European Data Protection Board launches enforcement action: What to know?
The European Data Protection Board (EDPB) has launched its Coordinated Enforcement Framework (CEF) goal for 2026. Celebrating the success of a year-long concentrated effort on the right of erasure in 2025, CEF has chosen its mission for 2026: compliance with the obligations of transparency and information under the GDPR.
So far, 25 Data Protection Authorities (DPAs) across Europe have signalled participation in this initiative. Active and ongoing investigations will be rolling out to evaluate the compliance of controllers in the region. Controllers, as defined by the GDPR, will soon be contacted as part of phase 1: fact finding and enforcement. After that, phase 2 will involve all participating DPAs coming together to aggregate the results, evaluate them, and provide a final report for the EDPB.
This means that there are two core impacts:
1. Data controllers will be expected to fully cooperate with any and all DPAs.
2. Data controllers will also be required to provide evidence of full compliance.
Based on the findings of the DPAs, the industry should expect modifications to the GDPR regulations in 2027. Ensuring full compliance as well as proactively establishing evidence of said compliance will be key for the rest of 2026.
#4. India’s consent manager framework
India’s Digital Personal Data Protection (DPDP) Act was first established in 2023, but only truly finalised in November 2025. With it came India’s first comprehensive framework governing all aspects of digital personal data, along with a stage-based framework for what was to come next.
Key for 2026, the Consent Manager Framework officially becomes operational. This system effectively establishes a process for organisations to register themselves as third-party intermediaries, allowing them to manage user consent and permission. This registration process is to be run by the Data Protection Board (DPB) established in Nov 2025.
With this new Consent Manager Framework, there will now be a very clear requirement for all Consent Managers to handle the complex technical task of syncing user preferences across all channels while also ensuring that there is a clear, legally required audit trail. Failure to do so can incur significant fines that reach up to 250 crore, roughly equivalent to $30 million USD.
The new central management process for all core data rights, such as right to correction, erasure, and contest, establishes new expectations similar to programmes like FCRA, PIPEDA, GDPR, PIPL and more.
Future-proofing compliance and social media screening
In a climate where behaviour risk, non-financial misconduct, and data privacy concerns are intensifying, the countdown to compliance is on. Around the globe, compliance is shifting from a reactive “wait and see” approach to one that requires proactivity and vigilance. Understanding how regulatory expectations align across jurisdictions is only part of the equation; organisations also need to ensure they are prepared for the growing expectations of data subjects themselves.
High-profile incidents, from the recent Alberta electoral list breach to ransomware attacks on healthcare providers and technical vulnerabilities in public systems, are driving a noticeable shift in public trust. People are paying closer attention to how their data is handled, and expectations around transparency, accountability, and ethical use are rising with it.
This is where Fama comes in. As organisations look to balance effective risk mitigation, privacy-first practices, and compliance, Fama’s social media screening solutions are designed to surface relevant behaviour risks while respecting individual privacy and evolving regulatory standards. In a world of increasing scrutiny, building a compliant, responsible, and future-ready data mindset isn’t just good practice, it’s a competitive advantage.





