# Regulatory Urgency & Competitive Intelligence Tracker

**Created:** 2026-03-20
**Last Updated:** 2026-04-06
**Purpose:** Track regulatory developments, competitive moves, enforcement actions, and their mapping to INeedTrust product features, backlog, and marketing collateral. Living document — updated by the research loop and by manual review.

---

## Table of Contents

1. [Regulatory Developments](#1-regulatory-developments)
2. [Competitive Intelligence](#2-competitive-intelligence)
3. [Enforcement Actions & Proof Points](#3-enforcement-actions--proof-points)
4. [US State Bill Tracker](#4-us-state-bill-tracker)
5. [Feature Coverage Matrix](#5-feature-coverage-matrix)
6. [Marketing Priority Matrix](#6-marketing-priority-matrix)
7. [Open Backlog Items (Not Yet in Epics)](#7-open-backlog-items-not-yet-in-epics)
8. [Decision Log](#8-decision-log)
9. [Enforcement Actions — Updated (Loop Run 2 + 3)](#9-enforcement-actions--updated-loop-run-2--3)
10. [Competitive Intelligence — Updated (Loop Run 2)](#10-competitive-intelligence--updated-loop-run-2)

---

## 1. Regulatory Developments

### Active / In Effect (Enforcement Happening Now)

| Regulation | Jurisdiction | Effective | Trust Center Relevance | INeedTrust Coverage | Status |
|---|---|---|---|---|---|
| GDPR Arts. 12-14 (transparency) | EU | 2018, **2026 CEF audit** | Direct mandate for transparent processing disclosures | Epic 2 (controls), Epic 4 (subprocessors), Epic 5 (DSAR) | **Covered — needs marketing emphasis** |
| EDPB CEF 2026 Transparency Audits | EU | **March 19, 2026** | 25 DPAs auditing transparency obligations NOW | Existing trust center features satisfy requirements | **Marketing urgency — add to collateral** |
| CCPA/CPRA + ADMT rules | California | Jan 2026 (ADMT enforcement Jan 2027) | DSAR portal, opt-out, automated decision-making disclosure | Epic 5 (DSAR), Epic 14 (AI governance) | Partially covered — ADMT in Epic 14 |
| EU AI Act — Prohibited practices | EU | Feb 2, 2025 | Banned AI categories | Epic 14 risk classification covers this | Covered |
| EU AI Act — GPAI transparency | EU | Aug 2, 2025 | General-purpose AI model transparency | Epic 14 model cards | Covered |
| California AI Transparency Act | California | Jan 1, 2026 | AI-generated content disclosure (1M+ monthly users) | Epic 14 (FR105 content labeling) | Covered |
| California SB 243 (AI companions) | California | In effect | Chatbot interaction disclosure | **GAP — not in any epic** | Needs new item |
| Colorado AI Act (CAIA) | Colorado | **Jun 30, 2026** | High-risk AI documentation for employment, housing, healthcare | Epic 14 (risk classification, transparency) | Partially covered |
| South Korea AI Framework Act | South Korea | Jan 22, 2026 | Extraterritorial AI transparency, risk assessment | Epic 14 | Covered |
| DORA | EU (financial) | Jan 17, 2025 | Third-party ICT risk, operational resilience | Epic 15 (FR112 DORA template) | Covered |
| NIS2 Directive | EU | Transposed Oct 2024 | Supply chain security, incident reporting | Epic 15 (FR112 NIS2 template, FR110 incident page) | Covered |
| Malaysia PDPA amendments | Malaysia | In effect | Mandatory DPO, breach notification, data portability | i18n future — no epic yet | Low priority |
| Vietnam Data Protection Law | Vietnam | Jan 1, 2026 | Comprehensive privacy law | i18n future — no epic yet | Low priority |
| Vietnam AI Law | Vietnam | Mar 1, 2026 | AI governance requirements | i18n future — no epic yet | Low priority |
| DOJ Data Security Program | US | In effect | Restricts bulk data transfers to adversary nations | Not directly relevant to trust center features | No action |
| India DPDPA Phase 2 | India | Nov 13, 2026 | Consent manager registration | i18n future | Medium priority |
| Swiss FADP | Switzerland | Sep 1, 2023 | Expanded information obligations, personal liability | Covered by GDPR features | No additional action |

### Upcoming (Next 18 Months)

| Regulation | Jurisdiction | Effective Date | Trust Center Relevance | INeedTrust Coverage | Priority |
|---|---|---|---|---|---|
| EU AI Act — Article 50 full application | EU | **Aug 2, 2026** | AI transparency obligations, content labeling mandates | Epic 14 (FR102-FR109, FR119-FR123) | **P0 — ship before date** |
| EU AI Act — High-risk systems (Annex III) | EU | **Dec 2, 2027** (was Aug 2026, per Digital Omnibus) | High-risk AI documentation, risk assessments, fundamental rights impact | Epic 14 (FR119 risk assessments, Story 14.9) | **P0 — covered, deadline extended** |
| EU AI Act Code of Practice v2 (C2PA/watermarking) | EU | Jun 2026 (final; 2nd draft published Mar 3, 2026) | C2PA metadata, pixel watermarking, "EU AI icon" for deepfakes | Epic 14 (Story 14.7 C2PA disclosure) | **Covered** |
| Connecticut LLM training disclosure | Connecticut | **Jul 1, 2026** | Must disclose if data collected/used/sold for LLM training | Epic 14 (FR106) | **P0 — covered** |
| Connecticut SB 5 (comprehensive AI) | Connecticut | **Signed Feb 4, 2026** | Chatbots, employment AI, synthetic content, whistleblower protections, AI regulatory sandbox | Epic 14 (Stories 14.4, 14.8, 14.11, 14.12) | **Covered** |
| NIS2 full compliance deadline | EU | **Oct 2026** | All essential/important entities must comply | Epic 15 (FR112 NIS2 template) | **P0 — ship template** |
| HIPAA Security Rule final | US | **Q2 2026 (est.)** | 72h incident notification, mandatory MFA, no "addressable" | Epic 15 (FR112 HIPAA template, FR110 incident page) | **P0 — ship template** |
| Australia ADM transparency | Australia | **Dec 10, 2026** | Automated decision-making disclosure in privacy policies | Epic 14 (FR121, Story 14.11 ADM disclosure) | **Covered** |
| CCPA ADMT enforcement | California | **Jan 2027** | Pre-use notices, opt-out, access to logic for automated decisions | Epic 14 (FR121, Story 14.11 ADM disclosure) | **Covered** |
| Singapore Agentic AI Framework | Singapore | 2026 | First global framework for autonomous AI agent governance | Epic 14 (FR122, Story 14.12 agentic AI) | **Covered** |
| India DPDPA Phase 3 (full compliance) | India | May 2027 | Complete data protection requirements | i18n future | P2 |
| Japan APPI amendments | Japan | ~2027 | Administrative fines, AI rules | i18n future | P3 |
| EU AI Act legacy systems | EU | Aug 2027 | All existing AI systems covered | Epic 14 | Already covered |
| Oregon SB 1546 (AI companions) | Oregon | **Passed** | AI companion disclosure + private right of action | **GAP — chatbot disclosure** | P1 |
| Washington HB 2225 (chatbots) | Washington | **Passed** | AI chatbot disclosure requirements | **GAP — chatbot disclosure** | P1 |
| Utah HB 276 (digital content provenance) | Utah | **Passed** | C2PA/provenance standards | **GAP — C2PA disclosure** | P1 |
| Maine consumer privacy law | Maine | **Passed Senate** | Comprehensive privacy law | Covered by existing privacy features | Monitor |
| Alabama consumer privacy bill | Alabama | Advancing (legislature closes Mar 27) | Comprehensive privacy law | Covered by existing privacy features | Monitor |
| Oklahoma SB 546 | Oklahoma | **Signed by Governor Mar 20, 2026** | 20th state comprehensive privacy law (Virginia-model, eff. Jan 2027) | Epic 15 compliance timeline | **OB-14 — add template** |
| Georgia SB 540 (chatbot) | Georgia | **Passed Senate unanimously** | AI chatbot disclosure | Epic 14 (Story 14.8) | Covered |
| Hawaii chatbot bills (HB 1782, SB 3001) | Hawaii | **Passed chambers** | AI chatbot disclosure | Epic 14 (Story 14.8) | Covered |
| New Hampshire SB 657 (AI private right of action) | New Hampshire | Advancing | AI liability with private right of action | Epic 14 | Monitor |
| Minnesota SF 4509 (frontier model) | Minnesota | Introduced | Frontier AI model regulation | Epic 14 | Monitor |
| EU Cybersecurity Act 2 (CSA2) | EU | Jan 20, 2026 (trilogue early 2027) | Supply chain security, cyber-posture certificate, 7% turnover fines | Epic 15 (NIS2 template extends) | **OB-13 — new cert type** |
| Trump Cyber Strategy for America | US | Mar 6, 2026 | Regulatory rollback signal, SEC incident rule may be revisited | Epic 15 (incident page) | Monitor |
| Trump EO — Federal AI Policy Framework | US | Dec 11, 2025 | "Minimally burdensome" federal AI policy; Commerce Dept reviewing state AI laws (published Mar 11); DOJ AI Litigation Task Force can challenge state laws; FCC to initiate federal AI reporting standard preempting states | OB-10 (preemption tracker in compliance timeline) | **Monitor — preemption risk to state-by-state positioning** |
| Oklahoma SB 1521 (chatbot age verification) | Oklahoma | **Passed Senate 43-0 Mar 23** | AI chatbot regulation with age verification | Epic 14 (Story 14.8) | Monitor |
| Italy — OpenAI EUR 15M fine overturned | Italy | **Mar 18, 2026** | Court of Rome annulled Garante's ChatGPT GDPR fine | Marketing proof point — enforcement landscape shifting | Informational |

---

## 2. Competitive Intelligence

### Vendor Landscape (as of March 2026)

| Vendor | Recent Moves | Positioning | INeedTrust Differentiator |
|---|---|---|---|
| **Drata + SafeBase** | Deepened integration post-acquisition. HubSpot/DocuSign/Ironclad/Salesforce integrations. AI questionnaire automation (98% time reduction claim). Tiered trust centers (Foundation/Advanced/Enterprise). | All-in on **sales enablement** + questionnaire automation | INeedTrust has **regulatory intelligence** angle no one else touches. AI governance pillar is unique. |
| **Vanta** | Bundling trust center into compliance plans (Plus+). 300+ integrations. Speed-to-value for Series B/C. | Volume play — compliance-as-a-service with trust center as add-on | INeedTrust is purpose-built for trust centers, not an add-on. Lower price point. |
| **Conveyor** | Doubling down on AI-driven security review automation. Self-serve trust portals for sales-driven teams. | AI questionnaire answering as primary value prop | INeedTrust AskMe (Epic 10) competes here. Conveyor doesn't do AI governance or regulatory compliance. |
| **Secureframe** | Positioning as "easy button" for non-technical buyers. Real-time alerts + trust portal. | Simplicity for mid-market | INeedTrust's health score and staleness detection compete. Secureframe lacks AI governance. |
| **OneTrust** | Unified trust center for regulated enterprises. Privacy automation + risk intelligence analytics. | Enterprise privacy-first | INeedTrust targets SMB/mid-market that OneTrust ignores. |

### Key Competitive Insight

**All competitors are framing trust centers as sales enablement tools.** None are positioning around regulatory compliance intelligence, AI governance transparency, or living compliance documentation. This is INeedTrust's whitespace.

---

## 3. Enforcement Actions & Proof Points

### For Marketing Collateral (sorted by impact)

| Action | Amount | Date | Relevance | Use In |
|---|---|---|---|---|
| TikTok (GDPR data transfers) | EUR 530M | 2025 | Subprocessor/transfer transparency | Website tiles, LinkedIn, /for-eu |
| Meta (GDPR consent manipulation) | EUR 479M | 2025 | Consent management, transparency | Website tiles, LinkedIn |
| Walmart (FTC) | $100M | Feb 26, 2026 | Data handling transparency | Landing page, email sequences |
| Cumulative GDPR fines | EUR 7.1B (or 5.88B per alternate source) | Since 2018 | General urgency | **Already on website** |
| SHEIN (France CNIL cookie consent) | EUR 150M | 2025 | Cookie/consent transparency | /for-eu page |
| California DELETE Act daily fines | $200/day per unfulfilled deletion | Jan 31, 2026 | DSAR portal urgency | US-focused marketing |
| UK ICO - Imgur (children's data) | GBP 247,590 | 2026 | Transparency failures | UK-focused marketing |
| South Korea NRF breach | KRW 703M | 2026 | Breach notification inadequacy | APAC marketing |
| Netherlands municipalities | Fines (amount TBD) | 2026 | Transparency + data minimization | EU marketing |

### Aggregated Proof Points for Copy

- **EUR 7.1B** cumulative GDPR fines since 2018
- **$100M** Walmart FTC judgment (Feb 2026)
- **EUR 530M** TikTok fine for data transfer violations
- **$200/day** California DELETE Act fines per unfulfilled request
- **25 DPAs** actively auditing transparency in 2026 (EDPB CEF)
- **42% higher** win rates with trust centers (TrustCloud)
- **70-90% faster** deal cycles with self-serve security portals
- **300+ hours/month** burned on manual questionnaire responses
- **$4.44M** average breach cost (IBM 2025)
- **31%** of organizations already have trust centers
- **181+** state privacy/AI bills tracked in US legislatures (2026)

---

## 4. US State Bill Tracker

### Passed / In Effect

| State | Bill | Topic | Effective | Impact on INeedTrust |
|---|---|---|---|---|
| California | SB 243 | AI companion chatbot disclosure | In effect | Chatbot disclosure feature needed |
| Oregon | SB 1546 | AI companion + private right of action | Passed | Same — chatbot disclosure |
| Washington | HB 2225 | Chatbot disclosure | Passed | Same — chatbot disclosure |
| Washington | HB 1170 | AI provenance | Passed | C2PA/provenance disclosure |
| Utah | HB 276 | Digital content provenance (C2PA) | Passed | C2PA adoption disclosure |
| Maine | Privacy law | Comprehensive consumer privacy | Passed Senate | Covered by existing features |
| Indiana, Kentucky, Rhode Island | Privacy laws | Comprehensive privacy | Jan 1, 2026 | Covered by existing features |
| Connecticut | Privacy amendments | LLM training disclosure + neural data | Jul 1, 2026 | FR106 covers this |

### Advancing (Watch List)

| State | Bill | Topic | Status | Action Needed |
|---|---|---|---|---|
| Alabama | Privacy bill | Comprehensive privacy | Passed House, Senate committee | Monitor — legislature closes Mar 27 |
| Connecticut | SB 5 | Comprehensive AI (chatbots + employment) | Filed | Monitor — may need chatbot feature |
| Vermont | HB 814 | Mental health chatbot regulation | Advancing | Monitor |
| Vermont | Data broker bill | DELETE Act-like requirements | Advancing | Covered by DSAR portal |
| Hawaii, MA, CO, NJ, MN | Surveillance pricing | Algorithmic pricing transparency | Advancing | New marketing angle for AI governance |
| GA, HI, TN, NJ, NY | Chatbot bills | AI interaction disclosure | Crossing chambers | Supports chatbot disclosure feature |

### Key Trend

**2026 = "Year of the Chatbot Bill."** Multiple states passing AI interaction disclosure laws. This creates a new product requirement for chatbot/AI companion transparency policies.

---

## 5. Feature Coverage Matrix

Maps regulations to product features. **GREEN** = covered, **YELLOW** = partial, **RED** = gap.

| Capability | Regulation(s) | Epic/FR | Status | Priority |
|---|---|---|---|---|
| Privacy policy portal | GDPR, CCPA, LGPD, PIPA, FADP, DPDPA, all US states | Epic 2 (public trust center) | GREEN | Shipped |
| Subprocessor registry + notifications | GDPR Art. 28, UK GDPR, FADP, LGPD | Epic 4 (FR44a-e), Epic 15 (FR114) | GREEN | In backlog |
| Subprocessor objection workflow | GDPR Art. 28 | Epic 15 (FR114, Story 15.5) | GREEN | In backlog |
| DSAR portal | GDPR, CCPA, all US states | Epic 5 (FR69) | GREEN | In backlog |
| Breach/incident status page | GDPR, HIPAA, NIS2, DORA, 14+ jurisdictions | Epic 15 (FR110, Story 15.1) | GREEN | In backlog |
| Incident subscriber notifications | NIS2 (24h early warning), GDPR (72h) | Epic 15 (FR111, Story 15.2) | GREEN | In backlog |
| AI system inventory | EU AI Act, Colorado AI Act, NIST AI RMF | Epic 14 (FR103, Story 14.2) | GREEN | In backlog |
| Model transparency cards | EU AI Act Art. 50, NIST AI RMF | Epic 14 (FR104, Story 14.3) | GREEN | In backlog |
| AI content labeling policy | EU AI Act Art. 50, California AI Transparency Act | Epic 14 (FR105, Story 14.4) | GREEN | In backlog |
| LLM training data disclosure | Connecticut (Jul 2026), CCPA ADMT | Epic 14 (FR106, Story 14.4) | GREEN | In backlog |
| Compliance certification badges | SOC 2, ISO 27001, PCI DSS, HIPAA | Epic 2 (FR83-85) | GREEN | In backlog |
| Industry vertical templates | HIPAA, DORA, NIS2, GDPR/CCPA | Epic 15 (FR112, Story 15.3) | GREEN | In backlog |
| Regulatory compliance timeline | Multi-regulation | Epic 15 (FR113, Story 15.4) | GREEN | In backlog |
| AI governance framework mappings | EU AI Act, NIST AI RMF, ISO 42001 | Epic 14 (FR109, Story 14.6) | GREEN | In backlog |
| C2PA/content provenance disclosure | EU AI Code of Practice, Utah HB 276, WA HB 1170 | Epic 14 (Story 14.7) | **GREEN** | Added to backlog |
| Chatbot/AI companion disclosure | CA SB 243, OR SB 1546, WA HB 2225, CT SB 5, GA SB 540, NY A 3411 | Epic 14 (Story 14.8) | **GREEN** | Added to backlog |
| GDPR transparency self-assessment | EDPB CEF 2026 | Epic 15 (Story 15.6) | **GREEN** | Added to backlog |
| **US state law applicability checker** | 21+ US state privacy laws | **NOT IN ANY EPIC** | **YELLOW** | **P2 — differentiation (OB-04)** |
| **EU CSA2 cyber-posture certificate** | EU Cybersecurity Act 2 (Jan 2026) | **NOT IN ANY EPIC** | **YELLOW** | **P2 — monitor trilogue (OB-13)** |
| AI risk/impact assessments | EU AI Act Art. 27, NIST AI RMF, GDPR Art. 35 | Epic 14 (FR119, Story 14.9) | **GREEN** | Added to backlog |
| Third-party AI vendor registry | EU AI Act supply chain transparency, AI vendor due diligence | Epic 14 (FR120, Story 14.10) | **GREEN** | Added to backlog |
| Automated decision-making disclosure | CCPA ADMT, Australia Privacy Act, GDPR Art. 22, PIPA | Epic 14 (FR121, Story 14.11) | **GREEN** | Added to backlog |
| Agentic AI disclosure | Singapore Agentic AI Framework, emerging EU guidance | Epic 14 (FR122, Story 14.12) | **GREEN** | Added to backlog |
| AI governance reference data (NIST AI RMF, MITRE ATLAS, SCF AAT) | Multi-framework | Epic 14 (FR123, Story 14.13) | **GREEN** | Added to backlog |
| Cookie/consent management | ePrivacy Directive, CCPA | Not in scope (separate product category) | N/A | Not pursuing |

---

## 6. Marketing Priority Matrix

### What to add to website / marketing collateral NOW

| Item | Where | Priority | Effort | Rationale |
|---|---|---|---|---|
| EDPB CEF 2026 launched March 19 | Website urgency bar, /for-eu, LinkedIn | **P0** | Low (copy change) | Happened YESTERDAY. Freshest possible urgency hook. |
| Walmart $100M FTC judgment | Website proof points, email sequences | **P0** | Low (copy change) | Massive enforcement action, Feb 2026. Concrete number. |
| California DELETE Act $200/day fines | /for-founders landing page, email | **P0** | Low (copy change) | Hits small companies hardest — our exact ICP. |
| "Year of the Chatbot Bill" narrative | LinkedIn thought leadership, blog | **P1** | Medium (content) | Fresh angle nobody else is talking about. Positions INeedTrust as ahead of the curve. |
| AI governance pillar as differentiator | Homepage feature card, /for-eu, /vs-safebase | **P1** | Low (copy exists) | No competitor has native AI governance. Category creation moment. |
| C2PA / content provenance angle | Blog post, LinkedIn, AI governance page | **P1** | Medium (content) | EU Code of Practice finalizing Jun 2026. Early thought leadership. |
| Drata+SafeBase consolidation counter-narrative | /vs-safebase page, LinkedIn | **P1** | Medium (copy) | They're going sales enablement; we're going regulatory intelligence. |
| Colorado AI Act June 30 deadline | Urgency ticker, email sequences | **P2** | Low (copy change) | Less relevant to our EU-heavy ICP but useful for US market. |
| "181+ state bills tracked" stat | Website, investor deck | **P2** | Low (copy change) | Impressive number showing regulatory complexity. |
| Surveillance pricing bills narrative | Blog, LinkedIn | **P3** | Medium (content) | Emerging angle — too early for conversion messaging. |

### Added from Loop Run 3

| Item | Where | Priority | Effort | Rationale |
|---|---|---|---|---|
| "78 chatbot bills in 27 states" stat | LinkedIn, AI governance feature launch, website | **P0** | Low (copy) | Nobody else quoting this. Powerful urgency stat for AI governance positioning. |
| Gartner: $492M AI governance market, $1B by 2030 | Investor deck, positioning materials, /for-eu | **P0** | Low (copy) | Gartner validation of Epic 14 investment. "3.4x more effective with AI governance platforms." |
| OneTrust raised min ACV to $10K — SMB displacement | /vs-competitors page, LinkedIn, cold email | **P1** | Medium (copy) | Direct competitive opportunity. "OneTrust is pricing out SMBs. We start at $150/mo." |
| Oklahoma = 21st state | Update all "20 states" references to "21 states" | **P0** | Low (find/replace) | **DONE** — updated website + landing page copy. |
| CNIL vs. Optimove EUR 1M (processor liability) | /for-eu, subprocessor feature marketing | **P1** | Low (copy) | "Even your subprocessors get fined extraterritorially." |
| Comstar $515K coordinated state+federal HIPAA | HIPAA template marketing, email sequences | **P1** | Low (copy) | "State AGs are now co-enforcing HIPAA alongside HHS." |
| EU CSA2 supply chain rules + 7% turnover fines | /for-eu, NIS2 template marketing | **P2** | Medium (content) | Trilogue early 2027 — thought leadership now, product later. |
| White House AI framework hot take | LinkedIn, blog | **P1** | Medium (content) | "Will federal preemption kill the state patchwork? What SaaS companies should do now." |
| "AI governance for your prospects" vs. Vanta/OneTrust | All competitive messaging, /vs-safebase | **P0** | Low (positioning) | Core differentiator. Competitors do internal GRC; we publish externally for evaluators. |

### What NOT to prioritize in marketing (product first)

| Item | Why Not Marketing Yet |
|---|---|
| Chatbot disclosure feature | Feature doesn't exist yet. Don't market what we can't deliver. |
| C2PA provenance feature | Feature doesn't exist yet. Thought leadership is fine, product claim is not. |
| US state law checker | Feature doesn't exist yet. Can reference the problem, not the solution. |
| GDPR transparency self-assessment | Feature doesn't exist yet. Reference EDPB audits, not our checker. |

---

## 7. Open Backlog Items (Not Yet in Epics)

### P1 — Should be added to Epic 14 or 15

| ID | Item | Regulatory Driver | Proposed Epic | Proposed Story |
|---|---|---|---|---|
| OB-01 | **C2PA / Content Provenance Disclosure** — Let customers declare C2PA adoption status, AI content watermarking approach, and provenance metadata policies in their trust center | EU AI Act Code of Practice (Jun 2026), Utah HB 276, Washington HB 1170 | Epic 14 (extend) | Story 14.7: Add C2PA content provenance disclosure to AI governance pillar |
| OB-02 | **Chatbot / AI Companion Disclosure Module** — Structured disclosure page for companies using AI chatbots (support, sales, companions) covering interaction disclosure, data handling, and opt-out | California SB 243, Oregon SB 1546, Washington HB 2225, Connecticut SB 5 | Epic 14 (extend) | Story 14.8: Add chatbot/AI interaction disclosure to AI governance pillar |
| OB-03 | **GDPR Transparency Self-Assessment Checklist** — Interactive self-assessment against GDPR Arts. 12-14 transparency obligations, aligned with EDPB CEF 2026 audit questionnaire format | EDPB CEF 2026 | Epic 15 (extend) | Story 15.6: Add GDPR transparency audit readiness checklist |

### P2 — Differentiation (plan for later)

| ID | Item | Driver | Proposed Epic | Notes |
|---|---|---|---|---|
| OB-04 | **US State Privacy Law Applicability Checker** — Interactive tool that determines which state privacy laws apply based on company size, revenue, data types, and customer geography | 21+ US state laws, 181+ bills | New Epic or Epic 15 extension | Significant feature — could be lead magnet or paid feature |
| ~~OB-05~~ | ~~**Automated Decision-Making (ADM) Disclosure Page**~~ | ~~CCPA ADMT (Jan 2027), Australia (Dec 2026)~~ | ~~Epic 14~~ | **RESOLVED — Story 14.11 (FR121)** |
| OB-06 | **EU AI Act Template Alignment** — Align model card format with EU AI Office official template when finalized Q2 2026 | EU AI Act implementing acts | Epic 14 (update Story 14.3) | Monitor EU AI Office publications; update when template released |

### P3 — Monitor / Future

| ID | Item | Driver | Notes |
|---|---|---|---|
| OB-07 | APAC language support (Japanese, Korean, Vietnamese) | APPI, PIPA, Vietnam laws | i18n infrastructure exists; templates need localization |
| OB-08 | India DPDPA consent management portal | DPDPA Phase 2/3 | Wait for Phase 2 (Nov 2026) to clarify requirements |
| OB-09 | Surveillance pricing disclosure | State bills advancing | Too early; monitor for 2027 |

### P1 — Added from Loop Run 2 (2026-03-20 evening)

| ID | Item | Regulatory Driver | Proposed Epic | Notes |
|---|---|---|---|---|
| OB-10 | **Federal AI preemption tracker** — Flag regulations as "at risk of preemption" in compliance timeline when federal legislation threatens to override state laws | White House AI Framework (Mar 20, 2026) | Epic 15 (extend Story 15.4) | Compliance timeline should show preemption risk status per regulation |
| OB-11 | **EU AI Act deadline uncertainty display** — Show proposed vs. current dates with status indicator when Omnibus moves deadlines | EU Council Digital Omnibus (Mar 13, 2026) — may push high-risk from Aug 2026 to Dec 2027 | Epic 15 (extend Story 15.4) | Critical for credibility — don't show stale deadlines |
| OB-12 | **New York GenAI warning law compliance** — Validate chatbot disclosure feature (Story 14.8) covers NY A 3411 requirements | New York A 3411 (passed legislature) | Epic 14 (validate Story 14.8 scope) | No new story needed if 14.8 covers it |

### P2 — Added from Loop Run 3 (2026-03-20 late)

| ID | Item | Regulatory Driver | Proposed Epic | Notes |
|---|---|---|---|---|
| OB-13 | **EU CSA2 cyber-posture certificate tracking** — New entity-level certification artifact. Customers will need to demonstrate compliance with supply chain security framework. Fines up to 7% turnover. | EU Cybersecurity Act 2 (Jan 20, 2026). Trilogue early 2027. | Epic 15 (extend) | New compliance artifact type — not product-level but entity-level. Post-quantum crypto timelines (2030/2035) also notable. |
| OB-14 | **Oklahoma privacy law template** — 21st state with comprehensive privacy law. Virginia-model, no private right of action. | Oklahoma SB 546 (passed both chambers Mar 17, sent to Governor) | Epic 15 (template library) | Effective Jan 1, 2027. Low effort — Virginia-model template reuse. |
| OB-15 | **Australia ADM transparency template** — International regulatory template for automated decision-making disclosures. AUD 66K per contravention. | Australia Privacy Act ADM amendments (effective Dec 10, 2026) | Epic 14 or 15 | Aligns with AI governance pillar. APAC expansion signal. |

---

## 9. Enforcement Actions — Updated (Loop Run 2 + 3)

### Proof points for marketing collateral

| Action | Amount | Date | Jurisdiction | Best Use |
|---|---|---|---|---|
| CNIL vs. Free Mobile + Free | **EUR 42M** | Jan 13, 2026 | France | Incident page urgency — breach + inadequate security |
| CalPrivacy vs. Tractor Supply | **$1.35M** | 2026 | California | CCPA enforcement beyond tech — expanding scope |
| CNIL vs. Optimove | **EUR 1M** | 2026 | France (vs. Israeli company) | Processor liability — extraterritorial GDPR enforcement |
| Comstar HIPAA settlement | **$515K** | Mar 2026 | US (HHS + MA/CT AGs) | HIPAA template urgency — coordinated state+federal |
| CalPrivacy vs. Datamasters | **$45K** | Jan 8, 2026 | California | Delete Act enforcement — health data exploitation |
| CalPrivacy vs. Todd Snyder | **$345K** | 2026 | California | CCPA non-tech retailer fine |
| Reddit UK fine | **GBP 14M** | 2026 | UK | Children's privacy — less relevant to B2B |
| EU Commission vs. X (Twitter) | **EUR 120M** | Dec 2025 | EU | First DSA transparency fine — establishes precedent |

### Updated Aggregate Proof Points (add to marketing)

- **EUR 42M** CNIL fine for one breach (Free Mobile, Jan 2026)
- **EUR 1M** CNIL fine on Israeli processor — GDPR is extraterritorial (Optimove, 2026)
- **$1.35M** first major retailer CCPA fine (Tractor Supply)
- **$515K** coordinated state+federal HIPAA enforcement (Comstar)
- **$200/day** California DELETE Act fines per unfulfilled request
- State AGs are now co-enforcing HIPAA alongside HHS — not just federal anymore
- **78 chatbot bills in 27 states** — "Year of the Chatbot Bill" (Troutman Pepper, Mar 2026)
- **$492M** AI governance platform market in 2026, **$1B by 2030** (Gartner, Feb 2026)
- **3.4x** more likely to achieve high governance effectiveness with AI governance platforms (Gartner)

---

## 10. Competitive Intelligence — Updated (Loop Run 2)

### NEW vendor moves

| Vendor | Development | Date | Impact on INeedTrust |
|---|---|---|---|
| **Vanta** | Launched "Vanta Agents" — 24/7 agentic compliance, enterprise adaptive scoping by business unit/region, privacy automation integrated into GRC | Mar 19, 2026 | Going upmarket with agentic AI. Privacy automation encroaches on trust center territory. INeedTrust differentiates on transparency + regulatory intelligence, not full GRC. |
| **Drata** | Hit $100M ARR, 190% YoY enterprise growth. Coalfire strategic partnership for "always-on" continuous assurance. Platform UX redesign incoming. | Mar 10, 2026 | Drata scaling fast. Coalfire partnership validates continuous compliance. UX redesign may close gaps. Watch for changes. |
| **OneTrust** | New CEO John Heyman (Feb 9). Expanded AI governance: real-time AI monitoring, guardrail enforcement, AWS Bedrock/Azure/Databricks/Vertex integrations. | Feb-Mar 2026 | OneTrust building enterprise AI governance control plane. INeedTrust's Epic 14 is lighter-weight, SMB-focused — good differentiation. Position as "AI governance for the rest of us." |
| **Secureframe** | Launched CMMC compliance platform for defense contractors. Hosting National Cybersecurity Summit (May 11-13). | Mar 10, 2026 | Going federal/defense vertical. Less direct competition with INeedTrust's B2B SaaS focus. |
| **Conveyor** | AI agent answering customer questionnaires. 400+ customers including Carta, Netflix, Zapier. | 2026 | Direct competition with AskMe Q&A (Epic 10). Validates direction. |

### Updated Competitive Positioning

**Key shift:** Vanta and OneTrust are both adding AI governance features, but positioned for enterprise GRC buyers. INeedTrust's angle should be:
- "AI governance transparency for your prospects" (trust center visitor-facing) vs. "AI governance controls for your compliance team" (internal tooling)
- The distinction: INeedTrust publishes AI governance for external consumption. Vanta/OneTrust manage it internally.

---

## 8. Decision Log

| Date | Decision | Rationale |
|---|---|---|
| 2026-03-20 | Created Epic 14 (AI Governance) and Epic 15 (Regulatory Compliance Accelerators) | Research identified AI governance as category-creating differentiator with no competitor coverage. Regulatory compliance features driven by 2026 deadline convergence. |
| 2026-03-20 | Added 9-tile "Why Now" section and regulatory ticker to website | KPI-backed urgency messaging to drive conversion. Sources cited for credibility. |
| 2026-03-20 | Identified 3 P1 gaps (C2PA, chatbot disclosure, GDPR self-assessment) | Research loop found recently-passed state laws and EDPB audit launch not covered by existing epics. |
| 2026-03-20 | Positioned INeedTrust as "regulatory intelligence" vs competitor "sales enablement" | All competitors (Drata, Vanta, Conveyor) positioning on sales velocity. Regulatory compliance angle is unoccupied whitespace. |
| 2026-03-20 | Decided NOT to pursue cookie/consent management | Separate product category (OneTrust, Cookiebot territory). Stay focused on trust center core. |
| 2026-03-20 | EU AI Act high-risk deadline may shift to Dec 2027 (Council Omnibus) | Monitor trilogue (Apr/May 2026). Keep marketing urgency on Article 50 transparency (still Aug 2, 2026) but add caveat for high-risk systems. |
| 2026-03-20 | White House federal AI preemption is real risk to state-by-state positioning | Don't over-invest in state-specific features. Build compliance timeline to handle preemption scenarios. Federal law could simplify or complicate requirements. |
| 2026-03-20 | Refined competitive positioning: "AI governance for your prospects" vs. Vanta/OneTrust "AI governance for your compliance team" | Vanta Agents (Mar 19) and OneTrust AI governance expansion (Mar 10) are internal compliance tools. INeedTrust publishes AI governance externally for evaluators. Different buyer, different value prop. |
| 2026-03-20 | Gartner validates AI governance market ($492M 2026, $1B 2030) | Use in investor deck and positioning materials. Traditional GRC tools "not equipped" for AI risks — validates Epic 14 investment. |
| 2026-03-20 | OneTrust raised min ACV to $10K — SMB displacement opportunity | Customers below $10K being migrated out. Direct opportunity for INeedTrust's $150/mo positioning. |
| 2026-03-20 | EU CSA2 introduces "cyber-posture certificate" concept | New entity-level certification type. Monitor trilogue (early 2027). May need new compliance artifact support in Epic 15. |
| 2026-03-20 | Oklahoma becomes 21st state with comprehensive privacy law | SB 546 sent to Governor Mar 17. Virginia-model. Add to template library. |
| 2026-04-06 | EU Digital Omnibus confirmed: high-risk AI deadline pushed to Dec 2, 2027 | Both Council (Mar 13) and Parliament IMCO/LIBE (Mar 18) adopted positions. Trilogue underway. Article 50 transparency still Aug 2, 2026. |
| 2026-04-06 | Connecticut SB 5 signed into law (Feb 4, 2026) | Comprehensive AI law: chatbots, employment AI, synthetic content, whistleblower protections, AI regulatory sandbox. Covered by Stories 14.4, 14.8, 14.11, 14.12. |
| 2026-04-06 | Oklahoma SB 546 signed by Governor (Mar 20, 2026) | 20th state with comprehensive privacy law. Virginia-model. OB-14 template needed. |
| 2026-04-06 | Commerce Dept published state AI law review (Mar 11) | Identifies "burdensome" state AI laws. DOJ AI Litigation Task Force can challenge in federal court. Federal preemption risk is real. |
| 2026-04-06 | Italy OpenAI EUR 15M fine overturned (Mar 18) | Court of Rome annulled Garante's ChatGPT GDPR fine. Enforcement landscape shifting. |
| 2026-04-06 | Epic 14 expanded: 5 new stories (14.9-14.13), 5 new FRs (FR119-FR123) | Added AI risk assessments, AI vendor registry, ADM disclosure, agentic AI disclosure, AI governance reference data seeder. Resolves OB-05. Driven by market research showing Credo AI, OneTrust, Holistic AI feature sets and regulatory gaps. |
| 2026-04-06 | AI governance platform adoption surged from 14% to ~50% (ModelOp 2026 Benchmark) | Validates urgency of Epic 14. Commercial platform adoption accelerating rapidly. |
| 2026-04-06 | Parseable AI framework sources identified | NIST AI RMF (JSON/CSV on GitHub), MITRE ATLAS (STIX JSON on GitHub), SCF AAT controls (existing pipeline), EU AI Act annexes (EUR-Lex XML), Hugging Face Model Card (JSON Schema), CycloneDX MLBOM (JSON Schema). Story 14.13 covers ingestion. |
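
As an added example (not INeedTrust's own seeder code), the kind of ingestion Story 14.13 describes for the MITRE ATLAS STIX JSON source: normalize a STIX 2.1 bundle into reference-data records while dropping revoked or deprecated objects. The bundle below is constructed, and the `source_name` value "mitre-atlas" is an assumption based on the ATT&CK-family STIX convention.

```python
# Added example (not INeedTrust project code): Story 14.13-style ingestion of a
# MITRE ATLAS STIX 2.1 bundle into seeder records. Assumes ATLAS objects carry
# an external reference with source_name "mitre-atlas" (ATT&CK-family convention).
import json

# Constructed sample bundle, not real ATLAS data: one live technique and one
# revoked technique that must not be seeded into the reference data.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "attack-pattern",
         "id": "attack-pattern--00000000-0000-4000-8000-0000000000a1",
         "name": "Constructed Technique A", "description": "Constructed text.",
         "external_references": [{"source_name": "mitre-atlas",
                                  "external_id": "AML.T9999"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-atlas",
                                "phase_name": "reconnaissance"}]},
        {"type": "attack-pattern",
         "id": "attack-pattern--00000000-0000-4000-8000-0000000000a2",
         "name": "Constructed Technique B", "revoked": True,
         "external_references": [{"source_name": "mitre-atlas",
                                  "external_id": "AML.T9998"}]},
    ],
})


def atlas_techniques(bundle_json, source_name="mitre-atlas"):
    """Return normalized technique records; skips non-techniques, revoked or
    deprecated objects, and attack-patterns without an ID from source_name."""
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    records = []
    for obj in bundle.get("objects", []):
        if (obj.get("type") != "attack-pattern" or obj.get("revoked")
                or obj.get("x_mitre_deprecated")):
            continue
        ext = next((r for r in obj.get("external_references", [])
                    if r.get("source_name") == source_name
                    and r.get("external_id")), None)
        if ext is None:  # unrelated attack-pattern in a mixed bundle
            continue
        records.append({
            "external_id": ext["external_id"], "name": obj["name"],
            "description": obj.get("description", ""), "stix_id": obj["id"],
            "tactics": sorted(p["phase_name"]
                              for p in obj.get("kill_chain_phases", [])
                              if p.get("kill_chain_name") == source_name),
        })
    return records
```

The same shape (external ID, name, description, phase/tactic list) is what a seeder would persist for the other JSON-based sources listed above, with a per-source extractor replacing the STIX-specific field walk.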

---

## Run 5 Watchlist (Next Loop)

- **EU Digital Omnibus trilogue progress** — plenary vote expected late April/May 2026; confirms high-risk deadline shift
- **EU AI Act Code of Practice final** — expected June 2026; impacts Story 14.7 C2PA guidance
- **Georgia AI bills** — SB 540 (chatbot), SB 444 (insurance AI), SR 789 (AI study) on Governor's desk
- **Oklahoma SB 1521** — chatbot regulation with age verification (passed Senate 43-0)
- **Alabama SB 63** — AI in healthcare coverage; session ends Apr 16
- **SEC AI disclosure** — Investor Advisory Committee recommendation still pending; SEC 2026 exam priorities include AI
- **NIST Cyber AI Profile (NISTIR 8596)** — initial public draft expected 2026
- **Singapore Agentic AI Framework updates** — implementation guidance expected
- **Federal preemption developments** — FCC AI reporting standard proceeding; DOJ challenges to state laws
- **Credo AI / Holistic AI product updates** — competitive feature tracking

---

## Research Loop Schedule

- **Frequency:** Every 30 minutes (job `7536b02b`)
- **Scope:** Regulations, competitor moves, enforcement actions, state bills
- **Output:** Updates to this document
- **Auto-expires:** 3 days from 2026-03-20
- **Last run:** 2026-04-06 (Run 4 — manual deep research: AI governance market landscape, legislation updates, parseable frameworks)
