The European Union is advancing its digital identity ambitions through the revised eIDAS Regulation (eIDAS 2.0), formally known as the European Digital Identity Framework. Regulation (EU) 2024/1183 entered into force in May 2024 and mandates that all 27 EU Member States make at least one EU Digital Identity Wallet (EUDI Wallet) available to citizens, residents, and businesses by the end of 2026.
This wallet serves as a secure, user-controlled mobile application for storing and sharing identity credentials, official documents (e.g., driver’s licenses, diplomas), and electronic attestations, enabling seamless cross-border authentication and transactions while prioritizing privacy and data minimization.
Key Features and Timeline
•  Mandatory Availability: By December 2026, every Member State must offer a certified EUDI Wallet built to common technical specifications for interoperability.
•  Acceptance Obligations: From late 2027, certain private-sector entities (e.g., banks, large online platforms) must accept EUDI Wallets for strong customer authentication.
•  Core Principles: User consent, selective disclosure of attributes, and high security standards to reduce fraud and enhance trust in digital services.
Implications for the UK Post-Brexit
As a non-EU country, the UK is not required to implement the EUDI Wallet. However, British citizens and businesses engaging with the EU will encounter new realities:
•  EU services may increasingly require or prefer EUDI-compliant identification for cross-border activities such as travel, banking, employment verification, or accessing public services.
•  UK organizations targeting EU markets should prepare for potential integration needs, particularly in regulated sectors.
•  The UK is developing its own national digital ID scheme, announced in 2025 and under consultation in 2026, aimed at improving access to public services and right-to-work checks. While voluntary in design, it reflects a parallel push toward digital identity but lacks the EU’s harmonized cross-border framework.
This divergence highlights ongoing post-Brexit challenges in digital trust and interoperability between the UK and EU. Businesses operating across both jurisdictions should assess alignment opportunities and monitor developments in data adequacy and mutual recognition agreements.
Organizations should begin gap analyses and pilot integrations in anticipation of the 2026–2027 milestones. 

Connecticut has taken a proactive yet measured approach to regulating artificial intelligence through amendments to its comprehensive consumer privacy framework and new targeted AI legislation. The state’s flagship law, the Connecticut Data Privacy Act (CTDPA), was significantly amended in 2025, with key provisions taking effect on July 1, 2026. These changes expand applicability thresholds, broaden sensitive data definitions, and introduce specific AI-related disclosures.
In May 2026, the legislature passed Senate Bill 5 (the Connecticut Artificial Intelligence Responsibility and Transparency Act), a comprehensive measure addressing AI in employment, synthetic content, chatbots, and frontier models. Governor Ned Lamont is expected to sign it, with most provisions effective October 1, 2026.
Key Features of Connecticut’s Framework
•  Privacy Law Enhancements (CTDPA): Controllers must disclose in privacy notices whether they collect, use, or sell personal data to train large language models (LLMs). The law also strengthens consumer rights regarding profiling and automated decisions with legal or significant effects, including expanded opt-out rights and impact assessments for certain processing.
•  AI-Specific Obligations (SB 5): Focuses on Automated Employment Decision Technology (AEDT) with notice, disclosure, and adverse action explanation requirements. It includes protections against discriminatory use, requirements for synthetic digital content labeling, safeguards for AI chatbots (especially for minors), and whistleblower protections for frontier model developers.
•  Enforcement and Balance: Primarily enforced by the Attorney General, with cure periods available. The approach leverages existing privacy and consumer protection laws while adding targeted transparency measures, reflecting challenges like algorithmic bias, data privacy in training, and risks to vulnerable users.
Connecticut’s strategy aims to protect consumers—particularly in employment and for minors—while fostering responsible AI innovation. Businesses should review their data practices, update privacy notices by mid-2026, and prepare for AEDT compliance obligations.
Businesses operating in or targeting Connecticut residents are encouraged to monitor Attorney General guidance and begin compliance planning. 

In 2024, Colorado became the first U.S. state to enact comprehensive legislation regulating artificial intelligence with the passage of Senate Bill 24-205, known as the Colorado AI Act (or Consumer Protections for Artificial Intelligence). The law initially focused on “high-risk” AI systems used in consequential decisions—such as employment, housing, credit, education, and healthcare—aiming to prevent algorithmic discrimination through duties of reasonable care, impact assessments, risk management, and consumer disclosures.
However, the law faced significant industry pushback regarding its compliance burden. This led to multiple adjustments: a delay of the effective date to June 30, 2026, followed by a substantial rewrite. On May 14, 2026, Governor Jared Polis signed Senate Bill 26-189, which repeals and replaces much of the original framework with a more targeted, transparency-focused approach centered on Automated Decision-Making Technology (ADMT).
Key Features of the Revised Law
•  Narrower Scope: Shifts emphasis from broad risk management and bias audits to transparency, notice requirements, recordkeeping, and consumer rights (e.g., notice before use, adverse action explanations, and meaningful human review).
•  Effective Date: January 1, 2027, giving businesses additional time to prepare.
•  Business-Friendly Adjustments: Removes several original obligations, such as mandatory governance frameworks and certain reporting requirements, while maintaining protections against unfair automated decisions.
This evolution reflects Colorado’s effort to balance consumer protection with innovation and economic growth. The revised law is expected to be signed and implemented, providing clearer guidelines for organizations deploying AI in the state.
Businesses operating in Colorado should monitor Attorney General rulemaking and begin assessing their ADMT usage in preparation for 2027 compliance.
Stay tuned for updates as regulations develop.