regulatory updates · refreshed quarterly

What changed, and what it means for your screening programme

A reverse-chronological log of regulatory changes affecting background verification, data protection, and vendor-management compliance across the corridors we operate in. Every entry has a primary-source link and a "what this means for you" interpretation.

About this feed. Updates are sourced from official regulators, government gazettes, or first-party publications by recognised law firms. Where a deadline or requirement may shift, we say so explicitly. Refreshed quarterly; significant items added inline as they happen. If a change affects an active programme commitment, we will also notify clients directly through their account contact.
Regulatory timeline 2024-2027
Hover any milestone for detail. The gold fill reflects time elapsed; pulsing dots are upcoming deadlines.
Aug '24
EU AI Act enters into force
Aug '24
ANPD Resolution 19: Brazilian SCCs adopted (with grace period)
Jan '25
India DPDP draft Rules issued for consultation
Feb '25
EU AI Act prohibitions + AI literacy obligations apply
Aug '25
Brazil SCCs grace period ends; international transfers must use approved mechanism
Nov '25
India DPDP Rules notified; Data Protection Board live
Aug '26
EU AI Act high-risk obligations become enforceable; recruitment AI in scope
Nov '26
India DPDP consent manager provisions effective
May '27
India DPDP: all substantive obligations effective: notice, breach reporting, data principal rights, transfers
2024 H2 2025 H1 2025 H2 2026 H1 2026 H2 2027 H1
Days until next compliance deadline
Live countdown to enforceable dates. Recalculated on page load.
EU / UK
EU AI Act high-risk system obligations enforceable
-
days remaining
Deadline: 2 August 2026
India
DPDP Act consent-manager provisions effective
-
days remaining
Deadline: 13 November 2026
India
DPDP Act all substantive obligations effective
-
days remaining
Deadline: 13 May 2027
Jurisdiction
13 Nov 2025
India High impact

India notifies the DPDP Rules, 2025: phased implementation begins

The Ministry of Electronics and Information Technology (MeitY) notified the Digital Personal Data Protection Rules, 2025 in the Official Gazette on 13-14 November 2025, alongside notifying the substantive provisions of the DPDP Act, 2023 itself. The Data Protection Board of India was established with four members and is operational immediately.

Implementation is phased: provisions establishing the Data Protection Board took effect immediately. Consent-manager provisions take effect 13 November 2026. All other substantive compliance obligations: including consent notices, breach reporting, data principal rights workflows, cross-border transfer mechanisms, and compliance for "Significant Data Fiduciaries": take effect 13 May 2027.

What this means for your screening programme Programmes processing Indian candidate data have a defined runway: about 18 months: to operationalise consent capture, data principal rights handling (access, correction, erasure, grievance), retention rules, and breach response. Vendors should already be aligning their DPAs to the DPDP-Rules framework. The Rules also formalise breach notification expectations to the Data Protection Board, so your incident response playbook needs an India-specific path.
2 Aug 2026 (deadline)
EU / UK High impact

EU AI Act high-risk system obligations become enforceable

The EU Artificial Intelligence Act (Regulation (EU) 2024/1689) was published in the Official Journal on 12 July 2024 and entered into force on 1 August 2024. Application is staged: prohibited AI practices and AI literacy obligations have applied since 2 February 2025; most provisions for "high-risk" AI systems become enforceable on 2 August 2026.

Under Annex III of the Act, AI systems used for recruitment, selection, decisions affecting work-related contractual relationships, performance evaluation, or task allocation are classified as high-risk. This includes CV screening tools, automated candidate ranking, and certain BGV automation. High-risk systems require risk-management systems, data-governance, technical documentation, transparency, human oversight, accuracy and robustness, and registration in the EU database.

The Commission has separately consulted on an "AI Act Digital Omnibus" package that could defer some application dates by up to 16 months conditional on availability of harmonised standards: but this remains a proposal and the underlying deadlines stand until amended.

What this means for your screening programme If a BGV vendor uses AI/ML for any decision-influencing function: automated candidate scoring, risk-classification, automated red-flag detection that surfaces directly to clients without human review: you should ask explicitly whether they fall under Annex III and what their compliance posture is. This is a TPRM line item now, not a future concern. Our position: human QA review of every report is intentionally non-automated: see compliance brief FAQ #9.
15 Aug 2025 (effective)
Brazil Medium impact

End of grace period for Brazilian Standard Contractual Clauses

The ANPD (Brazilian Data Protection Authority) approved Standard Contractual Clauses for international transfers of personal data through Resolution CD/ANPD No. 19, of 23 August 2024, with a one-year grace period. The grace period ended in August 2025: international transfers from Brazil now require either a recognised mechanism (SCCs, BCRs, adequacy, specific consent) or fall under one of the exceptions in LGPD Article 33.

What this means for your screening programme BGV vendors transferring Brazilian candidate data outside Brazil: for processing, hosting, or sub-processor use: need ANPD-approved SCCs in place. If your DPA was signed before August 2024 without an SCC mechanism, request a refreshed addendum. We use the ANPD-approved SCCs by default for all Brazil candidate data transfers.
2025: ongoing
Brazil Medium impact

ANPD enforcement intensifies: total fines reach R$98M (US$20M)

The Brazilian DPA has transitioned from a "moderately active" to a "very active" enforcer, with cumulative LGPD fines reported at approximately R$98 million between 2023 and 2025 across multiple sectors including healthcare, finance, and AI-driven tech. The ANPD's 2025-2026 Regulatory Agenda prioritises data subject rights, DPIAs, biometric data, AI processing, and high-risk processing.

Maximum penalty under LGPD Article 52 remains 2% of the Brazilian economic group's net turnover, capped at R$50 million per violation.

What this means for your screening programme ANPD enforcement risk in Brazil is no longer notional. Vendor due diligence should include current ANPD investigation history (publicly searchable). For programmes that include biometric verification or AI-assisted screening on Brazilian candidates, expect more granular questions from your TPRM team: and ensure your vendor can produce a DPIA on request.
2 Feb 2025 (effective)
EU / UK Medium impact

EU AI Act: prohibited practices and AI literacy obligations live

The first wave of EU AI Act provisions became enforceable on 2 February 2025: outright prohibitions on certain AI practices (manipulative systems, exploitation of vulnerabilities, social scoring, certain biometric categorisation), and the obligation on providers and deployers to ensure adequate AI literacy among staff dealing with the AI systems they operate.

What this means for your screening programme AI literacy obligations apply to vendors operating in the EU: staff handling AI-assisted screening tools must be trained. None of the prohibited AI practices applies to standard BGV, but if your vendor's product roadmap includes social-scoring-style aggregations or biometric categorisation beyond identity matching, that's a pre-procurement question worth asking.
3 Jan 2025 (consultation)
India Medium impact

Draft DPDP Rules issued for public consultation

MeitY released the draft Digital Personal Data Protection Rules, 2025 for public consultation on 3 January 2025, with a comment window through 18 February 2025. Substantive content (notice, consent, breach reporting, data principal rights, transfer mechanisms, Significant Data Fiduciary obligations) was carried into the final Rules notified in November 2025 with limited material change. Documented here for archival completeness: see the November 2025 entry above for the operative text.

1 Aug 2024 (in force)
EU / UK Medium impact

EU AI Act enters into force: clock starts on staged application

Regulation (EU) 2024/1689 entered into force on 1 August 2024, twenty days after publication in the Official Journal. The full provisions of the Act apply from 2 August 2026, with prohibitions and AI literacy applying earlier (Feb 2025), governance and general-purpose AI rules from August 2025, and certain provisions for products covered by EU sectoral law from August 2027.

What this means for your screening programme The starting gun for EU AI Act compliance has fired. Procurement and TPRM should add "AI Act readiness" to vendor scorecards now, even though enforcement of the high-risk obligations is some way out. Vendors that say "we'll address AI Act when it applies" are signalling that they will be late.
23 Aug 2024 (resolution)
Brazil Medium impact

ANPD approves Standard Contractual Clauses for international transfers

ANPD Resolution CD/ANPD No. 19, of 23 August 2024 introduced Brazilian SCCs as an authorised mechanism for international transfers of personal data under LGPD Article 33. The Resolution included a 12-month grace period for organisations to align existing contracts. The grace period ended August 2025 (see entry above).

2024: ongoing
India Low impact

NAD coverage expanding: more universities issuing degrees digitally

The National Academic Depository operated by NSDL Database Management Limited continues to expand institutional coverage. Where universities have onboarded NAD, education verification turnaround drops from 5-10 days (registrar email) to near-instant (digital lookup) for participating institutions and digitised cohorts.

What this means for your screening programme For Indian education verification, NAD coverage for the candidate's specific institution and graduation year is the single most important determinant of TAT. Vendors should be querying NAD first by default for Indian degrees and only falling back to registrar verification when NAD is silent.
Continuous
Global Medium impact

OFAC and EU consolidated sanctions list updates accelerate

OFAC SDN list, EU consolidated financial sanctions list, and UK OFSI sanctions list have all seen elevated update frequency through 2024 and 2025 driven by ongoing geopolitical events. Sanctions screening as part of BGV for finance, executive, and regulated-industry hires must therefore be performed against current lists at the point of decision, not against a cached snapshot.

What this means for your screening programme If your sanctions screening process re-checks candidates only at hiring, you have a stale-data risk for candidates in long pipelines. Vendors should refresh sanctions screening at the point of report finalisation: not at intake. Ours does.