U.S. Shifts AI Regulatory Approach: New Executive Order on AI Safety and Cybersecurity Signed
- What was proposed and what changed?
- Key Provisions
- Business Implications
- Contact a lawyer for further information
On June 2, 2026, President Donald Trump signed the Executive Order “Promoting Advanced Artificial Intelligence Innovation and Security.” The document resolves the regulatory uncertainty that arose following the withdrawal of the previous draft on May 21, 2026, but takes a fundamentally different approach: rather than establishing a prior government review mechanism, the Order introduces a voluntary industry engagement framework and shifts the regulatory focus to cybersecurity.
What was proposed and what changed?
The draft withdrawn in May had required mandatory submission of frontier models to federal agencies for up to 90 days prior to public release, with the Department of Commerce as the coordinating authority. Industry objected: established technical expertise in cybersecurity is concentrated in CISA and NIST, not the Department of Commerce. Furthermore, the 90-day submission window would have precluded parallel testing by allied governments, and the mechanism duplicated voluntary testing already conducted through the Department of Commerce's AI Safety Institute.
The signed Order takes the opposite position. It expressly provides that none of its provisions may serve as a basis for imposing mandatory licensing, prior approval, or permitting requirements on the development, publication, or distribution of AI models, including frontier models.
Key Provisions
- Cybersecurity as a Regulatory Priority. Within 30 days of signing, the Department of Defense, Department of Homeland Security, and several other agencies are required to implement cybersecurity measures for their information systems. CISA is directed to expand access to AI tools for federal agencies, state and local authorities, and critical infrastructure operators, including regional hospitals, banks, and utilities.
- Voluntary frontier model assessment framework. Within 60 days, the Department of Commerce, NSA, and CISA must develop:
- a classified benchmarking process to assess AI model capabilities and establish the threshold at which a model qualifies as a covered frontier model;
- and a voluntary engagement framework under which companies may, at their own initiative, approach the government for model evaluation and, if they choose, provide federal entities access to the model for up to 30 days before its release to trusted partners. Participation is voluntary; the Order expressly prohibits using this mechanism as a basis for mandatory permitting procedures.
- Enforcement. The Attorney General is directed to increase criminal prosecution of individuals who use AI for unauthorized access to computer systems, data destruction, and other unlawful activity.
Business Implications
The absence of a mandatory pre-release disclosure mechanism means developers and distributors of frontier models operate without a federal authorization requirement. That said, voluntary participation in the assessment framework may carry practical value for companies operating under federal contracts or serving critical infrastructure operators, as early engagement with the regulator supports relationship-building in those sectors.
The expansion of CISA's mandate creates both new opportunities and heightened cybersecurity expectations for AI tool vendors in the critical infrastructure segment.
The heightened enforcement focus on AI misuse shifts liability considerations from the reputational to the criminal plane. This is material for any organization involved in the development, distribution, or integration of AI systems.
The European Dimension Remains Unchanged. The EU AI Act continues to apply. Under the political agreement of May 7, 2026, the full set of obligations for autonomous high-risk AI systems enters into force on December 2, 2027; for systems embedded in regulated products, the deadline is extended to August 2, 2028. Transparency obligations, including labeling of AI-generated content, apply from December 2, 2026. The Regulation's extraterritorial scope follows the logic of the GDPR: compliance is mandatory for any organization whose AI systems are used within the EU or produce outputs affecting EU residents, regardless of the jurisdiction of incorporation.
For international businesses, the continuing divergence between the U.S. and European approaches means that compliance architecture must be designed to accommodate both regimes simultaneously, without the ability to rely on a single federal standard on the U.S. side.
How REVERA Can Help
The REVERA team advises companies on the development, deployment, and commercialization of AI solutions, including:
- AI compliance and preparation for EU AI Act requirements
- Contractual structuring of AI projects
- Regulatory risk assessment
- Development of internal AI governance policies
- Dispute resolution in matters involving AI systems
If your company is assessing the impact of the new U.S. Executive Order or EU AI Act requirements on your products, business processes, or contractual documentation, REVERA's specialists are available to assist.
Author: Hleb Shumilau, Stanislav Tarmola.
Contact a lawyer for further information
Contact a lawyer
