Category: Policy & Funding News

Reporting and briefings on external policy, regulatory, and funder developments affecting the research community worldwide.

  • NYC Local Law 144: Bias Audits for Hiring AI Tools

    New York City’s Local Law 144 of 2021 requires employers and employment agencies that use certain hiring algorithms to commission an annual bias audit. Enforcement began on 5 July 2023, making it one of the earliest US measures to place concrete, testable obligations on AI used in employment. This article explains what the law covers and what the audit involves. It is informational and not legal advice.

    What the law covers

    Local Law 144 applies to automated employment decision tools (AEDTs) — broadly, computational tools that substantially assist or replace discretionary decision-making in hiring or promotion. Where an AEDT is used to screen candidates or employees for a position in New York City, the law imposes audit, notice and publication duties. The official guidance is published by the city’s Department of Consumer and Worker Protection (DCWP).

    What the bias audit requires

    At the centre of the law is the audit itself. Key features, as described in the city’s rules, include:

    • The audit must be independent and impartial, conducted by an auditor that is not involved in using or developing the tool.
    • It must be carried out no more than one year before the tool is used.
    • It tests the AEDT for disparate impact — assessing how selection or scoring outcomes differ across categories such as sex, and race or ethnicity, and intersections of those categories.
    • It typically reports metrics such as selection rates and impact ratios across groups, drawing on the tool’s historical data or test data.

    The audit is descriptive: it surfaces and quantifies differences in outcomes rather than certifying a tool as fair or unfair. The result is a defined set of figures that must then be disclosed.

    Notice and publication duties

    Beyond the audit, the law imposes transparency obligations:

    • Employers must publish a summary of the most recent bias-audit results, and the tool’s distribution date, in a clear and conspicuous place on their website.
    • Candidates and employees who live in New York City must be notified at least ten business days before an AEDT is used, including notice of the job qualifications and characteristics the tool will assess.

    These notice duties connect Local Law 144 to broader debates about disclosing the use of automated systems, a theme we track under generative-AI disclosure even though AEDTs are not necessarily generative.

    Enforcement and penalties

    The law is enforced by the DCWP. Reported penalty structures include a civil penalty for a first violation and escalating penalties for subsequent violations, with each day of non-compliant use potentially treated as a separate violation. The enforcement posture has been the subject of public scrutiny, including review of how actively the requirements are being enforced.

    How it fits the wider landscape

    Local Law 144 is narrow by design: it targets a specific use of AI — employment screening in a single city — rather than AI broadly. That makes it a useful contrast with comprehensive frameworks. Where the EU AI Act classifies employment AI as high-risk within a sweeping regime, Local Law 144 takes a single, audit-and-disclose mechanism and applies it precisely. Organisations operationalising bias testing often reference voluntary tools such as the NIST AI RMF and management standards like ISO/IEC 42001 to structure the surrounding governance, although neither defines the city’s specific audit requirements.

    What “independent” and “impartial” mean here

    The independence requirement is central to the law’s credibility, and the city’s rules address what disqualifies an auditor. Broadly, an auditor should not have been involved in using, developing or distributing the tool, and should not have a financial interest that would compromise objectivity. The practical effect is that the bias audit cannot simply be a vendor’s self-assessment; it must be carried out by a party with sufficient distance from the tool. This independence is part of what distinguishes a Local Law 144 audit from internal fairness testing that organisations may already perform.

    The role of test data and small samples

    An operational challenge the rules confront is what to do when an employer lacks sufficient historical data about a particular tool’s outcomes. The rules permit the use of test data in defined circumstances, and they address how to handle categories with too few data points to produce a meaningful figure. These provisions matter because the headline metrics — selection rates and impact ratios across groups — depend on having enough data to compute them reliably. The framework therefore acknowledges that an audit’s quality is bounded by the data available, a recurring theme in algorithmic-fairness measurement.
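The selection rates and impact ratios described above, together with the small-sample problem this section raises, worked through as an added example in Python (not code from the DCWP, the city's rules or any auditor). The candidate records are constructed sample data and the minimum-count threshold is an assumed analyst parameter, not a figure from the rules.

```python
"""Selection rates and impact ratios of the kind a Local Law 144 bias audit
reports, with an explicit rule for categories that have too few records.

This is an added illustration, not code from the DCWP, the city's rules or
any auditor. SAMPLE_RECORDS is constructed data; MIN_COUNT is an assumed
analyst parameter, not a threshold taken from the rules.
"""
from collections import defaultdict

MIN_COUNT = 5  # assumed minimum records per category before a rate is reported


def _make(sex, race, selected, rejected):
    """Build constructed screening outcomes for one sex/race combination."""
    yes = [{"sex": sex, "race": race, "selected": True} for _ in range(selected)]
    no = [{"sex": sex, "race": race, "selected": False} for _ in range(rejected)]
    return yes + no


# Constructed sample: one record per candidate the tool screened.
SAMPLE_RECORDS = (
    _make("female", "white", 6, 4)
    + _make("female", "black", 4, 6)
    + _make("female", "asian", 1, 0)   # deliberately tiny group
    + _make("male", "white", 8, 2)
    + _make("male", "black", 5, 5)
    + _make("male", "asian", 0, 1)     # deliberately tiny group
)


def selection_rates(records, keys, min_count=MIN_COUNT):
    """Map each category (a tuple of values for `keys`) to (selected, total, rate).

    keys=("sex",) gives a single-attribute breakdown; keys=("sex", "race")
    gives the intersectional one. A category with fewer than min_count
    records is still counted, but its rate is None so that it is reported
    without being used to compute ratios.
    """
    counts = defaultdict(lambda: [0, 0])  # category -> [selected, total]
    for rec in records:
        cat = tuple(rec[k] for k in keys)
        counts[cat][1] += 1
        counts[cat][0] += int(bool(rec["selected"]))
    return {
        cat: (sel, tot, sel / tot if tot >= min_count else None)
        for cat, (sel, tot) in counts.items()
    }


def impact_ratios(rates):
    """Impact ratio = a category's selection rate / the highest reported rate.

    Categories whose rate is None are left out of the denominator search and
    get None themselves; if every reported rate is 0 the ratio is undefined.
    """
    reported = [r for (_, _, r) in rates.values() if r is not None]
    top = max(reported) if reported else 0.0
    return {
        cat: (r / top if r is not None and top > 0 else None)
        for cat, (_, _, r) in rates.items()
    }


def audit_table(records, keys, min_count=MIN_COUNT):
    """Rows of (category, total, selected, rate, impact_ratio), largest group first."""
    rates = selection_rates(records, keys, min_count)
    ratios = impact_ratios(rates)
    rows = [(cat, tot, sel, rate, ratios[cat]) for cat, (sel, tot, rate) in rates.items()]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


def _fmt(value):
    """Render a rate or ratio, marking categories that were too small to report."""
    return "n/a (too few)" if value is None else f"{value:.3f}"


if __name__ == "__main__":
    for keys in (("sex",), ("race",), ("sex", "race")):
        print("breakdown by", "/".join(keys))
        for cat, tot, sel, rate, ratio in audit_table(SAMPLE_RECORDS, keys):
            print(f"  {'/'.join(cat):<14} n={tot:<3} selected={sel:<3} "
                  f"rate={_fmt(rate)} impact_ratio={_fmt(ratio)}")
```

Run with a lower `min_count` to see how the tiny groups would otherwise distort the ratios: the single selected female/asian record would become the top selection rate and every other category would be measured against it.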

    Why it matters

    As one of the first laws to require a concrete, recurring, publicly disclosed algorithmic audit, Local Law 144 became a reference point in discussions about how to make AI accountability measurable. Its emphasis on independent testing, quantified disparate-impact metrics and candidate notice illustrates a disclosure-and-audit model distinct from outright prohibition. It also prompted debate about the limits of the model: critics asked whether disclosure of impact ratios alone changes employer behaviour, while supporters pointed to the value of forcing measurement and transparency where previously there was none. Readers new to terms such as disparate impact, impact ratio or selection rate may find plain-language explanations in our dictionary.

    In summary

    NYC Local Law 144 requires annual independent bias audits of automated employment decision tools, public disclosure of summary results, and advance notice to candidates. It is a targeted, audit-based approach to AI accountability in hiring. This article describes the requirements as published by the city; it is not legal advice, and employers should consult qualified advisers and the official DCWP guidance.

  • Texas TRAIGA and the US State AI-Law Patchwork

    The Texas Responsible Artificial Intelligence Governance Act (TRAIGA), enacted as House Bill 149, took effect on 1 January 2026. It is one of the more comprehensive entries in a rapidly expanding patchwork of US state AI laws, in which different states regulate different aspects of AI in different ways. This article explains TRAIGA’s main features and how state approaches diverge. It is informational and not legal advice.

    What TRAIGA does

    TRAIGA establishes a framework governing the development and deployment of AI systems in Texas. Reported features include:

    • A broad definition of AI systems, covering machine-based systems that infer from inputs how to generate outputs such as content, decisions, predictions or recommendations — not only generative AI.
    • Prohibited uses, including AI developed or deployed for unlawful behavioural manipulation, certain forms of unlawful discrimination, and specified harmful content.
    • Obligations on government entities, such as disclosure to consumers that they are interacting with an AI system, and restrictions on social-scoring and certain biometric uses.
    • A duty for healthcare providers to disclose to patients where AI is used in their care.
    • A regulatory sandbox for testing AI systems and an AI advisory council to inform policy.

    Enforcement is reserved to the Texas Attorney General, with civil penalties and a cure period before action, and the law does not create a private right of action. The statute and analyses are summarised in published legal commentary; the bill itself is available through the Texas Legislature.

    Scope and reach

    TRAIGA is reported to apply broadly: to those conducting business in Texas, offering products or services to Texas residents, or developing or deploying AI systems in the state. That framing can pull in out-of-state organisations whose systems reach Texas residents, a common feature of state-level technology laws. As enacted, the law was described as a pared-back version of earlier, more expansive drafts, with some of the broadest proposed duties narrowed before passage. This trajectory — an ambitious initial proposal trimmed during the legislative process — is itself characteristic of how several state AI bills have moved from introduction to law.

    The patchwork problem

    TRAIGA’s significance is amplified by its context. In the absence of a single comprehensive federal AI statute, US states have moved at different speeds and along different conceptual lines. The result is a patchwork in which the same AI system can face materially different rules depending on where it is used. Broad themes include:

    • Comprehensive risk frameworks. The Colorado AI Act (SB24-205) pioneered a developer-and-deployer model centred on algorithmic discrimination in consequential decisions, though its effective date was repeatedly deferred.
    • Targeted use-case rules. NYC Local Law 144 regulates a single use — automated employment decision tools — through mandatory bias audits and disclosure.
    • Transparency and disclosure laws. Several states have enacted measures focused on disclosing AI-generated content, chatbots or deepfakes, themes we follow under generative-AI disclosure.
    • Broad governance statutes. TRAIGA itself blends prohibited-use rules, government-specific duties, sectoral disclosure and a sandbox.

    For a structured comparison of these regimes, see our overview of US AI laws by state.

    What differs state to state

    The divergence runs along several axes. States differ on who is regulated (developers, deployers, government, specific sectors), on what triggers obligations (consequential decisions, employment screening, content generation, biometric use), on core mechanisms (impact assessments, bias audits, consumer notices, prohibited-use lists), and on enforcement (attorney-general action versus, in some cases, other routes). Even shared concepts like “high-risk” or “consequential decision” can carry different statutory meanings. This variability is the defining operational challenge of the patchwork.

    The sandbox and advisory council

    Two features distinguish TRAIGA from purely prohibitive approaches. The regulatory sandbox is intended to let participants develop and test AI systems under a relaxed regulatory posture, with the aim of encouraging innovation while gathering information about emerging uses. The AI advisory council is positioned to inform the legislature and state agencies on AI policy, the use of AI within government, and improvements to the sandbox. Together these reflect a model that pairs enforcement with structured experimentation and ongoing policy review — an approach that contrasts with measures focused solely on prohibitions or audits.

    Federal-state tension

    The patchwork exists against a backdrop of debate about whether AI should be governed primarily at the federal or state level. Proposals to limit or pre-empt state AI regulation have surfaced in national policy discussions, and the outcome of that debate would directly affect how durable individual state laws prove to be. For organisations, this adds a layer of uncertainty: the rules in force today reflect a particular moment in an unsettled allocation of authority, and the balance between state initiative and federal coordination remains an open question that could reshape the landscape.

    How organisations respond

    Faced with multiple overlapping regimes, many organisations build a governance baseline using voluntary frameworks and then layer state-specific obligations on top. The NIST AI RMF is frequently used to structure risk management, and ISO/IEC 42001 to provide an auditable management system; international comparisons are also drawn with the EU AI Act. None of these substitutes for a given state’s legal requirements, but they offer common scaffolding across jurisdictions. Readers encountering terms such as deployer, consequential decision or regulatory sandbox may find our dictionary helpful.

    In summary

    TRAIGA, effective 1 January 2026, adds a broad governance statute to a US state AI-law patchwork that already spans comprehensive risk frameworks, targeted use-case rules and transparency measures. The practical consequence is divergence: scope, triggers, mechanisms and enforcement vary by state. This article is a neutral overview, not legal advice; organisations should consult qualified counsel and the relevant statutes for their own circumstances.

  • NIH Public Access Policy 2025: No-Embargo Free Access

    The US National Institutes of Health updated its Public Access Policy so that peer-reviewed manuscripts arising from NIH-supported research are made freely available in PubMed Central (PMC) immediately on the official date of publication, with no embargo period. The revised policy took effect in 2025 and replaced a long-standing arrangement under which deposited manuscripts could remain behind an access delay of up to twelve months. This article describes what changed and what it means in practice; it is a neutral explainer and not legal or compliance advice.

    What the policy actually requires

    Under the updated policy, authors of papers that result from NIH funding must ensure that the accepted, peer-reviewed manuscript is deposited in PubMed Central and made publicly accessible without an embargo. The central change is timing: where the earlier 2008-era policy allowed the freely available version to appear up to a year after publication, the version now in force removes that delay so the manuscript is available to readers at the point of publication.

    The requirement attaches to the funding rather than to the journal. A paper that acknowledges NIH support, or that reports work conducted under an NIH award, falls within scope regardless of where it is published. The policy concerns the author-accepted manuscript — the peer-reviewed text after revisions but typically before the publisher’s final typeset formatting — which is what is deposited and surfaced through PMC.

    Why NIH made the change

    The update aligns NIH practice with the wider US federal direction on access to publicly funded research. Federal science-policy guidance has pushed agencies toward making the results of taxpayer-funded research freely and immediately available, and the removal of the optional embargo brings the largest US biomedical funder into line with that direction. For readers tracing the policy lineage, the broader federal context is set out in our explainer on the OSTP Nelson memo.

    NIH has framed the change as advancing public access to the literature it funds and improving the speed at which findings reach clinicians, researchers and the public. The agency administers the deposit workflow through established systems rather than through any new submission portal, so the operational mechanics for authors are largely familiar.

    What changes for authors and administrators

    For investigators, the practical shift is that they can no longer rely on a publisher embargo to delay free availability. Manuscript deposit must be arranged so that the public version appears on publication. Many authors handle this through the journal’s deposit service where one exists, or by submitting the accepted manuscript themselves through the NIH Manuscript Submission system.

    • Scope check: determine whether a paper acknowledges NIH funding — that is the trigger for the policy.
    • Version control: identify the peer-reviewed accepted manuscript, which is the version deposited.
    • Timing: ensure the deposit and public-release settings reflect immediate availability rather than a delayed release.
    • Identifiers: a PMC identifier (PMCID) continues to be used to demonstrate compliance, including in progress reports and future applications.

    Research administrators frequently track compliance because a PMCID is referenced when citing prior NIH-funded work in applications and reports. Removing the embargo does not change that reporting relationship; it changes the moment at which the deposited version becomes publicly readable.

    How it interacts with publishing choices

    The policy does not require authors to publish in any particular journal or to pay an article-processing charge. Depositing the accepted manuscript in PubMed Central is a route to compliance that is independent of whether the journal itself is open access. Authors may still publish in subscription journals provided the accepted manuscript is made freely available through PMC on the publication date. For background on the underlying concept, see our plain-language note on open access in the standards dictionary.

    Because the deposited version is the author-accepted manuscript rather than the publisher’s final formatted article, the freely available copy may differ cosmetically from the version of record. The scholarly content is the peer-reviewed text; pagination, branding and final typesetting may vary.

    Rights and licensing considerations

    A frequent question concerns the rights under which the deposited manuscript is made available. Depositing the accepted manuscript in PubMed Central is a matter of public accessibility — readers can find and read it — and authors continue to navigate publication agreements with their chosen journals. Some authors retain rights to deposit the accepted manuscript through the terms of their publishing agreement, while institutions and funders increasingly encourage authors to secure such rights up front. The policy’s focus is on free public availability through PMC; the precise licensing of any individual deposit depends on the agreement between author and publisher.

    This distinction matters for reuse. Free to read is not always the same as free to reuse under an open licence. Authors who want their work to be reusable under a specific licence typically address that through their publication choices, while the funder requirement guarantees, at minimum, immediate free access for readers via PubMed Central.

    What to watch next

    Implementation detail continues to be clarified through NIH guidance, including how deposit workflows operate for different journal arrangements and how the policy is reflected in award terms. Institutions generally update internal guidance and library support services to reflect the no-embargo expectation. Many libraries offer author support to help investigators identify the correct manuscript version, complete deposits and obtain the PMCID that documents compliance. Readers seeking the authoritative text should consult NIH’s own published policy pages rather than secondary summaries, since operational specifics can be refined over time.

    The headline is straightforward: NIH-funded peer-reviewed papers are now free to read in PubMed Central from the day they are published, without the previous waiting period. For the systems and terminology behind US research funding more broadly, our CRediT contributor-role overview and funding explainers provide neutral, definitional context.

  • The OSTP Nelson Memo Deadline: Free Federal Research

    The 2022 memorandum from the US Office of Science and Technology Policy (OSTP), widely known as the Nelson memo after the then-acting director who signed it, directed federal agencies that fund research to make the resulting peer-reviewed publications and their supporting data freely available to the public without an embargo. Agencies were asked to develop and implement updated public-access plans, with the milestone for full effect set for the end of 2025. This article is a neutral description of the policy and its rollout, not compliance advice.

    What the memo directed

    The Nelson memo built on earlier US public-access policy but extended and tightened it in two notable ways. First, it removed the previously permitted twelve-month embargo, so that publications arising from federal funding should be free to read immediately on publication. Second, it explicitly brought supporting research data into scope, asking agencies to ensure that data underlying published, peer-reviewed findings are made publicly accessible.

    Crucially, the memo also widened applicability. Earlier guidance had focused on the largest funding agencies; the Nelson memo applied across federal agencies that fund research, including smaller agencies that had not previously operated formal public-access programmes. Each agency was asked to publish its own implementation plan within a common framework.

    The end-of-2025 milestone

    The memo set a phased timeline. Agencies were expected to update their public-access policies and then bring them fully into effect no later than 31 December 2025. In practice this meant that, across federal science funders, publications and associated data tied to awards should be subject to immediate free-access expectations by that date.

    The most visible early mover was the National Institutes of Health, whose revised arrangement is described in our companion explainer on the NIH Public Access Policy. NIH’s removal of the embargo is a concrete instance of the broader direction the Nelson memo set for the whole federal research system.

    How agency rollouts took shape

    Because the memo delegated implementation to each agency, the rollout was not a single switch but a set of staggered agency plans sharing common principles. Typical features of agency public-access plans include:

    • Immediate access to the peer-reviewed publication, removing the prior embargo window.
    • Data sharing expectations for the data underlying the published findings, with appropriate handling of sensitive or restricted data.
    • Persistent identifiers and metadata to make outputs findable and to link publications, data and awards.
    • Designated repositories or repository criteria through which compliant deposits are made.

    Identifiers feature heavily in these plans because they make compliance auditable and outputs discoverable. For background, see our notes on persistent identifiers in the standards dictionary, which explain how DOIs and related identifiers support linking across the scholarly record.

    Why data was the harder part

    Making publications free to read is operationally well-understood, building on a decade of deposit infrastructure. Extending public access to data is more complex. Datasets vary enormously in size, format and sensitivity, and not all data can be openly shared — human-subjects data, for example, may carry privacy and consent constraints. Agency plans therefore tend to frame data sharing around the principle of being as open as possible and as closed as necessary, with documented justifications where access must be restricted.

    This is where the policy intersects with established data-stewardship principles. The expectation is generally that shared data are described with sufficient metadata to be reusable, echoing the widely cited FAIR principles (findable, accessible, interoperable, reusable) referenced in our explainer on FAIR data.

    Persistent identifiers and infrastructure

    A practical thread running through agency public-access plans is the use of persistent identifiers and structured metadata. Identifiers such as DOIs for publications and datasets, ORCID iDs for researchers, and award and organisation identifiers make it possible to link an output back to the award that funded it and the person who produced it. This linking is what turns a pile of free documents into a navigable, auditable record of what public funding produced.

    That emphasis aligns the memo with infrastructure the scholarly community already uses. Our explainers on the DOI and the ORCID iD describe two of the building blocks agencies lean on. The broader point is that immediate access is not only about removing a paywall; it is about making outputs findable, attributable and connected.

    What changed for researchers and institutions

    For researchers, the practical consequence is that the funder-driven expectation of free, immediate access now extends across more agencies and reaches data as well as papers. Award terms, data-management planning and deposit workflows reflect those expectations. Data-management and sharing plans became a more prominent part of the application and award lifecycle, prompting researchers to think early about which data will be shared, where, and under what conditions. Institutions commonly updated library guidance, data-repository support and compliance tracking in response, and many expanded research-data services to help investigators meet the data-sharing element rather than only the publication element.

    Equity and the cost question

    One theme the memo raised explicitly is equity in publishing. Removing embargoes increases free access for readers, but the costs of publishing do not disappear — they may shift, for example toward article-processing charges in some open-access models. The memo asked agencies to consider how their public-access approaches affect different communities of researchers, including those with fewer resources, so that the move to open access does not inadvertently disadvantage smaller institutions or early-career researchers who may struggle with publication fees. This is part of why depositing the accepted manuscript in a repository — a route that does not require paying a fee — remains an important compliance pathway alongside open-access journals.

    The practical upshot is that immediate access can be achieved through more than one route, and agencies have generally been careful not to mandate a single business model. The goal is free public access to the output, with flexibility in how that access is delivered.

    The bottom line

    The Nelson memo is best understood as a framework rather than a single rule: it set the destination — immediate, free public access to federally funded publications and their underlying data — and asked each agency to chart its own route there by the end of 2025. Readers seeking authoritative detail should consult each agency’s published public-access plan and OSTP’s own guidance at whitehouse.gov/ostp.

  • OMB 2024 Uniform Guidance: $1M Audit, 15% Indirect

    In 2024 the US Office of Management and Budget (OMB) issued a substantial revision to the Uniform Guidance — the government-wide rules at 2 CFR Part 200 that govern how federal grants and cooperative agreements are administered. Two changes drew particular attention in the research-administration community: the Single Audit threshold rose to $1 million, and the de-minimis indirect-cost rate rose to 15 percent. This article describes the revisions at a high level and is a neutral explainer, not accounting or compliance advice.

    What the Uniform Guidance is

    The Uniform Guidance consolidates federal requirements for cost principles, administrative requirements and audit into a single framework that applies across agencies. It governs questions such as which costs are allowable on an award, how indirect costs are recovered, what records recipients must keep, and when an organisation must undergo an audit of its federal spending. For context on how it fits the wider compliance landscape, see our overview of the Uniform Guidance.

    Because the guidance is government-wide, a change to it ripples across every federal funding agency at once, which is why periodic OMB revisions matter so much to universities, hospitals, non-profits and other recipients.

    The Single Audit threshold rises to $1 million

    The Single Audit — sometimes called a Uniform Guidance audit — is the annual audit that a non-federal entity must obtain when it expends federal awards above a defined threshold in a year. The 2024 revision raised that threshold to $1 million in federal expenditure, up from the previous lower figure. Entities spending below the threshold in a given year are not required to obtain a Single Audit for that year, though they remain subject to records and monitoring expectations.

    The practical effect is that some smaller recipients fall below the audit trigger, while larger research institutions — which routinely expend well above $1 million — continue to require a Single Audit. For the mechanics of the audit itself, see our explainer on the Single Audit.

    The de-minimis indirect rate rises to 15 percent

    Indirect costs (also called facilities and administrative, or F&A, costs) are real costs of supporting research — buildings, utilities, administration — that are not attributable to a single project. Organisations may negotiate an indirect-cost rate with the federal government, but those without a negotiated rate may instead elect a de-minimis rate applied to a defined cost base.

    The 2024 revision raised the de-minimis rate to 15 percent, up from the long-standing 10 percent. This gives recipients that have not negotiated a rate — often smaller organisations and some subrecipients — a higher default recovery of indirect costs without the administrative burden of a rate negotiation.

    • Who benefits: recipients and subrecipients without a current negotiated indirect-cost rate.
    • How it applies: as a flat percentage on a defined modified-total-direct-cost base, per the guidance.
    • What it does not change: organisations with negotiated rates continue to use those negotiated rates.

    Other themes in the 2024 revision

    Beyond the two headline numbers, the OMB revision aimed broadly at reducing administrative burden and improving clarity. Reported themes include plainer drafting, raised thresholds in several places to reduce low-value paperwork, and adjustments intended to make the rules easier to apply consistently. The detailed text governs in any specific case, and recipients generally read the revised 2 CFR Part 200 alongside their agency’s implementing guidance.

    Effective dates and applicability

    A practical question for any regulatory revision is when it applies. OMB’s revised guidance carried an effective date in 2024, and agencies implement the government-wide text through their own award terms. In general, the terms and conditions attached to a given federal award determine which version of the rules governs that award, so recipients commonly check the version referenced in their specific agreements rather than assuming the newest text applies retroactively to everything. New awards and new audit periods are the typical points at which the revised figures take practical effect.

    This is why research-administration teams pay attention not only to the headline numbers but to the transition: an institution may have awards under both the prior and revised guidance running concurrently, and applying the correct version to each is part of careful grants management.

    Why government-wide rules carry weight

    It is worth underlining why a single OMB revision commands so much attention. Because the Uniform Guidance is government-wide, the same baseline rules apply whether an institution is funded by a health agency, a science agency, a defence research office or any other federal source. A change to the de-minimis rate or the audit threshold therefore propagates across an institution’s entire federal portfolio at once, rather than agency by agency. That breadth is what makes periodic OMB revisions a planning event for finance and research-administration offices, rather than a narrow technical adjustment affecting only one funding stream.

    What research administrators should take away

    For research-administration teams, the revisions translate into concrete operational questions: whether the higher Single Audit threshold changes an entity’s audit obligation in a given year; whether budgets and subaward terms should reflect the higher de-minimis indirect rate; whether financial systems and chart-of-accounts mappings correctly capture federal expenditures for the Single Audit determination; and whether internal policies, templates and training need updating to match the revised language. Many offices also revisit subrecipient risk assessments and monitoring procedures, since the rules governing pass-through entities are part of the same framework.

    Subrecipient monitoring is one area where both changes intersect, because pass-through entities must apply the rules consistently to those they fund. The higher de-minimis rate in particular often appears in subaward budgeting discussions.

    The two figures are easy to remember — a $1 million Single Audit threshold and a 15 percent de-minimis indirect rate — but the authoritative source is the revised regulation itself at whitehouse.gov/omb and the codified text in 2 CFR Part 200, which institutions consult for definitive application. For neutral background on related grants terminology, see our standards dictionary.

  • NSPM-33 Research Security: Disclosure & Programmes

    National Security Presidential Memorandum 33 (NSPM-33) set US policy on strengthening protections for federally funded research and development. It directs federal funding agencies to standardise and clarify disclosure requirements for participants in research, and it asks certain research institutions to establish research-security programmes. This article is a neutral explainer of what NSPM-33 covers; it is not legal or compliance advice, and the binding detail lives in each agency’s implementing rules.

    What NSPM-33 is trying to do

    NSPM-33 responds to concerns about the integrity of the research enterprise — chiefly around undisclosed conflicts of interest and commitment, and the risk of inappropriate transfer of federally funded research results. Its core principle is that openness and security can coexist: it reaffirms that fundamental research should remain open while asking the system to be more transparent about affiliations, support and commitments so that risks can be identified and managed.

    Importantly, the memorandum directs agencies to act consistently. A recurring frustration before NSPM-33 was that different agencies asked for disclosures in different formats and used different definitions. A central aim is to harmonise those expectations across the federal government.

    Standardised disclosure requirements

    The disclosure element asks that researchers consistently report information relevant to identifying conflicts of interest and conflicts of commitment. In broad terms this includes current and pending research support, professional appointments and positions, and other affiliations and resources that could bear on the integrity of the research.

    • Current and pending support: all sources of research funding, foreign and domestic.
    • Appointments and positions: including foreign appointments and titles.
    • Other support and in-kind resources: resources that benefit the research effort.
    • Consistency: common forms and definitions so disclosures are comparable across agencies.

    The emphasis is on completeness and accuracy rather than on prohibiting international collaboration. Disclosure makes relationships visible so that genuine conflicts can be evaluated and managed.

    Research-security programmes: the four elements

    NSPM-33 also contemplates that covered institutions receiving federal science funding above a defined level maintain a research-security programme. As described in implementation guidance, such programmes are generally built around four elements:

    • Cybersecurity: protecting research data and systems.
    • Foreign-travel security: tracking and supporting security for international research travel.
    • Research-security training: educating researchers on risks and obligations.
    • Export-control training: ensuring awareness of export-control responsibilities.

    The export-control element connects research security to a separate, long-standing legal regime. For background on how export controls treat openly published research, see our explainer on the fundamental-research exclusion, which is central to understanding what NSPM-33 does and does not restrict.

    Openness and security as complementary goals

    A theme worth drawing out is that NSPM-33 frames openness and security not as opposites but as goals to be balanced. The US research enterprise has long derived strength from international collaboration and the open exchange of ideas, and the memorandum is explicit that it does not seek to undermine that openness or to discourage legitimate international partnership. Instead, it aims to make the system more resilient to a narrow set of risks — undisclosed conflicts and inappropriate transfer of results — while leaving the open, collaborative character of fundamental research intact. The emphasis on transparency rather than prohibition is the practical expression of that balance.

    The fundamental-research principle

    A key point of reassurance in NSPM-33 is that it does not seek to close off basic and applied research that is ordinarily published and shared. Long-standing US policy treats such fundamental research as outside many export-control restrictions precisely because it is openly disseminated. NSPM-33 operates alongside that principle: it improves transparency about who is involved and how they are supported, rather than reclassifying open research as controlled.

    This is why disclosure, not restriction, is the dominant tool. The aim is informed risk management — knowing the affiliations and support behind a project — rather than blanket limits on collaboration. Our broader research-compliance overview situates these expectations within the wider grants framework.

    Conflicts of interest versus conflicts of commitment

    NSPM-33’s disclosure emphasis turns on two related but distinct concepts that are worth separating. A conflict of interest arises when an external financial or personal interest could bias the design, conduct or reporting of research. A conflict of commitment arises when outside obligations — such as an undisclosed appointment at another institution — compete with the time and intellectual commitments a researcher owes to their primary employer and to a funded project.

    Much of the concern that motivated NSPM-33 involved undisclosed conflicts of commitment, where affiliations or support were not reported. The disclosure framework is designed to surface both kinds of conflict so they can be evaluated. Disclosure does not by itself imply wrongdoing; it is the mechanism that allows institutions and agencies to distinguish benign, well-managed relationships from genuine problems.

    What institutions did in practice

    In response, many research institutions reviewed and updated their conflict-of-interest and conflict-of-commitment policies, refreshed disclosure processes, and built or formalised research-security functions covering the four programme elements. Some appointed designated research-security officials or points of contact, expanded training, and integrated disclosure checks into proposal and award workflows. Because the requirements are implemented through individual agency rules and award terms, the specific obligations an institution faces depend on which agencies fund it and at what level, and institutions track the rules of each relevant funder rather than assuming a single uniform standard.

    The headline is a balance: NSPM-33 pairs clearer, standardised disclosure with structured research-security programmes, while preserving the openness of fundamental research. For authoritative detail, institutions consult the implementing guidance from the relevant federal agencies and OSTP at whitehouse.gov/ostp. For related terminology, see our standards dictionary.

  • ICH E6(R3) Good Clinical Practice: GCP Modernised

    ICH E6(R3) is the revised version of the international Good Clinical Practice (GCP) guideline, developed through the International Council for Harmonisation (ICH). GCP is the ethical and scientific quality standard for designing, conducting, recording and reporting clinical trials that involve human participants. The R3 revision modernises the guideline around quality-by-design, risk-based approaches and flexibility for contemporary trial designs and data sources. This article is a neutral explainer and not clinical, regulatory or legal advice.

    What Good Clinical Practice is

    GCP exists to protect the rights, safety and wellbeing of trial participants and to ensure that trial data are credible and reliable. It sets expectations for ethics oversight, informed consent, the responsibilities of sponsors and investigators, documentation, and data integrity. Regulators around the world reference ICH GCP, which is why a revision to the core guideline matters internationally. For the wider context, see our overview of clinical-trials regulation and the focused explainer on Good Clinical Practice.

    Why GCP needed modernising

    The previous version, E6(R2), added an addendum to a guideline whose structure dated to the 1990s. Since then, clinical research has changed: trials use electronic data systems, decentralised and remote elements, real-world and diverse data sources, and increasingly complex designs. The earlier text, written for a more uniform model of site-based trials, did not always map cleanly onto these newer approaches. E6(R3) was developed to be more principles-based and adaptable, so that the same quality expectations can apply across a wider range of trial types.

    Quality-by-design: building quality in

    A central theme of E6(R3) is quality-by-design (QbD): the idea that quality should be designed into a trial from the start rather than inspected in afterwards. Under this thinking, sponsors identify the factors that are truly critical to quality — the aspects of a trial that, if compromised, would undermine participant safety or the reliability of the results — and focus attention and resources there.

    • Critical-to-quality factors: the elements that genuinely matter for safety and reliability.
    • Proportionate effort: attention concentrated where the risk to those factors is greatest.
    • Avoiding low-value activity: not treating every data point and process as equally important.

    The practical implication is fewer one-size-fits-all checklists and more deliberate judgement about where rigour adds value.

    Risk-based and proportionate

    Closely related is the risk-based orientation that runs through the guideline. Rather than prescribing identical, exhaustive procedures for every trial, E6(R3) emphasises identifying, assessing and managing risks in proportion to their importance. This extends to monitoring: risk-based monitoring focuses oversight on the data and processes most likely to affect participant safety and result credibility, which may combine on-site and centralised approaches.

    This proportionality is intended to make trials both more efficient and more robust, by concentrating effort where it protects participants and data integrity most.

    Flexibility for modern trials and data

    E6(R3) is written to accommodate a broader range of trial designs and data sources, including the use of varied technologies and the realities of decentralised elements. By framing requirements in terms of underlying principles and outcomes rather than rigid prescriptions, the guideline aims to remain relevant as methods evolve. Throughout, the emphasis on data integrity and a clear, reliable record remains central — modern tools do not relax the expectation that data be attributable, legible, contemporaneous, original and accurate.

    Participant protection stays at the heart of the guideline. Informed consent, ethics oversight and the duty of care to participants are reaffirmed, not diluted, by the modernisation. For neutral definitions of related terms, see our standards dictionary.

    Roles, responsibilities and the structure of the guideline

    E6(R3) restates the responsibilities of the main parties in a trial. Sponsors are responsible for the overall quality system, trial design, risk management and oversight, including oversight of any parties to whom activities are delegated. Investigators are responsible for the conduct of the trial at their site, the care of participants, informed consent and the integrity of the data they generate. The guideline is structured around principles supported by more detailed expectations, with the intent that the principles guide judgement when specific situations are not spelled out.

    This principles-first structure is a deliberate response to the pace of change in clinical research. By anchoring expectations in durable principles — participant protection and reliable results — rather than in an exhaustive list of procedures, the guideline is intended to remain applicable as trial methods and technologies continue to evolve.

    What it means in practice

    For sponsors, investigators and clinical-operations teams, E6(R3) signals a shift in mindset: from procedure-led compliance toward thoughtful, risk-proportionate quality management tailored to each trial. Organisations generally review their quality systems, monitoring strategies and standard operating procedures to align with the principles-based approach. Teams often revisit how they document critical-to-quality factors, how they justify monitoring intensity, and how they evidence oversight of delegated activities. Regulators, in turn, adopt the revised guideline into their own frameworks, so the practical timing of when E6(R3) applies in a given country depends on that jurisdiction’s adoption process. Sponsors operating across multiple regions therefore track adoption status region by region, since the same global guideline may take legal effect at different times in different jurisdictions, and transitional arrangements may govern trials already underway when a region adopts the revised text.

    The essence of E6(R3) is that good clinical practice is achieved by designing quality in, focusing on what is critical, and managing risk proportionately — applied flexibly across the diverse trials of today. The authoritative text is published by ICH, and readers should consult the official guideline and adopting regulators for binding detail. Our EU Clinical Trials Regulation explainer describes how one major jurisdiction frames trial conduct alongside these GCP principles.

  • EU CTR and CTIS Now Mandatory: Harmonised Trials

    The EU Clinical Trials Regulation (Regulation (EU) No 536/2014, the CTR) is now in full effect, and the Clinical Trials Information System (CTIS) is the single, mandatory entry point for clinical-trial applications across the European Union and the European Economic Area. The CTR replaced the earlier Clinical Trials Directive, moving from a country-by-country model to a harmonised one. This article is a neutral explainer of how the system works following the end of the transition period; it is not legal or regulatory advice.

    From directive to regulation

    The previous framework, the Clinical Trials Directive, was a directive — meaning each EU member state transposed it into national law, producing variation in how trials were authorised and overseen. Sponsors running multinational trials had to submit separately to each country, with differing requirements and timelines. The CTR is a regulation, applying directly and uniformly across member states, and was designed specifically to harmonise the assessment and supervision of clinical trials. For the focused overview, see our explainer on the EU Clinical Trials Regulation.

    What CTIS does

    CTIS is the IT backbone of the regulation. It provides a single online portal and database through which sponsors submit one application to run a trial in one or several EU/EEA countries, and through which regulators and ethics bodies coordinate their assessment. It also includes a public-facing component that improves transparency about authorised trials.

    • Single submission: one dossier for a trial spanning multiple member states.
    • Coordinated assessment: a reporting member state leads the scientific assessment shared across the countries concerned.
    • Two-part evaluation: a jointly assessed scientific part and a national part covering country-specific and ethical aspects.
    • Transparency: a public portal with information on authorised trials.

    The coordinated model means sponsors no longer duplicate a full application in every country; instead, a shared assessment is combined with country-specific evaluation.

    The transition period has ended

    The regulation became applicable in January 2022, but it included a phased transition to give the system and its users time to adapt. During that window, sponsors could in some cases still start trials under the old directive, and existing trials had a defined period to transition to the regulation and into CTIS. That transition has now concluded: CTIS is the mandatory route, and trials that were approved under the old directive were required to be brought under the CTR framework within the transition timeline.

    The end of the transition is significant because it means there is now a single regime in operation. New trials are authorised exclusively through CTIS under the CTR, and the legacy directive pathway is closed.

    How an application flows

    At a high level, a sponsor compiles a single application dossier and submits it through CTIS, indicating the member states in which the trial is to run. A reporting member state coordinates the scientific assessment (Part I), which is shared across the participating countries, while each member state evaluates the national and ethical aspects relevant to its territory (Part II). Defined timelines structure the process, and the outcome is a single decision per member state delivered through the system. Substantial changes and safety reporting during the trial are also managed within the same platform.

    This single-platform approach is intended to make multinational trials more predictable and to reduce duplicative administration, while maintaining rigorous scientific and ethical assessment in each country.

    Transparency and public access to trial information

    A notable feature of the CTR and CTIS is the emphasis on transparency. The system includes a public component through which information about authorised trials is made available, and the regulation sets expectations around the publication of trial information and, in time, results. This responds to long-standing calls to reduce so-called publication bias — the under-reporting of trials whose findings are inconvenient or negative — by making the existence and outcomes of trials more visible. Certain commercially confidential information and personal data are protected, so transparency operates within defined limits rather than as unrestricted disclosure.

    For the research community, this public visibility supports independent scrutiny and helps ensure the evidence base reflects the trials that were actually conducted, not only those that reported favourable results. It connects clinical-trials regulation to the broader open-science direction seen elsewhere in research policy.

    How it fits with GCP and global standards

    The CTR governs authorisation and oversight within the EU, while the conduct of trials continues to follow Good Clinical Practice. The modernised international GCP guideline is described in our explainer on ICH E6(R3) Good Clinical Practice, and the two operate together: the regulation defines how trials are approved and supervised in Europe, and GCP defines the quality and ethical standards for running them.

    The transparency dimension also connects to broader open-science expectations, since CTIS publishes information about authorised trials, supporting public visibility of clinical research. For neutral definitions of related terms, see our standards dictionary.

    What it means for sponsors and sites

    For sponsors, the end of the transition removes the option of the legacy pathway and concentrates all trial activity in one system, which favours organisations that have built familiarity with CTIS and its document and timeline requirements. For sites and investigators, the harmonised model means the ethical and national assessment of a trial in their country proceeds within a coordinated EU process rather than in isolation. Sponsors running trials in several member states benefit most from the single submission, but even single-country trials in the EU now flow through CTIS. As with any large system, users continued to adapt their internal processes — document preparation, role management within the portal, and response to assessment questions — to work efficiently within the platform.

    The takeaway

    The EU has moved decisively to a single, harmonised system for clinical trials: one regulation applying directly across member states, one mandatory portal in CTIS, and a coordinated assessment that replaces country-by-country duplication. With the transition period over, CTIS is the only route for trial applications in the EU and EEA. Authoritative detail is published by the European Medicines Agency and the European Commission at ema.europa.eu, which sponsors and investigators consult for binding requirements.

  • GDPR Enforcement 2025: How DPAs Applied the Rules

    The EU General Data Protection Regulation (GDPR) has been in force since 2018, and its enforcement is carried out by independent national data-protection authorities (DPAs) across the EU and EEA, coordinated through the European Data Protection Board (EDPB). This article offers a neutral, aggregate recap of the themes that characterised GDPR enforcement through 2025. It deliberately discusses patterns and principles rather than naming particular organisations or framing specific outcomes as accusations, and it is not legal advice.

    How GDPR enforcement is structured

    GDPR is enforced primarily by national DPAs, each supervising organisations within its jurisdiction. For cross-border processing, the regulation uses a one-stop-shop mechanism: a lead supervisory authority, usually where the organisation has its main establishment, coordinates with other concerned authorities. Where authorities disagree, the EDPB can issue binding decisions to ensure consistent application. For the underlying framework, see our overview of the GDPR.

    This structure matters because it shapes how enforcement unfolds: many significant cross-border matters involve coordination between a lead authority and others, and EDPB consistency mechanisms help align interpretation across countries.

    Recurring themes in enforcement

    Across the body of enforcement activity, several themes recur as areas where authorities have focused. Described in aggregate, these include:

    • Lawful basis and transparency: whether organisations correctly identify and communicate the legal basis for processing, and whether privacy information is clear and accessible.
    • Consent: whether consent, where relied upon, is freely given, specific, informed and unambiguous, and as easy to withdraw as to give.
    • Data-subject rights: how organisations handle requests for access, erasure, rectification and objection within required timeframes.
    • Security and breach handling: whether appropriate technical and organisational measures are in place, and whether breaches are notified appropriately. See our explainer on data breaches.
    • International transfers: the safeguards applied when personal data move outside the EEA.

    These themes reflect the GDPR’s core principles — lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability — and enforcement activity tends to cluster around them.

    The role of the EDPB and consistency

    A defining feature of recent years has been the EDPB’s role in promoting consistent interpretation. Through guidelines, opinions and, where necessary, binding decisions in dispute-resolution procedures, the Board has helped align how authorities approach questions such as the calculation of administrative fines and the assessment of cross-border cases. The EDPB has, for example, issued guidance intended to harmonise the methodology authorities use when determining the level of fines, supporting a more consistent approach across the bloc.

    This coordination is significant for organisations operating in multiple member states, because it reduces — though does not eliminate — divergence in how the same rules are applied in different countries.

    Tools beyond fines

    Administrative fines attract the most attention, but DPAs have a wider toolkit. Authorities can issue warnings and reprimands, order an organisation to bring processing into compliance, impose temporary or definitive limitations on processing (including bans), and order the rectification or erasure of data. In many matters, corrective orders — requiring changes to how data are handled — are as consequential as monetary penalties, because they directly alter business practices. Describing enforcement only in terms of fine totals therefore understates the range of regulatory action.

    What organisations took from it

    In aggregate, the enforcement picture through 2025 reinforced the importance of demonstrable accountability: maintaining records of processing, conducting data-protection impact assessments where required, ensuring a valid lawful basis, honouring data-subject rights promptly, and being able to evidence appropriate security measures. The accountability principle — being able to show compliance, not merely assert it — runs through the regulation and through how authorities assess organisations.

    For those seeking to understand the rules themselves rather than commentary on outcomes, the authoritative sources are the regulation’s own text, national DPA guidance, and EDPB materials published at edpb.europa.eu. Neutral definitions of related privacy terms are collected in our standards dictionary.

    Reading enforcement data carefully

    A final neutral note concerns how enforcement statistics should be read. Aggregate figures — numbers of decisions, total penalty amounts, or counts of complaints — circulate widely, but they require context. A high total in one period may reflect a small number of large matters rather than a broad pattern; a low total may reflect a focus on corrective orders rather than fines. Differences between member states can stem from caseload, the nature of the organisations established in a jurisdiction, or procedural timing rather than from differing strictness. For this reason, responsible analysis treats enforcement data as one input among several and avoids inferring conclusions about any individual organisation from aggregate trends. The constructive takeaway for organisations is forward-looking: align practices with the regulation’s principles and maintain the documentation needed to demonstrate that alignment.

    The accountability principle in focus

    If a single idea characterises how authorities approach assessment, it is accountability. The GDPR does not merely require organisations to comply; it requires them to be able to demonstrate compliance. In practice this means maintaining a record of processing activities, documenting the lawful basis for each processing purpose, conducting and recording data-protection impact assessments for higher-risk processing, and keeping evidence of the technical and organisational measures in place. When authorities examine an organisation, the ability to produce this documentation is often as important as the underlying practices themselves.

    Accountability also shapes governance. Many organisations are required to designate a data-protection officer, and the regulation encourages structured governance such as data-protection-by-design and by-default, where privacy considerations are built into systems from the outset. These structural expectations recur across enforcement themes because they underpin every other obligation — a lawful basis, honoured rights and adequate security all depend on having the governance to manage them.

    A neutral bottom line

    GDPR enforcement in 2025 is best understood not through individual headline cases but through the patterns: sustained attention to lawful basis, transparency, consent, data-subject rights, security and international transfers; growing consistency driven by the EDPB; and a corrective toolkit that extends well beyond fines. The regulation’s principles remained the constant reference point against which authorities assessed organisations.

  • EU AI Act: Prohibited AI Practices Take Effect Feb 2025

    On 2 February 2025, the first substantive obligations of the European Union’s Artificial Intelligence Act began to apply. Six months after the Regulation entered into force on 1 August 2024, two early provisions switched on: the prohibitions on certain AI practices set out in Article 5, and the AI-literacy duty in Article 4. This article describes what changed on that date. It is a news explainer, not legal advice.

    What Article 5 prohibits

    Article 5 lists categories of AI use that the EU considers incompatible with fundamental rights and Union values, and therefore bans from the EU market. According to the published text of the Regulation, the prohibited practices include:

    • Manipulative or deceptive techniques that materially distort behaviour and cause significant harm.
    • Exploitation of vulnerabilities linked to age, disability or a specific social or economic situation.
    • Social scoring by public or private actors leading to detrimental or disproportionate treatment.
    • Individual criminal-risk prediction based solely on profiling or personality traits.
    • Untargeted scraping of facial images from the internet or CCTV to build facial-recognition databases.
    • Emotion recognition in workplaces and educational institutions, subject to narrow exceptions.
    • Biometric categorisation inferring sensitive attributes such as race, political views or sexual orientation.
    • Real-time remote biometric identification in publicly accessible spaces for law-enforcement purposes, subject to limited, authorised exceptions.

    These are bright-line prohibitions rather than risk-managed permissions. For a fuller treatment of how the Act’s tiers fit together, see our pillar overview of the EU AI Act.

    The AI-literacy duty in Article 4

    Alongside the bans, Article 4 introduced an obligation that applies far more broadly. Providers and deployers of AI systems must take measures to ensure, to their best extent, a sufficient level of AI literacy among staff and others operating systems on their behalf. The duty is framed proportionately: organisations must consider the technical knowledge, experience and training of the people involved, the context of use, and the individuals or groups the system is used on.

    Unlike Article 5, the literacy duty is not limited to high-risk or prohibited systems. The European Commission has published questions and answers describing how the obligation is intended to operate. The terminology around AI systems, providers and deployers is defined in the Regulation itself; readers new to these distinctions may find our dictionary useful.

    Why this date mattered

    The 2 February 2025 milestone was the first point at which any part of the AI Act created direct, applicable obligations. It signalled the start of phased application that continues across subsequent years. The dates were fixed relative to entry into force: prohibitions and literacy at six months, general-purpose AI obligations at twelve months, and the bulk of high-risk requirements later still.

    Scope and reach

    The AI Act applies to providers placing systems on the EU market and to deployers using them within the Union, regardless of where the provider is established. This extraterritorial reach means organisations outside the EU can fall within scope where their systems are used in the Union. The Regulation positions itself as a product-safety-style framework layered on top of existing rights protections rather than a replacement for them.

    How it relates to wider AI governance

    The EU’s approach is binding law, but it sits within a broader landscape of voluntary frameworks that organisations use to structure internal governance. Many map their controls against instruments such as the NIST AI Risk Management Framework or the management-system standard ISO/IEC 42001. These do not satisfy EU legal obligations on their own, but they are widely referenced when firms operationalise principles such as risk assessment and human oversight.

    The exceptions that shape the bans

    Several of the Article 5 prohibitions are not absolute but carry carefully bounded carve-outs, and the detail matters. The ban on real-time remote biometric identification in public spaces for law enforcement, for example, is subject to narrow exceptions for specified objectives such as searching for certain victims of crime, preventing a substantial and imminent threat to life, or locating suspects of serious offences — and those uses are themselves wrapped in authorisation and safeguard conditions. Similarly, the emotion-recognition prohibition focuses on workplace and educational settings while leaving room for limited medical or safety purposes. Understanding the bans therefore means reading the qualifications alongside the headline category, which is one reason the Commission has issued supplementary guidance.

    Guidelines on the prohibited practices

    Recognising that the bans took effect before every boundary was self-evident, the European Commission published guidelines on the prohibited practices to help interpret Article 5. These materials work through the categories with examples and clarifications, addressing recurring questions such as how to distinguish lawful persuasion from prohibited manipulation, and where everyday biometric features end and prohibited biometric categorisation begins. The guidelines are not themselves binding law — the Regulation’s text governs — but they are an authoritative reference point for organisations interpreting scope.

    What observers noted

    Commentators highlighted that the prohibitions and literacy duty arrived before detailed guidance and harmonised standards for later stages were finalised, leaving organisations to interpret some boundaries using the legislative text and Commission materials. The Commission has continued to publish guidance to clarify scope as later phases approach. Analysts also noted the breadth of the literacy duty relative to the bans: while only a defined set of systems is prohibited, the literacy expectation touches almost any organisation that builds or uses AI, making it the more widely felt of the two early obligations in practice.

    Penalties and enforcement architecture

    The AI Act backs its prohibitions with a tiered penalty structure, and breaches of Article 5 sit at the most serious end, attracting the highest potential fines under the Regulation. Enforcement is allocated to national authorities designated by member states, coordinated at Union level through the European Artificial Intelligence Office and a board of member-state representatives. The phased application dates determine when each obligation becomes enforceable, which is why the February 2025 milestone — switching on the bans and literacy duty — was the first point at which any enforcement exposure under the Act could arise.

    In summary

    The 2 February 2025 date marked the point at which the EU AI Act stopped being purely prospective. Article 5’s prohibitions removed a defined set of AI uses from the EU market, and Article 4’s literacy duty placed a general, proportionate expectation on organisations that build or use AI. The official consolidated timeline is maintained on the European Commission’s digital-strategy site. Readers should treat this as a factual summary of the events and consult qualified advisers for application to their own circumstances.