DOJ Prosecution Playbook, MiCAR Deadline & Enhanced CIRMP Rules (07/10/2026)

July 10, 2026
DOJ Prosecution Playbook, MiCAR Deadline & Enhanced CIRMP Rules (07/10/2026)
Key Intel / TL;DR
  • The DOJ's 2025-2026 policy reset makes corporate declinations more predictable, narrows monitors, and sharpens the focus on individual accountability.
  • The MiCAR transitional period is closing for crypto-asset service providers, and the EU's AMLA has flagged money-laundering risks tied to the deadline.
  • Australia's Enhanced CIRMP rules formally raise risk-management obligations for critical infrastructure operators.
  • Aitkin County Health and Human Services in Minnesota disclosed an email breach affecting 81,000 people, triggering HIPAA notification duties.
  • The DoD opened rulemaking toward a certification framework restricting certain printed circuit boards in defense systems.

Three deadlines landed this week that change what an operator has to prove, not just what they have to promise. The DOJ published clearer rules for when it charges a company and when it walks away, the EU’s crypto-asset rules move from transition to enforcement, and a fresh 81,000-person health breach shows how fast a single email compromise turns into a reportable event. Each one starts with the same question: can you show the controls were in place before the incident, or only after.

Top 5 Critical Compliance Alerts

1. DOJ Publishes a New Playbook for Charging Corporations

The Department of Justice’s 2025-2026 policy reset makes declinations more predictable, narrows the use of corporate monitors, and sharpens enforcement around individual accountability, government-program fraud, and national security exposure (JD Supra). More predictable declinations reward the companies that can document a real compliance program, so the value of a program you can evidence just went up.

Operator Note: A declination now favors firms that can produce records of controls, training, and self-reporting. Start with an assessment that captures that evidence, before you need it in front of a prosecutor.

2. MiCAR Transitional Period Closes for Crypto-Asset Service Providers

The transitional window under the EU’s Markets in Crypto-Assets Regulation (MiCAR) is expiring for crypto-asset service providers, and the EU’s Anti-Money Laundering Authority (AMLA) issued an advisory on the money-laundering and terrorist-financing risks tied to the deadline (JD Supra: MiCAR, JD Supra: AMLA). Firms that operated under grandfathered status now need full authorization and the anti-money-laundering controls that come with it, and the regulator has already named the gap it will be watching.

3. Australia’s Enhanced CIRMP Rules Raise the Bar on Critical Infrastructure

Australia registered the Enhanced Critical Infrastructure Risk Management Program (CIRMP) Rules 2026 on June 9, formally amending the obligations that critical infrastructure operators must build into their risk programs (JD Supra). For any operator with assets in scope, this is a documentation and governance uplift, and the responsible-entity board is the one that has to attest the program is real.

4. Aitkin County Health Breach Affects 81,000 People

Aitkin County Health and Human Services in Minnesota disclosed a breach of its email environment affecting roughly 81,000 individuals (HIPAA Journal). An email compromise at a Health and Human Services agency crosses into protected health information fast, and once it does, the HIPAA breach-notification clock and the state reporting duties both start running.

Operator Note: A single mailbox compromise at a HIPAA-covered entity is a reportable-breach risk, not just an IT cleanup. The notification timeline is the obligation, and it does not wait for your investigation to finish.

5. DoD Moves Toward Certifying Printed Circuit Boards in Defense Systems

The Department of Defense issued an advance notice of proposed rulemaking toward a Defense Federal Acquisition Regulation Supplement (DFARS) rule that would restrict certain printed circuit boards in defense systems through a certification framework (JD Supra). For defense-industrial-base suppliers, this is another layer of supply-chain provenance to prove, and the contractors who map their board sourcing now will not scramble when the rule lands.

Additional Compliance Alerts

Regulatory Updates

  • SEC Updates Municipal Advisor Registration FAQs: The SEC’s Office of Municipal Securities refreshed its Registration of Municipal Advisors FAQs to clarify registration and recordkeeping expectations. SEC
  • Education Department Finalizes Title IV Earnings Rule: The US Department of Education issued a final rule on earnings accountability for Title IV programs, tying program eligibility to graduate earnings outcomes. JD Supra

Third-Party Risk & Due Diligence

  • Accenture Confirms Intrusion After 35GB Breach Claim: Accenture confirmed a security breach after an actor claimed to have stolen 35GB of data, a reminder that your largest vendors are also your largest concentrated third-party risk. HIPAA Journal

The Axe Report is a daily briefing from Grab The Axe. Need help assessing your organization’s security posture? Take our free Human Attack Surface Score assessment.

Distribute Intel
Dusten Trounce
Director of Physical Security
Dusten Trounce
The Growth Architect.

A leader defined by a 'bias for action,' Dusten specializes in physical security assessments that impact profitability and facility resilience.

View Profile →
Press & Media

Media Inquiries

For expert commentary, interview requests, or high-res assets regarding this announcement, initialize the terminal.

Initialize Terminal

Initiate
Deployment.

Whether you need a full adversarial facility audit or an executive resilience protocol for your leadership team.

Secure the Facility (Assessments)
Secure the Mind (Coaching/Speaking)