DOJ Prosecution Playbook, MiCAR Deadline & Enhanced CIRMP Rules (07/10/2026)
- › The DOJ's 2025-2026 policy reset makes corporate declinations more predictable, narrows monitors, and sharpens the focus on individual accountability.
- › The MiCAR transitional period is closing for crypto-asset service providers, and the EU's AMLA has flagged money-laundering risks tied to the deadline.
- › Australia's Enhanced CIRMP rules formally raise risk-management obligations for critical infrastructure operators.
- › Aitkin County Health and Human Services in Minnesota disclosed an email breach affecting 81,000 people, triggering HIPAA notification duties.
- › The DoD opened rulemaking toward a certification framework restricting certain printed circuit boards in defense systems.
Three deadlines landed this week that change what an operator has to prove, not just what they have to promise. The DOJ published clearer rules for when it charges a company and when it walks away, the EU’s crypto-asset rules move from transition to enforcement, and a fresh 81,000-person health breach shows how fast a single email compromise turns into a reportable event. Each one starts with the same question: can you show the controls were in place before the incident, or only after.
Top 5 Critical Compliance Alerts
1. DOJ Publishes a New Playbook for Charging Corporations
The Department of Justice’s 2025-2026 policy reset makes declinations more predictable, narrows the use of corporate monitors, and sharpens enforcement around individual accountability, government-program fraud, and national security exposure (JD Supra). More predictable declinations reward the companies that can document a real compliance program, so the value of a program you can evidence just went up.
Operator Note: A declination now favors firms that can produce records of controls, training, and self-reporting. Start with an assessment that captures that evidence, before you need it in front of a prosecutor.
2. MiCAR Transitional Period Closes for Crypto-Asset Service Providers
The transitional window under the EU’s Markets in Crypto-Assets Regulation (MiCAR) is expiring for crypto-asset service providers, and the EU’s Anti-Money Laundering Authority (AMLA) issued an advisory on the money-laundering and terrorist-financing risks tied to the deadline (JD Supra: MiCAR, JD Supra: AMLA). Firms that operated under grandfathered status now need full authorization and the anti-money-laundering controls that come with it, and the regulator has already named the gap it will be watching.
3. Australia’s Enhanced CIRMP Rules Raise the Bar on Critical Infrastructure
Australia registered the Enhanced Critical Infrastructure Risk Management Program (CIRMP) Rules 2026 on June 9, formally amending the obligations that critical infrastructure operators must build into their risk programs (JD Supra). For any operator with assets in scope, this is a documentation and governance uplift, and the responsible-entity board is the one that has to attest the program is real.
4. Aitkin County Health Breach Affects 81,000 People
Aitkin County Health and Human Services in Minnesota disclosed a breach of its email environment affecting roughly 81,000 individuals (HIPAA Journal). An email compromise at a Health and Human Services agency crosses into protected health information fast, and once it does, the HIPAA breach-notification clock and the state reporting duties both start running.
Operator Note: A single mailbox compromise at a HIPAA-covered entity is a reportable-breach risk, not just an IT cleanup. The notification timeline is the obligation, and it does not wait for your investigation to finish.
5. DoD Moves Toward Certifying Printed Circuit Boards in Defense Systems
The Department of Defense issued an advance notice of proposed rulemaking toward a Defense Federal Acquisition Regulation Supplement (DFARS) rule that would restrict certain printed circuit boards in defense systems through a certification framework (JD Supra). For defense-industrial-base suppliers, this is another layer of supply-chain provenance to prove, and the contractors who map their board sourcing now will not scramble when the rule lands.
Additional Compliance Alerts
Regulatory Updates
- SEC Updates Municipal Advisor Registration FAQs: The SEC’s Office of Municipal Securities refreshed its Registration of Municipal Advisors FAQs to clarify registration and recordkeeping expectations. SEC
- Education Department Finalizes Title IV Earnings Rule: The US Department of Education issued a final rule on earnings accountability for Title IV programs, tying program eligibility to graduate earnings outcomes. JD Supra
Third-Party Risk & Due Diligence
- Accenture Confirms Intrusion After 35GB Breach Claim: Accenture confirmed a security breach after an actor claimed to have stolen 35GB of data, a reminder that your largest vendors are also your largest concentrated third-party risk. HIPAA Journal
The Axe Report is a daily briefing from Grab The Axe. Need help assessing your organization’s security posture? Take our free Human Attack Surface Score assessment.
A leader defined by a 'bias for action,' Dusten specializes in physical security assessments that impact profitability and facility resilience.
View Profile →Media Inquiries
For expert commentary, interview requests, or high-res assets regarding this announcement, initialize the terminal.