Insights

On May 5, 2026, CISA announced CI Fortify — an initiative directing critical infrastructure owners and operators to prepare for geopolitical conflict in which OT networks are actively targeted while communications infrastructure is simultaneously degraded.

On May 6, 2026, the Federal Aviation Administration (FAA) published a long-awaited Notice of Proposed Rulemaking (NPRM) that would create a formal process for designating drone-free zones — known as Unmanned Aircraft Flight Restrictions (UAFRs) — over critical infrastructure facilities. The proposed rule has significant implications for the entire drone ecosystem. Facility operators across a broad range of industries would gain a potential pathway to restrict unauthorized drone access to their airspace, while commercial drone operators and companies that rely on UAS services face new compliance obligations, operational constraints, and potential criminal liability in designated zones.

On May 7, 2026, the Department of War issued the long-awaited Proposed Rule to implement Section 847 of the FY 2020 National Defense Authorization Act (NDAA) regarding Foreign Ownership, Control or Influence (FOCI) requirements for contractors. The proposed rule would expand the applicability of FOCI reviews, requiring contractors and subcontractors on unclassified “covered contracts” — defense contracts and subcontracts valued in excess of $5 million that are not for commercial products and services — to submit FOCI disclosures to the Defense Counterintelligence and Security Agency (DCSA) for FOCI risk assessment (and as applicable, mitigation) as part of contract award. This would effectively require DCSA assessment and adjudication of FOCI considerations prior to contract award. Thus, both cleared and uncleared defense contractors would be subject to the rigorous DCSA disclosure requirements, scrutiny, and FOCI mitigation. Crowell discussed the Section 847 requirements in a prior alert.

Businesses affected by the Strait of Hormuz crisis are likely to be navigating both sides of the contractual liability equation: seeking to enforce protections while simultaneously trying to limit their own exposure. This balancing act will feel familiar to those who managed supply chain disruptions during the Covid pandemic or in response to Russian sanctions. But the scale of uncertainty and the severity of the current situation make it particularly challenging to chart a clear path forward. This note provides an overview of the English-law issues that have arisen in this current crisis and is relevant for companies and legal counsel seeking to understand and mitigate contractual risk in their supply chains, including for shipping, energy, commodities, and construction.

The president of the Competition Appeal Tribunal (CAT) has signalled a more rigorous approach to scrutinising opt-out collective actions at the certification stage, with particular attention to whether the financial benefits of such claims flow to the claimant class or primarily to their lawyers and funders. Coming at a time when the UK Law Commission is consulting on expanding the scope of the opt-out regime, this development warrants careful consideration by all those with interests in the UK litigation funding market.

In our ninth alert in this EU Pharma Package Series, we discussed the proposals of the Commission, Council, and Parliament with respect to advertising of medicinal products.

On April 29, 2026, the New York Department of Financial Services (NYDFS) announced the finalization of a $2.25 million settlement with Delta Dental of New York and Delta Dental Insurance Co., resolving allegations that the affiliated companies failed to comply with the state’s stringent cybersecurity, consumer data protection, and incident reporting requirements. For health insurers, managed care organizations, and their third-party service providers operating in New York, the announcement comes as the latest signal that the NYDFS intends to aggressively enforce its cybersecurity regulations — which are widely considered the strictest in the nation following a 2023 overhaul. These regulations, codified at 23 NYCkRR 500 (Cybersecurity Requirements for Financial Services Organizations), apply to any entity licensed under New York insurance law, including health insurers, managed care organizations, and their third-party service providers.

The ICCU is poised to become one of the most significant international compensation mechanisms of this generation. Crowell & Moring has the experience to help with your claim.

This news bulletin is provided by the International Trade Group of Crowell & Moring. If you have questions or need assistance on trade law matters, please contact Anand Sithian or Simeon Yerokun or any member of the International Trade Group.

On April 30, 2026, USPTO Director John A. Squires issued an updated memorandum superseding the December 4, 2025, guidance on Best Practices for Submission of Rule 132 Subject Matter Eligibility Declarations (SMEDs). The USPTO has also created a new position — Deputy Commissioner for Patents focusing on AI Policy, Practice, and Operations — and has welcomed longtime practitioner and private-sector AI expert Barry Schindler to this role. This alert summarizes the key updates and actionable guidance for patent applicants and practitioners.

Consistent with recent FDA initiatives directed at leveraging AI technologies and improving early-phase clinical trial conduct, the FDA has issued a Request for Information (RFI) for input on a proposed AI-enabled optimization pilot program for early-phase clinical trials. The issues for which FDA is requesting information fall into two categories:  (A) Pilot program design and implementation and (B) Program evaluation metrics and success criteria.

On 29 April 2026, the European Commission adopted the Middle East Crisis Temporary State Aid Framework (METSAF), a temporary framework relaxing the conditions under which EU Member States can support companies in sectors particularly affected by fuel, fertilizer, and electricity price surges driven by the Middle East crisis.

Employers should be aware of several California laws that were recently enacted or went into effect. These laws expand the scope of care recipients that can trigger paid family leave obligations, extend the statute of limitation for survivors of sexual assault, strengthen protections for tipped workers’ wages, increase minimum wage statewide, provide collective bargaining and organization rights to rideshare workers, and prohibit “stay-or-pay” clauses in employment contracts. 

On April 13, 2026, President Trump signed into law the Small Business Innovation and Economic Security Act, which reauthorized the Small Business Innovation Research (SBIR) and Small Business Technology Transfer (STTR) programs.  These programs are Small Business Administration-sponsored initiatives intended to encourage small business contractors to conduct early-stage research and development (R&D) and help foster technological innovation related to U.S. government needs across several federal agencies, including the Department of War, Department of Energy, National Aeronautics and Space Administration, and National Institutes of Health.  SBIR/STTR are sometimes referred to as “America’s Seed Fund.”  Consistent with that characterization, SBIR contractors performing in the defense and technology space are often the focus of venture capital and private equity interest and investment.

The appropriate use of AI tools during the claims review process continues to be a major topic of debate within the health care industry — but in recent weeks, emerging litigation has inspired critics to turn their attention specifically to the technology’s application within federal health programs. On March 25, 2026, the Electronic Frontier Foundation (EFF) filed a lawsuit against the Centers for Medicare and Medicaid Services (CMS), citing the agency’s alleged failure to answer a Freedom of Information Act (FOIA) request for records the EFF believes will provide crucial insight into the design, safeguards, vendor relationships, and real-world performance of the Medicare Wasteful and Inappropriate Service Reduction (WISeR) Model, CMS’s  AI-driven prior authorization pilot program for certain Medicare services.

On April 15, 2026, a federal jury found Live Nation and its subsidiary Ticketmaster liable on every antitrust count submitted, including monopolization of primary ticketing markets and illegal bundling of its promotions and venue business lines. The jury found the defendants liable for $1.72 for each primary concert ticket sold pursuant to the anticompetitive conduct.[1] The trial opened March 2, 2026, before Judge Arun Subramanian in the Southern District of New York, as a case brought by the federal government and a coalition of states. The case, however, was rocked by an early-trial settlement between the Department of Justice (DOJ) and the defendants. Although the DOJ and six of the plaintiff states (Arkansas, Iowa, Mississippi, Nebraska, Oklahoma, South Dakota) exited the trial, 33 states and the District of Columbia rejected the settlement, brought in a law firm, and moved forward with the trial. Next up for the case: (1) a statutorily required Tunney Act review of the DOJ’s settlement; (2) defendants’ Rule 50 and Rule 59 motions; (3) determination by the Court of how many tickets are subject to the $1.72 damage award (before trebling as per the Clayton Act); and (4) a remedy phase where the Court will consider plaintiffs’ likely proposal to sever Ticketmaster from Live Nation.

The EU AI Act defines ‘AI literacy’ as the skills, knowledge and understanding to enable the informed use and operation of AI systems and increase awareness of the opportunities, risks and possible harm that AI systems may present — with the ultimate purpose being to ensure that staff (and other relevant individuals) are able to take informed decisions in relation to AI, such as how to interpret AI output and decision-making processes and their impact on natural persons.

In our eighth alert in this EU Pharma Package Series, we took a “detour” to discuss the interplay between the measures proposed in the Pharma Package and those contained in other important EU initiatives such as the proposed Critical Medicines Act (CMA), and the Medicinal Countermeasures and EU Stockpiling Strategies.

Several recent class actions filed against Tempus AI, Inc., a health care technology company that combines AI with molecular and clinical data to develop precision medicine services, are the latest in a series of cases illustrating a fast-growing legal risk: the repurposing of genetic and clinical data — collected for diagnostic or treatment purposes — for artificial intelligence (AI) model training, analytics, and downstream commercialization following corporate acquisitions. At the same time, state genetic privacy regulation is expanding rapidly, with Utah and South Dakota being the most recent states to enact new statutes, and legislation advancing in several additional states. Organizations holding genetic datasets need to treat data governance as a core enterprise risk issue, not a downstream compliance matter.

A recent Illinois appellate decision has narrowed a key protection that state and local government contractors have long been able to rely on under Illinois’ Biometric Information Privacy Act (BIPA). In Thomas v. Cornerstone Services, Inc., the Illinois Appellate Court held that BIPA’s government contractor exemption does not provide blanket immunity to contractors simply because they hold a contract or subcontract with a state agency or local unit of government. The ruling carries important compliance implications for contractors and subcontractors operating across both government and private-sector markets.