Texas, Colorado, and the EU Just Diverged on AI Law. Here's the New Map.
By Matt Bertram ·
Last reviewed June 26, 2026
Colorado just rewrote the AI compliance map. On May 14, 2026, Governor Polis signed SB 26-189, repealing the state’s original AI Act (SB 24-205) and replacing it with a narrower framework built around disclosure and consumer rights — no impact assessments, no duty of care. That repeal reshapes how Texas decision-makers should think about the three dominant AI legal regimes and where they diverge.
The new landscape at a glance
| TRAIGA (Texas) | Colorado SB 26-189 | EU AI Act | |
|---|---|---|---|
| Effective date | Jan 1, 2026 | Jan 1, 2027 | Phased: Feb 2025–Aug 2027+ |
| Framework | Prohibition-based (intent required) | Disclosure + consumer rights | Risk-based tiered |
| Enforcer | TX AG exclusively | CO AG exclusively | National authorities + EU AI Office |
| Disclosure duties | Gov agencies + healthcare providers only | All covered ADMT in 7 domains | Varies by risk tier |
| Impact assessments | No | No (eliminated) | Yes (high-risk systems) |
| Max penalty | $200,000/violation (uncurable) | Not yet specified | EUR 35M or 7% global revenue |
| NIST safe harbor | Yes (explicit) | No | No |
What changed — and why Colorado pivoted
The original SB 24-205 mirrored the EU’s risk-tiered model, with deployer impact assessments and a duty-of-care standard. It was delayed twice, then stayed by a federal court in April 2026 after xAI sued and the DOJ intervened — a challenge triggered in part by a December 2025 White House executive order that specifically criticized Colorado’s approach.
SB 26-189 passed 34–1 in the Colorado Senate and 57–6 in the House. What survives: consumer notice at point of AI interaction, post-adverse-outcome notice within 30 days, consumer rights to access data and request human review, and AG enforcement with a 60-day cure period. What was dropped: impact assessments, deployer risk management programs, and the algorithmic discrimination duty of care. Seven sectors remain in scope — education, employment, housing, financial services, insurance, healthcare, and government services — but the compliance burden is substantially lighter.
Where Texas stands
TRAIGA has been in effect since January 1, 2026. Its logic differs from both Colorado and the EU: it targets intent, not risk tiers. Core prohibitions — behavioral manipulation designed to incite self-harm, constitutional rights infringement, intentional unlawful discrimination (disparate impact alone is insufficient), and child sexual content — apply to any entity. Government agencies must disclose AI interactions to consumers before or at the time of contact. Healthcare providers must disclose AI use in treatment on the date of service. Private non-healthcare businesses face no disclosure requirement.
Penalties are tiered: $10,000–$12,000 for curable violations, $80,000–$200,000 for uncurable, and $2,000–$40,000 per day for continuing violations. An explicit NIST AI RMF safe harbor is available. No publicly reported TRAIGA enforcement actions had been filed as of May 2026.
The EU’s next deadline: August 2
Most high-risk AI system obligations under the EU AI Act — Annex III systems, transparency rules — take effect August 2, 2026. That is six weeks out. Prohibited AI practices have been enforceable since February 2025; GPAI model rules since August 2025. A political agreement to streamline certain obligations was reached May 7, 2026, but formal EU Parliament and Council adoption had not been confirmed as of publication.
For Texas-based companies with EU operations or EU customers, August 2 is a live deadline.
The bottom line
Three regimes, three theories of harm. Texas prohibits bad intent. Colorado mandates disclosure and consumer rights in defined sectors. The EU imposes tiered conformity obligations. None creates a private right of action. All three rely on government enforcement with cure windows before penalties attach. A compliance posture built around any one regime will leave gaps in the others — which means the starting point is still the same: know exactly which AI systems you run and where.
Frequently asked questions
Why did Colorado repeal its original AI Act rather than simply amend it?
The original SB 24-205 faced compounding opposition: a December 2025 White House executive order specifically criticized Colorado’s risk-tiered approach, the DOJ established an AI Litigation Task Force in January 2026, xAI sued the state, and a federal magistrate stayed SB 24-205 on April 27, 2026. The replacement bill — SB 26-189 — passed the Colorado Senate 34-1 and the House 57-6, signaling broad legislative consensus that the original framework needed to be abandoned rather than patched.
Does Colorado’s new SB 26-189 require impact assessments the way the original law did?
No. Impact assessments, deployer risk management programs, and the algorithmic discrimination duty of care were all eliminated in the replacement law. Colorado SB 26-189, effective January 1, 2027, relies instead on consumer notice at the point of interaction, post-adverse-outcome notice within 30 days, and consumer rights to access data and request human review — a substantially lighter compliance structure than its predecessor.
Disclosure: Texas AI Report is published by Matt Bertram, who also leads ModalPoint, an AI-governance advisory. See our editorial standards.
Analysis and commentary, not legal advice.