Insights

On September 30, 2025, the Food and Drug Administration (FDA) issued a Request for Public Comment (“Request”) inviting stakeholders to share practical experience and recommendations for measuring and evaluating the real-world performance of AI-enabled medical devices, including those powered by GenAI. According to FDA, the Request is not intended to communicate new guidance or regulatory expectations but aims to advance the conversation on how best to assure the safety, effectiveness, and reliability of AI-driven technologies in clinical practice.

On September 29, 2025, the U.S. Department of Commerce Bureau of Industry and Security (BIS) announced a sweeping Interim Final Rule (IFR), (the “Affiliates Rule”) expanding which entities qualify as Entity List or Military End-User entities, thereby subjecting those entities to elevated export control restrictions under the Export Administration Regulations (EAR). U.S. export restrictions applicable to entities on the Entity List, Military End-User (MEU) List, and Specially Designated Nationals and Blocked Persons (SDN List) now apply to foreign affiliates that are, in the aggregate, owned 50% or more by one or more of the aforementioned entities. An entity that becomes subject to these restrictions because of its ownership structure will be subject to the most restrictive controls that attach to any of its parent entities, regardless of ownership stakes.

On September 18, EPA announced that it will prioritize Toxic Substances Control Act (“TSCA”) review for “new chemicals related to data centers and artificial intelligence (“AI”) projects,” in an effort to “streamline permitting and regulations to accelerate American data center development.”

On September 24, 2025, the California Air Resources Board (“CARB”) issued a preliminary list of reporting/covered entities under California’s climate disclosure laws SB 253 (the Climate Corporate Data Accountability Act) and SB 261 (the Climate-Related Financial Risk Act) (the “Climate Disclosure Laws”) (both as modified by SB 219).

Responding to the D.C. Circuit’s deadline to inform the court how it wishes to proceed in litigation challenging the agency’s listing of two types of per- and polyfluoroalkyl substances (PFAS) as hazardous substances under Comprehensive Environmental Response, Compensation, and Liability Act (CERCLA), the Environmental Protection Agency (EPA) stood behind its rule. In a September 17, 2025 filing, EPA told the court that the Trump administration had completed its review and would ultimately keep the Biden-era CERCLA final rule in place. The agency also requested that the court remove—i.e. pause—the abeyance placed on the proceedings, so that the lawsuit could move forward and be adjudicated.

The Department of Education (DOE) announced on September 10, 2025, that it will end discretionary funding to several Minority-Serving Institution (MSI) grant programs that, it stated, “discriminate by conferring government benefits exclusively to institutions that meet racial or ethnic quotas.”[1] The agency stated that it would “us[e] its statutory authority to reprogram discretionary funds to programs that do not present such concerns.”[2] This announcement follows a July 2025 decision by the Department of Justice to no longer defend the constitutionality of a provision of the Higher Education Act of 1965 (HEA) that authorizes grant funding to Hispanic-Serving institutions, after determining that such programs “violate the equal-protection component of the Fifth Amendment’s Due Process Clause.”[3]

Although the Supreme Court’s 2014 decision in Alice v. CLS Bank and its progeny affected the issuance and enforcement of software patents and led to a major shift in U.S. patent policy, software patents still have value today and such protection therefore should be pursued.

On September 9, 2025, the California Privacy Protection Agency (“CPPA”), along with California Attorney General Rob Bonta, Colorado Attorney General Phil Weiser, and Connecticut Attorney General William Tong, (collectively the “Coalition”) announced a joint investigative sweep (the “Sweep”) into businesses refusing to honor consumers' requests to opt-out of the sale of their personal information submitted via Global Privacy Controls (“GPCs”). This Sweep is another action in a growing trend of multi-state cooperation in data privacy enforcement activities. Given the continued lack of a federal data privacy law, state cooperation and enforcement activities are expected to continue.

On September 5, 2025, the Federal Trade Commission (“FTC”) withdrew its appeals of decisions issued by Texas and Florida federal district courts, which enjoined the FTC from enforcing a nationwide rule banning almost all noncompete employment agreements. Companies, however, should not read this decision to mean that their noncompete agreements will no longer be subjected to antitrust scrutiny by federal enforcers. In a statement joined by Commissioner Melissa Holyoak, Chairman Andrew Ferguson stressed that the FTC “will continue to enforce the antitrust laws aggressively against noncompete agreements” and warned that “firms in industries plagued by thickets of noncompete agreements will receive [in the coming days] warning letters from me, urging them to consider abandoning those agreements as the Commission prepares investigations and enforcement actions.”

The Best Lawyers in America 2026 Recognizes 43 Crowell & Moring Attorneys, One Selected as Lawyer of the Year

In 2023, California passed two landmark laws—SB 253, the Climate Corporate Data Accountability Act; and SB 261, the Climate-Related Financial Risk Act—that will require large public and privately-held entities doing business in California to comply with sweeping disclosure requirements regarding their direct and indirect greenhouse gas emissions and their climate-related financial risks. California subsequently passed SB 219, which updated certain deadlines and requirements of the laws (collectively, the “Climate Disclosure Laws”).

On August 29, 2025, the Department of Justice (DOJ) and the Department of Homeland Security (DHS) launched a cross-agency Trade Fraud Task Force to expand efforts to target importers and other parties committing trade-related fraud. As stated in a press release issued on August 29, the Task Force will augment the existing coordination mechanisms within the DOJ and DHS, for instance through partnerships with CBP and Homeland Security Investigations, to “aggressively” take enforcement measures against parties that commit tariff evasion or attempt to smuggle prohibited goods into the U.S.

On August 19, 2025, the Office of Personnel Management (OPM) informed insurers participating in the Federal Employees Health Benefits or Postal Service Health Benefits programs that gender-affirming care would no longer be covered for federal workers starting in 2026. This coverage decision is the Trump Administration’s latest action stemming from Executive Order 14187 which aims to prevent certain treatments, such as gender-affirming hormone therapy, surgeries, and puberty blockers for those under the age of 19. As previously discussed, the Administration has also signaled its intent to use various law enforcement tools against gender-affirming care, including  Section 5 of the Federal Trade Commission Act to police false or unsupported claims by medical professionals about gender-affirming treatments.

On August 21, the Supreme Court, in National Institutes of Health v. American Public Health Association, granted the government’s application for a stay of the district court’s order vacating NIH’s termination of various research grants. The Court denied the government’s application with respect to the district court’s vacatur of related internal guidance documents. The Court’s order impacts federal government grantees who wish to challenge grant terminations in federal court.

In the last few months, both Washington State and Pennsylvania enacted significant legislation addressing the malicious use of deepfakes—artificial intelligence-generated or manipulated media. These new laws reflect a growing national and state-level trend to regulate AI-generated content, especially when used to harm individuals or mislead the public.

On August 11, 2025, the U.S. Department of Justice (“DOJ”) announced that it had unsealed an indictment against two Mexican businessmen for alleged violations of the Foreign Corrupt Practices Act (“FCPA”).  DOJ asserts that the defendants, both Mexican nationals living in Texas, paid bribes to officials at Petróleos Mexicanos (“PEMEX”), and its subsidiary, PEMEX Exploración y Producción (“PEP”) to secure contracts worth an estimated $2.5 million.  These charges come amidst a period of uncertainty regarding FCPA enforcement following the Trump administration’s temporary pause on FCPA enforcement and the subsequent issuance of new investigation and enforcement guidelines.

In an effort to update and modernize the FDA’s regulation of sunscreen, Representative John Joyce (R-Ohio) and a group of bipartisan members of Congress introduced in June the Supporting Accessible, Flexible, and Effective Sunscreen (SAFE) Standards Act.  If enacted, the bill would establish a more flexible regulatory scheme at the FDA, decrease the cost in the approval process and expand the array of sunscreen available for purchase.

On July 23, 2025, the Internal Revenue Service (“IRS”) issued interim guidance for Large Business & International Division (“LB&I”) audit procedure. The IRS announced three major changes: (1) the Acknowledgement of Facts Information Document Request (“AOF IDR”) will be eliminated; (2) Accelerated Issue Resolution (“AIR”) applies to Large Corporate Compliance (“LCC”) cases; and (3) the IRS must conduct additional review before denying a taxpayer’s request to participate in the Fast Track Settlement (“FTS”). These changes reflect the IRS’s continued push to make its examinations “more efficient and current.”

On July 28, 2025, Cadence Design Systems Inc. (“Cadence” or “the Company”), a global electronic design automation (“EDA”) technology company based in San Jose, California, agreed to plead guilty in a settlement with the U.S. Department of Justice’s National Security Division (“NSD”) and the U.S. Attorney’s Office for the Northern District of California. Through its guilty plea, Cadence agreed to resolve charges that it committed criminal violations of export controls by selling EDA hardware, software, and semiconductor design intellectual property (“IP”) technology to the National University of Defense Technology (“NUDT”), a Chinese military university on the U.S. Entity List since 2015 due to its involvement in military and nuclear simulation activities. In addition, Cadence simultaneously resolved a civil enforcement action brought by the U.S. Department of Commerce, Bureau of Industry and Security (“BIS”) related to the same underlying conduct.

On August 7, 2025, the FAR Council issued a final rule amending FAR 52.204-7 to clarify that, effective immediately, an offeror’s failure to maintain continuous System for Award Management (SAM) registration between proposal submission and contract award does not render the offeror ineligible for award, so long as the offeror was registered in SAM at the time of proposal submission and is registered at the time of contract award. The final rule should address situations like TLS Joint Venture, LLC, B-422275, Apr. 1, 2024, 2024 CPD ¶ 74, where an offeror’s SAM registration lapsed for a single day between the proposal submission and award dates, and GAO found the offeror ineligible for award.