- Product @ k-ID
- Posts
- Skill for neimo: Regulatory Watch
Skill for neimo: Regulatory Watch
A skill that takes any compliance document you already have and tells you, with citations and a severity flag, exactly what no longer matches current rules
Kieran Donovan
June 03, 2026
Today we're shipping regulatory-watch — a skill that takes any compliance document you already have and tells you, with citations and a severity flag, exactly what no longer matches the latest regulatory data in neimo.
Point it at a control register, a DPIA, a jurisdiction pack. It reads every rule you wrote down, checks each one against the current regulatory data, and hands you back a change report: what's new, what's changed, what's gone stale, what's been superseded.
You can download it here and run it on your own artefacts in minutes.
Here's why we built it, what it does, and how to use it.
The problem regulatory-watch solves
Compliance for digital youth has an expiry date nobody prints on the box. The day you finish it is the day it starts to rot.
You stand up an age gate, wire parental consent, write the control register — the whole binder of evidence that says we did this right. It's correct on the day you ship it. Then a regulator issues guidance, a bill gets royal assent, a settlement reshapes what "reasonable" means, and your binder — still in the same folder, still saying the same thing — is quietly wrong. Documents don't know when the world moved underneath them.
That leaves teams with two (not ideal) options: re-audit everything by hand every few weeks, or trust the binder until an enforcement hits. Regulatory-watch is the third option. It's the standing mechanism that re-checks your work against reality, continuously, so the gap between what your document says and what the latest regulatory data says is measured in days instead of in the interval between manual audits.
What it does, step by step
Run regulatory-watch on an artefact and it does four things:
Ingests your document into checkable units. It takes
.xlsx,.csv,.docx, or.mdand extracts every (control, jurisdiction, cited instrument) triple — one record per controllable row. It auto-detects your column names; you don't reformat anything to fit it.Checks each row against neimo. Every claim is verified against neimo, k-ID's regulatory knowledge base spanning 200-plus markets — age thresholds, parental consent, data protection, enforcement, plus the Legal Horizons archive of recent and future developments. Every finding traces to a neimo citation. Nothing comes from guesswork.
Confirms against the primary source. Where your document cites a named instrument — COPPA, the Online Safety Act, ECA Digital — it runs a targeted check against the regulator's own page to corroborate and date the change.
Emits a severity-flagged change report. New requirements, amended thresholds, now-stale rows, deprecated instruments — each one with the source URL a lawyer can audit, a severity flag so you fix the enforcement-backed ones first, and a suggested edit to the control.
It never rewrites your document silently. It proposes; a human applies.
What a finding looks like
Here's the shape of the output. Say your register has this row:
United States · Profiling & Advertising · Permitted. Updated September 2025
Regulatory-watch returns something like:
Control | Jurisdiction | Class | What changed | Source | Suggested edit |
|---|---|---|---|---|---|
US | United States | AMENDED (High) | The 2026 COPPA Rule amendment now treats targeted advertising as non-integral — it requires separate, opt-in parental consent and cannot be a condition of service. Compliance deadline April 22, 2026. | Reclassify targeted ads as a non-integral permission gated behind standalone parental consent; add third-party recipient list to privacy policy. | |
BR | Brazil | AMENDED (High) | ANPD draft age-assurance guidance (consultation closing July 9, 2026) states that a CPF tax-ID number alone is equivalent to self-declaration and won't hold in high-risk scenarios. | Replace "CPF check" as primary verification with a privacy-preserving age token + backup mechanism. | |
GB | United Kingdom | NEW (horizon) (Medium) | Children's Wellbeing and Schools Bill carries powers that could raise the digital age of consent from 13 to 16. Not yet in force; implementation expected early 2027. | Flag every control keyed to age 13 for review pending Secretary of State regulations. |
Three rows, three classes, three citations, three suggested fixes.
Where it's most valuable
Regulatory-watch earns its keep anywhere a compliance artefact has to stay current across moving markets. The places teams feel it most:
The market is moving under you in four directions at once. The last few months alone: the US COPPA amendment hit its April 22, 2026 compliance deadline, reclassifying targeted ads to children. Brazil's ECA Digital is in force and the ANPD is mid-consultation on age-assurance rules that write CPF-only checks out of the rulebook. The UK ICO went public on May 21, 2026 saying it doesn't have confidence the right measures are in place and is ready to open proceedings. Australia's eSafety Commissioner published compliance guidance naming the specific implementation failures it's hunting for. Four jurisdictions, four clocks, none of them synced to the release calendar. No human re-reads a binder against all of that on schedule — the skill does.
You manage compliance for a portfolio. One register per game, per app, per market multiplies the surface area until manual review is a struggle. Regulatory-watch runs the same logic across all of them and re-baselines on a cadence.
You're handing evidence to a regulator or an acquirer. A change report with every claim traced to a citation is the difference between "we think we're current" and "here is the dated, sourced proof that we are."
Self-declaration is still in your stack somewhere. It used to be a defensible way to keep under-13s out. The bar moved — regulators now treat asking as not the same as knowing. In February 2026 the ICO issued a £14.47 million fine in a case where the controls still rested on self-declaration after the standard had shifted. Regulatory-watch is built to catch exactly that row before it bites.
How to run it
Install the skill, then point it at a file in plain language:
"Run regulatory-watch on our UK control register."
"Is this DPIA still current? Diff it against neimo."
"What's changed since we last updated the app for Brazil?"
It works as a one-off check, or as a scheduled task: a monthly full sweep of every row in every market, plus a lighter weekly pass over the fast-moving instruments where something is most likely to land before you'd otherwise notice. Set it once and the watch runs on its own.
Where it fits
Regulatory-watch is one half of a pair. neimo is the part of k-ID that knows the rules — the structured, sourced, 200-plus-market record of what's required, where, and as of when. Regulatory-watch is the part that never stops checking your work against it. Together they close the gap that quietly opens between the day you got compliance right and today. It's the same engine behind the CDK that powers more than 44 million users every day.
That's what we're shipping: a way to keep watch over the rules for digital youth, so the protection never goes stale.
Download it here and run it on your own register today. Starting with the literal kind of watch.
-- Kieran
Buildable 03 — A k-ID series on making AI buildable for digital youth, and for the teams shipping to them