The United Kingdom’s National Cyber Security Centre (NCSC) has released its Annual Review for 2025. As in 2024, the report covers the UK’s cyber security position as well as the country’s readiness to deal with those threats....more
Boards in the United States, United Kingdom, and European Union face increasing pressure to oversee cybersecurity risks amid evolving regulatory expectations. Our Privacy, Cyber & Data Strategy Team highlights key resources,...more
On October 15, 2025, the UK’s Information Commissioner’s Office (ICO) fined Capita plc and Capita Pension Solutions Limited (collectively “Capita”) £14 million (~$18.8 million) for failing to implement adequate security...more
10/23/2025
/ Corporate Counsel ,
Cybersecurity ,
Data Breach ,
Data Privacy ,
Data Protection ,
Data Security ,
Enforcement Actions ,
Incident Response Plans ,
Information Commissioner's Office (ICO) ,
Ransomware ,
Risk Management ,
UK ,
UK GDPR
The EU’s sweeping Data Act is now in force. In this part of our series highlighting the Data Act’s key issues, our Privacy, Cyber & Data Strategy Team highlights new obligations for companies whose connected products collect...more
9/22/2025
/ Connected Cars ,
Data Collection ,
Data Privacy ,
EU ,
Internet of Things ,
Manufacturers ,
New Legislation ,
Portability ,
Regulatory Requirements ,
Right-To-Access ,
Transparency
The EU officially adopted the Data Act in January 2024, and it came into force on September 12, 2025. The Data Act builds on existing laws like the General Data Protection Regulation and the Data Governance Act. Now that the...more
This advisory is part of a series that summarises the key issues arising from the introduction of the Data Act. See: On September 12, 2025, the obligations introduced under the EU’s Data Act (Regulation 2023/2854) become...more
9/18/2025
/ Cloud Service Providers (CSPs) ,
Contract Terms ,
Data Management ,
Data Transfers ,
Digital Assets ,
Enforcement Actions ,
EU ,
Information Technology ,
New Legislation ,
Regulatory Requirements ,
Transparency
As data protection regulations evolve and employee rights awareness grows, organisations are seeing a significant uptick in Data Subject Access Requests (DSARs). Pursuant to Article 15 of the UK and EU General Data Protection...more
7/10/2025
/ Collaboration ,
Compliance ,
Data Privacy ,
Data Protection ,
Data Security ,
Data Subject Access Requests ,
Disclosure ,
Document Review ,
Employee Rights ,
Employment Litigation ,
General Data Protection Regulation (GDPR) ,
Innovative Technology ,
Legal Technology ,
Privacy Laws ,
Risk Management ,
Training
On June 5, 2025, the UK’s Information Commissioner’s Office (ICO) fined 23andMe £2.31 million (~$3.1 million). The fine was for failing to implement adequate security measures to protect the personal data of over 155,000 UK...more
The European Union Agency for Cybersecurity (ENISA) has launched the European Vulnerability Database (EUVD), a tool designed to enhance digital security across the EU. The EUVD is available here....more
Cyber security supply chain risks are growing, and attacks on vendors and other third parties cause severe disruption to businesses. For example, in recent years we have seen many incidents that have involved threat actors...more
On April 14, 2025, the UK data protection regulator (the Information Commissioner’s Office (“ICO”)) fined DPP Law (“DPP”) £60,000 (approximately $80,000) following a ransomware incident. In its penalty notice, the ICO found...more
The UK Serious Fraud Office (SFO) has issued new guidance to encourage companies to self-report suspected corporate criminal conduct and cooperate fully with investigations. Our transatlantic White Collar, Government &...more
On April 8, 2025, the UK government published the Cyber Code of Practice (the “Code”) to support board directors in governing cybersecurity risks. The Code is available online. The UK’s data protection regulator is actively...more
On March 26, 2025, the UK data protection regulator (the Information Commissioner’s Office (“ICO”)) fined Advanced Computer Software Group Ltd (“Advanced”) £3.07 million (approximately $4 million). In 2022, Advanced suffered...more
On March 18, 2025, the European Commission proposed to extend its adequacy decision in favor of the United Kingdom (‘UK’) for an additional six-month period. This would allow free flows of personal data from the EU to the UK...more
3/25/2025
/ Data Privacy ,
Data Protection ,
EU ,
European Commission ,
European Data Protection Board (EDPB) ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
New Legislation ,
Personal Data ,
Regulatory Reform ,
UK
On January 14, 2025, the United Kingdom government published a consultation on ransomware proposing new measures to increase incident reporting and reduce ransom payments (the “Consultation”). The Consultation outlines three...more
The United Kingdom’s National Cyber Security Centre (NCSC) has released its Annual Review for 2024. As in prior years, the report covers the UK’s cyber security position, both in terms of threats to the public and private...more
Our Privacy, Cyber & Data Strategy Team discusses the new Cyber Resilience Act (CRA) that affects manufacturers and distributors of connected devices that are in use anywhere in the European Union....more
12/12/2024
/ Compliance ,
Cyber Threats ,
Cybersecurity ,
Cybersecurity Framework ,
Distributors ,
EU ,
European Commission ,
Importers ,
Manufacturers ,
Regulatory Oversight ,
Reporting Requirements ,
Risk Assessment ,
Risk Management
Our White Collar, Government & Internal Investigations Team discusses the UK’s new guidance on the “failure to prevent fraud” offense. The guidance addresses the “failure to prevent fraud” offense created by the Economic...more
In the July 2024 King’s Speech, the UK government announced its intention to introduce a Cyber Security and Resilience Bill (the “Bill”) to improve the UK’s cyber defenses and protect essential public services. The...more
EU Member States had until today, October 17, 2024, to transpose the Network and Information Security (NIS) 2 Directive into their national laws. As Directives are not directly applicable in EU Member States, the EU...more
On October 7, 2024, the European Data Protection Board (“EDPB”) adopted an opinion on obligations following from the use of processors and sub-processors (the “Opinion”). The EDPB is the body that seeks to ensure harmonised...more
On October 1, 2024, the Department of Justice (“DOJ”) unsealed an indictment against Aleksandr Viktorovich Ryzhenkov (Александр Викторович Рыженков), a member of the ransomware group Evil Corp. The indictment charges...more