The United States’ Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI), in collaboration with the United Kingdom’s National Cyber Security Centre and other international partners,...more
11/4/2025
/ Critical Infrastructure Sectors ,
Cybersecurity ,
EU ,
Government Agencies ,
Industrial Sector ,
Information Technology ,
Infrastructure ,
International Harmonization ,
Network Security ,
New Guidance ,
Popular ,
Regulatory Requirements ,
Risk Management ,
Supply Chain ,
Third-Party Risk ,
UK ,
United States
The Court of Justice of the European Union (ECJ) has issued a landmark decision in European Data Protection Supervisor v Single Resolution Board (C-413/23 P), narrowing the circumstances in which pseudonymised data is...more
11/3/2025
/ Data Management ,
Data Privacy ,
Data Protection ,
Data Protection Authority ,
Data Transfers ,
Data-Sharing ,
EU ,
European Court of Justice (ECJ) ,
General Data Protection Regulation (GDPR) ,
Personal Data ,
Popular ,
Privacy Laws ,
Regulatory Requirements ,
Transparency
On 22 August 2025, the UK Court of Appeal issued its judgment in Farley v Paymaster. The case related to the Sussex Police, whose pension scheme members’ “annual benefit statements” were posted to out-of-date addresses. The...more
11/3/2025
/ Class Action ,
Collective Actions ,
Corporate Counsel ,
Court of Justice of the European Union (CJEU) ,
Damages ,
Data Breach ,
Data Protection ,
EU ,
EU Directive ,
General Data Protection Regulation (GDPR) ,
Personal Data ,
Privacy Laws ,
Private Right of Action ,
UK ,
UK GDPR
On 12 September 2025, the European Data Protection Board (EDPB) issued draft guidelines (Guidance) on the interplay between the EU General Data Protection Regulation (GDPR) and the Digital Services Act (DSA), the latter of...more
10/31/2025
/ Algorithms ,
Automated Decision Systems (ADS) ,
Cybersecurity ,
Data Protection ,
Digital Platforms ,
Digital Services ,
European Data Protection Board (EDPB) ,
General Data Protection Regulation (GDPR) ,
Online Platforms ,
Personal Data ,
Privacy Laws
Under the EU General Data Protection Regulation (GDPR), the European Commission can issue “adequacy” decisions allowing data to be transferred from the EU to a non-EEA country without additional security measures such as...more
9/10/2025
/ Adequacy Requirement ,
Appeals ,
Corporate Counsel ,
Court of Justice of the European Union (CJEU) ,
Data Privacy ,
Data Protection ,
EU ,
European Commission ,
European Court of Justice (ECJ) ,
General Court of the European Union (GCEU) ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Personal Data ,
Privacy Laws
The FTC’s letters highlight the commission’s concern that tech companies may adopt content moderation or data security policies that, while designed to meet foreign legal requirements, could impermissibly infringe upon U.S....more
9/5/2025
/ Censorship ,
Consumer Privacy Rights ,
Data Security ,
Digital Services ,
Encryption ,
EU ,
Federal Trade Commission (FTC) ,
FTC Act ,
Online Platforms ,
Regulatory Requirements ,
Section 5 ,
UK ,
Unfair or Deceptive Trade Practices
- What is new: On 26 June 2025, the EU Agency for Cybersecurity (ENISA) published guidance documents setting out security measures that regulated organisations should have in place to comply with the EU’s critical...more
- What is new: The EU AI Act’s obligations on general-purpose AI providers have now come into force alongside the publication of guidance, a code of practice and a disclosure template that flesh out GPAI model providers’...more
- What is new: The ICO is proposing to relax its enforcement of cookie consent requirements, meaning user consent would not be required for lower-risk advertising cookies.
- Why it matters: The proposals aim to address...more
8/6/2025
/ Advertising ,
Consent ,
Cookies ,
Corporate Counsel ,
Data Privacy ,
Data Protection ,
Information Commissioner's Office (ICO) ,
New Guidance ,
Privacy Laws ,
UK ,
Web Tracking
- What is new: The EU’s Delegated Regulation on Subcontracting has come into force, completing the legal framework of the Digital Operational Resilience Act (DORA). Attention will now turn to enforcement.
- Why it matters:...more
In recent weeks, the EU and UK have both introduced changes to their respective versions of Europe’s landmark privacy legislation, the General Data Protection Regulation (GDPR). These reforms mark the first substantial...more
7/11/2025
/ Compliance ,
Cookies ,
Data Privacy ,
Data Protection ,
EU ,
General Data Protection Regulation (GDPR) ,
Member State ,
New Legislation ,
Personal Data ,
Regulatory Agenda ,
Regulatory Reform ,
Regulatory Requirements ,
UK
On 25 June 2025, the European Commission announced its proposal for a “Space Act” that would introduce a new regulatory framework for EU space activities. The proposed framework includes cyber-resilience obligations for EU...more
7/9/2025
/ Compliance ,
Cybersecurity ,
Data Privacy ,
Enforcement ,
EU ,
National Security ,
Outer Space ,
Privacy Laws ,
Proposed Legislation ,
Regulatory Requirements ,
Reporting Requirements ,
Risk Management
- On 26 March 2025, the European Health Data Space (EHDS) Regulation entered into force. The regulation establishes a comprehensive framework for health-data sharing and access in the EU, with the dual aim of supporting the...more
6/26/2025
/ Compliance ,
Data Privacy ,
Data Security ,
Data-Sharing ,
Electronic Protected Health Information (ePHI) ,
EU ,
Health Care Providers ,
Healthcare ,
Healthcare Reform ,
Intellectual Property Protection ,
Life Sciences ,
Noncompliance ,
Personal Data ,
Regulatory Agenda ,
Regulatory Requirements ,
Shareholders
Recent months have seen a spate of high-profile cyber incidents that have affected UK companies and disrupted supply chains, keeping cybersecurity on the front pages and at the top of UK companies’ agendas. In response to the...more
6/26/2025
/ Corporate Governance ,
Critical Infrastructure Sectors ,
Cybersecurity ,
Data Privacy ,
EU ,
Legislative Agendas ,
New Legislation ,
Proposed Legislation ,
Regulatory Reform ,
Reporting Requirements ,
Supply Chain ,
Technology ,
UK
Executive Summary -
The EU Data Act, whose requirements apply from 12 September 2025, establishes new rights for businesses and consumers to access data they generated using “connected devices,” limiting the exclusive...more
6/24/2025
/ Cloud Computing ,
Competition ,
Contract Terms ,
DATA Act ,
Data Privacy ,
Data Protection ,
Data-Sharing ,
Enforcement ,
EU ,
General Data Protection Regulation (GDPR) ,
New Legislation ,
Regulatory Requirements ,
UK
As companies shift their thinking from “if” a cyberattack will happen to “when” an attack hits, the key differentiator in how a company emerges from an attack is often dictated by preparation and strategic planning in order...more
On 27 March 2025, the UK Information Commissioner’s Office (ICO) issued a £3.07 million fine to an IT services provider following a ransomware attack in 2022 that affected the company’s health care business.
The ransomware...more
Key Points -
- Accelerated M&A activity by financial sponsors is expected in the near term due to improved market conditions and deregulation under the Trump administration.
- With the rapid development of new AI use...more
1/20/2025
/ Acquisitions ,
Artificial Intelligence ,
Capital Markets ,
Compliance ,
Cybersecurity ,
Data Privacy ,
Mergers ,
Private Equity ,
Regulatory Requirements ,
Risk Management ,
Technology Sector
On 13 December 2024, the UK Information Commissioner’s Office (ICO) published the report of outcomes from its consultation on generative AI (genAI). The report sets out key themes that emerged from responses to the ICO’s...more
1/8/2025
/ Artificial Intelligence ,
Compliance ,
Consumer Privacy Rights ,
Data Privacy ,
Data Protection ,
General Data Protection Regulation (GDPR) ,
Information Commissioner's Office (ICO) ,
Machine Learning ,
Regulatory Agenda ,
Transparency ,
UK
The EU’s Digital Operational Resilience Act (DORA) becomes binding on 17 January 2025. As the compliance deadline approaches, EU financial regulators (ESAs) have issued a flurry of statements on the act, including:
- An...more
1/6/2025
/ Cybersecurity ,
Digital Operational Resilience Act (DORA) ,
EIOPA ,
Enforcement ,
EU ,
European Banking Authority (EBA) ,
European Supervisory Authorities (ESAs) ,
Financial Institutions ,
Financial Services Industry ,
Information and Communication Technology (ICT) ,
Investment Management ,
Policies and Procedures ,
Risk Management
On 30 September 2024, the UK Department of Science, Innovation and Technology announced that the Cyber Security and Resilience Bill (Bill) will be introduced to Parliament in 2025. The Bill was first announced in the King’s...more
10/15/2024
/ Artificial Intelligence ,
Critical Infrastructure Sectors ,
Cybersecurity ,
Digital Services ,
EU ,
Incident Response Plans ,
Intellectual Property Protection ,
Legislative Agendas ,
New Legislation ,
Popular ,
Regulatory Agenda ,
Regulatory Reform ,
Risk Management ,
Technology Sector ,
UK
The deadline for EU countries to transpose the expanded cybersecurity directive, NIS 2, into national law is 17 October 2024, but the implementation status varies significantly from country to country. Some of the member...more
10/14/2024
/ Corporate Governance ,
Cybersecurity ,
Data Privacy ,
Data Protection ,
Data Security ,
Deadlines ,
EU ,
National Security ,
Popular ,
Risk Management ,
Technology Sector
With the EU’s AI Act having entered into force on August 1, 2024, companies now need to focus on its implementation. Although the AI Act will not be fully enforceable until August 2, 2027, some obligations will become binding...more
In this edition of Insights, we take a closer look at the megadeals and sponsor transactions driving recent M&A activity, the importance of staying ahead of the risks in AI development and deployment, and other diverse...more
9/30/2024
/ Acquisitions ,
Administrative Procedure Act ,
Artificial Intelligence ,
Chevron Deference ,
Corner Post Inc v Board of Governors of the Federal Reserve System ,
Corporate Governance ,
Delaware General Corporation Law ,
Federal Bans ,
Federal Trade Commission (FTC) ,
Final Rules ,
Government Agencies ,
Judicial Authority ,
Loper Bright Enterprises v Raimondo ,
Machine Learning ,
Mergers ,
Non-Compete Agreements ,
Privacy Laws ,
Regulatory Agenda ,
Regulatory Authority ,
Regulatory Requirements ,
SCOTUS ,
SEC v Jarkesy ,
Securities and Exchange Commission (SEC) ,
Shareholder Litigation ,
Shareholders ,
Technology Sector
As AI systems become more complex, companies are increasingly exposed to reputational, financial and legal risks from developing and deploying AI systems that do not function as intended or that yield problematic outcomes....more
9/30/2024
/ Artificial Intelligence ,
Corporate Governance ,
Cybersecurity ,
Data Privacy ,
NIST ,
Popular ,
Privacy Laws ,
Regulatory Agenda ,
Regulatory Requirements ,
Risk Management ,
Technology Sector ,
U.S. Commerce Department