The United States’ Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI), in collaboration with the United Kingdom’s National Cyber Security Centre and other international partners,...more
11/4/2025
/ Critical Infrastructure Sectors ,
Cybersecurity ,
EU ,
Government Agencies ,
Industrial Sector ,
Information Technology ,
Infrastructure ,
International Harmonization ,
Network Security ,
New Guidance ,
Popular ,
Regulatory Requirements ,
Risk Management ,
Supply Chain ,
Third-Party Risk ,
UK ,
United States
The Court of Justice of the European Union (ECJ) has issued a landmark decision in European Data Protection Supervisor v Single Resolution Board (C-413/23 P), narrowing the circumstances in which pseudonymised data is...more
11/3/2025
/ Data Management ,
Data Privacy ,
Data Protection ,
Data Protection Authority ,
Data Transfers ,
Data-Sharing ,
EU ,
European Court of Justice (ECJ) ,
General Data Protection Regulation (GDPR) ,
Personal Data ,
Popular ,
Privacy Laws ,
Regulatory Requirements ,
Transparency
On 22 August 2025, the UK Court of Appeal issued its judgment in Farley v Paymaster. The case related to the Sussex Police, whose pension scheme members’ “annual benefit statements” were posted to out-of-date addresses. The...more
11/3/2025
/ Class Action ,
Collective Actions ,
Corporate Counsel ,
Court of Justice of the European Union (CJEU) ,
Damages ,
Data Breach ,
Data Protection ,
EU ,
EU Directive ,
General Data Protection Regulation (GDPR) ,
Personal Data ,
Privacy Laws ,
Private Right of Action ,
UK ,
UK GDPR
On 12 September 2025, the European Data Protection Board (EDPB) issued draft guidelines (Guidance) on the interplay between the EU General Data Protection Regulation (GDPR) and the Digital Services Act (DSA), the latter of...more
10/31/2025
/ Algorithms ,
Automated Decision Systems (ADS) ,
Cybersecurity ,
Data Protection ,
Digital Platforms ,
Digital Services ,
European Data Protection Board (EDPB) ,
General Data Protection Regulation (GDPR) ,
Online Platforms ,
Personal Data ,
Privacy Laws
Under the EU General Data Protection Regulation (GDPR), the European Commission can issue “adequacy” decisions allowing data to be transferred from the EU to a non-EEA country without additional security measures such as...more
9/10/2025
/ Adequacy Requirement ,
Appeals ,
Corporate Counsel ,
Court of Justice of the European Union (CJEU) ,
Data Privacy ,
Data Protection ,
EU ,
European Commission ,
European Court of Justice (ECJ) ,
General Court of the European Union (GCEU) ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Personal Data ,
Privacy Laws
The FTC’s letters highlight the commission’s concern that tech companies may adopt content moderation or data security policies that, while designed to meet foreign legal requirements, could impermissibly infringe upon U.S....more
9/5/2025
/ Censorship ,
Consumer Privacy Rights ,
Data Security ,
Digital Services ,
Encryption ,
EU ,
Federal Trade Commission (FTC) ,
FTC Act ,
Online Platforms ,
Regulatory Requirements ,
Section 5 ,
UK ,
Unfair or Deceptive Trade Practices
- What is new: On 26 June 2025, the EU Agency for Cybersecurity (ENISA) published guidance documents setting out security measures that regulated organisations should have in place to comply with the EU’s critical...more
- What is new: The EU AI Act’s obligations on general-purpose AI providers have now come into force alongside the publication of guidance, a code of practice and a disclosure template that flesh out GPAI model providers’...more
- What is new: The EU’s Delegated Regulation on Subcontracting has come into force, completing the legal framework of the Digital Operational Resilience Act (DORA). Attention will now turn to enforcement.
- Why it matters:...more
In recent weeks, the EU and UK have both introduced changes to their respective versions of Europe’s landmark privacy legislation, the General Data Protection Regulation (GDPR). These reforms mark the first substantial...more
7/11/2025
/ Compliance ,
Cookies ,
Data Privacy ,
Data Protection ,
EU ,
General Data Protection Regulation (GDPR) ,
Member State ,
New Legislation ,
Personal Data ,
Regulatory Agenda ,
Regulatory Reform ,
Regulatory Requirements ,
UK
On 25 June 2025, the European Commission announced its proposal for a “Space Act” that would introduce a new regulatory framework for EU space activities. The proposed framework includes cyber-resilience obligations for EU...more
7/9/2025
/ Compliance ,
Cybersecurity ,
Data Privacy ,
Enforcement ,
EU ,
National Security ,
Outer Space ,
Privacy Laws ,
Proposed Legislation ,
Regulatory Requirements ,
Reporting Requirements ,
Risk Management
- On 26 March 2025, the European Health Data Space (EHDS) Regulation entered into force. The regulation establishes a comprehensive framework for health-data sharing and access in the EU, with the dual aim of supporting the...more
6/26/2025
/ Compliance ,
Data Privacy ,
Data Security ,
Data-Sharing ,
Electronic Protected Health Information (ePHI) ,
EU ,
Health Care Providers ,
Healthcare ,
Healthcare Reform ,
Intellectual Property Protection ,
Life Sciences ,
Noncompliance ,
Personal Data ,
Regulatory Agenda ,
Regulatory Requirements ,
Shareholders
Executive Summary -
The EU Data Act, whose requirements apply from 12 September 2025, establishes new rights for businesses and consumers to access data they generated using “connected devices,” limiting the exclusive...more
6/24/2025
/ Cloud Computing ,
Competition ,
Contract Terms ,
DATA Act ,
Data Privacy ,
Data Protection ,
Data-Sharing ,
Enforcement ,
EU ,
General Data Protection Regulation (GDPR) ,
New Legislation ,
Regulatory Requirements ,
UK
On April 23 and 24, 2025, regulators, industry leaders and data privacy leaders from across the globe convened in Washington, D.C. for the 2025 International Association of Privacy Professionals (IAPP) Global Privacy Summit....more
5/5/2025
/ Artificial Intelligence ,
California Consumer Privacy Act (CCPA) ,
Corporate Counsel ,
Cybersecurity ,
Data Privacy ,
Data Protection ,
Enforcement Actions ,
EU ,
General Data Protection Regulation (GDPR) ,
Machine Learning ,
Privacy Laws ,
Regulatory Agenda ,
Regulatory Requirements ,
State Privacy Laws ,
Technology ,
UK
On February 21, 2025, President Donald Trump issued a presidential memorandum (the Memorandum) signaling that his administration intends to take action with respect to tax and regulatory measures affecting U.S. digital...more
The EU’s Digital Operational Resilience Act (DORA) becomes binding on 17 January 2025. As the compliance deadline approaches, EU financial regulators (ESAs) have issued a flurry of statements on the act, including:
- An...more
1/6/2025
/ Cybersecurity ,
Digital Operational Resilience Act (DORA) ,
EIOPA ,
Enforcement ,
EU ,
European Banking Authority (EBA) ,
European Supervisory Authorities (ESAs) ,
Financial Institutions ,
Financial Services Industry ,
Information and Communication Technology (ICT) ,
Investment Management ,
Policies and Procedures ,
Risk Management
As we approach the end of the year, so too do fintechs approach the impending deadline for implementing the raft of requirements under the EU’s Digital Operational Resilience Act (DORA). Cybersecurity and data privacy counsel...more
The deadline for EU countries to transpose the expanded cybersecurity directive, NIS 2, into national law is 17 October 2024, but the implementation status varies significantly from country to country. Some of the member...more
10/14/2024
/ Corporate Governance ,
Cybersecurity ,
Data Privacy ,
Data Protection ,
Data Security ,
Deadlines ,
EU ,
National Security ,
Popular ,
Risk Management ,
Technology Sector
With the EU’s AI Act having entered into force on August 1, 2024, companies now need to focus on its implementation. Although the AI Act will not be fully enforceable until August 2, 2027, some obligations will become binding...more
In this edition of Insights, we take a closer look at the megadeals and sponsor transactions driving recent M&A activity, the importance of staying ahead of the risks in AI development and deployment, and other diverse...more
9/30/2024
/ Acquisitions ,
Administrative Procedure Act ,
Artificial Intelligence ,
Chevron Deference ,
Corner Post Inc v Board of Governors of the Federal Reserve System ,
Corporate Governance ,
Delaware General Corporation Law ,
Federal Bans ,
Federal Trade Commission (FTC) ,
Final Rules ,
Government Agencies ,
Judicial Authority ,
Loper Bright Enterprises v Raimondo ,
Machine Learning ,
Mergers ,
Non-Compete Agreements ,
Privacy Laws ,
Regulatory Agenda ,
Regulatory Authority ,
Regulatory Requirements ,
SCOTUS ,
SEC v Jarkesy ,
Securities and Exchange Commission (SEC) ,
Shareholder Litigation ,
Shareholders ,
Technology Sector
As AI systems become more complex, companies are increasingly exposed to reputational, financial and legal risks from developing and deploying AI systems that do not function as intended or that yield problematic outcomes....more
9/30/2024
/ Artificial Intelligence ,
Corporate Governance ,
Cybersecurity ,
Data Privacy ,
NIST ,
Popular ,
Privacy Laws ,
Regulatory Agenda ,
Regulatory Requirements ,
Risk Management ,
Technology Sector ,
U.S. Commerce Department
Across industries, companies are facing new and uncertain regulatory pressures and demands in areas including artificial intelligence, sustainability, algorithmic pricing and fintech-bank relations. In this issue of The...more
9/10/2024
/ Algorithms ,
Antitrust Division ,
Artificial Intelligence ,
Banking Sector ,
Board of Directors ,
Competition ,
Corporate Governance ,
Department of Justice (DOJ) ,
Disclosure Requirements ,
Enforcement Actions ,
EU ,
Financial Institutions ,
FinTech ,
Multinationals ,
Price-Fixing ,
Regulatory Agenda ,
Regulatory Requirements ,
Reporting Requirements ,
Risk Management ,
Sustainability ,
Technology Sector ,
UK
As AI systems become more complex, companies are increasingly exposed to reputational, financial and legal risk from developing and deploying AI systems that do not function as intended or that yield problematic outcomes. The...more
9/4/2024
/ Artificial Intelligence ,
Corporate Governance ,
Cybersecurity ,
Data Privacy ,
EU ,
Machine Learning ,
Privacy Laws ,
Regulatory Agenda ,
Regulatory Requirements ,
Risk Assessment ,
Risk Management ,
Technology Sector ,
UK
As implementation of the EU’s Digital Operational Resilience Act (DORA) approaches, financial market participants and their technology service providers (both in and out of Europe) face a critical compliance deadline. The new...more
7/19/2024
/ BaFin ,
Cybersecurity ,
Data Privacy ,
EU ,
Financial Conduct Authority (FCA) ,
Financial Institutions ,
Financial Markets ,
Financial Regulatory Reform ,
Financial Services Industry ,
Regulatory Agenda ,
Technology Sector ,
UK
Earlier this year, a dedicated policy prepared by the European Central Bank (ECB) came into effect requiring bank management bodies to broaden their collective understanding of and proficiency in identifying and dealing with...more