United Kingdom

On March 2, 2026, the UK Department for Science, Innovation and Technology (“DSIT”) launched its consultation, titled “Growing up in the online world: a national conversation”. The consultation is open until 26 May 2026, after which the government will publish a summary of responses and its proposed approach. DSIT has indicated that it intends to move quickly on the consultation’s findings, drawing on newly granted powers that allow for accelerated implementation of online safety measures.

The consultation seeks views on a wide range of potential measures to strengthen children’s safety and wellbeing online, including more robust age‑assurance mechanisms, a statutory minimum age for social media, raising the UK’s age of digital consent, restrictions on certain features (such as livestreaming and disappearing messages), and new obligations for AI chatbots and generative‑AI services.

DSIT’s proposals could significantly expand regulatory expectations beyond the Online Safety Act 2023 (“OSA”)—including potential age‑based access limits (including differing safeguards as between teens and younger children), feature‑level restrictions, and enhanced duties for AI‑enabled services. Early engagement will be important to ensure that the government takes account of the views of affected service providers and understands the operational and technical implications of the measures proposed.Continue Reading UK Government Launches Consultation on Children’s Online Experiences, Including New Obligations for AI

AI agents have arrived. Although the technology is not new, agents are rapidly becoming more sophisticated—capable of operating with greater autonomy, executing multi-step tasks, and interacting with other agents in ways that were largely theoretical just a few years ago. Organizations are already deploying agentic AI across software development, workflow automation, customer service, and e-commerce, with more ambitious applications on the horizon. As these systems grow in capability and prevalence, a pressing question has emerged: can existing legal frameworks—generally designed with human decision-makers in mind—be applied coherently to machines that operate with significant independence?

In January 2026, as part of its Tech Futures series, the UK Information Commissioner’s Office (“ICO”) published a report setting out its early thinking on the data protection implications of agentic AI. The report explicitly states that it is not intended to constitute “guidance” or “formal regulatory expectations.” Nevertheless, it provides meaningful insight into the ICO’s emerging view of agentic AI and its approach to applying data protection obligations to this context—insight that may foreshadow the regulator’s direction of travel.

The full report is lengthy and worth the read. This blog focuses on the data protection and privacy risks identified by the ICO, with the aim of helping product and legal teams anticipate potential regulatory issues early in the development process.Continue Reading ICO Shares Early Views on Agentic AI & Data Protection

As the UK Government has recognized, cyber incidents—such as Jaguar Land Rover, Marks and Spencer, Royal Mail and the British Library—are costing UK businesses billions annually and causing severe disruption. The Government recognizes that cybersecurity is a critical enabler of economic growth (“we cannot have growth without stability”), and that the current laws have “fallen out of date and are insufficient to tackle the cyber threats faced by the UK.” Accordingly the UK Government this week published its long-awaited Cyber Security and Resilience Bill (the “Bill”), which will amend the existing Network and Information Systems Regulations 2018 (the “NIS Regulations”), and grant new powers to regulators and the Government in relation to cybersecurity.

The NIS Regulations are the UK’s pre-Brexit implementation of Directive (EU) 2016/1148 (the “NIS Directive”), which established a “horizontal” cybersecurity regulatory framework covering essential services in five sectors (transport, energy, drinking water, health, and digital infrastructure) and some digital services (online marketplaces, online search engines, and cloud computing services). EU legislators replaced NIS Directive in 2022 with the “NIS2” Directive, which Member States were meant to transpose into national law by October of last year (although many are still late in doing so. See our post on NIS2 here for an overview of the requirements of NIS2).

The Bill is the UK’s effort at modernizing the framework originally set out in the NIS Directive. In its current form, the Bill will:

  • Significantly expand the scope of the NIS Regulations—to cover, among other things, data centers and managed service providers—and impose additional substantive obligations on covered organizations.
  • Increase potential fines—up to GBP 17m or 4% of the worldwide turnover of an undertaking—and extend the powers of competent authorities to share information with one another, issue guidance, and take enforcement action.
  • Establish a framework for future changes to the NIS Regulations, mechanisms for competent authorities to impose specific cybersecurity requirements on covered organizations, and greater Government direction of cybersecurity matters.

Below, we set out further detail on five major changes in UK cybersecurity regulation arising from the Bill.Continue Reading Five major changes to the regulation of cybersecurity in the UK under the Cyber Security and Resilience Bill

In this blog post we set out key practical steps for technology-focused deal-making, having regard to the regulatory, antitrust and foreign investment screening issues identified in our earlier blogs here and here.

Key impacts of technology regulation on deal outcomes

The evolving regulatory landscape is having a significant impact on deal outcomes, including (i) longer timelines due to complex regulatory approval requirements; (ii) higher diligence burden, especially around data, AI and ownership transparency; (iii) greater risk allocation pressure in deal terms; and (iv) increased use of creative structures to mitigate regulatory exposure. Continue Reading Technology Industry Trends and M&A Outlook in the EU and UK, Part 3: Recommendations for Tech M&A and Strategic Transactions

Until the last year, merger control in the UK has been fairly hostile towards tech deals, with a highly interventionist competition authority taking an uncompromising line on global deals; even where those deals had only a limited nexus to the UK. The EU has generally taken a more pragmatic approach, clearing Google’s acquisition of Fitbit in 2020, and Microsoft’s acquisition of Activision in May 2023, following the acceptance of remedies by the tech firms. However, it, too, has taken some more hardline positions, such as prohibiting the Booking.com/etraveli merger based on a novel theory of harm related to the Booking.com travel ecosystem. 

This has all taken place against the backdrop of an explosion of tech regulation (see our prior blog post here). The wave of new rules also introduced new merger filing requirements for those tech firms who have been designated as gatekeepers in the EU (under the Digital Markets Act (DMA) (2022)), or firms with strategic market status in the UK (under the Digital Markets Competition and Consumers Act (DMCCA) (2024)). Just this month the CMA designated Google with strategic market status (SMS) in general search and search advertising services. This comes, almost to the day, two years after the EU’s designation of Google’s parent company and five others as gatekeepers. More tech regulation is on the horizon, for example the remaining parts of the AI Act, on general-purpose AI, are due to enter into force in the EU in August 2026.Continue Reading Technology Industry Trends and M&A Outlook in the EU and UK, Part 2: Antitrust/FDI Environment for Tech

Technology-focused deals are driving many of the largest global M&A and strategic transactions—whether digital infrastructure, artificial intelligence (AI), digital services or gaming. The successful execution of these transactions and ultimate success of the business opportunities promised by them, depends on understanding how emerging technology, regulation and market norms are evolving. In this three-part blog series, from an EU and a UK perspective, we will cover: (1) the new regulatory landscape for tech, (2) the evolving antitrust and foreign investment screening environment and (3) recommendations for planning, structuring and executing technology-focused M&A and other strategic transactions.Continue Reading Technology Industry Trends and M&A Outlook in the EU and UK, Part 1: The New Regulatory Landscape for Tech

On August 27, 2025, the imageboard website 4chan Community Support LLC (“4chan”) and discussion forum Lolcow, LLC (dba “Kiwi Farms”) (together, the “Plaintiffs”)  filed a claim in the U.S. District Court of the District of Columbia (“Court”) asking the Court to declare, in effect, that the UK’s Online Safety Act 2023 (“OSA”) is unenforceable against the Plaintiffs. The claim was filed against Ofcom, the UK’s communications services regulator tasked with regulating and enforcing the OSA.

The Plaintiffs allege that the enforcement of the OSA against American companies is unconstitutional and that Ofcom’s actions to enforce the OSA are “intended to deliberately undermine the First Amendment and American competitiveness” (para. 113). As part of their claim, the Plaintiffs seek two permanent injunctions: one prohibiting Ofcom from enforcing the OSA against the Plaintiffs, and the other prohibiting Ofcom from issuing any further orders or demands to the Plaintiffs without “proper service” under the U.S.-UK Mutual Legal Assistance Treaty.Continue Reading 4chan and Kiwi Farms ask federal US court to declare unenforceability of the Online Safety Act

Ofcom announced on 9 July 2025 that it has contacted certain providers of “user-to-user” and “search” services that are “likely to be accessed by children”, requesting that they submit records of their children’s risk assessments (“CRA”) by 7 August 2025 or face enforcement action.

As noted in our previous blogpost here, in-scope providers have until 24 July 2025 to complete their first CRA—meaning that Ofcom is initiating enforcement on risk assessments early.Continue Reading Ofcom launches early enforcement of children’s risk assessment duties  

On June 5, 2025, the UK’s Information Commissioner’s Office (“ICO”) launched its new AI and biometrics strategy. The strategy aims to increase its scrutiny of AI and biometric technologies focusing on three priority situations, namely where: stakes are high; there is clear public concern for the technology; and regulatory clarity can provide immediate impact.

The ICO identified three areas of focus in its strategy:

  1. Transparency and explainability, i.e., when and how the technologies affect people;
  2. Bias and discrimination, particularly where the technologies have been trained on “flawed, incomplete or unrepresentative information”; and
  3. Rights and redress, i.e., making sure that systems are accurate, appropriate safeguards are in place to protect people’s rights, and that there are ways to challenge and correct outcomes that result in harm.

Continue Reading The ICO’s AI and biometrics strategy