United Kingdom

As the UK Government has recognized, cyber incidents—such as Jaguar Land Rover, Marks and Spencer, Royal Mail and the British Library—are costing UK businesses billions annually and causing severe disruption. The Government recognizes that cybersecurity is a critical enabler of economic growth (“we cannot have growth without stability”), and that the current laws have “fallen out of date and are insufficient to tackle the cyber threats faced by the UK.” Accordingly the UK Government this week published its long-awaited Cyber Security and Resilience Bill (the “Bill”), which will amend the existing Network and Information Systems Regulations 2018 (the “NIS Regulations”), and grant new powers to regulators and the Government in relation to cybersecurity.

The NIS Regulations are the UK’s pre-Brexit implementation of Directive (EU) 2016/1148 (the “NIS Directive”), which established a “horizontal” cybersecurity regulatory framework covering essential services in five sectors (transport, energy, drinking water, health, and digital infrastructure) and some digital services (online marketplaces, online search engines, and cloud computing services). EU legislators replaced NIS Directive in 2022 with the “NIS2” Directive, which Member States were meant to transpose into national law by October of last year (although many are still late in doing so. See our post on NIS2 here for an overview of the requirements of NIS2).

The Bill is the UK’s effort at modernizing the framework originally set out in the NIS Directive. In its current form, the Bill will:

  • Significantly expand the scope of the NIS Regulations—to cover, among other things, data centers and managed service providers—and impose additional substantive obligations on covered organizations.
  • Increase potential fines—up to GBP 17m or 4% of the worldwide turnover of an undertaking—and extend the powers of competent authorities to share information with one another, issue guidance, and take enforcement action.
  • Establish a framework for future changes to the NIS Regulations, mechanisms for competent authorities to impose specific cybersecurity requirements on covered organizations, and greater Government direction of cybersecurity matters.

Below, we set out further detail on five major changes in UK cybersecurity regulation arising from the Bill.Continue Reading Five major changes to the regulation of cybersecurity in the UK under the Cyber Security and Resilience Bill

In this blog post we set out key practical steps for technology-focused deal-making, having regard to the regulatory, antitrust and foreign investment screening issues identified in our earlier blogs here and here.

Key impacts of technology regulation on deal outcomes

The evolving regulatory landscape is having a significant impact on deal outcomes, including (i) longer timelines due to complex regulatory approval requirements; (ii) higher diligence burden, especially around data, AI and ownership transparency; (iii) greater risk allocation pressure in deal terms; and (iv) increased use of creative structures to mitigate regulatory exposure. Continue Reading Technology Industry Trends and M&A Outlook in the EU and UK, Part 3: Recommendations for Tech M&A and Strategic Transactions

Until the last year, merger control in the UK has been fairly hostile towards tech deals, with a highly interventionist competition authority taking an uncompromising line on global deals; even where those deals had only a limited nexus to the UK. The EU has generally taken a more pragmatic approach, clearing Google’s acquisition of Fitbit in 2020, and Microsoft’s acquisition of Activision in May 2023, following the acceptance of remedies by the tech firms. However, it, too, has taken some more hardline positions, such as prohibiting the Booking.com/etraveli merger based on a novel theory of harm related to the Booking.com travel ecosystem. 

This has all taken place against the backdrop of an explosion of tech regulation (see our prior blog post here). The wave of new rules also introduced new merger filing requirements for those tech firms who have been designated as gatekeepers in the EU (under the Digital Markets Act (DMA) (2022)), or firms with strategic market status in the UK (under the Digital Markets Competition and Consumers Act (DMCCA) (2024)). Just this month the CMA designated Google with strategic market status (SMS) in general search and search advertising services. This comes, almost to the day, two years after the EU’s designation of Google’s parent company and five others as gatekeepers. More tech regulation is on the horizon, for example the remaining parts of the AI Act, on general-purpose AI, are due to enter into force in the EU in August 2026.Continue Reading Technology Industry Trends and M&A Outlook in the EU and UK, Part 2: Antitrust/FDI Environment for Tech

Technology-focused deals are driving many of the largest global M&A and strategic transactions—whether digital infrastructure, artificial intelligence (AI), digital services or gaming. The successful execution of these transactions and ultimate success of the business opportunities promised by them, depends on understanding how emerging technology, regulation and market norms are evolving. In this three-part blog series, from an EU and a UK perspective, we will cover: (1) the new regulatory landscape for tech, (2) the evolving antitrust and foreign investment screening environment and (3) recommendations for planning, structuring and executing technology-focused M&A and other strategic transactions.Continue Reading Technology Industry Trends and M&A Outlook in the EU and UK, Part 1: The New Regulatory Landscape for Tech

On August 27, 2025, the imageboard website 4chan Community Support LLC (“4chan”) and discussion forum Lolcow, LLC (dba “Kiwi Farms”) (together, the “Plaintiffs”)  filed a claim in the U.S. District Court of the District of Columbia (“Court”) asking the Court to declare, in effect, that the UK’s Online Safety Act 2023 (“OSA”) is unenforceable against the Plaintiffs. The claim was filed against Ofcom, the UK’s communications services regulator tasked with regulating and enforcing the OSA.

The Plaintiffs allege that the enforcement of the OSA against American companies is unconstitutional and that Ofcom’s actions to enforce the OSA are “intended to deliberately undermine the First Amendment and American competitiveness” (para. 113). As part of their claim, the Plaintiffs seek two permanent injunctions: one prohibiting Ofcom from enforcing the OSA against the Plaintiffs, and the other prohibiting Ofcom from issuing any further orders or demands to the Plaintiffs without “proper service” under the U.S.-UK Mutual Legal Assistance Treaty.Continue Reading 4chan and Kiwi Farms ask federal US court to declare unenforceability of the Online Safety Act

Ofcom announced on 9 July 2025 that it has contacted certain providers of “user-to-user” and “search” services that are “likely to be accessed by children”, requesting that they submit records of their children’s risk assessments (“CRA”) by 7 August 2025 or face enforcement action.

As noted in our previous blogpost here, in-scope providers have until 24 July 2025 to complete their first CRA—meaning that Ofcom is initiating enforcement on risk assessments early.Continue Reading Ofcom launches early enforcement of children’s risk assessment duties  

On June 5, 2025, the UK’s Information Commissioner’s Office (“ICO”) launched its new AI and biometrics strategy. The strategy aims to increase its scrutiny of AI and biometric technologies focusing on three priority situations, namely where: stakes are high; there is clear public concern for the technology; and regulatory clarity can provide immediate impact.

The ICO identified three areas of focus in its strategy:

  1. Transparency and explainability, i.e., when and how the technologies affect people;
  2. Bias and discrimination, particularly where the technologies have been trained on “flawed, incomplete or unrepresentative information”; and
  3. Rights and redress, i.e., making sure that systems are accurate, appropriate safeguards are in place to protect people’s rights, and that there are ways to challenge and correct outcomes that result in harm.

Continue Reading The ICO’s AI and biometrics strategy

On 24 April 2025, Ofcom published a statement on the protection of children online (“Statement”). The Statement includes Ofcom’s final Children’s Risk Assessment Guidance (“Guidance”). Publication of the Guidance triggers the deadline for service providers regulated by the Online Safety Act 2023 (“OSA”) to complete their first “children’s risk assessment” (“CRA”)—specifically, 24 July 2025.  The Statement also confirms that the draft Protection of Children Codes of Practice for user-to-user and search services (“Codes”) have been laid before Parliament. Subject to completion of the Parliamentary process, providers must comply with the OSA’s “safety duties protecting children” from 25 July 2025.

Who do the Codes and Guidance apply to?

The Codes and Guidance apply to providers of “user-to-user” and “search” services that are “likely to be accessed by children”, which is determined based on a test set out in the OSA. In-scope providers were required to have completed an assessment—known as a “children’s access assessment”— by 16 April 2025 to determine if their services satisfy this test.Continue Reading Ofcom publishes statement on the protection of children online

The UK Information Commissioner’s Office (“ICO”) recently announced a new online tracking strategy, which aims to ensure a “fair and transparent online world where people are given meaningful control over how they are tracked online.”

Online advertising is one of the ICO’s current areas of strategic focus (others areas of focus include AI and children’s privacy). The ICO has identified four key areas of concern—all of which the ICO states mean that individuals do not have sufficient control over their personal data:

  • “deceptive or absent choice” regarding non-essential cookies and tracking technologies;
  • “uninformed choice,” which refers to organizations not providing appropriate information to individuals;
  • “undermined choice,” where individuals’ choices are not respected and they are surprised about how their data is used; and
  •  “irrevocable choice,” meaning that individuals cannot effectively change their minds after they have made a choice over how their personal data is processed.

Having identified these areas of concern, the ICO states that it will take the following actions in 2025:Continue Reading ICO announces its online tracking strategy for 2025