A key benefit of quantum computing is that it may, in the future, enable a very substantial increase in computing power.  This could create significant benefits, in the life sciences and financial services sectors (see our prior posts on the potential implications for these sectors here and here).  However, it also creates potential risks.  In particular, it could lead to the breaking of many of the encryption methods currently used by governments and businesses alike.  As commercially-viable quantum computers become an increasing reality, organisations must prioritise “quantum readiness” and specifically migration to post-quantum cryptography (“PQC”).

In this post, we set out a brief overview of the main steps that regulators and industry bodies (including the U.S. National Institute of Standards and Technology (“NIST”), the UK National Cyber Security Centre (“NCSC”), and the EU Agency for Cybersecurity (“ENISA”)) have indicated businesses should take to move towards PQC and protect their data and systems from the risks posed by quantum computing.

Continue Reading Post-Quantum Cryptography: A Practical Guide

Since our prior post on Singapore’s Model AI Governance Framework for Agentic AI, Singapore’s Infocomm Media Development Authority (“IMDA”) has published an updated version (Version 1.5) (the “Updated Framework”), incorporating feedback from over 60 organizations.

The Updated Framework, published on May 20, 2026, retains the same four-pillar structure—(1) assess and bound the risks upfront, (2) make humans meaningfully accountable, (3) implement technical controls and processes, and (4) enable end-user responsibility—but expands the guidance in several notable respects. These include a new discussion of multi-agent systemic risks, more granular guidance on technical controls, and real-world case studies illustrating how the Framework can be applied across sectors. We summarize some of the key updates below.

Continue Reading Singapore Updates Model AI Governance Framework for Agentic AI

On May 26, 2026, the French data protection authority (“CNIL”) published updated versions of its Reference Methodology 001 (“MR-001”, available here in French) and Reference Methodology 003 (“MR-003”, available here in French), two key frameworks governing the processing of personal data in the context of health research.

Continue Reading CNIL Updates Two Standards For Health Research (MR-001 and MR-003)

As the election season intensifies, companies face a rapidly evolving landscape of regulatory, compliance, and reputational considerations. With heightened scrutiny on political engagement, lobbying, campaign finance, and communications, organizations must be prepared to navigate complex and fast-moving legal requirements.

Drawing on our deep experience in election and political law, public

Continue Reading Covington Launches Election Year Toolkit

On June 12, 2026, the European Commission (“Commission”) launched its public consultation on guidelines (“Guidelines”) that will significantly shape the implementation of the EU’s Corporate Sustainability Due Diligence Directive (“CSDDD;” more details about the CSDDD available here). The consultation, presented in the form of a detailed questionnaire, is open

Continue Reading European Commission Seeks Public Input on CSDDD Guidelines: What to Watch

On May 26, 2026, the Spanish Data Protection Agency (“AEPD”) published details of its decision to fine Amadeus IT Group, S.A. (“Amadeus”), a Madrid-headquartered technology provider for the global travel and tourism industry, EUR 18 million in connection with GDPR violations involving Amadeus’s Global Distribution System (“GDS”). Amadeus voluntarily paid the fine, less a 20% reduction, on May 29, 2025, thereby terminating the proceedings without admitting liability. The fine, one of the largest the AEPD has imposed, highlights the enforcement risks associated with repurposing personal data such as passenger data without appropriate transparency or a valid legal basis under the GDPR.

Continue Reading Amadeus IT Group Receives GDPR Fine

The UK Government today announced that it intends to ban social media platforms from offering services to children under 16, alongside wider restrictions on certain online functionalities that the Government has identified as harmful to children.

The announcement follows the conclusion of the Department for Science, Innovation and Technology’s (“DSIT”) consultation, “Growing up in the online world,” which received more than 116,000 responses (we originally wrote about that consultation here). The Government intends to bring the first regulations to Parliament before the end of the year using powers created by the Children’s Wellbeing and Schools Act 2026 (“CWSA”), with protections expected to come into force in Spring 2027. Today’s announcement is the latest in a series of significant developments reshaping the UK’s online safety framework. We summarize some of these latest developments below.

Continue Reading Online Safety in the UK: Social Media Ban for Under 16s and Other Recent Developments

A federal court recently addressed whether plaintiffs alleging misleading commercial email practices in violation of Washington’s Commercial Electronic Mail Act (“CEMA”) have Article III standing to pursue claims. The ruling suggests that alleged violations of CEMA, standing alone, could constitute a concrete injury for Article III standing, where the asserted harm aligns with the statute’s purpose.

Continue Reading Washington Anti-Spam Law Decision Addresses Article III Standing in CEMA Cases

On 3 June 2026, the European Commission (“Commission“) published its proposal for a Regulation establishing a framework of measures for strengthening Europe’s cloud and AI ecosystem—the Cloud and AI Development Act (“CADA Proposal“). The CADA Proposal sits at the heart of the Commission’s broader Tech Sovereignty Package (which we describe at a high level here), and aims to address what the Commission perceives as two critical vulnerabilities in the EU’s digital landscape: a structural deficit in data centre capacity and a dependence on a limited number of non-EU cloud computing service providers.

Continue Reading The EU Cloud and AI Development Act in Depth

On 20 May 2026, Brazil adopted Presidential Decree No. 12,976, establishing a comprehensive framework to address violence against women online. Adopted alongside a parallel decree (No. 12,975) reforming intermediary liability, it reflects a more assertive approach to regulating online harms, including those driven or amplified by AI. Together, these measures will require companies to reassess internal processes to ensure rapid content removal and more proactive monitoring, including for AI‑enabled services.

Continue Reading Brazil Steps Up Regulation of Violence Against Women in the Digital Environment