United Kingdom

AI agents have arrived. Although the technology is not new, agents are rapidly becoming more sophisticated—capable of operating with greater autonomy, executing multi-step tasks, and interacting with other agents in ways that were largely theoretical just a few years ago. Organizations are already deploying agentic AI across software development, workflow automation, customer service, and e-commerce, with more ambitious applications on the horizon. As these systems grow in capability and prevalence, a pressing question has emerged: can existing legal frameworks—generally designed with human decision-makers in mind—be applied coherently to machines that operate with significant independence?

In January 2026, as part of its Tech Futures series, the UK Information Commissioner’s Office (“ICO”) published a report setting out its early thinking on the data protection implications of agentic AI. The report explicitly states that it is not intended to constitute “guidance” or “formal regulatory expectations.” Nevertheless, it provides meaningful insight into the ICO’s emerging view of agentic AI and its approach to applying data protection obligations to this context—insight that may foreshadow the regulator’s direction of travel.

The full report is lengthy and worth the read. This blog focuses on the data protection and privacy risks identified by the ICO, with the aim of helping product and legal teams anticipate potential regulatory issues early in the development process.Continue Reading ICO Shares Early Views on Agentic AI & Data Protection

Consumer protection law across EMEA continues to evolve rapidly in response to digitalization, emerging technologies (particularly AI) and the continued expansion of online commerce. As we move into 2026, regulators are preparing significant reforms that will reshape business obligations and strengthen consumer‑protection enforcement. Below is an overview of the most important developments to watch this year.Continue Reading What to Watch in 2026: Key Developments in EMEA Consumer Protection

When the UK Modern Slavery Act (“MSA”) came into force in 2015, it was hailed as a landmark for supply chain transparency on a key human rights risk. Today, there is widespread recognition among stakeholders that the UK may have fallen behind in its approach to corporate human
Continue Reading UK Business and Human Rights Landscape: 2026 Outlook

On December 18, 2025, the UK Government passed the Employment Rights Bill, which will now be referred to as the Employment Rights Act 2025 (the “Act“). This represents the “biggest upgrade in employment rights for a generation” and introduces a wide-ranging suite of reforms to be

Continue Reading UK Employment Rights Act Finally Becomes Law

The Employment Rights Bill (“ERB”), first introduced in October 2024 as part of the new Labour government’s “Make Work Pay” initiative (see our previous article on this here), is edging closer to becoming law. Once passed, the ERB will implement radical changes affecting all UK employers for many years to

Continue Reading New UK Employment Rights Bill

As the UK Government has recognized, cyber incidents—such as Jaguar Land Rover, Marks and Spencer, Royal Mail and the British Library—are costing UK businesses billions annually and causing severe disruption. The Government recognizes that cybersecurity is a critical enabler of economic growth (“we cannot have growth without stability”), and that the current laws have “fallen out of date and are insufficient to tackle the cyber threats faced by the UK.” Accordingly the UK Government this week published its long-awaited Cyber Security and Resilience Bill (the “Bill”), which will amend the existing Network and Information Systems Regulations 2018 (the “NIS Regulations”), and grant new powers to regulators and the Government in relation to cybersecurity.

The NIS Regulations are the UK’s pre-Brexit implementation of Directive (EU) 2016/1148 (the “NIS Directive”), which established a “horizontal” cybersecurity regulatory framework covering essential services in five sectors (transport, energy, drinking water, health, and digital infrastructure) and some digital services (online marketplaces, online search engines, and cloud computing services). EU legislators replaced NIS Directive in 2022 with the “NIS2” Directive, which Member States were meant to transpose into national law by October of last year (although many are still late in doing so. See our post on NIS2 here for an overview of the requirements of NIS2).

The Bill is the UK’s effort at modernizing the framework originally set out in the NIS Directive. In its current form, the Bill will:

  • Significantly expand the scope of the NIS Regulations—to cover, among other things, data centers and managed service providers—and impose additional substantive obligations on covered organizations.
  • Increase potential fines—up to GBP 17m or 4% of the worldwide turnover of an undertaking—and extend the powers of competent authorities to share information with one another, issue guidance, and take enforcement action.
  • Establish a framework for future changes to the NIS Regulations, mechanisms for competent authorities to impose specific cybersecurity requirements on covered organizations, and greater Government direction of cybersecurity matters.

Below, we set out further detail on five major changes in UK cybersecurity regulation arising from the Bill.Continue Reading Five major changes to the regulation of cybersecurity in the UK under the Cyber Security and Resilience Bill

On 18 July 2025, the Council of the European Union (the “Council”) adopted its 18th package of economic sanctions against Russia, following extensive negotiations among the EU Member States. This latest package introduces new asset-freezing sanctions designations, and a wide range of trade restrictions targeting key sectors of the

Continue Reading EU Imposes Additional Sanctions Against Russia and Belarus; EU and UK Agree to Tightening of Russian Oil Price Cap

The UK Parliament has passed emergency legislation to enable the government to direct the use of assets of British Steel, and to take control of assets if directions are not followed.

The government’s stated intention is “continuing the support of steel production in the UK [which] involves preserving current production capacity to ensure resilience in the production of steel”. The new law creates new powers for the government to intervene in relation to steelmaking businesses whose assets are at risk of ceasing to be used. If the operation of a steelmaking blast furnace, such as those operated by British Steel, is stopped, restarting its operation can be prohibitively expensive and it may be permanently unusable.

Following negotiations with its current owners (the Chinese steelmaker Jingye Group) on the future of British Steel, the government announced on Friday its intention to recall Parliament the following day to introduce a draft bill and complete the full legislative process within a single day. The bill was passed by both Houses of Parliament and received royal asset on Saturday 12 April, coming into force on the same day, as the Steel Industry (Special Measures) Act 2025 (the “Act”).

This is the first time that Parliament has responded to a perceived crisis in a UK industry by extending the government’s powers to intervene in specific industries for “public interest” reasons since 2008, in the context of the Global Financial Crisis. In that case, Parliament passed legislation to enable the government to nationalise the Northern Rock bank (and subsequently other banks), and later that year the government’s public interest intervention powers under the Enterprise Act 2002 were expanded in order to allow the government to override competition concerns in the Lloyds/HBOS merger. In contrast to previous measures that provide the government with powers to acquire businesses and to intervene in potential mergers and acquisitions between businesses, the new Act applies outside of the context of a transaction or takeover. Specifically, the new Act applies where specific assets may cease (or have ceased) to be used in a steel manufacturing business but the government considers that it is in the public interest that the use of the assets should continue.

New powers to give directions on use of assets and take control of assets

The Act gives the government the power to issue a notice to a steel manufacturing business to direct how assets (in England and Wales) used by this business are to be used. This power is available when (a) it appears to the government that the assets concerned have ceased to be used or are at risk of ceasing to be used by the business, and (b) where the government considers that it is in the public interest that the use of specified assets should resume or continue. Directions can include requirements to use (or not to use) the assets in a specified way, or requirements for the undertaking to take (or not to take) steps to secure the continued and safe use of the assets. Notably this can include requirements to enter into agreements and contracts of employment, the appointment of officers, management decisions, making payments, and preventing insolvency proceedings.Continue Reading UK passes emergency legislation to authorize “public interest” directions on use of British Steel assets

The UK Information Commissioner’s Office (“ICO”) recently announced a new online tracking strategy, which aims to ensure a “fair and transparent online world where people are given meaningful control over how they are tracked online.”

Online advertising is one of the ICO’s current areas of strategic focus

Continue Reading ICO announces its online tracking strategy for 2025

On January 10, 2025, the U.S. Department of the Treasury and U.S. Department of State intensified sanctions against Russia with new measures targeting Russia’s energy sector. According to the Treasury Department’s press release, these measures are intended “to fulfill the G7 commitment to reduce Russian revenues from energy” and “substantially increase the sanctions risks associated with the Russian oil trade.”

The new U.S. sanctions include a determination by the U.S. Department of the Treasury authorizing the imposition of property-blocking sanctions against any person who is determined by the Treasury Secretary or Secretary of State (in consultation with one another) to operate or have operated in the Russian energy sector, and a determination issued by the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) prohibiting—effective February 27, 2025—the provision of “petroleum services” from the United States or by a U.S. person to any person located in Russia. In addition, OFAC and the U.S. Department of State collectively designated for property-blocking sanctions more than 400 individuals, entities, and vessels from various countries involved in Russia’s energy sector, including two of Russia’s most significant oil producers and exporters—Public Joint Stock Company Gazprom Neft (“Gazprom Neft”) and Surgutneftegas, along with more than two dozen of their subsidiaries. The designations included more than 180 vessels, many of which are part of Russia’s “shadow fleet” of vessels involved in the trade of Russian oil, as well as several Russian energy executives, oil traders, oilfield service providers, and financial and insurance entities associated with Russia’s energy sector. The designations also covered two active Russian liquefied natural gas (“LNG”) projects and a Russian oil project.

On January 15, 2025, the U.S. Department of the Treasury and U.S. Department of State designated or re-designated under additional sanctions authority nearly 250 individuals and entities for property-blocking sanctions, including actors based in China.

OFAC also issued multiple general licenses related to the above designations, including a general license authorizing until February 27, 2025, transactions ordinarily incident and necessary to the wind down of transactions involving Gazprom Neft and Surgutneftegas, their designated subsidiaries, and entities that they own 50 percent or more, directly or indirectly, individually or in the aggregate, subject to certain conditions. In addition, OFAC revoked a general license that had authorized transactions with certain vessels subject to U.S. property-blocking sanctions due to their ownership, and amended two existing general licenses. One of these amended general licenses, General License 8L (which supersedes General License 8K), significantly narrows the scope of permissible energy transactions involving certain blocked financial institutions to include only wind-down transactions until March 12, 2025.Continue Reading New U.S. and UK Sanctions, Including Related to Russia’s Energy Sector