AI, data and cybersecurity 

Insights for In-house Counsel | Spring 2024


The UK's approach to AI regulation

Governments across the globe are still grappling with how to balance promoting innovation and economic growth with protecting citizens' privacy, safety and other human rights.

In contrast to the approach adopted by the European Union (the AI Act has recently been adopted by the European Parliament), last year's UK AI White Paper proposed relying on the existing regulatory framework to address the risks posed by AI, with regulators being guided by five cross-sectoral principles.

A year on, and the UK Government is still in no rush to regulate. Overall, the Government continues to believe that a non-statutory, context-based approach to regulating AI is the best way forward because it offers "critical adaptability" but acknowledges that the risks posed by general-purpose AI could still fall through the cracks. Read this update.

Smart AI Regulation

Our Smart AI Regulation series of briefings explores the UK's approach to the regulation of AI, highlighting its key differences from the EU's proposed AI Act.

EU Data Act now in force: what's the impact for data holders?

The EU Data Act (EDA) sets out new data-sharing rules in respect of connected products and came into force in January 2024. While its provisions are not yet applicable, businesses are advised to plan for the impact that the EDA will have on their product designs, commercially sensitive information, terms and conditions, costs and GDPR compliance. Read this briefing for more.

Cybersecurity update

As the digital economy and emerging technologies continue to grow at an exponential rate, so do cyber security risks.

Earlier this year, the UK Government called for views on its Cyber Governance Code of Practice, urging boards and directors to place the same importance on governing cyber risk as they do with other principal risks. The EU's "NIS2" aims to strengthen cybersecurity for essential services and infrastructure and will be implemented by member states by October 2024. There has been no similar progress on the UK equivalent - the Network and Information System Regulations - initially announced by the Government in November 2022. However, cyber resilience for connected products is making headway, with the publication of regulations under the Product Security and Telecommunications Infrastructure Act in the UK for consumer connectable products (see our briefing) and the EU reaching political agreement on the Cyber Resilience Act, which covers similar ground.

As well as gearing up to comply with new legislation, businesses should focus on their cyber incident response plans. Find out more about responding to cyber incidents and data breaches with our Mitigating a Data Breach: Insider Threats podcast series.

DORA: Cybersecurity for financial entities in the EU

EU asset management firms and companies providing tech services to them should be factoring in new measures, coming into force in January 2025, designed to improve the operational resilience of the financial services industry. 

Under the EU Regulation on Digital Operational Resilience (DORA), "critical" providers of ICT services to financial services firms will also be subject to EU oversight and UK and other non-EU entities may face restrictions in providing these services to EU financial firms. Firms have a substantial "to do" list to prepare for DORA over the coming months and, to be ready in time, they should be identifying and triaging their ICT contracts, reviewing them against those requirements and negotiating with service providers any contract amendments necessary to comply. Read our briefing for more.

For further information please contact

Louisa Chambers
James Longster
Helen Reddish