AI, data and cybersecurity
Insights for In-house Counsel | Spring 2025

- EU AI Act: AI literacy obligation and bans on prohibited AI Systems apply
- What is the UK doing about AI regulation?
- UK data reforms in the pipeline
- EU adequacy decisions in favour of the UK extended
- Online Safety Act
- Potential changes to UK cyber laws
- The Trump effect on tech regulation
- Good (and bad) news for brand owners
EU AI Act: AI literacy obligation and bans on prohibited AI Systems apply
Both the AI literacy requirement (an obligation to educate and train staff interacting with AI) and the ban outlawing unacceptable systems under the EU AI Act now apply, effective from 2 February 2025. Read our briefing for details of what and who are in scope.
The extensive obligations on new high-risk systems and transparency requirements do not apply until 2 August 2026 but organisations will need time to prepare to meet these requirements.
What is the UK doing about AI regulation?
There is still no UK AI Bill. Given the current geopolitical climate (see The Trump effect on tech regulation below), the Bill looks likely to be delayed until the summer and - if it emerges at all - we can expect it to focus on the largest general-purpose AI models.
At the start of the year, the UK Government announced a new drive in its AI Opportunities Action Plan to accelerate the UK’s AI development economy and to promote broader and more rapid AI adoption by the public and private sectors.
While we may not see specific AI legislation in the UK for some time, there is nevertheless a steady flow of AI guidance emerging from UK regulators to help organisations develop and use the technology in compliance with existing laws. For example, from a data protection law perspective, in recent months the Information Commissioner's Office published its response following an extensive consultation on generative AI models, specific guidance on AI's use in recruitment, and its views in response to the Government's consultation on data scraping.
Data scraping for training generative AI
The UK Government is grappling with the thorny copyright issues involved in training AI models on scraped data, attempting to find a compromise between AI innovators and IP rightsholders. It ran a consultation, which closed in February 2025, seeking views on a set of proposals to extend the current text and data mining (TDM) exception to UK copyright law to enable AI training for commercial purposes, but subject to rightsholders having the right to opt out. As part of these proposals, AI developers would also be required to disclose training material sources.
UK data reforms in the pipeline
The Data (Use and Access) Bill (DUAB) is currently making its way through Parliament. It sets out limited data protection reforms, scaling back on some of the reforms from the previous government's Data Protection and Digital Information Bill. It is likely to require few changes to data protection compliance on the ground but introduces greater flexibility to rules around automated decision-making to support AI adoption and innovation. It also aligns the penalties under the Privacy and Electronic Communications Regulations (marketing and cookie laws) with those under the GDPR. Our briefing describes the key changes from a data protection perspective.
New data schemes
The DUAB also sets out a statutory framework for three data schemes (which all require secondary legislation to trigger obligations and fill in the detail):
- Digital verification services (DVS) - The DUAB will require the Secretary of State to publish a DVS trust framework, outlining rules for providing digital verification services. Organisations will be able to obtain certification against this government framework, receive a trust mark and there will be a publicly available register of certified DVS providers. This could help businesses to streamline digital identification processes, such as pre-employment and Know-Your-Client (KYC) checks.
- A national underground asset register (a digital map of pipes and cables).
- Smart data schemes - These are schemes which allow customer data, held by a company or other organisation which provides goods or services to that customer, to be shared with a third party at the customer's request. The objective is to open up the market for more innovative data-enabled services, build upon the success of Open Banking and extend it to other sectors.
EU adequacy decisions in favour of the UK extended
The EU's adequacy decisions in favour of the UK, which allow the free flow of personal data from the EU to the UK, were due to expire on 27 June 2025. The Commission has proposed to extend the effect of the decisions until 27 December 2025 to allow the UK time to finalise the Data (Use and Access) Bill.
Online Safety Act
For businesses within the scope of the Online Safety Act, achieving compliance and swiftly adapting to extensive new guidance is a significant challenge. Compliance deadlines are coming thick and fast – in-scope organisations had until 16 March 2025 to complete their initial illegal harms risk assessment and begin implementing illegal content safety duties and they have until 16 April 2025 to complete their child access assessment. The summer will usher in further key milestones. Our briefing looks at the OSA’s scope, its phased rollout, key duties for providers, enforcement measures and the broader geopolitical backdrop.
Potential changes to UK cyber laws
In January 2025, the UK Government launched a consultation on three measures, which aim to undermine the ransomware business model - making UK businesses less profitable for cybercriminals to target - and improve the Government's intelligence around ransomware threats. The proposals are:
- a targeted ban on ransomware payments, covering public sector bodies and owners/operators of critical national infrastructure (although the consultation asks if the ban should cover essential suppliers to those sectors too);
- a payment prevention regime which requires ransomware victims to report their intention to pay a ransom to enable the Government to prohibit certain payments; and
- a mandatory incident reporting regime.
Our briefing describes the proposals and their implications in more detail.
Yet to appear, but promised for 2025, the Cyber Security and Resilience Bill is due to reform the Network Information Security Regulations 2018 (NISRs) and extend cyber defence rules to more essential digital services and supply chains.
EU pulls ahead with cyber legislation
The UK is lagging behind the EU in the cybersecurity sphere: the implementation deadline for the NIS2 Directive was October 2024, the Cyber Resilience Act, which regulates the security of products with digital elements, came into force in December 2024 and the Digital Operational and Resilience Act (DORA) began to apply to in-scope financial services firms in January 2025.
The Trump effect on tech regulation
The emphasis on deregulation under the Trump administration and the threat of tariffs has undoubtedly impacted tech regulation on this side of the Atlantic too.
- AI: At the AI Action Summit in Paris in February 2025, the US and the UK refused to sign the AI Declaration on “inclusive and sustainable” AI. US Vice President, JD Vance, decried Europe's "excessive regulation" of AI at the summit. The UK representative referred to a lack of clarity on global governance and national security issues. In the wake of the summit, the EU also withdrew the AI Liability Directive from its 2025 work programme. The delay to the UK's AI Bill has also been attributed to "the Trump effect".
- Data transfers: There is some concern that the future actions of the Trump administration could undermine the Data Privacy Framework (DPF). The DPF is important because it allows personal data to flow freely from the EU to US companies that have signed up to the DPF. The UK has implemented a similar framework for UK to US transfers, which "piggy backs" on the DPF. The concern stems from certain measures that are perceived to chip away at the independence of oversight bodies. No steps have been taken so far which are likely to be sufficiently fundamental to cause the invalidation of the DPF and it is in the US' commercial interests too that the DPF is preserved.
- Big Tech: Days into the Trump administration, major US social media companies watered down or abandoned their content moderation systems dealing with harmful material. In February 2025, the White House threatened to impose tariffs on European countries that had implemented a digital services tax and mentioned, as potentially also giving rise to retaliatory measures, “regulations imposed on United States companies by foreign governments that could inhibit the growth or intended operation of United States companies”. So far, the UK has downplayed suggestions of amendments to online safety laws in return for a favourable deal on tariffs.
Good (and bad) news for brand owners
The Court of Appeal's decision in Thatchers v Aldi is welcome news for owners of brands with a strong reputation, who have had the foresight to register their packaging and labelling designs as trade marks, combatting lookalike products. Aldi's sign for its TAURUS lemon cider was found to have taken unfair advantage of, and therefore infringe, Thatchers' registered trade mark in respect of the designs for its lemon cider cans and packaging. The court was presented with persuasive evidence that Aldi achieved substantial sales despite not having spent anything on marketing, and that Aldi deliberately benchmarked against Thatchers' products. This is another example of the courts reining in lookalikes - in 2024, Tesco was forced to rebrand its Clubcard after losing in the Court of Appeal to Lidl in respect of the well-known yellow circle in a blue square design. Tesco was found (amongst other things) to have taken unfair advantage of Lidl's trade mark to convey an erroneous price matching message.
How broad are your trade mark registrations?
Brand owners which have registered their trade marks for broad classes of 'goods and services' may want to rethink their trade mark filing and enforcement practices. The Supreme Court's long-awaited judgment in SkyKick v Sky has made it easier to challenge trade mark registrations in relation to overly broad classes of goods and services on the basis that they were applied for in bad faith. The decision is likely to lead to more invalidity actions based on bad faith, including counterclaims in infringement actions. Our briefing provides an overview of this decision and what it means for brand owners.
For further information please contact
Louisa Chambers
- Head of Technology & Commercial Transactions
- IP & Technology
- +44 20 7295 3344
Helen Reddish
- Knowledge Counsel
- Technology & Commercial Transactions
- +44 20 7295 3574