Insights

On 12 November, the highly anticipated Cyber Security and Resilience (Network and Information Systems) Bill (“Bill”) was introduced to Parliament, representing a significant expansion and modernisation of the UK’s cyber security rules. Building on the foundation set by the Network & Information Systems Regulations 2018 (“NIS”), the Bill aims to enhance national security and safeguard essential services. The Department for Science, Innovation and Technology (“DSIT”) has published a policy paper detailing the Bill’s objectives.

The UK’s cyber threat landscape continues to evolve, with the rapid emergence of new technologies introducing novel risks across all sectors and attacks escalating in frequency and sophistication. Regulatory bodies and the UK Government have intensified their focus on cyber security and resilience, as evidenced by the latest National Cyber Security Centre (NCSC) 2025 annual review (Review) and the proposed UK Cyber Security and Resilience Bill (Bill), alongside recent developments in ransomware regulation.

The United States, European Union, and United Kingdom have significantly escalated Russia-related sanctions the past month, including the Trump Administration’s first sanctions directly imposed on Russia. These coordinated actions—which particularly target the Russian energy sector—indicate that Russia sanctions remain on the geopolitical agenda and require multinational companies to remain vigilant in their compliance with those sanctions.

Researchers have identified a new wave of cybersecurity attacks against European drone makers by the Lazarus Group, a well-known and sophisticated threat actor group, allegedly sponsored by the North Korean government.

The Economic Crime and Corporate Transparency Act 2023 (ECCTA) brings major changes to UK company law and the operation of Companies House. Whether you are a UK business, an LLP, or an international organisation with UK operations, these reforms will affect your compliance obligations and the way you manage company records. The ECCTA aims to strengthen the UK’s response to corporate and economic crime by improving transparency and accountability across all entities registered or operating in the UK.

The UK’s increased defence spending and zero-tariff trade on aircraft parts with the US is generating broad interest in the UK defence sector.

Last year, the California General Assembly passed the California AI Transparency Act (CAITA), which Governor Gavin Newsom signed into law on September 19, 2024, and goes into effect on January 1, 2026. This may change because this year, the same General Assembly passed AB 853, an amendment to CAITA with potentially far-reaching implications.

On 18 September, during the anticipated state visit, the leaders of the UK and the US signed the Technology Prosperity Deal, which promises to boost investment and cooperation to foster innovation, security, and economic prosperity. This is being lauded in the UK as a hugely significant milestone in transatlantic cooperation. The governments of both countries have released a Memorandum of Understanding (“Memo”) which covers a number of ambitious plans in strategic science and technology fields, including artificial intelligence (“AI”), nuclear energy, fusion, and quantum technologies.

On August 28, 2025, France, Germany, and the UK (the E3) initiated the process to reinstate (or snapback) UN sanctions on Iran. The snapback mechanism (which was set to expire on October 18, 2025) is outlined in UN Security Council Resolution 2231 (UNSCR 2231).

A charity will be in scope of the new failure to prevent fraud offence if they meet two of the three following criteria:

On 8 August, the UK Department for Science, Innovation & Technology (“DSIT”) published a report titled “Emerging technologies and their effect on cyber security” (the “Report”). It examines how the convergence of AI, IoT, Quantum, Edge Computing, Blockchain and other emerging technologies is transforming the cyber threat landscape. We’ve summarised below some of their key findings and takeaways. In the pursuit of growth and efficiencies many companies are considering how to adopt emerging technology into their operational processes, and the Report provides a useful guide as to emerging cyber risks and where the UK Government’s attention is focused as it launches the Cyber Resilience Bill later this year.

On 1 August 2025, the UK’s Arbitration Act 2025 (the “Act”) came into force. It applies to arbitrations and arbitration-related court proceedings commenced on or after that date and reinforces London’s status as a leading hub for international arbitration.

On 11 July 2025, the European Data Protection Supervisor, (“EDPS”), the independent supervisory authority, which oversees the processing of personal data by EU institutions, bodies, offices and agencies, (“EUIs”) confirmed that the European Commission, (“Commission”) has succeeded in bringing its use of Microsoft 365 within the requirements of applicable European data protection rules thanks to additional measures adopted by both the Commission and Microsoft.

The case of Jardine Strategic Limited v Oasis Investments II Master Fund Ltd and 80 others (No 2) (Bermuda) [2025] UKPC 34 addresses significant issues regarding shareholder rights and legal professional privilege in corporate transactions. In particular, the case concerned the Shareholder Rule. This was a principle shareholders relied on to prevent companies from asserting privilege over documents, thus requiring companies to hand privileged documents over to them. On 24 July 2025, the Privy Council unanimously held that the Shareholder Rule no longer applies. Although the case concerned the law of Bermuda, the Privy Council issued a declaration (known as a Willers v Joyce direction) that its decision is binding on English courts as well. In so doing, it overturned an aspect of English law in force for almost 140 years.

Ofcom, the UK’s communications and appointed online safety regulator, is following through on its commitment to protect children online. From 25 July 2025, Ofcom will enforce its Protection of Children Codes of Practice (the “Code”) under the Online Safety Act 2023 - a significant milestone for digital safety in the UK.

On 2 June 2025, the UK Government unveiled its 2025 Strategic Defence Review titled the “Plan for Change for Defence” (the “2025 SDR”), heralding it as the dawn of a new era in British defence and security. Hailed as a landmark by the Prime Minister, the 2025 SDR underscores the urgent need to address daily cyber threats and embrace the rapid evolution of technology that is reshaping the battlefield. It also emphasises both the necessity of and the opportunities that this approach affords to create a new partnership with industry and radically reform procurement, leading to the creation of a “defence dividend” of jobs, wealth and opportunity throughout the UK.

Ransomware attacks have escalated in frequency and sophistication, posing a significant threat to national security and critical national infrastructure (“CNI”). Cybersecurity has emerged as a core pillar of the UK’s national defence strategy, as set out in the recent Strategic Defence Review. The Government has recognised cyber as a crucial area for modern conflict. Ransomware attacks are a significant method of attack, as a form of cybercrime which involves malicious software encrypting data and a ransom demand for its restoration or to prevent its publication. The UK has experienced a notable rise in such incidents, including attacks on Synnovis (an NHS diagnostics service provider) and Southern Water (a water company providing water to a region of the UK), both in 2024.

On June 30, 2025, President Trump issued Executive Order 14312 effectively lifting (or beginning the process of lifting) most of the sanctions on Syria. Executive Order 14312 cites the leadership changes and the policies of the new Syrian government under President Ahmed al-Sharaa as the reasons for the removal of sanctions. On the same day, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the Department of State took steps to implement the termination of the program by, among other actions, delisting appropriate individuals and entities from the List of Specially Designated Nationals and Blocked Persons (SDN List). These actions followed the initial sanctions relief provided on May 23, 2025 by OFAC, the Financial Crimes Enforcement Network (FinCEN), and the State Department.

On this 4thof July, Britain was also celebrating. The first country to secure a trade deal with the Trump Administration, the U.K. can indeed celebrate the so-called Special Relationship.

In a previous client alert on a recent Civil Justice Council (“CJC”) report on litigation funding in England and Wales we discussed the issue of whether payment waterfalls providing funders with payment priority are compliant with the Damages-Based Agreements Regulations 2013 (“DBA Regulations”), the issue being a matter to be heard on appeal in June 2025. Funders will be pleased to hear that the answer is “yes”. The Court of Appeal has held that the DBA Regulations focuses on whether a funding agreement determines the amount of a funder’s fees by reference to the damages awarded to the successful litigant. The fact that a funder may receive its fees from the proceeds is not enough in itself for the arrangement to fall under the DBA Regulations.