Insights

The EU Cyber Resilience Act (CRA) is an EU product cybersecurity law for connected products (formally, “products with digital elements” under the CRA) commercialized in the EU; it entered into force on 10 December 2024, with direct application across the EU. Full application begins 11 December 2027, but one of its most operationally demanding provisions takes effect in just under 100 days, on 11 September 2026: the mandatory vulnerability and incident reporting under Article 14 CRA.

Introduced to Parliament on 19 May 2026, the Commercial Payments Bill represents a significant reform to payment legislation. Targeting a problem that costs the economy £11 billion per year, the Bill introduces a package of hard-edged protections that businesses cannot avoid through contract.

The International Chamber of Commerce (ICC) has released its revised 2026 Arbitration Rules (the 2026 Rules), which entered into force on 1 June 2026. The revisions represent a significant update to the 2021 ICC Rules (the 2021 Rules) and reflect a clear institutional focus on efficiency, procedural flexibility, and expedited dispute resolution.

The UK has successfully concluded a milestone free trade agreement (FTA) with the Gulf Cooperation Council (GCC) countries. We set out below a high-level comment on the FTA’s chapters and some of the key provisions.

The first applications to lift an automatic suspension under the Procurement Act 2023 (the Act) have recently been decided. In Parkingeye Limited v Velindre University NHS Trust & Anor [2026] EWHC 1019 (TCC), handed down on 1 May 2026, HHJ Keyser KC dismissed applications by two NHS contracting authorities to lift the suspension preventing them from concluding a car park management services contract. This is the first judicial consideration of the new test under section 102(2) of the Act.

Businesses affected by the Strait of Hormuz crisis are likely to be navigating both sides of the contractual liability equation: seeking to enforce protections while simultaneously trying to limit their own exposure. This balancing act will feel familiar to those who managed supply chain disruptions during the Covid pandemic or in response to Russian sanctions. But the scale of uncertainty and the severity of the current situation make it particularly challenging to chart a clear path forward. This note provides an overview of the English-law issues that have arisen in this current crisis and is relevant for companies and legal counsel seeking to understand and mitigate contractual risk in their supply chains, including for shipping, energy, commodities, and construction.

The president of the Competition Appeal Tribunal (CAT) has signalled a more rigorous approach to scrutinising opt-out collective actions at the certification stage, with particular attention to whether the financial benefits of such claims flow to the claimant class or primarily to their lawyers and funders. Coming at a time when the UK Law Commission is consulting on expanding the scope of the opt-out regime, this development warrants careful consideration by all those with interests in the UK litigation funding market.

The ICCU is poised to become one of the most significant international compensation mechanisms of this generation. Crowell & Moring has the experience to help with your claim.

In March 2026, the UK Information Commissioner (ICO) published guidance on the new lawful basis for processing personal data introduced by the Data (Use and Access) Act 2025 (DUAA): the recognised legitimate interest (RLI) lawful basis. Controllers may now rely upon one of five pre-approved conditions, each focused on specific public-interest justifications, for personal data processing.

The EU has adopted its 20th package of sanctions in connection with Russia's ongoing war against Ukraine, resolving a prolonged internal political deadlock that had been caused by vetoes from Hungary and Slovakia. The package amends Regulations 833/2014, 269/2014, and 765/2006 and the respective Council Decisions and Implementing Regulations. The texts entered into force on 24 April 2026. They are available through this link.

The UK’s Office of Financial Sanctions Implementation (OFSI) has published details of a £390,000 penalty it imposed on ADI, an Irish subsidiary of Apple Inc., on 19 March 2026. The penalty relates to two payments totalling approximately £635,000 made in 2022 to Okko LLC, a sanctioned Russian app developer, for App Store revenue. Although the underlying facts are relatively simple, there are several interesting takeaways from OFSI’s penalty notice.

At the European Patent Office (EPO), a recent referral of case T 873/24 from the Technical Board to the Enlarged Board of Appeal may clarify whether last summer’s decision in case G 1/24 on claim interpretation may be extended to the analysis of Added Subject-Matter. Already G 1/24 is impacting the assessment of patentability at the EPO, but should this referral be allowed, G 1/24’s effect on the assessment of added matter could result in a real shake up of the EPO’s notoriously strict assessment of support. Nonetheless, a review of how we got here highlights the value of late arguments during the EPO appeal process.

In a significant ruling on the application of data protection law in the United Kingdom, on 19 February 2026, the UK’s Court of Appeal (CA) ruled in favour of the UK Information Commissioner (ICO) in its appeal against the decision of the Upper Tribunal (UT) in the case of DSG Retail Ltd v The Information Commissioner [2026] EWCA Civ 140. This ruling clarifies the scope of data controllers’ security obligations with pseudonymised personal data and confirms that a controller’s duty to safeguard personal data is not diminished merely because a cyber attacker who exfiltrates that data would be unable to re-identify the individuals concerned.

On 12 March 2026, the USTR self-initiated Section 301(b) investigations against 60 of the United States' largest trading partners, including the United Kingdom. The investigations will examine whether each economy's acts, policies, and practices relating to the failure to impose and effectively enforce a ban on goods produced with forced labour are unreasonable or discriminatory and burden or restrict U.S. commerce.

[1] In a recent development, the UK Supreme Court ruled that Artificial Neural Networks (ANNs) are not excluded from patentability due to being a computer program “as such.” In doing so, the Court set out the framework of a new test for the UK Intellectual Property Office (IPO) to use when evaluating the patentability of computer. The ruling breaks down barriers to the patenting of AI algorithms in the UK and paves the way for a wider change in the UK IPO’s approach to assessing excluded subject matter.

In March 2026, the UK Government published its Fraud Strategy 2026–2029, part of a broader economic-crime policy package building on the Economic Crime Plan 2 (March 2023) and the Anti-Corruption Strategy, published in December 2025. The strategy's headline message for fraud victims is striking: do not wait for the state to act, but rather, seek redress from the court yourself.

On 26 February 2026, the EU published Directive (EU) 2026/470 (the Omnibus I Directive). Adopted as part of the European Commission's (Commission) simplification agenda and after a year of debates and negotiations between the Commission, the Council, and the European Parliament, this text effectuates far-reaching changes to both the Corporate Sustainability Reporting Directive (CSRD) and the Corporate Sustainability Due Diligence Directive (CS3D).

Clinical trial sponsors and all other stakeholders involved in conducting commercial clinical trials of investigational medicinal products (IMP) in the UK.

From 1 April 2026, a major new transparency requirement under the Procurement Act 2023 will take effect pursuant to the Procurement Act 2023 (Commencement No. 4) Regulations 2025.

The UK’s Office of Financial Sanctions Implementation (OFSI) has launched a call for evidence concerning the "ownership and control" test within UK financial sanctions. The call for evidence, running until 11:59 p.m. on 13 April 2026, seeks stakeholder views on the challenges and implementation of the "control" limb, with particular focus on its hypothetical element.