Insights

Last year, the California General Assembly passed the California AI Transparency Act (CAITA), which Governor Gavin Newsom signed into law on September 19, 2024, and goes into effect on January 1, 2026. This may change because this year, the same General Assembly passed AB 853, an amendment to CAITA with potentially far-reaching implications.

Marking a significant milestone toward the broad deployment of commercial drones over American skies, the Federal Aviation Administration (“FAA”) and Transportation Security Administration issued a proposed rule in August that would streamline how drones can operate when they fly beyond the visual line of sight of their operators.

On September 9, 2025, the Ninth Circuit Court of Appeals affirmed a district court’s denial of a preliminary injunction as to certain provisions of California’s Protecting Our Kids from Social Media Addiction Act. This interlocutory ruling is significant for two reasons. First, it demonstrates why and how state laws can withstand and avoid First Amendment challenges. Second, it showcases the potential difficulties in establishing associational standing on behalf of member technology and digital commerce companies.

On September 29, 2025, California Governor Gavin Newsom signed into law Senate Bill 53, the Transparency in Frontier Artificial Intelligence Act (TFAIA). This landmark legislation represents California’s most significant regulation to date of AI developers.

On September 30, 2025, the Department of Justice (DOJ) announced that Georgia Tech Research Corporation (GTRC) agreed to pay $875,000 to settle allegations that it violated the False Claims Act (FCA) and federal common law by failing to meet cybersecurity requirements under certain Air Force and Defense Advanced Research Projects Agency (DARPA) contracts.  The settlement adds to the growing list of recoveries under DOJ’s Civil Cyber-Fraud Initiative and is yet another example of DOJ’s ongoing enforcement focus on cybersecurity obligations for federal contractors handling sensitive government information.  The settlement also provides insight into how government contractors may challenge FCA liability when faced with allegations of cybersecurity noncompliance.

On September 26, the White House invited the public to submit comments on Federal laws, rules, and policies that “unnecessarily hinder” the development or deployment of artificial intelligence (AI) technologies in the United States. This request marks one of the Trump Administration’s most substantial moves yet to reduce the regulatory burden on AI. Respondents may submit comments through a government website until October 27, 2025.

The states of the Persian Gulf are moving rapidly to establish themselves as global centers of investment and innovation in artificial intelligence (AI). The Kingdom of Saudi Arabia, the United Arab Emirates (UAE), and the State of Qatar are making substantial outlays in technology and infrastructure as they seek to diversify their economies away from oil. As important, their governments are implementing digital regulations and AI strategies in a bid to attract foreign investment and develop technology companies that can go toe-to-toe with American and European competitors. 

On 18 September, during the anticipated state visit, the leaders of the UK and the US signed the Technology Prosperity Deal, which promises to boost investment and cooperation to foster innovation, security, and economic prosperity. This is being lauded in the UK as a hugely significant milestone in transatlantic cooperation. The governments of both countries have released a Memorandum of Understanding (“Memo”) which covers a number of ambitious plans in strategic science and technology fields, including artificial intelligence (“AI”), nuclear energy, fusion, and quantum technologies.

U.S. Government and private sector sources continue to report efforts by Democratic People’s Republic of Korea (DPRK) nationals to infiltrate companies around the world by posing as information technology (IT) professionals, in order to get hired by U.S. and other businesses and gain access to sensitive company systems. Crowdstrike, a U.S. cybersecurity company, has reported a 220% increase in the number of companies infiltrated by North Korean threat actors over the last 12 months. In particular, a DPRK-affiliated group known as “Famous Chollima” has leveraged artificial intelligence and deepfake technology to generate synthetic identities, as well as resumes and CVs, draft communications, and conduct job interviews. Enforcement actions brought by the U.S. Department of Justice identify victims in the cryptocurrency sector, including decentralized finance (“DeFi”) projects. In addition, media reports indicate that North Korean hackers are purportedly offering fake job offers targeting employees in the cryptocurrency sector, with the goal of stealing crypto.

On September 18, 2025, the Director of National Intelligence (DNI) issued the first order under the authority conferred by the Federal Acquisition Supply Chain Security Act (FASCSA), requiring exclusion and removal of products and services by an identified source.[1]

California Governor Gavin Newsom has until October 12, 2025, to sign into law a first-in-the-nation bill that will, if enacted, likely impose significant regulatory obligations and litigation risk on companies deploying AI chatbots in California.

On September 10, 2025, the Department of Defense (DoD) published a final rule (CMMC Clause Rule) that will apply its much-anticipated Cybersecurity Maturity Model Certification program (CMMC) to DoD contractors and subcontractors. Under the CMMC Clause Rule, starting on November 10, 2025, DoD can include CMMC requirements—potentially including third-party cybersecurity assessments—in contracts that require the handling of Controlled Unclassified Information (CUI) or Federal Contract Information (FCI).

On September 9, 2025, the California Privacy Protection Agency (“CPPA”), along with California Attorney General Rob Bonta, Colorado Attorney General Phil Weiser, and Connecticut Attorney General William Tong, (collectively the “Coalition”) announced a joint investigative sweep (the “Sweep”) into businesses refusing to honor consumers' requests to opt-out of the sale of their personal information submitted via Global Privacy Controls (“GPCs”). This Sweep is another action in a growing trend of multi-state cooperation in data privacy enforcement activities. Given the continued lack of a federal data privacy law, state cooperation and enforcement activities are expected to continue.

On 8 August, the UK Department for Science, Innovation & Technology (“DSIT”) published a report titled “Emerging technologies and their effect on cyber security” (the “Report”). It examines how the convergence of AI, IoT, Quantum, Edge Computing, Blockchain and other emerging technologies is transforming the cyber threat landscape. We’ve summarised below some of their key findings and takeaways. In the pursuit of growth and efficiencies many companies are considering how to adopt emerging technology into their operational processes, and the Report provides a useful guide as to emerging cyber risks and where the UK Government’s attention is focused as it launches the Cyber Resilience Bill later this year.

On 11 July 2025, the European Data Protection Supervisor, (“EDPS”), the independent supervisory authority, which oversees the processing of personal data by EU institutions, bodies, offices and agencies, (“EUIs”) confirmed that the European Commission, (“Commission”) has succeeded in bringing its use of Microsoft 365 within the requirements of applicable European data protection rules thanks to additional measures adopted by both the Commission and Microsoft.

Threat actors have targeted insurance companies in a recent string of cyber-attacks, exposing patients’ personal information, including Social Security numbers, claims information, and health reports.

Ofcom, the UK’s communications and appointed online safety regulator, is following through on its commitment to protect children online. From 25 July 2025, Ofcom will enforce its Protection of Children Codes of Practice (the “Code”) under the Online Safety Act 2023 - a significant milestone for digital safety in the UK.

On 2 June 2025, the UK Government unveiled its 2025 Strategic Defence Review titled the “Plan for Change for Defence” (the “2025 SDR”), heralding it as the dawn of a new era in British defence and security. Hailed as a landmark by the Prime Minister, the 2025 SDR underscores the urgent need to address daily cyber threats and embrace the rapid evolution of technology that is reshaping the battlefield. It also emphasises both the necessity of and the opportunities that this approach affords to create a new partnership with industry and radically reform procurement, leading to the creation of a “defence dividend” of jobs, wealth and opportunity throughout the UK.

Ransomware attacks have escalated in frequency and sophistication, posing a significant threat to national security and critical national infrastructure (“CNI”). Cybersecurity has emerged as a core pillar of the UK’s national defence strategy, as set out in the recent Strategic Defence Review. The Government has recognised cyber as a crucial area for modern conflict. Ransomware attacks are a significant method of attack, as a form of cybercrime which involves malicious software encrypting data and a ransom demand for its restoration or to prevent its publication. The UK has experienced a notable rise in such incidents, including attacks on Synnovis (an NHS diagnostics service provider) and Southern Water (a water company providing water to a region of the UK), both in 2024.

Open source data and software play a foundational role in software development, artificial intelligence (AI), education, and research. Open source AI refers to systems where the source code, model parameters, and related components are freely available for anyone to use, study, modify, and distribute.