Insights

President Trump is preparing to sign an Executive Order that would seek to forestall state regulation of artificial intelligence (AI) by threatening federal lawsuits and the withholding of some federal funds. The draft, unsigned six-page Executive Order, “Eliminating State Law Obstruction of National AI Policy” (EO), the text of which has been circulating publicly since November 19, would declare it the policy of the Administration “to sustain and enhance America’s global AI dominance through a minimally burdensome, uniform national policy framework for AI.”

On November 14, 2025, the U.S. Department of Justice (DOJ) announced a sweeping series of enforcement actions, including four guilty pleas and more than $15 million in civil forfeitures against the  Democratic People’s Republic of Korea (DPRK or North Korea) for remote information technology (IT) worker schemes. These actions underscore the federal government’s escalating focus on the exposure of U.S. companies to North Korean IT worker infiltration, following a series of U.S. Government action against the DPRK.

On 12 November, the highly anticipated Cyber Security and Resilience (Network and Information Systems) Bill (“Bill”) was introduced to Parliament, representing a significant expansion and modernisation of the UK’s cyber security rules. Building on the foundation set by the Network & Information Systems Regulations 2018 (“NIS”), the Bill aims to enhance national security and safeguard essential services. The Department for Science, Innovation and Technology (“DSIT”) has published a policy paper detailing the Bill’s objectives.

In a stunning revelation following last month’s jewel heist at the Louvre Museum in Paris, France, a 2014 audit resurfaced, spreading rumors that the password to the museum’s video surveillance system was still “Louvre.”

In the first few years following the public launch of generative artificial intelligence (AI) in the autumn of 2022, litigation related to AI focused primarily on claims of copyright infringement. Suits revolved around allegations that the data on which AI models train, and/or the output they produce, infringe upon the intellectual property rights of others. (While some of these cases have settled or reached preliminary judgments, many remain ongoing.)

The UK’s cyber threat landscape continues to evolve, with the rapid emergence of new technologies introducing novel risks across all sectors and attacks escalating in frequency and sophistication. Regulatory bodies and the UK Government have intensified their focus on cyber security and resilience, as evidenced by the latest National Cyber Security Centre (NCSC) 2025 annual review (Review) and the proposed UK Cyber Security and Resilience Bill (Bill), alongside recent developments in ransomware regulation.

A new series of lawsuits have been filed in California courts alleging violations of the state’s Business and Professions Code § 17529.5 (the “Anti-Spam Law”). These cases target companies that send marketing and promotional emails to California residents, and they could present serious legal and financial risks for businesses engaged in email marketing.

Researchers have identified a new wave of cybersecurity attacks against European drone makers by the Lazarus Group, a well-known and sophisticated threat actor group, allegedly sponsored by the North Korean government.

Ransomware attacks continue to evolve in frequency, sophistication, and impact. Threat actors are now leveraging artificial intelligence to enhance phishing campaigns, automate data exfiltration, and execute double extortion schemes—where data is both encrypted and stolen for leverage.

Last year, the California General Assembly passed the California AI Transparency Act (CAITA), which Governor Gavin Newsom signed into law on September 19, 2024, and goes into effect on January 1, 2026. This may change because this year, the same General Assembly passed AB 853, an amendment to CAITA with potentially far-reaching implications.

Marking a significant milestone toward the broad deployment of commercial drones over American skies, the Federal Aviation Administration (“FAA”) and Transportation Security Administration issued a proposed rule in August that would streamline how drones can operate when they fly beyond the visual line of sight of their operators.

On September 9, 2025, the Ninth Circuit Court of Appeals affirmed a district court’s denial of a preliminary injunction as to certain provisions of California’s Protecting Our Kids from Social Media Addiction Act. This interlocutory ruling is significant for two reasons. First, it demonstrates why and how state laws can withstand and avoid First Amendment challenges. Second, it showcases the potential difficulties in establishing associational standing on behalf of member technology and digital commerce companies.

On September 29, 2025, California Governor Gavin Newsom signed into law Senate Bill 53, the Transparency in Frontier Artificial Intelligence Act (TFAIA). This landmark legislation represents California’s most significant regulation to date of AI developers.

On September 30, 2025, the Department of Justice (DOJ) announced that Georgia Tech Research Corporation (GTRC) agreed to pay $875,000 to settle allegations that it violated the False Claims Act (FCA) and federal common law by failing to meet cybersecurity requirements under certain Air Force and Defense Advanced Research Projects Agency (DARPA) contracts.  The settlement adds to the growing list of recoveries under DOJ’s Civil Cyber-Fraud Initiative and is yet another example of DOJ’s ongoing enforcement focus on cybersecurity obligations for federal contractors handling sensitive government information.  The settlement also provides insight into how government contractors may challenge FCA liability when faced with allegations of cybersecurity noncompliance.

On September 26, the White House invited the public to submit comments on Federal laws, rules, and policies that “unnecessarily hinder” the development or deployment of artificial intelligence (AI) technologies in the United States. This request marks one of the Trump Administration’s most substantial moves yet to reduce the regulatory burden on AI. Respondents may submit comments through a government website until October 27, 2025.

The states of the Persian Gulf are moving rapidly to establish themselves as global centers of investment and innovation in artificial intelligence (AI). The Kingdom of Saudi Arabia, the United Arab Emirates (UAE), and the State of Qatar are making substantial outlays in technology and infrastructure as they seek to diversify their economies away from oil. As important, their governments are implementing digital regulations and AI strategies in a bid to attract foreign investment and develop technology companies that can go toe-to-toe with American and European competitors. 

On 18 September, during the anticipated state visit, the leaders of the UK and the US signed the Technology Prosperity Deal, which promises to boost investment and cooperation to foster innovation, security, and economic prosperity. This is being lauded in the UK as a hugely significant milestone in transatlantic cooperation. The governments of both countries have released a Memorandum of Understanding (“Memo”) which covers a number of ambitious plans in strategic science and technology fields, including artificial intelligence (“AI”), nuclear energy, fusion, and quantum technologies.

U.S. Government and private sector sources continue to report efforts by Democratic People’s Republic of Korea (DPRK) nationals to infiltrate companies around the world by posing as information technology (IT) professionals, in order to get hired by U.S. and other businesses and gain access to sensitive company systems. Crowdstrike, a U.S. cybersecurity company, has reported a 220% increase in the number of companies infiltrated by North Korean threat actors over the last 12 months. In particular, a DPRK-affiliated group known as “Famous Chollima” has leveraged artificial intelligence and deepfake technology to generate synthetic identities, as well as resumes and CVs, draft communications, and conduct job interviews. Enforcement actions brought by the U.S. Department of Justice identify victims in the cryptocurrency sector, including decentralized finance (“DeFi”) projects. In addition, media reports indicate that North Korean hackers are purportedly offering fake job offers targeting employees in the cryptocurrency sector, with the goal of stealing crypto.

On September 18, 2025, the Director of National Intelligence (DNI) issued the first order under the authority conferred by the Federal Acquisition Supply Chain Security Act (FASCSA), requiring exclusion and removal of products and services by an identified source.[1]

California Governor Gavin Newsom has until October 12, 2025, to sign into law a first-in-the-nation bill that will, if enacted, likely impose significant regulatory obligations and litigation risk on companies deploying AI chatbots in California.