Rohan Massey: Welcome, and thank you for joining us on the latest installment of The Data Day from Ropes & Gray, a podcast series brought to you by the data, privacy and cybersecurity practice here at Ropes & Gray. In this episode, we will be celebrating the 19th World Data Protection Day, or World Privacy Day, depending on which side of the Atlantic you’re on. The purpose of the day is not only to mark the signing of the Convention 108, the first legally binding treaty on the protection of privacy in the digital age, but also, to educate and raise awareness about the importance of protecting personal information in a digital society. And on that theme of awareness, we want to discuss today what’s on the horizon in the UK and EU across 2026, looking at data, AI, and digital rules.
For today’s discussion, I am delighted to be joined by three colleagues from Ropes & Gray’s London team: Edward Machin, Cat Keeling, and Suzie Wilson. So, welcome to the three of you. 2025 was a year in which the headlines were frequently focused on cybersecurity breaches. Not only did we see attacks that were stealing data or locking networks, we saw attacks that disrupted health care and telecommunication systems, aviation travel, and, in fact, even entire supply chains. Cybersecurity attacks have become a growing menace. In fact, in a recent poll of UK business leaders, we saw that nearly 60% identified cyber attacks as being the most significant worry that they have in their business. And interestingly, of those, 42% worried about the reputational attack of a data breach, 28% worried about the spreading of misinformation online, and 24% worried about negative media coverage. Interestingly, nobody mentioned fines or financial loss. But it’s clearly an area of importance to business, and, I think, it’s also one that is important to regulators. Edward, based on the fact patterns that I’ve just discussed about cybersecurity and security breaches, what do we see the changes are likely to be in regulation in 2026?
Edward Machin: Thanks, Rohan. Yes, I agree that cyber is at the forefront of many of our clients’ conversations and thinking, both in 2025 and already this year. And there are overlapping laws and obligations that we are seeing taking effect throughout this year, primarily in the EU but also in the UK in the form of the UK’s upcoming cyber bill that organizations should be thinking about. So many in the financial services sector listening to the podcast will be familiar with DORA, the Digital Operational Resilience Act, and although that Act has already kicked in, and many of the obligations of big and small companies that have been spending a significant amount of time standing up their compliance programs, one of the key milestones for this year is the preparation and submission to national regulators of the register of information, so much like a souped-up Article 30 record of processing. And whilst that is not directly cyber-related, one of the core obligations of DORA is understanding who is holding your data, where the data is going, so that if you do have cyber incidents, you’re able to map those accordingly. So, that’s been a very, very big undertaking for many organizations, and various stages through March and either side of that month, organizations need to have that register in place.
Later on in the year, in September, organizations that are subject to the Cyber Resilience Act—manufacturers of digital and connected products and software—will need to report actively exploited vulnerabilities and severe incidents within 24 hours of that happening. And then, like I mentioned, the UK cyber bill, which is currently working its way through Parliament and is very similar to NIS2 in the EU, reflects some of those obligations, so advanced and aggressive reporting timelines and operational resilience, generally. So, for organizations that are thinking about cyber and cyber incidents, it is both an EU and a UK consideration.
Rohan Massey: Interesting, the need to mention a lot of different pieces of legislation there covering the cybersecurity space. How do the EU regimes fit together? Is there anything that organizations can do to be leveraging business operations across the platform to comply with these various pieces of legislation?
Edward Machin: Absolutely. So, for most businesses, particularly those based outside of Europe but that are looking to do business in Europe, they are targeting both the EU and the UK. And so, the question is often, “How do you have a single compliance program that meets the requirements of both laws?” And the clients and companies that we see doing this best are those that use what they have as their existing compliance programs and leveraging those for compliance with new laws, so it’s not reinventing the wheel every time. It does mean that there are certain requirements of, for example, DORA that are different for incident response to GDPR. But it is much easier to use the platform that you have already and then build onto that, rather than having to start from scratch from each law, which is timely and cost effective, and not particularly efficient. I mentioned the Article 30 record of processing: can you leverage that for your DORA register? Can you leverage your existing breach and incident protocol rules for CRA notifications, NIS2 notifications, GDPR notifications, and UK cyber bill notifications? So, it’s thinking about it in a holistic way rather than in a vacuum.
Rohan Massey: Right. And that holistic bubble, do you think includes the UK as well as Europe? Are we still seeing an alignment there?
Edward Machin: As with most things around digital policy and law, the UK is taking a slightly different approach post-Brexit. Notwithstanding that I said the cyber bill is similar to NIS2, the UK landscape is not as aggressively regulated as Europe. One of the interesting things that we had seen last year that hasn’t appeared in the bill was the potential inclusion of a ransom license regime in the UK, which would go further than the EU, in which certain entities would be prohibited from paying ransoms, critical infrastructure, NHS, and so on. And then, for private sector organizations, the government had mooted introducing a regime whereby, although ransom payments weren’t prohibited, the company had to inform the government that they were intending to pay the ransom. That hasn’t made it into the bill. It will be interesting to see whether that does come out in the wash in 2026. So, the UK is generally not as restricted and regulated as the EU, but if that provision or those provisions were to make their way onto the statute book, it will be a much more aggressive stance than even in Europe.
Rohan Massey: Interesting, thank you. Obviously, a lot happening in cybersecurity legislation, but also, when we think about cybersecurity, one of the other things I’ve been hearing a lot about over the last 12 months, at least, is the use of AI, whether that was the attackers getting more sophisticated using AI, or those in defense using AI to bolster the depth and breadth of their protection. Cat, what’s the regulatory outlook for AI in 2026?
Catherine Keeling: Thanks, Rohan. Yes, there are continuous AI obligations to focus on in 2026, which continue to be at the forefront of most clients’ minds, as well as cyber. So, from a European perspective, firstly there are a number of key dates under the EU AI Act this year. There’s some expected guidance and codes that will be released. For example, by June 2026, the EU Commission is expected to finalize its code of practice, which will cover topics such as labeling of AI-generated content and transparency guidelines. But for most businesses, the key date this year will be the 2nd of August, 2026, because on that date, the majority of the remaining provisions of the EU AI Act will take effect, and that includes those relating to high-risk AI systems, most importantly, and general-purpose AI models and transparency around AI-generated content. So, from this date, most high-risk AI systems will be subject to a range of obligations, and that includes those relating to human oversight, data governance, transparency, and incident reporting.
In terms of the UK outlook, in contrast with the EU, there’s obviously no comprehensive legal framework on AI in the UK at the moment. We have a sector-specific guidance regime at the moment. There’s been discussion of AI legislation in some form since 2023 in the UK, with the UK’s AI Bill first being proposed back in 2024, but there have been various delays to that bill. In June of last year, it was announced that the UK AI Bill won’t be introduced until the second half of this year at the earliest. There’s a potential that the UK AI Bill announcement might come in The King’s Speech this year, which is anticipated to be in May, but it could be that this date just comes too early for anything to be announced, so it will be interesting to see how that progresses this year.
Rohan Massey: Thanks, Cat. That’s a comprehensive overview, and, obviously, a lot changing there. Looking at the EU AI Act, what are the high-risk cases that are going to be most relevant to our listeners and our clients?
Catherine Keeling: I think for our listeners, the most relevant use cases of high-risk AI are likely to be in the HR context. So, the August 2026 obligations will cover systems that are used in employment contexts, both AI systems used in recruitment—for example, placing of targeted job adverts, or the analyzing and filtering of candidates during recruitment. And then, also, during the employment relationship itself—for example, monitoring of employees and systems that are used for decision-making, e.g., promotions, terminations, work allocation, things like that. Another use case that might be relevant is that high-risk obligations will apply to systems used to carry out credit checks and assessing risk and pricing for health and life insurance. It’s also important to note that many of the obligations that I’ve mentioned also apply to users of these systems as well as providers, so users will still be subject to requirements such as human oversight and transparency.
Rohan Massey: Fantastic. And just to take it back on one last point—you mentioned that there may be a UK AI Bill in The King’s Speech in the middle of the year. If there is one, do you think the UK will take an approach that will diverge from the EU position and that comprehensive legislation that we’ve seen with the EU AI Act?
Catherine Keeling: Yes, it’s an interesting one. The current details of the UK AI Bill, both in scope and timing, are quite scarce, but it’s generally not expected that the UK will marry the same approach as the EU AI Act. It’s expected that the UK will take a slightly less restrictive approach than the EU have. The UK AI Bill is likely to be lighter touch and focus more on pro-innovation than what we’re seeing in Europe. The Labour government’s original proposals back in 2024 appeared to be fairly prescriptive with a focus on AI safety and protection of fundamental rights, essentially ensuring that there’s responsible AI innovation, and whilst that’s likely to remain, the government has, in recent months, indicated that they’re also focusing on growth of the AI sector in the UK—for example, the government announced the introduction of the AI Growth Zones and AI Growth Labs at the end of last year. And it therefore remains to be seen whether the UK will take the approach that’s more akin to the light touch U.S.-style regulation that we’re seeing under the Trump administration. I think either way, it’s unlikely that the UK will wholesale copy or focus on the same kind of onerous restrictions that we are seeing under the EU AI Act, but it will be interesting to see where it ends up.
Rohan Massey: Thank you for that. Interesting to see how politics, economics, and law all join together, and different jurisdictions look at issues in different ways. Now, I’d like to move to one final topic before we run out of time. These days, we have data protection, we have privacy, we’ve talked about cybersecurity, we’ve talked about AI—it’s this idea of all things digital within data, as well as we live and work more and more in a digital society. So, Suzie, looking at a broader digital issue, what have we got on the horizon for 2026 in your perspective?
Suzie Wilson: Thanks, Rohan. So, we’re using the term “digital regulation” here as an umbrella term to cover the UK’s Data (Use and Access) Act (“DUAA”), the EU Data Act, and then, also, the European Commission’s Digital Omnibus package. The Omnibus proposal is likely the one that organizations are most looking forward to in 2026. The draft legislation published late last year suggests that the package will offer some simplifications in the EU across several of those regulations and topics, which we’ve already discussed. But turning first to the UK and the Data (Use and Access) Act, DUAA hasn’t created any significant divergences from the GDPR, and it largely codifies existing positions and guidance so that organizations have clearer standards going forward. Several of the DUAA changes came into effect when the act received Royal Assent in June 2025, and others are due to be rolled out through secondary legislation in 2026, including the Part 5 changes, which are expected to come into effect very early this year. So, those changes include the extension of the PECR (Privacy and Electronic Communications Regulations) soft opt-in for charities, and also, introduce limited consent exemptions for certain cookies where they’re necessary for things like communication or essential for providing a service requested by the user. But perhaps the biggest milestone from a DUAA perspective isn’t coming up until around June 2026, when organizations will be required to have a formal data protection complaints process in place.
Rohan Massey: Okay, thanks. So, this idea of complaints you mentioned, what is the process for those complaints? What does that look like?
Suzie Wilson: The complaints process needs to be transparent; it needs to be accessible and publicized in a way that the data subjects are reasonably able to locate it. So, we would suggest, for example, linking it on the website or linking it on privacy notices. Once the process is established, controllers must acknowledge complaints within 30 days, take appropriate steps without undue delay, and then, also, communicate the outcome to the data subject without undue delay. So, there’s no fixed deadline beyond the 30-day acknowledgment, but organizations must actively investigate, keep the complainant updated, and give an outcome as soon as reasonably possible.
Rohan Massey: So, having in place a process a bit like a DSAR (Data Subject Access Request) process may be helpful here.
Suzie Wilson: Exactly. Moving on to the EU then, 12th of September, 2026 is one of the key dates under the EU Data Act, when providers of connected products and related services will have to ensure that data is readily accessible for users. This applies to any products placed on the EU market that are capable of generating or collecting data—think smart home devices, smart watches, connected vehicles, and IoT sensors. And so, by the 12th of September, 2026, any data your device collects—like your smart watch tracking your steps, or your smart fridge tracking your inventory—will need to be readily accessible and downloadable by users.
And then, the last milestone for this podcast, but definitely not the least, is the EU Digital Simplification Package, often referred to as the Digital Omnibus, which is a bit of a pivotal step in the EU’s push towards harmonizing and streamlining the digital regulatory framework across a lot of those areas we’ve discussed, including AI, data access, and cybersecurity. The goal is really to have fewer overlaps, clearer interplays, and streamlined reporting obligations. Some of the key proposed changes are targeted amendments to the EU AI Act provisions and oversight, AI literacy, documentation, and registration—and also, postponed entry into application for high-risk AI provisions which, as Cat mentioned, are due to come into effect in August this year. I think these points are so interesting, and it shows you how quickly the pace changes in these areas, and the step change that the EU is taking, that they’ve proposed amendments to legislation which hasn’t even come into effect yet.
Rohan Massey: Interesting point there, Suzie. These haven’t come into effect—it is the word “proposal.” How does an organization balance complying with the laws that Cat and Edward have discussed, the milestones that have come up this year, and balance that commercially with proposals that may change those at the end of this year? Do you have any idea of the balance there?
Suzie Wilson: That’s likely a thought that has crossed the minds of a lot of our listeners, but ultimately, the EU rules that we discussed earlier—the EU AI Act, the Data Act, NIS2—are already real and live compliance issues for organizations. What we have with the Omnibus proposal is just that—it’s high-level proposals which, in some aspects, are relatively controversial and will be subject to scrutiny and debate, and as a result, may also be subject to change. So, because of that, while we do suggest keeping an eye on those consultations as they progress, it’s probably not a good idea to delay implementation of an AI strategy on the basis that high-risk AI obligations may be postponed, because if that proposal was to get dropped in July 2026, for example, it doesn’t give your organization much time to get their AI practices compliant for the deadline.
Rohan Massey: Fantastic. Well, thank you very much. That’s fascinating. For each of the panelists—Edward, Cat, Suzie—thank you very much. Certainly, a lot covered and a lot to think about for our listeners. So, with those milestone dates, we will leave you thinking about your compliance programs, hoping that they can be simplified in the future, and wishing you, of course, a very happy World Data Protection/World Privacy Day. Thank you very much. A big thank you to everyone who tuned into this episode of The Data Day from Ropes & Gray. If you enjoyed the show, please subscribe—you can listen to the series wherever you regularly get your podcasts, including on Apple and Spotify. Thank you very much.