The Data (Use and Access) Act 2025 (“DUAA”) has made a number of changes to the UK’s data protection regime, many of which have already come into force. From 19 June 2026, organisations will need to implement or update their data protection complaints procedure to align with the new DUAA requirements which provide a mechanism for complaints made directly to a controller. This new requirement is supported by recent guidance from the UK Information Commissioner’s Office (“ICO”). This marks a shift towards a more formalised, controller-led complaints-handling framework, requiring organisations to treat certain expressions of dissatisfaction as regulated complaints with defined procedural obligations.
https://datamatters.sidley.com/wp-content/uploads/sites/2/2022/09/sidleyLogo-e1643922598198.png00Francesca Blythehttps://datamatters.sidley.com/wp-content/uploads/sites/2/2022/09/sidleyLogo-e1643922598198.pngFrancesca Blythe2026-05-05 12:35:302026-05-05 12:38:34Preparing for the UK’s New Data Protection Complaints Regime: Key Steps Before June 2026
The U.S. Securities and Exchange Commission has issued amendments to Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, which became effective on August 2, 2024 (the Final Amendments). For smaller entities, including registered investment advisers with less than $1.5 billion in assets under management, as well as certain broker-dealers and other SEC-regulated entities, the compliance deadline is June 3, 2026. The compliance deadline for larger entities was December 3, 2025. For a full list of entities required to comply, please see June 4, 2024 Sidley Update.
On 12 March 2026, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) issued a Joint Opinion (the “Joint Opinion”) on the proposed European Biotech Act I (the “Biotech Act”). The Joint Opinion broadly supports the EU’s ambition to strengthen its biotechnology sector. However, it emphasises that data protection safeguards must be tightened, particularly where health data is involved. The recommendations signal forthcoming scrutiny during the legislative process and highlight key compliance considerations for organisations involved in clinical trials.
https://datamatters.sidley.com/wp-content/uploads/sites/2/2022/09/sidleyLogo-e1643922598198.png00Francesca Blythehttps://datamatters.sidley.com/wp-content/uploads/sites/2/2022/09/sidleyLogo-e1643922598198.pngFrancesca Blythe2026-04-29 11:47:182026-04-29 11:47:18European Biotech Act I: Navigating the EDPB/EDPS Vision for the Future of Clinical Trials
On April 13, 2026, the staff of the Division of Trading and Markets (Staff) of the U.S. Securities and Exchange Commission (SEC or the Commission) issued a statement (Statement) that it would not object to certain technology providers — referred to as “Covered User Interface Providers” — creating, offering, and/or operating software interfaces that allow users to prepare and submit transactions in crypto asset securities without registering as broker-dealers.
The Financial Conduct Authority (FCA) has published Policy Statement PS26/2 together with final guidance in FG26/3 and FG26/4. The Prudential Regulation Authority (PRA) has also published PS7/26 alongside Supervisory Statement SS1/26 and an update to SS2/21. PS26/2 and PS7/26 introduce a new UK framework for reporting serious operational incidents and material third-party arrangements. The framework was developed by the FCA, PRA, and the Bank of England and is intended to give the regulators better visibility of operational disruption and third-party dependencies and to support a more data-driven supervisory approach.
https://datamatters.sidley.com/wp-content/uploads/sites/2/2022/09/sidleyLogo-e1643922598198.png00Leonard Nghttps://datamatters.sidley.com/wp-content/uploads/sites/2/2022/09/sidleyLogo-e1643922598198.pngLeonard Ng2026-04-16 09:03:322026-04-15 17:14:06UK Operational Incident and Third-Party Reporting Rules: What Firms Should Do Now
The Chambers Global Practice Guide for Cybersecurity 2026 has been published. The guide provides the latest legal information on cybersecurity law and regulation, including in relation to critical infrastructure, financial sector operation resilience, cyber-resilience, and ICT certification. The guide also covers the intersection of cybersecurity with data protection law, developments in AI and healthcare regulation.
https://datamatters.sidley.com/wp-content/uploads/sites/2/2025/05/MN-24013-Data-Matters-Blog-Imagery-Refresh_A-20.jpg606833William RM Longhttps://datamatters.sidley.com/wp-content/uploads/sites/2/2022/09/sidleyLogo-e1643922598198.pngWilliam RM Long2026-04-15 13:30:572026-04-15 13:30:57Chambers 2026 Global Practice Guide for Cybersecurity
The National Association of Insurance Commissioners (NAIC) held its Spring 2026 National Meeting (Spring Meeting) March 22–25, 2026. This blog post summarizes the highlights from this meeting in addition to interim meetings held in lieu of taking place during the Spring Meeting. Highlights include progress on addressing regulatory concerns related to indexed annuity illustrations, establishment of a new working group on market conduct modernization, exposure of a risk-based capital (RBC) adjustment framework for collateral loans, a Securities Valuation Office (SVO) report on resource strain caused by increased Private Letter Rating filings, multiple revisions to statements of statutory accounting principles (including guidance on sale-leasebacks, repurchase agreements and residential mortgage loans held in statutory trusts, and proposed disclosures for funding agreement-backed financing programs), and updates on the pilot phase of the AI Systems Evaluation Tool.
https://datamatters.sidley.com/wp-content/uploads/sites/2/2022/09/sidleyLogo-e1643922598198.png00Andrew R. Hollandhttps://datamatters.sidley.com/wp-content/uploads/sites/2/2022/09/sidleyLogo-e1643922598198.pngAndrew R. Holland2026-04-14 11:01:052026-04-14 11:06:19Regulatory Update: National Association of Insurance Commissioners Spring 2026 National Meeting
On March 31, 2026, the Office of the United States Trade Representative (“USTR”) furnished its annual National Trade Estimate Report, which identifies foreign trade barriers affecting U.S. companies, including several developments relating to India’s digital regulatory frameworks. The Report arrives at a time when India is assuming an increasingly central role in the global strategies of U.S. companies, reflecting sustained growth in its digital economy, a rapidly expanding middle class, and deeper U.S.-India trade engagement. At the same time, India’s regulatory framework governing digital platforms, data, and content is evolving in ways that are increasingly consequential for companies operating in the market. The Report highlights several of these developments, including content moderation requirements, data governance measures affecting cross-border flows, and ongoing concerns regarding intellectual property protection.
https://datamatters.sidley.com/wp-content/uploads/sites/2/2025/05/MN-24013-Data-Matters-Blog-Imagery-Refresh_B_4.jpg606833David Lashwayhttps://datamatters.sidley.com/wp-content/uploads/sites/2/2022/09/sidleyLogo-e1643922598198.pngDavid Lashway2026-04-13 12:12:592026-04-13 12:12:59India’s Digital Regulation in Focus: Implications of the 2026 United States Trade Representative Report for American Companies
Preparing for the UK’s New Data Protection Complaints Regime: Key Steps Before June 2026
The Data (Use and Access) Act 2025 (“DUAA”) has made a number of changes to the UK’s data protection regime, many of which have already come into force. From 19 June 2026, organisations will need to implement or update their data protection complaints procedure to align with the new DUAA requirements which provide a mechanism for complaints made directly to a controller. This new requirement is supported by recent guidance from the UK Information Commissioner’s Office (“ICO”). This marks a shift towards a more formalised, controller-led complaints-handling framework, requiring organisations to treat certain expressions of dissatisfaction as regulated complaints with defined procedural obligations.
Francesca Blythe
London
fblythe@sidley.com
William RM Long
London
wlong@sidley.com
Eleanor Dodding
London
edodding@sidley.com
U.S. SEC Regulation S-P: Compliance Deadline Approaching for Smaller Entities
The U.S. Securities and Exchange Commission has issued amendments to Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, which became effective on August 2, 2024 (the Final Amendments). For smaller entities, including registered investment advisers with less than $1.5 billion in assets under management, as well as certain broker-dealers and other SEC-regulated entities, the compliance deadline is June 3, 2026. The compliance deadline for larger entities was December 3, 2025. For a full list of entities required to comply, please see June 4, 2024 Sidley Update.
(more…)
Ranah Esmaili
Washington, D.C., New York
resmaili@sidley.com
Jonathan M. Wilan
Washington, D.C.
jwilan@sidley.com
Victoria A. Anglin
Los Angeles
vanglin@sidley.com
European Biotech Act I: Navigating the EDPB/EDPS Vision for the Future of Clinical Trials
On 12 March 2026, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) issued a Joint Opinion (the “Joint Opinion”) on the proposed European Biotech Act I (the “Biotech Act”). The Joint Opinion broadly supports the EU’s ambition to strengthen its biotechnology sector. However, it emphasises that data protection safeguards must be tightened, particularly where health data is involved. The recommendations signal forthcoming scrutiny during the legislative process and highlight key compliance considerations for organisations involved in clinical trials.
(more…)
Francesca Blythe
London
fblythe@sidley.com
Josefine Sommer
Brussels
jsommer@sidley.com
U.S. SEC Clears Path for Decentralized Crypto Asset Security Trading With Broker Registration Exception for User Interfaces
On April 13, 2026, the staff of the Division of Trading and Markets (Staff) of the U.S. Securities and Exchange Commission (SEC or the Commission) issued a statement (Statement) that it would not object to certain technology providers — referred to as “Covered User Interface Providers” — creating, offering, and/or operating software interfaces that allow users to prepare and submit transactions in crypto asset securities without registering as broker-dealers.
(more…)
Lilya Tessler
Dallas, Miami
ltessler@sidley.com
Andrew P. Blake
Washington, D.C.
ablake@sidley.com
Kate Lashley
Miami, New York
klashley@sidley.com
Andrew J. Sioson
Washington, D.C.
asioson@sidley.com
Charles A. Sommers
Washington, D.C.
csommers@sidley.com
Nicole K. Chipi
Miami
nchipi@sidley.com
Alec J. Silvester
Miami
asilvester@sidley.com
UK Operational Incident and Third-Party Reporting Rules: What Firms Should Do Now
The Financial Conduct Authority (FCA) has published Policy Statement PS26/2 together with final guidance in FG26/3 and FG26/4. The Prudential Regulation Authority (PRA) has also published PS7/26 alongside Supervisory Statement SS1/26 and an update to SS2/21. PS26/2 and PS7/26 introduce a new UK framework for reporting serious operational incidents and material third-party arrangements. The framework was developed by the FCA, PRA, and the Bank of England and is intended to give the regulators better visibility of operational disruption and third-party dependencies and to support a more data-driven supervisory approach.
(more…)
Leonard Ng
London, Singapore
lng@sidley.com
James Phythian-Adams
London
jphythianadams@sidley.com
Francesca Blythe
London
fblythe@sidley.com
Eleanor Dodding
London
edodding@sidley.com
Arjun Lakhani
London
arjun.lakhani@sidley.com
Andrea M. Hynes
London
ahynes@sidley.com
Qalid Mohamed
London
qmohamed@sidley.com
Julie Rodriguez
London
julie.rodriguez@sidley.com
Chambers 2026 Global Practice Guide for Cybersecurity
The Chambers Global Practice Guide for Cybersecurity 2026 has been published. The guide provides the latest legal information on cybersecurity law and regulation, including in relation to critical infrastructure, financial sector operation resilience, cyber-resilience, and ICT certification. The guide also covers the intersection of cybersecurity with data protection law, developments in AI and healthcare regulation.
(more…)
William RM Long
London
wlong@sidley.com
Francesca Blythe
London
fblythe@sidley.com
Eleanor Dodding
London
edodding@sidley.com
Matthias Bruynseraede
London
mbruynseraede@sidley.com
Regulatory Update: National Association of Insurance Commissioners Spring 2026 National Meeting
The National Association of Insurance Commissioners (NAIC) held its Spring 2026 National Meeting (Spring Meeting) March 22–25, 2026. This blog post summarizes the highlights from this meeting in addition to interim meetings held in lieu of taking place during the Spring Meeting. Highlights include progress on addressing regulatory concerns related to indexed annuity illustrations, establishment of a new working group on market conduct modernization, exposure of a risk-based capital (RBC) adjustment framework for collateral loans, a Securities Valuation Office (SVO) report on resource strain caused by increased Private Letter Rating filings, multiple revisions to statements of statutory accounting principles (including guidance on sale-leasebacks, repurchase agreements and residential mortgage loans held in statutory trusts, and proposed disclosures for funding agreement-backed financing programs), and updates on the pilot phase of the AI Systems Evaluation Tool.
(more…)
Andrew R. Holland
New York
aholland@sidley.com
Stephanie H. Dobecki
Chicago
sdobecki@sidley.com
Sara N. Africano
Chicago
safricano@sidley.com
Ellen M. Dunn
New York
edunn@sidley.com
Michael L. Rosenfield
Los Angeles
mrosenfield@sidley.com
Jacob A. Grossman
Chicago
jgrossman@sidley.com
Lucas J. Grisham
Chicago
lgrisham@sidley.com
Ian Schmidt
Chicago
ian.schmidt@sidley.com
India’s Digital Regulation in Focus: Implications of the 2026 United States Trade Representative Report for American Companies
On March 31, 2026, the Office of the United States Trade Representative (“USTR”) furnished its annual National Trade Estimate Report, which identifies foreign trade barriers affecting U.S. companies, including several developments relating to India’s digital regulatory frameworks. The Report arrives at a time when India is assuming an increasingly central role in the global strategies of U.S. companies, reflecting sustained growth in its digital economy, a rapidly expanding middle class, and deeper U.S.-India trade engagement. At the same time, India’s regulatory framework governing digital platforms, data, and content is evolving in ways that are increasingly consequential for companies operating in the market. The Report highlights several of these developments, including content moderation requirements, data governance measures affecting cross-border flows, and ongoing concerns regarding intellectual property protection.
(more…)
David Lashway
Washington D.C.
dlashway@sidley.com
Michael C. Hochman
Washington, D.C.
michael.hochman@sidley.com
Ash Nagdev
Palo Alto
anagdev@sidley.com
Ben Cross
Chicago
bcross@sidley.com
Upcoming Events
Resources