UK Operational Incident and Third-Party Reporting Rules: What Firms Should Do Now
The Financial Conduct Authority (FCA) has published Policy Statement PS26/2 together with final guidance in FG26/3 and FG26/4. The Prudential Regulation Authority (PRA) has also published PS7/26 alongside Supervisory Statement SS1/26 and an update to SS2/21. PS26/2 and PS7/26 introduce a new UK framework for reporting serious operational incidents and material third-party arrangements. The framework was developed by the FCA, PRA, and the Bank of England and is intended to give the regulators better visibility of operational disruption and third-party dependencies and to support a more data-driven supervisory approach.

Geopolitics and Cybersecurity: Japan and the UK Announce Strategic Cyber Partnership Among Growing Global Focus on Privacy and Cyber Risks Posed by Foreign Actors
On January 31, 2026, the governments of Japan and the United Kingdom announced they were strengthening their cybersecurity collaboration through a bilateral Strategic Cyber Partnership (Partnership).
UK Data Privacy and Cybersecurity Outlook for 2026: What Financial Services Firms Need To Know
Last year saw many developments across the international data privacy and cybersecurity landscape, and this momentum shows no sign of slowing.
EU Court of Justice Issues Landmark Judgment on Concept of “Personal Data”
On 4 September 2025, the EU Court of Justice (the “CJEU”) issued a landmark ruling in SRB v. EDPS confirming that pseudonymous data is not automatically personal data in all cases (the “SRB Case”). Instead, the key question is whether the controller can realistically re-identify the individual. This judgment is expected to have a significant impact on instances where effective technical and/or organisational measures prevent re-identification by the controller. Importantly, although the ruling arose under EU Regulation 2019/1725 – i.e., the EU data protection law applicable to EU Institutions (such as the Commission) – the CJEU confirmed that the same interpretation applies under the General Data Protection Regulation (the “GDPR”).

EU Consults on Digital Fairness Act: Big Changes Ahead for Consumer-Facing Platforms
The European Commission (Commission) has launched a public consultation on a proposed new law — the Digital Fairness Act (DFA) — aimed at strengthening consumer protection in digital markets. The goal is to fill perceived regulatory “gaps” left by recent EU digital regulations, including the Digital Services Act (DSA) and Digital Markets Act (DMA).

Financial Entities in the EU: Time to Register Your ICT Third-Party Service Providers under DORA
The European Union’s (“EU”) Digital Operational Resilience Act (“DORA”) became effective on 17 January 2025. Since then, financial entities (such as banks, insurance companies and investment firms) and their ICT third-party service providers operating in the EU have been – directly or indirectly – subject to the new regime. One of the first key DORA compliance deadlines, for financial entities to register their ICT service providers with competent EU Member State authorities, is coming into effect across most of the member states this month.
EU Commission Publishes AI Continent Action Plan and Seeks Input
On April 9, 2025, the European Commission adopted a communication on the so-called AI Continent Action Plan – its strategy to shape the next phase of AI development in Europe, with consultation to follow. The Commission’s declared objective is to transform the EU into a global leader in AI by fostering innovation, ensuring trustworthy AI, and enhancing competitiveness while safeguarding democratic values and cultural diversity. Keep monitoring Data Matters for more on the Commission’s consultation, when available.

New UK Consumer Rules Herald Stricter Enforcement and Significant Fines
Consumer protection is rising to the top of the regulatory agenda worldwide. The UK consumer protection regime is undergoing a major shift: The Competition and Markets Authority (CMA) now has powerful new tools under the Digital Markets, Competition, and Consumers Act (DMCCA) (see our Sidley Update here), including the ability to directly enforce consumer law and fine companies up to 10% of global annual turnover for serious infringements.
Chambers 2025 Global Practice Guide for Cybersecurity
The newest editions of the Chambers Global Practice Guides have been published. Sidley lawyers have contributed to: Cybersecurity 2025.
EIOPA Publishes Consultation on Opinion on AI Governance and Risk Management
On February 12, 2025, the European Insurance and Occupational Pensions Authority (“EIOPA”) published a consultation on its draft opinion on artificial intelligence (“AI”) governance and risk management (the “Opinion”).

