-
Software – How are proprietary rights in software and associated materials protected?
The main form of protection for software is through copyright, which applies to the software code (whether source code or any compiled version), any algorithms, graphics, video and audio recordings, and any documents, specifications, user manuals and other materials associated with it. Copyright arises automatically in the UK on creation of an original work, and there is no need to register this. Copyright generally protects against copying – there is no protection against independent creation of similar software or materials, where actual copying is not reasonably evident.
The functional aspects of any software application are not generally protectable in the UK unless it can be shown that software with similar functionality came about as a result of copying of any code, specification or design materials.
Software code “as such” is not patentable in the UK, but a software-related invention might be patentable depending on the context, i.e. where the contribution made by the software-related invention has a technical effect (such as where software is used to drive equipment, or improve performance of a computing system).
The “look and feel” of any software application may be protected by registered design in the UK, which can be a quick and cost-effective way to protect unique aspects of the user interface.
Software is often exploited in such a way that the source code and design materials are not disclosed to any licensee or user of the software. To the extent source code and design materials are kept confidential and reasonable steps have been taken to prevent disclosure to third parties, the laws of confidence and/or trade secrets will allow the software owner to protect and enforce their rights in that confidential information.
-
Software – In the event that software is developed by a software developer, consultant or other party for a customer, who will own the resulting proprietary rights in the newly created software in the absence of any agreed contractual position?
The first owner of copyright is the author or creator of the copyright work. Where a software developer, consultant or contractor creates software for a customer, then the software developer, consultant or contractor will own the copyright in the software code and in any documents, specifications, graphics or other materials in the software.
The same is true for any invention or concept which may give software its technical effect. Rights to any invention will remain with the software developer, consultant or contractor, who will be entitled to apply for patent protection. If it is intended that the customer owns all rights in software, it is, therefore, important to ensure that such rights, including in any inventions, concepts or ideas, and any software code, documentation or materials, are assigned to the customer under a written agreement which is signed by the software developer, consultant or contractor.
The position becomes more complex where, for example, a software developer uses its own proprietary code, templates or specifications to build software for its customer for efficiency and to control costs. The software developer is unlikely to agree to assign its own proprietary materials to the customer, in which case the customer should seek an assignment of any software and materials created specifically for it, together with a non-exclusive, perpetual licence to use the software developer’s own proprietary software and materials insofar as is necessary for the use and exploitation of the newly created software.
-
Software – Are there any specific laws that govern the harm / liability caused by Software / computer systems?
Liability for harm caused by software and computer systems is governed predominantly by contract law or the law of negligence. Where a business provides software to a consumer, Chapter 3 of the Consumer Rights Act 2015 sets out various implied contractual terms that govern such supply of software, including that it is of satisfactory quality, fit for purpose and as described; Chapter 3 also provides remedies if those statutory rights are not adhered to.
Whilst the new Data Use and Access Act 2025 does not directly regulate software defects or performance failures, it does introduce new obligations and liabilities where software processes personal data in ways that affect individuals’ rights or expectations.
-
Software – To the extent not covered by (3) above, are there any specific laws that govern the use (or misuse) of software / computer systems?
The Computer Misuse Act 1990 criminalises access to computer systems and data that has not been authorised by the systems’ owner(s).
-
Software Transactions (Licence and SaaS) – Other than as identified elsewhere in this overview, are there any technology-specific laws that govern the provision of software between a software vendor and customer, including any laws that govern the use of cloud technology?
Generally speaking, there are no technology-specific laws that govern the provision of software between a software vendor and customer, and no specific laws that govern the use of cloud technology.
Where the customer is a regulated financial services firm (hereafter referred to as a “regulated firm”), however, certain rules and guidance may apply, depending on factors such as: the vendor’s role in practice, what the regulated firm’s activities are, and the impact that the service may have on those regulated activities.
In general, the rules and guidance issued by the Financial Conduct Authority (“FCA”) and the Prudential Regulation Authority (“PRA”) are intended to be technology-neutral. The rules and guidance are not, therefore, “technology-specific”, but apply in situations where the services provided are supported by technology, including cloud services.
Specific rules and guidance apply in two circumstances: (1) outsourcing, and (2) activities which may affect a regulated firm’s operational resilience (i.e. the ability of the firm and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions (these could include disruptions caused by the failure of technology on which the regulated firm depends)). In such circumstances, one or more of the following may be relevant:
- The FCA’s rules and guidance in Chapter 8 of the Senior Management Arrangements, Systems and Controls handbook (“SYSC”) within the FCA Handbook. SYSC 8.1 applies to outsourcing, meaning it can apply to SaaS. Depending on what activities the regulated firm carries out, SYSC 8 applies either as guidance or as rules.
- The FCA’s Finalised Guidance FG16/5 for firms outsourcing to the cloud and other third-party IT services.
- The European Banking Authority (“EBA”) Guidelines on Outsourcing Arrangements dated 25 February 2019 (EBA/GL/2019/02). The FCA and the PRA expect firms to continue to comply with the Guidelines, to the extent they remain relevant post-Brexit.
- The PRA’s Supervisory Statement of March 2021 (SS2/21) on Outsourcing and Third Party Risk Management. Although directed to PRA-regulated firms such as banks, building societies, PRA-designated investment firms, insurance and reinsurance firms, the PRA’s drafting was reviewed by the FCA and the FCA’s approach aligns with the PRA’s. The Supervisory Statement is a useful tool in understanding how the EBA Guidelines are likely to be interpreted and applied by UK regulators.
- The FCA’s rules and guidance relating to operational resilience, in SYSC. The main rules appear in SYSC 15A.
- The rules and guidance in the Operational Resilience sections of the PRA Rulebook. This is supplemented by PRA guidance in its Supervisory Statement of March 2022 (SS1/21) on Impact Tolerances for Important Business Services.
In some instances, a regulated firm may have to consider the impact of technology on its activities even where the provision of services does not amount to outsourcing, or is not considered relevant to the regulated firm’s operational resilience. For example, the PRA’s SS2/21 also discusses third party arrangements which do not involve outsourcing. Moreover, where a regulated firm is subject to the FCA’s Consumer Duty, it will have to consider the impact of the services it receives from third parties on its ability to comply with the Consumer Principle and deliver good outcomes for retail customers.
In addition, sector-specific conduct rules may affect the services the regulated firm receives. For example, if a regulated mortgage lender uses a technology platform to support the provision of documentation to applicants and potential borrowers, it will have to ensure that the documentation produced complies with requirements set out in the Mortgages and Home Finance: Conduct of Business sourcebook. Similarly, a consumer credit lender who outsources tracing of debtors or debt recovery activity must take account of the rules on data accuracy and outsourced activities in the Consumer Credit sourcebook.
In short, where the service recipient is a regulated firm then, depending on the services and the impact of those services on the firm’s activities, a complex variety of rules and guidance could apply. Regulated firms should seek specialist guidance in this area, as there is no one-size-fits-all roadmap or solution for determining how to comply with the requirements.
Cloud service providers should be especially conscious of the extraterritorial effect of certain EU laws, including Regulation (EU) 2023/2854 (EU Data Act), which contains provisions designed to avoid customers becoming “locked in” to vendors’ cloud services. From 12 September 2025, certain provisions become directly applicable that will require cloud providers to support their customers in switching service providers in certain scenarios, and to reflect these terms into their customer contracts.
The EU Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) became effective on 17 January 2025. It applies to EU-based financial institutions, and obliges institutions to ensure that their arrangements with information and communication technology (ICT) service providers are robust and support the institutions’ digital operational resilience. The measures involve pre-contractual diligence; ongoing supervision and monitoring; business continuity planning; incident response and management; and resilience testing (including threat-led penetration testing). DORA also prescribes contractual provisions which must be included in agreements with ICT service providers.
As DORA applies to financial institutions, most TMT firms will not be directly subject to DORA themselves. However, TMT firms providing ICT services to EU financial institutions will feel the effect of DORA in their contracts with those institutions, even if the TMT firms are based outside the EU. Moreover, ICT providers who are designated by the European Supervisory Authorities as being “critical ICT third-party service providers” (also known as “Critical Third-Party Providers” or “CTPPs”) will be subject to direct supervision under DORA. This means, for example, that a CTPP based outside the EU must establish a subsidiary within the EU within 12 months of being designated a CTPP, so that the EU authorities can exercise adequate oversight and enforcement.
-
Software Transactions (Licence and SaaS) – Is it typical for a software vendor to cap its maximum financial liability to a customer in a software transaction? If ‘yes’, what would be considered a market standard level of cap?
It is typical for a software vendor to cap its maximum financial liability to a customer in a software transaction, although there may be certain areas of liability that are excluded from this cap (please see the response to Question 7 for further information on these excluded areas of liability).
There is no market standard level of cap in the UK, as a liability cap will depend on a range of factors unique to each transaction, including the respective negotiating positions of the customer and software vendor. That said, it is not unusual for the level of cap to range between 100% and 150% of the annualised or total value of the contract.
-
Software Transactions (Licence and SaaS) – Please comment on whether any of the following areas of liability would typically be excluded from any financial cap on the software vendor’s liability to the customer or subject to a separate enhanced cap in a negotiated software transaction (i.e. unlimited liability): (a) confidentiality breaches; (b) data protection breaches; (c) data security breaches (including loss of data); (d) IPR infringement claims; (e) breaches of applicable law; (f) regulatory fines; (g) wilful or deliberate breaches.
- Confidentiality breaches – No typical position – deal specific. A customer will generally push for this area of liability to be excluded from any financial cap, whereas a software vendor will typically resist this position and will require confidentiality breaches to either be subject to the general cap on liability or to a separate enhanced cap.
- Data protection breaches – Same position as for confidentiality breaches (covered at (a)).
- Data security breaches (including loss of data) – Same position as for confidentiality breaches (covered at (a)).
- IPR infringement claims – In the absence of unique deal-specific reasons, this area of liability is typically excluded from any financial cap (usually linked to an IPR infringement indemnity).
- Breaches of applicable law – Same position as for confidentiality breaches (covered at (a)); although it is not uncommon for breaches, specifically of the Bribery Act 2010 and/or Modern Slavery Act 2015, by the software vendor to be excluded from any financial caps.
- Regulatory fines – Same position as for confidentiality breaches (covered at (a)).
- Wilful or deliberate breaches – In the absence of unique deal-specific reasons, this area of liability is typically excluded from any financial cap. Please note, however, that although English case law aids interpretation, there is no single, settled legal definition of what constitutes a “wilful or deliberate breach”, so the customer and software vendor may wish to consider including an agreed definition of these terms within the contract.
-
Software Transactions (Licence and SaaS) – Is it normal practice for software source codes to be held in escrow for the benefit of the software licensee? If so, who are the typical escrow providers used? Is an equivalent service offered for cloud-based software?
It is not uncommon for source codes to be held in escrow for the benefit of the software licensee, particularly where the software is either bespoke (and the software licensor has retained ownership of IP in the software) or performs critical operations for the software licensee.
Although less common, escrow providers now offer escrow services for cloud-based software as well as for traditional “on premise” software. Options available for cloud may include access continuity for single-tenanted environments, where access credentials and documentation may be deposited in escrow to allow the licensee continued access to the cloud environment in the event of a software vendor failure. Where the cloud environment is a “one to many” unrestricted cloud environment, the escrow provider may hold a separately hosted, mirrored instance of the cloud production environment (including source codes, deployment scripts and databases) to allow temporary continuity in the environment if the software vendor no longer supports the original service environment. Due to the complexity involved, there may be cost implications for this kind of escrow arrangement.
Commonly used escrow providers in the UK include Escrow London, Iron Mountain, LE&AS, NCC Group, and SES.
-
Software Transactions (Licence and SaaS) – Are there any export controls that apply to software transactions?
The UK controls the export of software used in the military and of “dual use” software that can be adapted for military use. The UK government website lists items that are restricted by category. Anyone looking to export restricted items will require an export licence. It is a criminal offence to breach the export regulations. Businesses looking to export less obvious “dual use” items (in particular) should check the “consolidated list of strategic military and dual-use items that require export authorisation” on the government website (which can change from time to time), or seek legal advice.
Complex issues arise when dealing with the export of software to certain jurisdictions, especially Iran, Syria, China, and Russia, in respect of sanctions rather than export controls. Sanctions can be applied against individuals, activities, states and organisations and can vary in nature from being asset freezes, to bans on dealing, to bans on providing financial support and banking facilities. Anyone looking to export to a country where sanctions apply should consult the relevant regulations. Several jurisdictions besides the UK (including the US and EU) have their own sanctions lists and export controls which may vary from those in the UK.
Many global businesses with trade or employees in certain jurisdictions (e.g. China) have ‘Overseas IT Policies’ which may restrict the taking and use of work and personal mobile devices, laptops, etc in foreign territories.
-
IT Outsourcing – Other than as identified elsewhere in this questionnaire, are there any specific technology laws that govern IT outsourcing transactions?
There are no specific laws governing IT outsourcing in the UK.
-
IT Outsourcing – Please summarise the principal laws (present or impending), if any, that protect individual staff in the event that the service they perform is transferred to a third party IT outsource provider, including a brief explanation of the general purpose of those laws.
The Transfer of Undertakings (Protection of Employment) Regulations 2006 (“TUPE”) provide the following significant protection for employees in an IT outsourcing situation:
- TUPE’s primary purpose is to automatically transfer the employment of individual staff from their current employer to a third party IT outsource provider on the same date that the service they perform is transferred to the third party IT outsourcing provider.
- The starting point under TUPE is that the individual employees transfer to the third party IT outsourcing provider on the same terms and conditions of employment (the name of their employer will change and they will also join or have the option of joining the pension scheme offered by the third party IT provider).
- The transfer of employment takes place automatically by operation of law and is not something that parties can choose to ignore.
- TUPE provides enhanced protection to employees in outsourcing situations as the dismissal of an employee with at least 2 years’ continuous service where the sole or principal reason for the dismissal is the transfer itself is automatically unfair. The third party IT outsourcing provider must be able to show the dismissal was for an economic, technical or organisational reason that entailed a change in the workforce to avoid an automatic unfair dismissal finding, and even then, the dismissed employee can still challenge the fairness of their dismissal under general unfair dismissal law.
- The third party IT outsourcing provider is prevented from changing the terms and conditions of employees that transfer to it under TUPE if the sole or principal reason for the change is the transfer itself. The third party IT outsourcing provider must be able to show that any changes are made for an economic, technical or organisational reason entailing changes in the workforce or that the employment contract permits the change in question.
- TUPE requires the current employer to inform the employees about the proposed transfer and to consult with appropriate representatives of the employees if the third party IT outsourcing provider proposes to take any measures/make changes to their employment terms after the transfer. The penalty for failing to comply with this obligation is a protective award of up to 13 weeks’ uncapped pay to each affected employee.
-
Telecommunications – Please summarise the principal laws (present or impending), if any, that govern telecommunications networks and/or services, including a brief explanation of the general purpose of those laws.
The primary legislation governing the UK telecommunications sector is the Communications Act 2003, as supplemented by the Wireless Telegraphy Act 2006.
The Communications Act 2003 established Ofcom as the independent regulatory body responsible for overseeing the telecommunications industry in the UK, and set out Ofcom’s duties. Together with the Wireless Telegraphy Act 2006, the Act gives Ofcom broad regulatory powers, including the ability to grant general authorisations and licences, enforce compliance, and impose penalties. The framework aims to protect consumers, promote competition, and ensure efficient use of spectrum and infrastructure.
Further laws that supplement the governance of the telecommunications sector in the UK include:
(1) The European Electronic Communications Code (“EECC”), which was transposed into UK law in late 2020. The EECC looks to improve service quality by making investment in infrastructures more attractive to companies, and to protect consumers by placing price limits on international calls, providing affordable services, and promoting better security;
(2) The Telecommunications (Security) Act 2021 (the “TSA”), which enhances the resilience of UK public telecoms networks and services against cyber threats and other security risks. The TSA imposes security duties directly on telecoms providers and gives Ofcom powers to monitor and enforce compliance.
The TSA is supported by the Electronic Communications (Security Measures) Regulations 2022, which set out specific technical and organisational measures that public telecoms providers must implement to comply with the Act. These measures include controls on access management, monitoring of network activity, risk assessments, and the need for ongoing reviews of security arrangements.
The requirements of the TSA and the Regulations are codified in the Telecommunications Security Code of Practice (the “TSA Code”), a statutory code issued by the Secretary of State under section 105E of the Communications Act 2003. The TSA Code provides guidance on meeting the duties imposed under the TSA, including requirements for asset management, supply chain security, and incident response. Ofcom enforces compliance with the TSA and related regulations, with powers to issue information requests, enforcement directions, and financial penalties for non-compliance.
(3) The Open Internet Access (EU Regulation) Regulations 2016 (SI 2016/607), also known as the “Net Neutrality Regulations”, which are derived from retained EU law, specifically the Open Internet Access (EU Regulation) 2015/2120, continue to apply post-Brexit. The Net Neutrality Regulations require Internet Service Providers (ISPs) to treat all traffic equally, prohibiting practices such as blocking, throttling, or prioritisation of specific content or services, except in limited circumstances (e.g., traffic management, compliance with legal orders, or security).
(4) The Product Security and Telecommunications Infrastructure Act 2022 (“PSTI”) introduces two key regimes relevant to the telecommunications sector. First, it amends the EECC to improve operators’ rights of access to land, particularly for upgrading or sharing apparatus, with the aim of facilitating faster deployment of gigabit-capable broadband and 5G infrastructure. Second, PSTI establishes a cybersecurity regime for “connectable products”, which includes telecoms-related consumer equipment such as customer premises equipment (CPE) (e.g., routers, modems, and smart hubs). Under PSTI, manufacturers, importers, and distributors of such products must ensure that any in-scope connectable products which they make available to UK consumers conform to established baseline cybersecurity requirements.
(5) The Online Safety Act 2023 was given Royal Assent on 26 October 2023 and aims to protect the public online. The Act obliges technology companies to be more responsible for users’ safety online including duties to implement processes and systems to reduce the overall risks that can occur. Additionally, the Act provides more control for users as to the content that users wish to see online and finding the best ways to report issues when they arise. Ofcom has been provided with extra enforcement powers such as the ability to fine companies up to £18 million or 10% of qualifying worldwide revenue (whichever is greater) and to take criminal action against senior managers who fail to ensure compliance;
(6) The UK General Data Protection Regulation, which sets out how organisations must collect, store, and use individuals’ data (see also Question 18); and
(7) The Privacy and Electronic Communications Regulations, which impose sector-specific obligations on providers of public electronic communications services. Notable provisions relevant to telecommunications include:
- Regulation 7: restrictions on the processing and storage of traffic data, which may only be retained where necessary for transmission, billing, or marketing with consent.
- Regulation 8: requirements for the protection and erasure of location data when it is not traffic data.
- Regulation 9: duties to protect subscriber data, including confidentiality of communications and directory listings.
Finally, Ofcom plays a central role in administering, interpreting, and enforcing telecommunications law in the UK. Ofcom issues detailed guidance documents, codes of practice, and consultations that shape compliance across the sector. This guidance is also supplemented through contributions from other quasi-bodies, such as the Office of the Telecommunications Adjudicator (OTA2), which facilitates process standardisation and switching arrangements between providers, particularly in the context of regulated access products (e.g., wholesale line rental).
-
Telecommunications – Please summarise any licensing or authorisation requirements applicable to the provision or receipt of telecommunications services in your country. Please include a brief overview of the relevant licensing or authorisation regime in your response.
In the UK, providers of public electronic communications networks (PECNs) or public electronic communications services (PECSs) operate under a general authorisation regime administered by Ofcom, in accordance with the Communications Act 2003. Under that regime, in-scope providers must ensure that their services are provided in accordance with Ofcom’s General Conditions of Entitlement. The General Conditions set out legally binding rules on areas such as consumer protection, network integrity, numbering, switching, access and interconnection, and emergency services.
In essence, the UK regime does not operate on a pre-authorisation basis, and no individual licence is required to provide such services, provided that the provider complies with the General Conditions of Entitlement. The General Conditions apply automatically to all providers falling within scope and are enforced by Ofcom under its statutory powers.
Outside Ofcom’s general licensing regime, the operation of Commercial Multi‑User Gateways (COMUGs) is subject to authorisation and requires a licence from Ofcom. Similarly, formal licensing is also required for certain satellite communications, including the licensing of earth stations (ground segment) and spectrum access.
-
Telecommunications – Please summarise the principal laws (present or impending) that govern access to communications data by law enforcement agencies, government bodies, and related organisations. In your response, please outline the scope of these laws, including the types of data that can typically be requested, how these laws are applied in practice (e.g., whether requests are confidential, subject to challenge, etc.), and any legal or procedural safeguards that apply.
Access to communications data by UK law enforcement agencies and public authorities is principally governed by the Investigatory Powers Act 2016 (“IPA”), which replaced the majority of the UK’s prior lawful intercept regime, established under the Regulation of Investigatory Powers Act 2000 (“RIPA”).
RIPA, however, remains valid law and still applies to certain lower-level surveillance activities, including directed surveillance (e.g., covert monitoring of individuals in public places).
Under the IPA, a range of authorised public bodies may request access to communications data, including law enforcement agencies (e.g., police forces, the National Crime Agency), intelligence agencies, and certain regulators, including the UK’s tax authority (HMRC), the Financial Conduct Authority, and the Home Office.
The types of data typically accessible include:
- Communications data: Metadata such as the time, duration, origin, and destination of a communication (but not its content).
- Internet connection records (ICRs): A record of internet services a device connects to, retained by service providers under the IPA.
- Subscriber information: Data identifying the user of a service (e.g., name, billing address, IP address).
- Intercepted content: The actual content of communications (calls, emails, messages), subject to stricter controls and typically reserved for intelligence or national security cases.
In addition to responding to lawfully served IPA warrants, UK telecommunications providers are also mandated under the IPA to maintain ICRs for up to 12 months.
The powers available to enforcement agencies under the IPA are broadly summarised as follows:
- Targeted interception: Used to obtain the content of communications for a specific individual or premises.
- Bulk interception and equipment interference: Involves the interception of large volumes of communication without necessarily targeting specific individuals at the point of collection.
- Technical Capability Notices (TCNs) and Technical Assistance Notices (TANs): Compel providers to build or maintain the ability to facilitate lawful interception or data access, often involving encryption or system-level access.
From a procedural and oversight perspective, the investigatory powers regime includes several legal and procedural safeguards. Firstly, the IPA operates a dual-authorisation regime for many surveillance powers, which requires both Secretary of State and judicial approval (known as the “double-lock”).
In addition, the Investigatory Powers Commissioner (IPC) provides independent judicial oversight of the use of powers under both IPA and residual RIPA provisions, with the Investigatory Powers Tribunal (IPT) hearing complaints from individuals and organisations who believe they have been subject to unlawful surveillance.
For those powers deemed the most invasive, namely bulk interception, TCNs, and TANs, the double-lock applies in such a way that such warrants may only be served with Secretary of State and Judicial Commissioner approval.
Finally, while responding to a lawfully served IPA warrant is a legal obligation, communications providers do have a duty to ascertain the validity and, in some cases, the proportionality of a warrant and may challenge its validity via judicial review.
-
Mobile communications and connected technologies – What are the principal standard setting organisations (SSOs) governing the development of technical standards in relation to mobile communications and newer connected technologies such as digital health or connected and autonomous vehicles?
For companies or individuals in the UK implementing wireless communication technologies or keen to participate in the development of the relevant standards, there are several key standard development organisations (“SDOs”) to consider:
- The European Telecommunications Standards Institute (“ETSI”) supports the development, ratification and testing of standards for ICT-enabled systems, applications and services, including 4G and 5G mobile communications, and is global in its reach.
- The International Telecommunication Union (“ITU”), whose Telecommunication Standardization Sector (ITU-T) defines standards for ICT networks and devices including the Optical Transport Network and advanced broadband access technologies such as Fibre to the Home and G.fast. In collaboration with IEC and ISO, ITU is also responsible for developing standards for video coding, with video accounting for the majority of all Internet traffic.
- The Institute of Electrical and Electronics Engineers (“IEEE”) Standards Association develops global standards in a broad range of technologies including computer networking standards for both wired and wireless networks.
These SDOs are also developing new standards specifically for the Internet of Things, digital health, and connected vehicles. For example, there is a working group within IEEE for wireless speciality networks such as wireless personal area networks, Bluetooth, Internet of Things networks, body area networks and wearables. Meanwhile, ETSI developed new standards for connectivity within vehicles.
Other organisations have developed new standards for particular connected technologies that implementers in the UK should also be aware of. For example, the Society of Automotive Engineers’ Standard J2735 covers standardised messages to facilitate emergency braking. Work to develop and outline requirements for sixth-generation wireless communication technology (6G) standards is underway, with such technology expected to reach the deployment stage around 2030. 6G is expected to play a critical role in enabling and supporting the ecosystem of emerging connected technologies.
-
Mobile communications and connected technologies – How do technical standards facilitating interoperability between connected devices impact the development of connected technologies?
Technical standards which facilitate interoperability between connected devices mean that parties developing connected technologies which utilise a technology such as 5G or Bluetooth will need to consider patents which have been declared “essential” to those technologies – so-called standard essential patents (“SEPs”).
Any member of a standard development organisation (“SDO”) such as ETSI is required to declare any patent which it owns which is essential or potentially essential to one or more of the SDO’s technical standards. A patent will generally be ‘essential’ either if the claimed invention of the patent must be used to comply with the standard or if commercially and practically it is the only way to comply.
If a patented technology becomes part of a technical standard and it is mandatory to implement the feature, the resulting SEP will be infringed by anyone implementing a solution which complies with the standardised technology.
Balancing the patent holder’s monopoly rights against the need to ensure technologies can be implemented and prevent ‘hold up’ by a patent owner, the members of an SDO such as ETSI, in declaring their patent as standard essential, undertake to grant a licence to the SEP to any ‘willing licensee’ on ‘fair, reasonable and non-discriminatory’ (“FRAND”) terms.
Implementers of services or manufacturers of devices in the UK which use wireless connectivity technologies therefore need a licence to those patents declared essential to the relevant standard and which they must necessarily implement to comply with the standard.
Such licensing may be negotiated with patent holders individually, as has been the model for the mobile phone industry, or through patent pools where those are available, for example in the automotive industry or for IoT.
The UK Intellectual Property Office is currently consulting on proposed changes to the SEP regime. The consultation, open until October 2025, aims to increase transparency in relation to licensing costs and patent ‘essentiality’, as well as improve the efficiency of the dispute resolution process whilst ensuring that the UK remains the forum of choice for SEP-related disputes.
-
Data Protection – Please summarise the principal laws (present or impending), if any, that govern data protection, including a brief explanation of the general purpose of those laws.
PRESENT
Principal laws and brief descriptions:
UK General Data Protection Regulation (“UK GDPR”)
The UK retains in modified form the General Data Protection Regulation (2016/679) (“EU GDPR”). The key principles, rights and obligations of the UK GDPR remain largely the same as the EU GDPR, which enhances individuals’ data protection and privacy rights and aims to ensure that personal data is handled responsibly by organisations and in accordance with fundamental privacy principles. The UK GDPR also applies to controllers and processors based outside the UK if their processing activities relate to:
- offering goods or services to individuals in the UK; or
- monitoring the behaviour of individuals taking place in the UK.
The UK has the independence to keep this framework under review, and has now passed an amendment law, the Data (Use and Access) Act 2025 (the DUAA), which contains changes introducing substantive divergence from the EU GDPR. This will enter into effect in phases from June 2025 to around June 2026. The UK GDPR sits alongside the Data Protection Act 2018 (“DPA 2018”).
The EU GDPR has extraterritorial effect and will apply to UK-based controllers and processors who:
- are processing personal data in the context of activities of the controller or processor’s establishment in the EU; or
- offer goods or services to data subjects in the EU, or who monitor the behaviour of data subjects in the EU.
There are also implications for UK controllers who have an establishment in the EEA, have customers in the EEA, or monitor individuals in the EEA. The EU GDPR still applies to this processing.
DPA 2018
The DPA 2018 initially set out permitted derogations and supplementary provisions to the EU GDPR, repealing and replacing the Data Protection Act 1998. The DPA now sits alongside and supplements the UK GDPR (for example, it provides the exemptions from the UK GDPR). It will also be subject to change under the DUAA as it comes into effect over the next year or so.
Law Enforcement Directive EU 2016/680 (“LED”)
Part 3 of the DPA 2018 brought the LED into UK law. This complements the UK GDPR and sets out requirements for processing personal data by law enforcement authorities. The DUAA will make changes to the regime, implemented through changes to the DPA 2018.
The Data Protection (Charges and Information) Regulations 2018
The Data Protection (Charges and Information) Regulations 2018 require every UK controller that processes personal information to pay a data protection fee to the ICO unless all the processing of personal data by the data controller is exempt processing. The information provided to the ICO is published on a register. These regulations determine the fees an organisation will need to pay in relation to data protection charges. There are three different tiers of fee and controllers are expected to pay between £52 and £3,763.
Freedom of Information Act 2000 (“FOIA”)
FOIA provides public access to information held by public authorities. It does this in two ways:
- public authorities are obliged to publish certain information about their activities; and
- members of the public are entitled to request information from public authorities.
FOIA covers any recorded information that is held by a public authority in England, Wales and Northern Ireland, and by UK-wide public authorities based in Scotland. Information held by Scottish public authorities is covered by Scotland’s own Freedom of Information (Scotland) Act 2002.
Privacy and Electronic Communications Regulations 2003 (“PECR”)
PECR are derived from European law. PECR implement European Directive 2002/58/EC, also known as ‘the e-privacy Directive’, which complements the general data protection regime and sets out more specific privacy rights on electronic communications. PECR cover:
- marketing by electronic means, including marketing calls, texts, emails and faxes;
- the use of cookies or similar technologies that track information about people accessing a website or other electronic service;
- security of public electronic communications services;
- privacy of customers using communications networks or services as regards traffic and location data, itemised billing, line identification services (e.g. caller ID and call return), and directory listings.
The DUAA contains important changes to the PECR which will affect the requirements to consent to placement of tracking technologies including cookies. The EU has now abandoned plans to reform the current e-privacy law with a new e-privacy Regulation.
Environmental Information Regulations 2004 (“EIR”)
The EIR provide public access to environmental information held by public authorities. They do this in two ways:
- public authorities must make environmental information available proactively; and
- members of the public are entitled to request environmental information from public authorities.
The EIR cover any recorded information held by public authorities in England, Wales and Northern Ireland. Environmental information held by Scottish public authorities is covered by the Environmental Information (Scotland) Regulations 2004.
Network and Information Systems Regulations 2018 (“NIS Regulations”)
The NIS Regulations intend to address the threats posed to network and information systems and therefore aim to improve the functioning of the digital economy. NIS Regulations concern ‘network and information systems’ and their security. These are any systems that process ‘digital data’ for operation, use, protection and maintenance purposes. NIS Regulations require these systems to have sufficient security to prevent any action that compromises either the data they store, or any related services they provide. They are based on a Directive which has recently been updated in the EU and is widely known as “NIS 2”. The UK government is currently drafting new legislation, the Cyber Security and Resilience Bill, to implement parallel changes in the UK (see below).
Investigatory Powers Act 2016 (“IPA”)
The IPA provides a framework to govern the use and oversight of investigatory powers by law enforcement and the security and intelligence agencies. The IPA sets out the lawful acquisition of communications data which is the “who, where, when, how and with whom” of a communication but not the content (i.e. what was said). The IPA builds on, and supersedes parts of, the Regulation of Investigatory Powers Act 2000 (“RIPA”). There are limited exceptions to the prohibitions in the Investigatory Powers (Interception by Businesses etc. for Monitoring and Record-keeping Purposes) Regulations 2018 (SI 2018/356). The Act was amended by the Investigatory Powers (Amendment) Act 2024 to widen government access to publicly available data and to communications data from telecoms companies for intelligence purposes.
Re-use of Public Sector Information Regulations 2015 (“RPSI”)
RPSI relates to public sector information produced as part of a public task. Under regulation 3 public sector bodies have to publish a list of the main information they hold for the purpose of a public task. RPSI does not apply to information that would be exempt from disclosure under information access legislation (such as the DPA 2018 and FOIA).
Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market (“eIDAS”)
The UK eIDAS Regulations set out rules for UK trust services and establish a legal framework for electronic signatures, seals, time stamps, documents, registered delivery services and certificate services for website authentication, and also recognise equivalent services in the EU. Electronic trust services can be used in a number of ways to provide security for electronic documents, communications and transactions, e.g. to help ensure that documents sent electronically have not been altered in any way and that the sender can be easily recognised. Electronic trust services allow for such security properties to be applied and then validated and thus help ensure confidence in the electronic transfer of information.
The DUAA introduces a new framework for the establishment of Digital Verification Services by which individuals can verify their identity securely in connection with the provision of online services.
The Product Security and Telecommunications Infrastructure Act 2022 (“PSTI”)
The PSTI Act and the Regulations made under it (the PSTI (Security Requirements for Relevant Connectable Products) Regulations 2023) institute a UK consumer connectable product security regime. The product compliance regime outlines security requirements for manufacturers of in-scope “smart” devices, such as internet-connected baby monitors, domestic appliances and smartphones. Current requirements concern default passwords, product information and product support periods. The full regime commenced on 29 April 2024.
Online Safety Act 2023 (“OSA”)
The OSA became law on 26 October 2023, but key parts are being implemented in phases through secondary legislation and Ofcom codes of practice. It is expected to govern 100,000 organisations of all sizes, including in the areas of social media, search engines and online advertising. Guidelines have been issued that impose relevant obligations on online service providers. Some other measures are currently in force – such as the requirement for organisations to update their terms of service to reflect users’ rights to bring breach of contract claims.
One key aim is to protect children by making organisations like social media platforms:
- Remove illegal content quickly or prevent it from appearing in the first place. This includes removing categories of content like that promoting self-harm or bullying or hateful content;
- Prevent children from accessing harmful and age-inappropriate content;
- Enforce age limits and age-checking measures;
- Ensure the risks and dangers posed to children are more transparent, including, for large organisations, by publishing risk assessments; and
- Provide parents and children with clear and accessible ways to report problems online when they do arise.
The duties depend on factors such as the size of the online service.
Services will also need to:
- Remove illegal content;
- Remove content that is banned by their own terms and conditions; and
- Empower adult internet users, for example with tools so that they can tailor the type of content they see.
Ofcom has powers to take action against non-compliant organisations. Fines will be up to £18 million or 10 percent of annual global turnover, whichever is greater. Senior managers can face imprisonment under a host of new cyber offences, and Ofcom may also pursue service cessation orders.
Digital Markets, Competition and Consumers Act (“DMCCA”)
This introduces a competition regime for the largest and most powerful digital platforms, including a mandatory code of conduct and merger control. It gives the Competition and Markets Authority (CMA) the power to designate undertakings with a link to the UK, and turnover of £1bn in the UK or £25bn globally, as having strategic market status (SMS) in respect of a digital activity and to impose conduct requirements on designated undertakings. Following investigation, the CMA will be able to intervene through pro-competition interventions (PCIs) where it considers that activities of a designated undertaking are having an adverse effect on competition.
The Act also introduces a duty for designated undertakings to report certain mergers and to produce compliance reports. The CMA will be granted investigatory and enforcement powers. The first SMS designations are expected from mid-2025.
IMPENDING (as of June 2025)
Principal law and brief description:
Cyber Security and Resilience Bill
UK implementation of reforms in the EU Network and Information Security 2 Directive. It is likely to contain new requirements on IT providers to meet minimum standards, register and notify breaches. No draft is yet available but the government has indicated that it will bring into scope more digital services and supply chains; strengthen regulator powers; and mandate increased reporting including of ransomware attacks.
-
Data Protection – What is the maximum sanction that can be imposed by a regulator in the event of a breach of any applicable data protection laws?
Law(s) and sanctions:
UK GDPR and DPA 2018
The ICO can impose two tiers of fines:
- A maximum fine of £17.5 million or 4 per cent of annual global turnover – whichever is greater – including for infringement of any of the data protection principles, rights of individuals or rules concerning restricted data transfers.
- A maximum fine of £8.7 million or 2 per cent of annual global turnover – whichever is greater – for infringement of other provisions, such as administrative requirements of the legislation.
The Data (Use and Access) Act (DUAA) will make changes to the constitution of the newly formed Information Commission, and increase its enforcement powers.
EU GDPR
The enforcement action that data protection regulators in EU Member States can take is generally similar to actions the ICO can take in the UK, i.e.:
- A maximum fine of €20 million or 4 per cent of annual global turnover – whichever is greater.
- A maximum fine of €10 million or 2 per cent of annual global turnover – whichever is greater.
LED
In the UK, ICO fines for law enforcement authorities are subject to the same financial limits as under UK GDPR. In European member states, maximum fines are determined by member state law.
The Data Protection (Charges and Information) Regulations 2018
A fine of up to £4,350 (150% of the top tier fee) can be imposed by the ICO for failure to pay the data protection fee.
FOIA
The ICO does not have the power to fine a public authority under FOIA. However, failure to comply with an ICO enforcement notice may lead to prosecution and a fine of up to £5,000 in the magistrates’ court and an unlimited fine in the Crown Court.
PECR
The ICO can impose a fine of up to £500,000 for breach of the PECR. Under the DUAA, the maximum penalty is due to be increased to levels under the UK GDPR, i.e. up to the greater of £17.5 million or 4 per cent of annual global turnover.
EIR
As under FOIA, the ICO has no direct power to fine. However, a controller who breaches the EIR and has been served with an enforcement notice can be prosecuted for failing to comply with a notice. This offence carries a maximum penalty of a £5,000 fine in the magistrates’ court and an unlimited fine in the Crown Court.
NIS Regulations
The NIS Regulations set out a sliding scale of maximum financial penalties which can be imposed by the ICO:
- £1 million – for any contravention that the ICO determines was not ‘a material contravention’;
- £8.5 million – for a ‘material contravention which the ICO determines does not and could not have created a significant risk to, or significant impact on, or in relation to, the service provision by the OES* or RDSP*’;
- £17 million – for a ‘material contravention which the ICO determines has or could have created a significant risk to, or significant impact on, or in relation to, the service provision by the OES or RDSP’.
*An OES is an ‘operator of essential services’, and an RDSP is a ‘relevant digital service provider’.
IPA
Imprisonment for a term not exceeding 2 years, a fine, or both.
eIDAS
The ICO can take action for breaches of eIDAS, including by imposing fines of up to £1,000.
In addition, the DPA 2018 includes provisions for criminal offences related to data protection, including:
- unlawful obtaining, disclosing, or selling of personal data. It is a criminal offence to intentionally or recklessly obtain, disclose, or sell personal data without lawful authority. This offence can be punishable by a fine or imprisonment.
- re-identification of de-identified personal data. Re-identifying previously de-identified personal data without lawful authority is a criminal offence, subject to fines or imprisonment.
- alteration of personal data to prevent disclosure. Knowingly altering, defacing, blocking, erasing, or destroying personal data with the intention of preventing its disclosure is an offence under the DPA 2018.
Offences committed by a person in an organisation
The DPA 2018 introduces the concept of “offences by bodies corporate.” This means that if an offence under the DPA 2018 is committed by an organisation, such as a company, partnership, or government body, the organisation can be held criminally liable. This includes offences related to data protection principles, appointment of a data protection officer, etc. Criminal penalties in the DPA 2018 apply to processing under the LED by competent law enforcement authorities.
-
Data Protection – Do technology contracts in your country typically refer to external data protection regimes, e.g. EU GDPR or CCPA, even where the contract has no clear international element?
In relation to the EU GDPR, yes, especially as a result of the extraterritorial effect of the EU GDPR.
References to other third country data protection laws (such as the CCPA) are not typically included in contracts, unless they are directly applicable to the processing carried out as part of the services provided under the contract.
-
Cybersecurity – Please summarise the principal laws (present or impending), if any, that govern cybersecurity (to the extent they differ from those governing data protection), including a brief explanation of the general purpose of those laws.
Cybersecurity obligations specific to UK telecommunications providers exist across multiple frameworks which sit alongside general data protection obligations under the UK GDPR and the Data Protection Act 2018.
Firstly, the Communications Act 2003 (as amended by the Telecommunications (Security) Act 2021 (“TSA”)) requires providers of public electronic communications networks and services to take appropriate and proportionate measures to identify and reduce the risks of security compromises, and to ensure service availability and resilience. Where an incident occurs that adversely affects the network or service, and meets certain materiality thresholds (e.g. risks to public safety or service continuity), the provider must notify Ofcom “as soon as reasonably practicable.” Recent amendments introduced by the TSA have expanded this notification duty to include relevant “security compromises” (e.g., critical vulnerabilities) that may impact a network or service (see s. 105K, CA 2003).
Separately, the Network and Information Systems Regulations 2018 (“NIS Regulations”) apply to operators of essential services, including certain digital infrastructure providers such as domain name system (DNS) service providers, internet exchange points, and top-level domain name registries. These entities must implement “appropriate and proportionate” security measures to protect their network and information systems, and must notify the relevant competent authority (in the case of telecommunications providers, Ofcom) of any incident having a significant impact on the continuity of essential services.
Finally, the TSA significantly expands the scope of telecoms-specific cybersecurity duties. It imposes a layered regime of general and specific obligations, including requirements for network and supply chain risk assessments, internal security governance, access control, vulnerability patching, and incident response planning. These requirements are supplemented in the Electronic Communications (Security Measures) Regulations 2022 and collectively codified in the Telecommunications Security Code (the “Code”). The Code represents a significant overhaul of cybersecurity and operational resiliency requirements for the UK’s telecommunications sector, and Ofcom is currently in the process of compelling each in-scope entity to provide submissions relating to the steps it is taking to bring its cybersecurity governance and operational resiliency in line with the Code’s requirements.
-
Cybersecurity – What is the maximum sanction that can be imposed by a regulator in the event of a breach of any applicable cybersecurity laws?
Under the Communications Act, Ofcom has powers to investigate non-compliance and impose civil penalties of up to £10 million, or, in the case of continuing contraventions, £100,000 for each day the breach continues. Ofcom may also elect to sanction under its General Conditions of Entitlement, which provide for fines of up to 10% of a provider’s turnover.
The NIS Regulations allow for administrative fines of up to £17 million, depending on the severity and impact of the breach.
Under the TSA, Ofcom is empowered to audit compliance, request information, and enforce through penalties of up to 10% of relevant turnover, or £100,000 per day for continuing contraventions.
From an enforcement perspective, Ofcom is considered an active enforcer of UK laws and regulations and has a strong track record of imposing sanctions and fines for non-compliance. For example, in 2021, BT was fined £17.5 million for failures in managing its emergency call handling infrastructure, following a network failure that resulted in over 190,000 calls to 999 not being connected. Ofcom found BT in breach of its obligations to ensure network availability and integrity under the General Conditions.
-
Artificial Intelligence – Which body(ies), if any, is/are responsible for the regulation of artificial intelligence?
As of June 2025, there is no single body responsible for the regulation of artificial intelligence (AI) in the UK. The Artificial Intelligence (Regulation) Bill, a private member’s bill, was introduced into the House of Lords in 2025 and proposes to create a formal AI authority. The bill is still under consideration and has not yet become law.
The AI Policy Directorate, which sits within the Department for Science, Innovation & Technology, issues papers and guidance on the UK approach to AI regulation, but is not responsible for regulation. Instead, the Government will rely on existing regulators to manage AI development and deployment within their sector, to ensure (through existing powers) that AI is used safely and ethically. The Department for Science, Innovation & Technology issued Initial Guidance for Regulators in February 2024, which mentioned several key regulators who have already issued guidance on AI, including:
- The Advertising Standards Agency, which has issued guidance confirming that existing regulation on how advertisements are made applies to advertisements using AI;
- The Competition and Markets Authority, which has issued guidance detailing how end users need to be informed of the limitations of AI foundational models to maintain an environment of healthy competition;
- The Information Commissioner’s Office, which has issued best practice guidance on data protection-compliant AI, and is engaging with the Government on further proposals for regulatory reform that will support the Government’s pro-innovation approach to AI regulation;
- The Financial Conduct Authority, which in April 2024 issued a response to the Government’s AI White Paper, outlining its strategy for promoting the safe and responsible use of AI in UK financial markets; and
- The Medicines and Healthcare products Regulatory Agency, which has published guidance on how AI systems can be used in healthcare and medical devices.
Certain other organisations in the UK are also working to develop standards and best practices for the use of AI, including the Alan Turing Institute. Such organisations may play an advisory role in future regulation of AI in the UK.
-
Artificial Intelligence – Please summarise the principal laws (present or impending), if any, that govern the deployment and use of artificial intelligence, including a brief explanation of the general purpose of those laws.
As of June 2025, there are no laws dealing directly with artificial intelligence in the UK comparable with, for example, the EU’s AI Act. Instead, the principal laws governing the deployment and use of AI are existing laws relating to issues such as data protection, equality and discrimination, intellectual property ownership and unfair competition, as well as certain sector-specific guidelines issued by existing regulators, as discussed in Question 21.
It seems likely that new laws and regulations such as the proposed Artificial Intelligence (Regulation) Bill, or modifications to existing laws and regulations, will be promulgated as the regulation of AI develops and evolves.
-
Artificial Intelligence – Are there any specific legal provisions (present or impending) in respect of the deployment and use of Large Language Models and/or generative AI (including agentic AI)?
As of June 2025, there are no laws dealing directly with the deployment and use of Large Language Models and/or generative AI. The proposed Artificial Intelligence (Regulation) Bill, however, specifically addresses LLMs and Frontier AI. It does so in its definition of high-risk AI systems and through the introduction of mandatory pre-deployment testing and registration requirements.
The Department for Science, Innovation & Technology’s recent White Papers have made extensive reference to Large Language Models (LLMs), and “Frontier AI”. Following the 2024 UK general election, the government has adopted an arguably more structured and proactive regulatory approach. In July 2024, the Labour government indicated it would establish legislation applicable to those developing the most powerful AI models. This is yet to be introduced, however, and the 2025 AI Opportunities Action Plan suggests that the focus will remain on fostering a regulatory environment that is pro-innovation and investment.
-
Artificial Intelligence – Do technology contracts in your jurisdiction typically contain either mandatory (e.g. mandated by statute) or recommended provisions dealing with AI risk? If so, what issues or risks need to be addressed or considered in such provisions?
Although template clauses to address AI risk are emerging, they are not yet established. Issues or risks to consider when approaching such provisions include: broader intellectual property licensing and ownership; whether the AI will be consumer-facing; whether there is a sector-specific regulatory angle; whether emerging regulatory frameworks (potentially including overseas regulation with extraterritorial application such as the EU AI Act) apply; and what rights or prohibitions apply to the information that can be input into or used in conjunction with the relevant generative AI platform.
-
Artificial Intelligence – Do software or technology contracts in your jurisdiction typically contain provisions regarding the application or treatment of copyright or other intellectual property rights, or the ownership of outputs in the context of the use of AI systems?
Given AI is now widely adopted and integrated within software applications, it is becoming more common to see contractual provisions around ownership and access to rights in the outputs of AI.
The outcome of various case law and legislative changes is expected to have a strong bearing on standards or best practice within contracts going forward. Arguments raised in the high-profile case of Getty vs Stability AI may influence reforms on how AI models are trained and used, which may impact the ownership or use of generated output, notwithstanding that the complaint of primary copyright infringement was dropped during the trial for jurisdictional reasons. A consultation by the UK government, which is ongoing as at June 2025, is expected to form the UK’s legal framework for use of copyright materials in an AI context, and this is also expected to influence best practice.
For the time being it remains good practice when contracting for AI systems, particularly ones which create outputs which may be subject to further commercial exploitation by either party, be useful in training, or be shared or published externally, to carefully consider the rights in and ownership of any materials generated through AI.
-
Blockchain – What are the principal laws (present or impending), if any, that govern (i) blockchain specifically (if any) and (ii) digital assets, including a brief explanation of the general purpose of those laws?
The regulatory regime covering digital assets in the UK (including tokens, cryptocurrencies, NFTs and new forms of organisational structures (e.g. Decentralised Autonomous Organisations (“DAOs”))) is different to the EU’s Markets in Crypto Assets (“MiCA”) Regulation. MiCA treats “crypto assets” as an entirely new asset-class. In contrast, the UK’s approach has been to treat certain digital assets as within scope of the existing rules and others outside its perimeter.
The Financial Services and Markets Act 2023 (and statutory instruments promulgated under it) will bring some digital assets within the perimeter in 2025, with others to follow later. To offer products and services in those assets inside the existing regulatory perimeter, a firm would need to be authorised and regulated in the usual way.
The perimeter of current rules is blurred to an extent: it is possible that some firms which offer products and services outside the scope of traditional regulation still operate their business in a way which requires them to become authorised and regulated under, for example, Payment Services Regulation or the Electronic Money rules, or registered with the FCA for money laundering purposes (sometimes known as a VASP registration). HM Treasury published the draft Financial Services and Markets Act 2000 (Regulated Activities and Miscellaneous Provisions) (Cryptoassets) Order 2025 in April 2025, in which the UK is bringing cryptoassets into the FSMA securities law framework rather than having a lighter touch framework. The detail is deferred to FCA handbooks rather than set out in the statute itself, and the drafting is not as dense as MiCA. The main points are:
- Territorial reach expands. Non-UK firms serving UK retail clients will need UK permissions. The overseas persons exemption will apply only to certain B2B relationships.
- Six new regulated activities introduced. New regulated activities include running crypto trading platforms, custody services, dealing, and arranging cryptoasset transactions with bespoke definitions tailored to crypto markets.
- Sterling stablecoins treated like securities. UK-issued fiat-backed stablecoins will be regulated as if they were securities, which will require prospectus-style disclosure, prudential backing, and redemption governance.
- Fast Implementation. Firms can begin applying from late 2025. The regime may go live as early as Q2 2026. Those not authorised by the deadline must wind down or exit the UK retail market.
The FCA has focused its efforts on publishing information for consumers about the risks of dealing with digital assets and with unauthorised firms (e.g. those based outside the UK).
The Bank of England is in the final stages of launching a new “Digital FMI Sandbox”. This will permit firms which want to provide depository services for digital assets (other than unbacked spot cryptocurrencies) to do so within a ring-fenced regulatory environment. This environment will permit firms to conduct (some) business while the regulatory authorities determine what rules (a) need to be changed to permit that business to be conducted outside the Sandbox and (b) will be deemed not to apply to the firms while they are in the Sandbox. This project requires input from HM Treasury, the Bank of England, the PRA and the FCA.
A notable absentee from any current proposal is an update to the market abuse rules to cover digital assets specifically. In March 2024, the FCA announced that its strategy included amending the market abuse regime to include manipulation on and abuse of digital assets markets. This is likely to go hand-in-hand with bringing digital assets within the regulatory perimeter.
-
Search Engines and Marketplaces – Please summarise the principal laws (present or impending), if any, that govern search engines and marketplaces, including a brief explanation of the general purpose of those laws.
Search Engines and Marketplaces:
Electronic Commerce (EC Directive) Regulations 2002, as amended by the Electronic Commerce (Amendment etc.) (EU Exit) Regulations 2019 following Brexit (E-Commerce Regulations): The E-Commerce Regulations apply to virtually every commercial website, including search engines and marketplaces which are considered “information society services”. The E-Commerce Regulations place specific obligations on search engine and marketplace operators, including requirements to provide users with mandatory information and to ensure the platform includes certain prescribed features and functions.
Platform to Business Regulations (Retained Regulation (EU) 2019/1150 on promoting fairness and transparency for business users of online intermediation services (also known as the UK Platform-to-business Regulation or UK P2B Regulation) as amended by the Online Intermediation Services for Business Users (Amendment) (EU Exit) Regulations 2020, SI 2020/796 (P2B Regulations)): The P2B Regulations regulate the relationship between online intermediation services (such as search engines and marketplaces) and the business users that use them to sell products or services. The P2B Regulations seek to ensure that the platforms operated by these types of intermediaries deal with their business users fairly and in a transparent manner. The rules ban certain unfair practices, such as changing online terms and conditions without cause, and mandate transparency over the ranking of search results.
Online Safety Act 2023 (OSA): The OSA is now in force and being implemented in phases. It imposes statutory duties on any services, such as search engines and marketplaces, that: allow users to generate, upload or share content; enable users to search other websites or databases; or that publish or display pornographic content. Affected services are required to mitigate the risk of illegal and harmful content appearing on their platforms and must now: remove illegal content; safeguard children from harmful content; update their terms of service to reflect users’ rights; conduct and publish risk assessments; and provide user-friendly reporting mechanisms. With key deadlines already having passed – including the illegal content risk assessment (due on 16 March 2025) and the children’s access assessment (due on 16 April 2025) – platforms must prioritise transparency, user protection, and proactive moderation as further deadlines approach and full implementation is expected in 2026.
Advertising Standards: The Advertising Standards Authority (ASA) and the UK Code of Non-broadcast Advertising and Direct & Promotional Marketing (CAP Code) continue to set the standard for responsible advertising in the UK, requiring all advertising communications to be legal, decent, honest, and truthful.
Under the Digital Markets, Competition and Consumers Act 2024 (DMCC) – and as further clarified by recently published guidance from the CMA – these expectations now carry significantly greater legal force. The DMCC also gives regulators enhanced enforcement powers, allowing direct action against unfair commercial practices such as misleading advertising.
Data Protection Law: Search engines or marketplaces that process personal data of users must comply with all applicable laws and regulations in the UK relating to privacy and the processing of personal data, including the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003) (as amended).
Website Accessibility: Search engines and marketplaces that offer certain in-scope digital products or services to EU consumers need to comply with the European Accessibility Act (Directive (EU) 2019/882), which came into force on 28 June 2025 and signals a shift towards mandatory digital accessibility for businesses operating online. While standards differ across jurisdictions, compliance with WCAG 2.1 AA standards is generally the best way to ensure compliance. Affected organisations must audit and update their digital platforms, embed accessibility into procurement and development workflows, and train their teams to ensure compliance. Failure to act risks reputational damage, regulatory fines, and exclusion from key markets.
Marketplace Platforms ONLY:
Consumer Protection Laws (including the Consumer Rights Act 2015 (CRA), Consumer Contracts Regulations 2013 (CCRs) and the DMCC):
Fairness and transparency: Marketplaces accessed by consumers must comply with the requirements set out in the CRA, including ensuring any consumer terms and notices comply with the requirements of fairness and transparency (this may include website terms of use, acceptable use policies or, where the platform provider sells directly to the consumer, sales terms and conditions). This means consumer terms and notices must be clear, understandable, and not create a significant imbalance to the detriment of the consumer.
Disclosing company details: Marketplaces, as with other UK businesses, must also clearly display key company details – such as their registered company name, registered company number, place of registration, and contact information – on their websites, in their terms and conditions, and in other consumer-facing materials. This is a requirement under company law, the E-Commerce Regulations, the CCRs, and is further reinforced by the DMCC.
Unfair commercial practices: The DMCC replaces the Consumer Protection from Unfair Trading Regulations 2008 (CPUT) and sets out a number of prohibited practices that are either automatically considered unfair (including the prohibition on fake reviews and the omission of information that must be contained in an invitation to purchase) or practices that may be unfair if they impact consumer decisions. These rules apply during the whole lifetime of a consumer-to-trader transaction (i.e. advertising, marketing, entry into the contract, performance, and enforcement). The changes largely mirror the prohibited practices previously set out under CPUT, but the DMCC introduces notable additions – including, without limitation, a statutory ban on certain unfair commercial practices and new, specific protections against the omission of material information in invitations to purchase.
When a marketplace is acting as a trader (when they are the contractual seller of goods to consumers), rather than an intermediary, then they are also subject to the following:
The CCRs: Under the CCRs, marketplaces must provide prescribed pre-contract information, offer a 14-day cooling-off period where applicable, avoid hidden charges or pre-ticked boxes, and ensure clear and accessible terms throughout the customer journey.
Disclosing Alternative Dispute Resolution (ADR) providers: Under The Alternative Dispute Resolution for Consumer Disputes (Competent Authorities and Information) Regulations 2015 (SI 2015/542), as amended by The Alternative Dispute Resolution for Consumer Disputes (Amendment) Regulations 2015 (SI 2015/1392), businesses that sell directly to consumers – including marketplaces when acting as traders – must inform consumers about certified ADR schemes when required by law, trade association or where disputes cannot be resolved internally. This includes naming an approved ADR provider and linking to the provider’s website in a durable format (e.g. email or T&Cs).
Please note, to the extent that search engines offer for sale paid-for services, subscriptions, or digital content (i.e. premium features, etc.), they may also have to comply with the above requirements.
Price Marking Order: The Price Marking Order 2004 (PMO), updated in 2024 and now delayed, coming into full effect in 2026, applies to marketplaces when they act as a trader. The PMO requires UK businesses to display prices clearly, legibly, and with standardised unit pricing – such as per kilogram or per litre – where applicable. This is designed to help consumers make fair comparisons and to ensure traders avoid using misleading pricing tactics. Practically, this means businesses must audit and update all pricing displays across physical stores and digital platforms and ensure that unit prices are visible and accurate at the point of sale. E-commerce templates, shelf labels, and promotional materials will need to be revised, and staff may require training to ensure compliance. With the DMCC reinforcing enforcement powers around pricing transparency, non-compliance could lead to regulatory scrutiny and reputational risk.
-
Social Media – Please summarise the principal laws (present or impending), if any, that govern social media and online platforms, including a brief explanation of the general purpose of those laws?
Part A: Social Media and Online Platforms:
The term “online platform” has been broadly interpreted here to cover a wide range of digital services – including online stores, marketplaces, comparison tools, content-sharing platforms, app stores, and even some social media services. The relevance and application of the requirements below may vary depending on the nature and function of the platform in question.
Online Safety Act 2023 (OSA): The OSA is being implemented in phases. It imposes statutory duties on any services, such as social media and online platforms, that: allow users to generate, upload or share content; enable users to search other websites or databases; or that publish or display pornographic content. Affected services are required to mitigate the risk of illegal and harmful content appearing on their platforms and must now: remove illegal content; safeguard children from harmful content (where children are likely or able to access the platform); update their terms of service to reflect users’ rights; conduct and publish risk assessments; and provide user-friendly reporting mechanisms. With key deadlines already having passed – including the illegal content risk assessment which was due on 16 March 2025 and the children’s access assessment which was due on 16 April 2025 – platforms must prioritise transparency, user protection, and proactive moderation as further deadlines approach and full implementation is expected in 2026.
Electronic Commerce (EC Directive) Regulations 2002 (amended through the Electronic Commerce (Amendment etc.) (EU Exit) Regulations 2019 following Brexit) (E-Commerce Regulations): The E-Commerce Regulations apply to virtually every commercial website including social media and online platforms (which are considered “hosting services”, since they typically host and display user generated content). The E-Commerce Regulations place specific obligations on social media and online platforms, including requirements to provide users with mandatory information and to ensure the platform includes certain prescribed features and functions.
Platform to Business Regulations (Retained Regulation (EU) 2019/1150 on promoting fairness and transparency for business users of online intermediation services (also known as the UK Platform-to-business Regulation or UK P2B Regulation) as amended by the Online Intermediation Services for Business Users (Amendment) (EU Exit) Regulations 2020, SI 2020/796 (P2B Regulations)): The focus of the P2B Regulations is to regulate the relationship between business users and online intermediation services (e.g. online platforms such as marketplaces, social media platforms etc). The P2B Regulations seek to ensure that the platforms operated by these types of intermediaries deal with their business users fairly and in a transparent manner. The rules ban certain unfair practices, such as changing online terms and conditions without good cause, and mandate transparency over the ranking of search results.
Advertising Standards: Social media and online platforms that display advertisements are responsible for ensuring those ads comply with applicable advertising standards and regulatory requirements. The Advertising Standards Authority (ASA) and the UK Code of Non-broadcast Advertising and Direct & Promotional Marketing (CAP Code) continue to set the standard for responsible advertising in the UK, requiring all advertising communications to be legal, decent, honest, and truthful.
With the introduction of the Digital Markets, Competition and Consumers Act 2024 (DMCC), however – and as further clarified by recently published guidance from the Competition and Markets Authority – these expectations now carry significantly greater legal force. The DMCC also gives regulators enhanced enforcement powers, allowing direct action against unfair commercial practices such as misleading advertising.
Data Protection Law: Social media and online platforms that process personal data of users must comply with all applicable laws and regulations in the UK relating to privacy and the processing of personal data, including the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003) (as amended).
Website Accessibility: Social media and online platforms that offer certain in-scope digital products or services to EU consumers will need to comply with the European Accessibility Act (Directive (EU) 2019/882) (EAA). The EAA came into force on 28 June 2025 and signals a shift toward mandatory digital accessibility for businesses operating online. While standards differ across jurisdictions, compliance with WCAG 2.1 AA standards is generally accepted as the best way to ensure compliance. Affected organisations must audit and update their digital platforms, embed accessibility into procurement and development workflows, and train their teams to ensure compliance. Failure to act risks reputational damage, regulatory fines, and exclusion from key markets.
The Statutory Code of Practice (Code): The Code for providers of online social media platforms was published in accordance with Section 103 of the Digital Economy Act 2017. The Code provides guidance for social media platforms. It sets out actions that the Government believes social media platforms should take to prevent bullying, insulting, intimidating and humiliating behaviours on their sites. The Code is directed at social media platforms but is also relevant to any sites hosting user-generated content and comments, including review websites, gaming platforms, online marketplaces and the like. The Code does not affect how illegal or unlawful content or conduct is dealt with.
Disclosing company details: Online platforms, as with other UK businesses, must also clearly display key company details – such as their registered name, registered company number, place of registration, and contact information – on their websites, in their terms and conditions, and in other consumer-facing materials. This is a requirement under company law, the E-Commerce Regulations, the CCRs, and is further reinforced by the DMCC.
Unfair commercial practices: The DMCC replaces the Consumer Protection from Unfair Trading Regulations 2008 (CPUT) and sets out prohibited practices that are either automatically considered unfair (including the prohibition on fake reviews and the omission of information that must be contained in an invitation to purchase) or practices that may be unfair if they impact consumer decisions. These rules apply during the whole lifetime of a consumer-to-trader transaction (i.e. advertising, marketing, entry into the contract, performance, and enforcement). The changes largely mirror the prohibited practices previously set out under CPUT, but introduce notable additions – including, without limitation, a statutory ban on certain unfair commercial practices and new, specific protections against the omission of material information in invitations to purchase. Whilst these unfair commercial practices provisions primarily apply to platforms that transact with consumers – such as marketplaces or service platforms – they may also extend to social media platforms where, for example, paid promotions are not clearly disclosed, or the platform hosts fake reviews.
Part B: Online Platforms ONLY:
Consumer Protection Laws (including the Consumer Rights Act 2015 (CRA), Consumer Contracts Regulations 2013 (CCRs) and the DMCC):
Fairness and transparency: Online platforms that are accessed by consumers must comply with the requirements set out in the CRA, including ensuring any consumer terms and notices comply with the requirements of fairness and transparency (this may, for example, include website terms of use, acceptable use policies or, where the platform provider sells directly to the consumer, sales terms and conditions). This means consumer terms and notices must be clear, understandable, and not create a significant imbalance to the detriment of the consumer.
When an online platform is acting as a trader (when they are the contractual seller of goods to consumers), rather than an intermediary, then they are also subject to the following:
The CCRs: Under the CCRs, online platforms must, for example, provide prescribed pre-contract information, offer a 14-day cooling-off period where applicable, avoid hidden charges or pre-ticked boxes, and ensure clear and accessible terms throughout the customer journey.
Disclosing Alternative Dispute Resolution (ADR) providers: Under The Alternative Dispute Resolution for Consumer Disputes (Competent Authorities and Information) Regulations 2015 (SI 2015/542), as amended by The Alternative Dispute Resolution for Consumer Disputes (Amendment) Regulations 2015 (SI 2015/1392), online platforms that sell directly to consumers must inform consumers about certified ADR schemes when required by law, trade association or where disputes cannot be resolved internally. This includes naming an approved ADR provider and linking to the provider’s website in a durable format (e.g. email or T&Cs).
To the extent that social media platforms sell to consumers, they also may need to adhere to the above requirements.
Price Marking: The Price Marking Order 2004 (PMO), updated in 2024 and now delayed, coming into full effect in 2026, applies to online platforms when they act as a trader. The PMO requires UK businesses to display prices clearly, legibly, and with standardised unit pricing – such as per kilogram or per litre – where applicable. This is designed to help consumers make fair comparisons and to ensure traders avoid using misleading pricing tactics. Practically, this means businesses must audit and update all pricing displays across physical stores and digital platforms and ensure that unit prices are visible and accurate at the point of sale. E-commerce templates, shelf labels, and promotional materials will need to be revised, and staff may require training to ensure compliance. With the DMCC reinforcing enforcement powers around pricing transparency, non-compliance could lead to regulatory scrutiny and reputational risk.
-
Social Media – What is the maximum sanction that can be imposed by a regulator in the event of a breach of any applicable online safety laws?
Under the Online Safety Act 2023, which came into full effect in 2025, the maximum sanction that can be imposed by the regulator Ofcom for breaches of applicable online safety laws includes:
- Fines of up to 10% of a company’s qualifying worldwide revenue; and
- In the most serious cases of non-compliance, Ofcom can apply to the courts to block access to the offending service within the UK.
These powers are part of Ofcom’s broader enforcement toolkit to ensure that online platforms comply with their legal duties to protect users – especially children – from illegal and harmful content.
Types of breaches that may trigger enforcement action include:
- Failure to protect users from illegal content
- Failure to protect children from harmful content
- Failure to implement effective systems and processes
-
Spatial Computing – Please summarise the principal laws (present or impending), if any, that govern spatial computing, including a brief explanation of the general purpose of those laws?
As of July 2025, the UK does not have a single, dedicated law governing spatial computing (which includes technologies such as augmented reality (AR), virtual reality (VR), mixed reality (MR), and digital twins). Several existing and emerging legal frameworks, however, apply to spatial computing systems depending on their use case, data handling, and interaction with physical and digital environments. The introduction of the Data (Use and Access) Act 2025 updated UK data protection law to address emerging technologies, including spatial computing, with key provisions to:
- regulate passive data collection;
- strengthen consent requirements for processing sensitive data in extended reality environments (including AR, VR, and MR); and
- introduce transparency obligations for AI-driven advertising and personalisation in spatial computing.
-
Quantum Computing – Please summarise the principal laws (present or impending), if any, that govern quantum computing and/or issues around quantum cryptography, including a brief explanation of the general purpose of those laws?
There are currently no standalone UK laws specifically governing quantum computing or quantum cryptography. However, quantum technologies are increasingly being considered within broader regulatory frameworks, such as:
- The National Security and Investment Act 2021, which includes quantum technologies in its sector screening questionnaire, identifying areas such as quantum communications, sensing, computing, and quantum-resistant cryptography as sensitive technologies. This means investments or acquisitions involving these technologies may be subject to government scrutiny for national security reasons.
- The Strategic Quantum Regulation Plan, which is a pro-innovation regulatory framework being rolled out by the UK government and which aims to foster innovation whilst ensuring responsible governance of quantum technologies.
- Data Protection Laws, including the UK GDPR and Data Protection Act 2018, which apply to any entity processing personal data using quantum technologies.
-
Datacentres – Does your jurisdiction have any specific regulations that apply to data centres?
The UK regulatory environment surrounding data centres is evolving rapidly in 2025 due to the growing demand for digital infrastructure and AI capabilities. The main regulations of note are:
1. Critical National Infrastructure Designation
Since September 2024, UK data centres have been officially designated as part of the country’s Critical National Infrastructure. This elevates their strategic importance and subjects them to increased regulatory scrutiny, similar to sectors like energy and water. The designation aims to:
- Enhance resilience against cyber threats and energy outages;
- Provide a more stable investment platform;
- Enable government oversight through a designated regulator.
2. Cybersecurity and Resilience
The upcoming Cyber Security and Resilience Bill will significantly expand incident reporting obligations for data centres:
- Broader incident reporting criteria and stricter timelines;
- Mandatory customer notifications in the event of significant incidents;
- Enhanced transparency and accountability.
Additionally, UK data centres are now within scope of the NIS2 Directive, which mandates:
- Stronger cybersecurity measures.
- Risk management protocols.
- Supply chain security assessments.
3. Data Protection and Privacy
Data centres must comply with:
- UK GDPR and the Data Protection Act 2018, which govern the handling of personal data;
- ISO 27001 and Cyber Essentials Plus certifications, widely adopted to demonstrate robust information security practices.
-
General – What are your top 3 predictions for significant developments in technology law in the next 3 years?
1. AI regulations governing the use of artificial intelligence will intensify and globalise, shifting from principles to enforcement.
Laws and regulations around AI are already developing rapidly in the UK. It seems likely that future regulation will focus on the responsible use of “frontier AI”, i.e. generative AI and LLMs. There is likely to be further debate around the open source development of LLMs (which may run the risk of complicating or evading conventional regulatory oversight).
The EU AI Act is already influencing UK businesses, particularly insurers and cross-border operators, and without domestic legislation to refer to, is becoming the de facto standard. An increasingly common example is UK companies that use or develop AI being required to demonstrate compliance with the EU AI Act in commercial contracts, especially in the context of M&A transactions and SaaS agreements.
We are likely to see increased scrutiny of AI governance, new liability frameworks for AI-related harm, and mandatory risk assessments and documentation for high-risk systems.
The UK has already entered into bilateral agreements with the likes of the USA and South Korea around cooperation on AI model testing and controls, and further international agreements of this type may also feature in the UK’s approach.
2. Legal frameworks for AI-generated content and IP will evolve
Most jurisdictions, including the US and UK, require human authorship for copyright protection. This means that works created entirely by AI without human creative input are not eligible for copyright.
The UK Intellectual Property Office has taken the stance that the person who configures the AI system may be considered the author, especially under the Copyright, Designs and Patents Act 1988, which allows for computer-generated works.
There are still unresolved questions surrounding ownership and attribution when AI tools create paintings, songs, and articles. Should it be the user who prompted the tool, the developer of the AI system, or the organisation that owns the AI infrastructure? These are likely to become questions asked more frequently, as AI-generated works have recently been auctioned off for large sums of money.
3. Developments in privacy law to keep pace with the greater use of technology by government bodies and law enforcement.
As government agencies and law enforcement make greater use of technology, it seems probable that there will be increased concerns around how these technologies (particularly AI) affect and potentially impinge on individuals’ privacy rights and civil liberties. This may lead to the UK courts ruling on the legality of such use of technology by the government and other public services as well as by corporations such as tech giants and/or social media companies.
-
General – Do technology contracts in your country commonly include provisions to address sustainability / net-zero obligations or similar environmental commitments?
Customers increasingly request sustainability provisions in their contracts, particularly when procuring business critical technology systems. UK government entities, large corporates, and financial institutions may be subject to extra regulatory scrutiny around their sustainability/net zero commitments.
Often, technology vendors’ public-facing websites have sections that outline their commitments to sustainability (sometimes as part of their ESG reporting), containing extensive reporting data. For technology vendors with a global presence, this data will usually be presented at a global operational level, so it may be difficult to glean UK-specific information from such websites.
Technology vendors typically resist inserting sustainability commitments at a contractually binding level with individual customers. As an alternative, they may agree to provide fuller information than that contained on their public websites for review, including country-specific data and/or scorecards/reviews from external sustainability ratings agencies.
Where the customer is a public sector body, or a large corporate or financial institution, it may be more feasible to negotiate contractual-level commitments around sustainability from technology vendors.
United Kingdom: TMT
This country-specific Q&A provides an overview of TMT laws and regulations applicable in the United Kingdom.