Stop press!!

After this edition had already gone to press the ICO published its final guidance on the use of storage and access technologies, including cookies. We’ll be providing our insights in a separate update to follow. In the meantime, please get in touch and our team will be happy to help.

#1:  Businesses urged to act now on AI cyber threats and sign up to new Cyber Resilience Pledge

In an open letter to UK business leaders the government warned that rapid advances in AI are fundamentally changing the cyber threat landscape for businesses of every size in every sector. Recent testing by the UK’s AI Security Institute of AI firm Anthropic’s new Mythos model found it to be substantially more capable at cyber offence than any previously assessed model. Tests of such advanced frontier AI models show that AI cyber capabilities are accelerating even faster than expected. Government and businesses must prepare and plan accordingly.

In a keynote speech to the annual government cybersecurity conference the National Cyber Security Centre’s CEO described how the UK faces a ‘perfect storm’ for cybersecurity – rapid technological change such as AI and quantum computing combined with ‘the most seismic geopolitical shift in modern history’. Cyber operations are ‘as much a reality of modern warfare as drones and missiles’. Businesses are urged to follow recent NCSC guidance found in a series of posts here.

At the same conference the Security Minister announced a £90 million investment to strengthen our cyber resilience and introduced the Cyber Resilience Pledge which the government is asking every major organisation to sign. The Pledge will launch this summer and commits signatories to make cyber a Board responsibility; sign up to the Early Warning service; and require Cyber Essentials across supply chains. Signatories will be listed online as models of good practice.

Click here for our latest updates on the Cyber Security and Resilience Bill and the key implications for in-scope businesses.

#2: Government launches unique £500 million fund backing British AI startups

The UK ‘must be an AI maker, not just an AI taker’ said the Technology Secretary as the government launched Sovereign AI, a new £500 million ‘first-of-its-kind’ fund to help promising homegrown AI startups scale fast and compete on the global stage, reducing reliance on a small group of overseas tech giants.

Sovereign AI is independent and will act ‘like a venture capital fund with the muscle of the state behind it’, moving at the pace of the AI industry and cutting through red tape. An investment committee will make its own decisions free from political interference. The package goes beyond direct investment to include fully funded access to the UK’s largest AI supercomputers, measures to fast-track global talent and other hands-on government support.

The first equity investment is in Callosum, a company building a new class of AI infrastructure. Six other startups will receive access to world-class compute and Sovereign AI will have right of first refusal on future investments for a number of recipients.

#3:  Recent ICO activity on automated decision-making, including in recruitment

The data regulator is consulting until 29 May on draft guidance about automated decision-making including profiling. This follows changes introduced by the Data (Use and Access) Act 2025 which allows organisations to make solely automated decisions in a wider range of situations, provided they have appropriate safeguards in place. The draft guidance will inform parts of the ICO’s upcoming ADM and AI code of practice which it will be required to produce by law.

A report published alongside the draft guidance sets out the ICO’s findings and expectations on the use of ADM in recruitment, a key focus of its AI and biometrics strategy. The report draws on evidence gathered from over 30 employers across a range of sectors who engaged voluntarily with the initiative. The overall takeaway is that employers have more work to do to make sure that use of these tools respects people’s information rights. The ICO identified shortcomings concerning meaningful human involvement; transparency and safeguards; fairness, bias and discrimination; data protection impact assessments; and lawful basis.

More legal and regulatory developments…

• The Digital Regulation Cooperation Forum set out five lessons learned about the relationship between digital regulation and AI adoption in the UK, drawing on survey evidence from UK businesses and interviews with stakeholders at the heart of AI decision-making.
• The CMA announced a package of actions on business software and cloud services including the launch in May of a strategic market status investigation into Microsoft’s business software ecosystem. The CMA’s stated aim is to create greater choice for UK businesses and the public sector at a pivotal time of advances in AI.
• The CMA launched five new consumer law investigations as part of its crackdown on fake and misleading reviews.
• The FCA’s chief data, information and intelligence officer said in a recent speech that agentic commerce will change how financial decisions and transactions are made, demanding a fundamentally new approach. Announcing the next phase of the FCA’s AI Lab, they confirmed that there will be no new rules on AI policy. Instead, examples of good and poor practice will be published later this year.
• The FCA is consulting until 3 June on new guidance to help firms understand how they might be affected by the upcoming regulatory regime for cryptoassets.
• The ICO published guidance explaining the new ‘recognised legitimate interest’ lawful basis introduced by the Data (Use and Access) Act 2025 and related guidance for organisations such as local authorities and NHS trusts on requesting personal information to fulfil public tasks or official functions.
• The FCA and ICO issued a joint statement setting out their expectations regarding firms’ approaches to vulnerability related data.
• Data centre disputes are increasing. See our recent article for practical tips on effective risk management and how we can support you.
• Regulations coming into force in May pave the way for a new permit scheme establishing a dedicated licensing route for passenger-carrying automated services to operate on public roads.
• The European Commission unveiled EU Inc., a new single set of corporate rules that will apply across the EU including fully digital operations throughout a company’s lifecycle.

…and in other news

• The NCSC confirmed that it will begin recommending passkeys wherever a service supports them, and two‑step verification where it does not, in a move away from traditional passwords.
• The government published its Smart Data Strategy with a target of five or more active smart data schemes by 2030 rising to at least 20 by 2035. This includes prioritising the key sectors of banking (payments); financial services; road fuels; energy; property; retail; digital markets; transport; telecommunications; and agrifood.
• The Science, Innovation and Technology Committee launched an inquiry into whether low‑energy computing could help solve the AI energy crisis.
• The government published its response to the call for views on enterprise connected device security. Next steps include asking manufacturers to use the NCSC’s device security principles for manufacturers to make their products secure by design.
• The Quantum Development Group of thirteen countries leading the development of quantum tech agreed at their latest meeting held in London to deepen cooperation across priority areas including research and investment security and supply chain resilience, and supporting companies to scale up.
• Google announced that from 15 June it will treat “back button hijacking” – when a site interferes with a user’s browser navigation and prevents them from using their back button to immediately get back to the page they came from – as an explicit violation of its malicious practices policy. This means that pages may be subject to manual spam actions or automated demotions, which can impact performance in Google Search results.
• The BBC reported on OpenAI pausing a £multi-billion UK data centre project citing concerns about high energy costs and regulation.
• The government announced nineteen new Technical Excellence Colleges, backed by £175 million, to deliver high‑quality training in the key growth sectors of advanced manufacturing, clean energy, defence, and digital and technologies.
• The government has awarded regions across the UK up to £20 million through the Local Innovation Partnerships Fund to support local innovation projects and accelerate the commercialisation of new tech. The funding will back regional strengths across areas such as clean energy, advanced manufacturing, defence, autonomous systems, and space and agri-tech.
• The government published the terms of reference for its Women in Tech Taskforce which examines the barriers to women entering, progressing and leading in the UK tech sector.

How we can support you

If you have queries about any of the points covered in this edition of the Technology & Digital round-up, or need further advice or assistance, please get in touch with Sally, Andrew, Nick, Paul, Luke, Matthew or one of our Technology & Digital experts.

Want to watch a previous webinar? Visit our digital academy, home to a library of digital content including webinars, our bite-sized video nuggets and podcasts, including our 60 second videos on what is an NFT and what is a blockchain.

Want to learn more from our Technology & Digital experts and be the first to receive important updates, developments and events from the team? Then visit our #WMTechTalk page or sign up for our newsletter, the Technology & Digital round-up here.