#1: Practical steps to strengthen cyber resilience

We discussed in our April edition the urgent warnings from the government and National Cyber Security Centre to act now to counter AI-enabled cyber threats. In recent developments, the Information Commissioner’s Office published a blog post setting out five practical steps to take now to strengthen cyber resilience:

• Know what you’re up against
• Get the basics right and layer your defences
• Restrict access points
• Improve your detection, monitoring and incident response
• Protect personal data

The Bank of England, Financial Conduct Authority and HM Treasury also published a joint statement on frontier AI models and cyber resilience. They warn that firms that have underinvested in core cybersecurity fundamentals are likely to become progressively more exposed. Action must be taken in line with the regulators’ rules and expectations on operational resilience.

Recent NCSC posts about AI cover 10 questions to ask when using AI models to find vulnerabilities and thinking carefully before adopting agentic AI.

Figures from the government’s latest annual cybersecurity breaches survey show that 43% of businesses reported having experienced any kind of cybersecurity breach or attack in the last 12 months, with phishing attacks remaining the most prevalent type of breach or attack by far.

Interestingly, board-level responsibility for cybersecurity sat at 68% for large businesses. Relatively few businesses were taking steps to formally review the risks posed by their immediate suppliers and wider supply chain. See our recent article on cyber risk, why your supply chain is your biggest vulnerability, and the practical steps you should take now.

Need some help? You can access our interactive cybersecurity tool here.

#2: Latest on EU AI Act as high-risk systems provisions delayed

We’ve talked previously about plans afoot in Europe to streamline parts of the EU AI Act (the ‘AI Omnibus’) as part of a broader simplification agenda. EU policymakers have now provisionally agreed on the changes, which include:

• A fixed timeline for the delayed application of high-risk rules: the new application dates would be 2 December 2027 for stand-alone high-risk AI systems and 2 August 2028 for high-risk AI systems embedded in products.
• Reinstating the obligation for providers to register AI systems in the EU database for high-risk systems, where they consider their systems to be exempted from classification as high-risk.
• Reinstating the standard of strict necessity for the processing of special categories of personal data for the purpose of ensuring bias detection and correction.
• A shorter grace period deadline of 2 December 2026 for providers of AI systems placed on the market before 2 August 2026 to mark outputs in a machine-readable format and detectable as artificially generated or manipulated.
• Measures to reduce overlaps between the Act and sector-specific legislation, including exempting the machinery regulation from direct applicability.

The changes are awaiting formal adoption but are expected to go ahead.

The European Consumer Organisation (BEUC) has warned that the AI Omnibus risks creating dangerous regulatory loopholes and weakening consumer protection.

In related developments, the European Commission is currently:

• consulting until 3 June 2026 on draft guidelines for AI transparency obligations which apply from 2 August 2026. A voluntary code of practice to complement the guidelines is expected in June 2026.
• consulting until 23 June 2026 on draft guidelines for the classification of high-risk AI systems.

While the aim is to simplify and streamline the rules, the EU AI Act is still a long and complex piece of legislation. We’re here to help you navigate the complexities and prepare for implementation. Please get in touch.

More legal and regulatory developments…

• A new right to raise data protection complaints direct with organisations comes into force on 19 June 2026. The ICO explains the steps you need to take now to ensure compliance. Click here for more on this, the other changes introduced by the Data (Use and Access) Act 2025 and how we can help you with all aspects of data protection compliance, privacy and cybercrime.
• The ICO issued a fine of nearly £1 million against two companies following a major cyberattack and data breach which exposed significant failures in their approach to data security and left customers and employees vulnerable for nearly two years.
• The ICO published its final guidance on the use of storage and access technologies, including cookies. It reflects the evolution of new tracking technologies and changes through the Data (Use and Access) Act 2025. Crucially, the maximum penalty for non-compliance with cookie and direct marketing rules has increased from £500,000 to £17.5 million or 4% of total annual worldwide turnover, whichever is greater.

• In a related development, the ICO published its advice to government on potential changes to online advertising rules.
• The ICO also published new guidance to support public authorities dealing with AI-generated Freedom of Information requests.
• New measures to make subscriptions clearer and easier to manage or cancel are due to come into force in spring 2027. You should begin your preparations now.
• The Competition and Markets Authority launched a strategic market status investigation into Microsoft’s business software ecosystem.
• The FCA is asking stakeholders to provide examples of good and poor practice in relation to AI use cases in UK financial services. Feedback is requested by 19 June 2026 and will help inform a publication on the topic due later this year.
• The government is consulting until 23 June 2026 on a new, modernised and enhanced core product safety framework, saying that “there are simply too many instances of dangerous products being sold to UK consumers, often online, resulting in serious harm”.
• A Regulating for Growth Bill announced in the King’s Speech will create sandboxing powers to allow existing rules to be temporarily relaxed, under strict controls, to test new products and technologies in real-world settings.
• The government is planning to go ahead with introducing a digital ID system that will modernise how citizens interact with public services through a Digital Access to Services Bill.

…and in other news

• The government responded to the House of Lords Communications and Digital Committee report on AI, copyright and the creative industries. Among other measures, a new taskforce will put forward proposals to government on best practice for labelling AI-generated content, with an interim report expected in the autumn.
• The NCSC is urging all organisations to act now to prepare for a wave of vulnerability patches that it says will address decades of technical debt.
• The NCSC also published a paper on understanding adversarial attacks against machine learning and AI.
• The Technology Secretary gave a keynote speech on why AI is key to the UK’s economic prosperity and national security. A UK AI hardware plan will be developed to secure the country’s future capability in chips and the semiconductor technologies that underpin AI.
• Government-backed Sovereign AI is co-investing with the British Business Bank in a new British frontier AI company building algorithms that can learn for themselves and uncover new knowledge.
• The BBC reported on a warning from the Royal Observatory that instant AI answers can trivialise human intelligence.
• And finally, according to a new study from the University of Sheffield, insects’ lightning-fast reactions could transform the future of AI and robotics.