Corporate/general commerical

Starting on 29 June 2026, the Crime and Policing Act 2026 extends corporate liability to where a senior manager commits an offence while acting in the scope of their actual or apparent authority, for all crimes, replacing the provisions in the Economic Crime and Corporate Transparency Act 2023 which are confined to economic crimes. As the government explains in its factsheet, the definition of “senior manager” looks at what that individual’s roles and responsibilities are within the organisation – the level of managerial influence they might exert – rather than their job title. Companies should identify who may qualify as a senior manager, review controls and reporting lines, and refresh training and risk assessments accordingly.

Legal commentators are increasingly noting significant growth in securities class actions threatened or brought against UK listed companies. Section 90A of the Financial Services and Markets Act 2000 allows shareholders to claim losses arising from false or misleading statements, or dishonest omissions, in published information. These types of claims are fuelled by a variety of factors, including an increased focus on ESG-awareness (including greenwashing and the wider ‘washing’ phenomenon), a class action-friendly competition law regime, the willingness of the courts to deal with claims brought against UK-based parent companies (for example, the recent USD48 billion Mariana Dam case), upcoming regulatory reform in relation to product liability, and more. Robust governance, careful reporting and a swift, strategic response to any intimated complaints will be key to effective management of this emergent risk.

See our recent article for practical steps you can take to mitigate and respond to supply chain disruption in the current climate of uncertainty.

The government announced “the largest crackdown on late payments in over 25 years” as the Commercial Payments Bill was introduced to parliament. Measures include a new 60-day cap on payment terms for large firms, mandatory interest on late payments, and action to ban the practice of retentions in construction.

The government is consulting until 23 June 2026 on a new, modernised and enhanced core product safety framework, saying that “there are simply too many instances of dangerous products being sold to UK consumers, often online, resulting in serious harm”.

The government published guidance to help those responsible for premises and events to determine whether they fall within the scope of The Terrorism (Protection of Premises) Act 2025, known as ‘Martyn’s Law’, and how to comply with their legal duties.

The Law Commission is considering the introduction of a consumer class action regime. The government has asked the Commission to assess whether the way consumer laws are enforced could be strengthened in this way. Work is expected to start in autumn 2026 and the deadline for stakeholders to return an Initial Scoping Questionnaire is 30 October 2026.

The government published its response to the consultation on implementation of the new subscription contracts regime under the Digital Markets, Competition and Consumers Act 2024. The regime is expected to start in spring 2027 and guidance will be published to support business implementation.

In a recent speech, the Financial Conduct Authority’s chief executive described financial crime as a threat to national security and economic stability, requiring a system-wide response.

The English Devolution and Community Empowerment Bill became law. Among other measures, upward-only rent review clauses in new and renewal commercial leases will be banned. See our articles here and here.

The European Commission proposed a plan for simpler, clearer and better enforced EU rules.

In-house lawyers may be wondering about the Mazur case, in which the Court of Appeal recently overturned the High Court’s controversial earlier judgment. The Court of Appeal confirmed that an unauthorised person may lawfully perform any tasks which are within the scope of “the conduct of litigation”, for and on behalf of an authorised person, provided that authorised person retains responsibility for the delegated tasks. You can read the Law Society’s guidance here.

In an important decision in the case of Aabar Holdings v Glencore, the Commercial Court held that legal advice privilege can extend to intra-client communications (i.e. communications not involving a lawyer) and documents, where the communications or documents were created by or sent between members of the client group with the dominant purpose of seeking legal advice.

In Logix Aero Ireland v Siam Aero Repair Company, the Court of Appeal held that a breach of a confidentiality clause did not give rise to liability where third-party fraudsters intercepted emails and caused the loss, as their actions broke the chain of causation. There was no specific contractual duty to protect against the type of fraud committed in this case.

In the case of Eskander v GMC, the Court of Appeal confirmed that claims and statutory appeals are brought in time where the court document is delivered to the court by the relevant deadline, regardless of whether it is accompanied by payment of the relevant fee.

As part of our Illuminate programme for GCs, Formula 1 race strategist, analyst and commentator, Ruth Buscombe, shared her insights on how to make decisions under pressure, even with imperfect data.

Data protection/cybersecurity/tech and digital

In an open letter to UK business leaders, the government warned that rapid advances in AI are fundamentally changing the cyber threat landscape for businesses of every size in every sector. Government and businesses must prepare and plan accordingly. The key message is to treat cybersecurity as an essential part of running a modern company, not an optional extra.

This message is reinforced by the National Cyber Security Centre’s CEO who described in a keynote speech how the UK faces a “perfect storm” for cybersecurity – rapid technological change such as AI and quantum computing combined with “the most seismic geopolitical shift in modern history”.

The Information Commissioner’s Office has published a blog post setting out five practical steps organisations can take to strengthen their resilience to AI-powered threats.

The Bank of England, FCA and HM Treasury published a joint statement on frontier AI models and cyber resilience, explaining why frontier AI matters and what it means for regulated firms.

The government is asking every major organisation to sign a new voluntary Cyber Resilience Pledge. The pledge formally launches in summer 2026 with a public announcement of those organisations that have signed up, as models of good practice. Signatories commit to taking certain prescribed actions, encouraging those actions within their own supply chains and publishing the signed declaration on their website.

See our recent article on the practical implications for in-scope businesses of The Cyber Security and Resilience (Network and Information Systems) Bill which proposes significant changes to the current regime as the government seeks to ramp up the UK’s cyber defence capabilities in the face of ever more sophisticated threats.

The government published the results of its latest annual cybersecurity breaches survey. 43% of businesses reported having experienced any kind of cybersecurity breach or attack in the last 12 months. Phishing attacks remained the most prevalent type of breach or attack by far. Interestingly, board-level responsibility for cybersecurity sat at 68% for large businesses. Relatively few businesses were taking steps to formally review the risks posed by their immediate suppliers and wider supply chain.

You can access our interactive cybersecurity tool here.

The NCSC confirmed that it will begin recommending passkeys wherever a service supports them, and two‑step verification where it does not, in a move away from traditional passwords. Click here for other recent NCSC blog posts including on use of agentic AI.

A new right to raise data protection complaints direct with organisations comes into force on 19 June 2026. The ICO explains the steps businesses need to take now to ensure compliance.

The ICO recently issued a fine of nearly £1 million against two companies following a major cyber attack and data breach which exposed significant failures in their approach to data security and left customers and employees vulnerable for nearly two years.

The ICO published its final guidance on the use of storage and access technologies, including cookies. The updated guidance reflects the evolution of new tracking technologies and the changes brought about by the Data (Use and Access) Act 2025 (DUAA). It is designed to provide organisations that track people online with clarity on the requirements of data protection law, with new examples and practical advice. Crucially, the DUAA amended the Privacy and Electronic Communications Regulations to align the maximum penalty for non-compliance with cookie and direct marketing rules with the UK GDPR – an increase from £500,000 to £17.5 million or 4% of total annual worldwide turnover, whichever is greater.

A reminder that the ICO updated its guidance on international data transfers to reflect February 2026 changes under the DUAA. The DUAA updates the approach to international data transfers by replacing the EU’s “essential equivalence” test with a UK‑specific standard based on whether data protection is not materially lower than in the UK. If you haven’t already done so, review existing transfers and update existing transfer risk assessments in line with the new test and update internal policies and documentation accordingly.

We mentioned previously that the ICO was consulting on automated decision-making (ADM). In an associated report, the regulator sets out its findings and expectations for the responsible use of ADM in recruitment. The report draws on evidence gathered from over 30 employers across a range of sectors who engaged voluntarily. The overall takeaway is that employers have more work to do to ensure that use of these tools respects people’s information rights. Companies should review use of automated decisions in the hiring process to ensure the appropriate safeguards are in place. The ICO expects organisations to proactively monitor for bias, to be transparent with jobseekers and to explain rights to recourse.

The ICO also published guidance to support public authorities dealing with AI-generated Freedom of Information requests.

EU policymakers have agreed to simplify and streamline the rules on AI. Provisions on high-risk AI systems in the EU AI Act were due to enter into force on 2 August 2026. The new application dates are 2 December 2027 for stand-alone high-risk AI systems and 2 August 2028 for high-risk AI systems embedded in products. The European Commission is currently consulting on draft guidelines for AI transparency obligations which apply from 2 August 2026 and on draft guidelines for the classification of high-risk AI systems.

The government responded to the House of Lords Communications and Digital Committee report on AI, copyright and the creative industries. Among other measures, a new taskforce will put forward proposals to government on best practice for labelling AI-generated content, with an interim report expected in the autumn.

Data centre disputes are increasing. See our recent article for practical tips on effective risk management and how we can support you.

The government is planning to go ahead with introducing a digital ID system that will “modernise how citizens interact with public services” through a Digital Access to Services Bill.

A UK-led space mission designed to advance ultra-secure communications has successfully launched into orbit, marking a significant step forward for quantum technology and cybersecurity.

For more on tech developments, see the latest edition of our Technology & Digital round-up.

Sustainability/ESG

The Climate Change Committee warned that the British way of life is under threat from heat, flooding and drought, as it published a new report setting out a comprehensive package of solutions to address the growing impacts of climate change affecting every aspect of life in the UK.

The Environmental Audit Committee warned the government to urgently restrict non-essential uses of ‘forever chemicals’, as it published a new report addressing the risks.

The government published its response to its 2025 consultation on the implementation of biodiversity net gain (BNG) for nationally significant infrastructure projects (NSIPs). BNG is scheduled to apply to NSIP applications from 2 November 2026. Developers and landowners involved in infrastructure projects now have a defined pathway to prepare. NSIPs will be subject to a biodiversity gain statement, which will play a central role in both the examination of applications and the Secretary of State’s decision‑making. Defra has committed to publishing biodiversity gain statements for every National Policy Statement (NPS) this month – May 2026. For NSIPs without an applicable NPS, Defra will publish standalone biodiversity gain statements.

The International Sustainability Standards Board has agreed on the proposed way forward for nature-related disclosures. An IFRS Practice Statement would complement IFRS S1 and S2 without changing the requirements in the Standards. The Practice Statement would guide companies on how to provide the nature-related disclosures already required by IFRS S1. A draft for public comment is expected in October 2026.

The European Commission is consulting until 3 June 2026 on draft revised European Sustainability Reporting Standards and a voluntary sustainability reporting standard for smaller companies. The draft revised standards aim to cut administrative burden for EU businesses while maintaining high-quality sustainability disclosures. The draft voluntary standard is to support companies outside mandatory Corporate Sustainability Reporting Directive reporting and establishes a value chain cap, preventing CSRD in-scope companies from requiring more information from value-chain partners with 1,000 employees or fewer than what the voluntary standard covers.

The FCA recently consulted on proposed rules and guidance for the regulation of ESG ratings providers. From 29 June 2028, any firm wishing to provide certain types of ESG ratings in the UK will need FCA authorisation. A policy statement and final rules are expected in Q4 2026.

Defra published guidance on the British Standards Institution’s Nature Investment Standards – voluntary standards designed to guard against greenwashing and bring greater confidence and consistency to nature markets in the UK.

See our recent article on sustainability in the built environment and how technology can support ESG reporting.

People

The Employment Rights Act 2025 (ERA) is making sweeping changes to UK employment law. To help you navigate the changes, we’ve created a tracker to keep you updated on the proposals, what they mean for employers and how you can prepare, organised by topic and timeline. Access our tracker here. The next set of changes are due in October 2026.

The limitation period to bring most claims in the Employment Tribunal will increase from 3 to 6 months under the ERA. However, for reasons that are unclear, certain claims were not included at schedule 12 of the ERA (including breach of contract claims, fixed term employee claims and part time worker claims). Three sets of draft regulations have now been made to deal with most of those claims that were omitted. These draft regulations are due to come into force on 1 October 2026 (subject to parliamentary approval) and provide that the change will not be retrospective.

We reported in the previous edition that the government has published guidance for employers on creation of action plans to reduce the gender pay gap and support employees experiencing the menopause. Employers with 250 or more employees must already publish gender pay gap data annually on the government portal and their website. Now there is an option to produce and publish a voluntary action plan ahead of these becoming mandatory from spring 2027 under the ERA. These plans must include at least two actions, addressing both the gender pay gap and menopause support. The guidance was recently updated to include information on what you need to do if you are part of an organisation or group with more than one legal entity.

In a related development, the gender pay gap reporting guidance for employers has been updated following the Supreme Court ruling on the definition of sex in the Equality Act 2010.

The Equality and Human Rights Commission’s draft updated Code of Practice for Services, Public Functions and Associations in light of the same Supreme Court ruling and other changes to the law since 2011 was laid in parliament on 21 May 2026. Parliament then has 40 days to consider the draft.

The Women and Equalities Committee launched a new inquiry on access to flexible working for disabled people. The deadline to submit evidence is 26 June 2026.

The Health and Safety Executive is consulting until 30 June 2026 on proposed legislative and non-legislative changes to The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (RIDDOR). The consultation is relevant to all sectors and industries, and particularly to dutyholders and those in control of work premises. Non-legislative change covers improving the RIDDOR reporting process by simplifying the online form to reduce both under-reporting and over-reporting and improving overall usability.

As part of the Plan to Make Work Pay, the government is seeking views until 1 July 2026 on the effectiveness of the TUPE regulations. Responses will be used to develop policy proposals which will then be consulted on in due course. The government has not set out any specific proposals about TUPE reform, and it remains to be seen whether the call for evidence will result in any change, and if so, when.

The government published its response to the consultation on reforming the Senior Managers & Certification Regime in the financial services sector. The aim is to reduce unnecessary regulatory burdens and provide regulators with greater flexibility to deliver more proportionate and risk-sensitive SM&CR rules.

In related news, the FCA published a policy statement setting out changes as part of the first phase of the SM&CR reforms. Most changes took effect on 24 April 2026 so that firms could benefit immediately. Improvements to regulatory reporting and processes apply from 10 July 2026, while changes made to align with the rules and guidance on tackling non-financial misconduct apply from 1 September 2026. If the government’s proposals pass through parliament, regulators expect to consult on the second phase of the reforms later in the year.

The government briefly consulted on proposed changes to its code of practice for employers on avoiding unlawful discrimination while preventing illegal working. It is currently analysing the feedback.

The government announced a radical overhaul of the fit note system for workers who fall ill. Four pilots in different parts of England will look at the best way to end what the government calls a “tick-box exercise” and replace it with personalised ‘stay in work’ and ‘return to work’ plans. This is the first step before legislation is brought forward to further reform the system.

The recent King’s Speech did not mention the Equality (Race and Disability) Bill, so we are no clearer on timing of next steps following the publication of the government’s response to the consultation earlier this year.

The recent case of Kankanalapalli v Loesche Energy Systems highlights the importance of carefully drafted offer letters and the difference between ‘conditions precedent’ and ‘conditions subsequent’.

The government published the final report of the Director of Labour Market Enforcement-commissioned assessment on the scale and nature of labour non-compliance and other work-based harms in the UK. The DLME’s functions have transferred to the Fair Work Agency, an executive agency of the Department for Business and Trade responsible for enforcing workers’ rights. The report reinforces the need for employers to take steps to ensure compliance in the areas that the FWA has/will have responsibility for, including national minimum wage, holiday pay and sick pay. This policy paper sets out the government’s expectations for the FWA in the 2026/27 transitional period of its operation.