The EU Commission’s long-awaited guidelines on high-risk AI systems were published on 19 May 2026. This is the promised explainer on what is – and is not – a high-risk AI system under the EU AI Act.
The guidelines
The
Privacy Day 2026: Why trust is the new competitive advantage
Every year, Privacy Day gives organizations a moment to pause and reflect on how rapidly the data landscape is shifting, but 2026 feels different. The conversation has moved beyond compliance checklists and breach headlines. Privacy is moving beyond legal, shaping
Agentic AI: the ICO’s early thoughts on the data protection implications
The ICO has kicked off 2026 with sharing its early thoughts on the data protection implications of agentic AI in its ICO tech futures: Agentic AI report. The report considers the novel data protection risks presented by agentic AI.
UK Cyber Security and Resilience Bill – new obligations for the data centre sector
This blog post includes headline points on new obligations for the data centre sector proposed under the Cyber Security and Resilience Bill, and existing obligations under the NIS Regulations.
NIS Regulations Keeling Schedule for the Cyber Security and Resilience Bill – changes to the UK’s cyber security law
The Cyber Security and Resilience Bill proposes changes to the UK’s NIS Regulations. Without a ‘Keeling Schedule’ marking up the amendments, these can be difficult to track. We have prepared a mark-up reflecting the proposed changes.
Changes to EU and UK data protection law – a tale of two GDPRs?
The EU Commission recently held a call for evidence on “simplification” of legislation in the data, cybersecurity, and AI space, ahead of a “Digital Omnibus” Act. These changes look to make the EU’s digital rulebook more innovation-friendly, supporting the Commission’s
Pseudonymised data could fall outside data protection law – introducing the “means reasonably likely” assessment
The Court of Justice of the European Union (CJEU) has delivered its judgment on case C 413/23 P European Data Protection Supervisor (EDPS) v Single Resolution Board (SRB). The CJEU has confirmed that pseudonymised
Explain yourself: The legal requirements governing explainability
Agentic AI brings the promise of AI making a range of decisions autonomously. It has been proposed as the way forward for some of the most impactful decisions in our lives: interacting with customers and actioning requests, triaging requests for
UK data protection reform – what you need to know and do
The Data (Use and Access) Act (DUAA) received Royal Assent on 19 June 2025. The DUAA enacts the changes to the UK’s data protection regime that have been contemplated since the Data: a new direction consultation in
Global AI regulation
As organisations continue with their roll-out of AI, the global regulatory landscape is becoming increasingly complex. AI-specific laws like the EU AI Act already applicable and new AI-specific laws are proposed, adding to the range of existing laws and regulations