Compliance and risk management

Subscribe to Compliance and risk management via RSS

UK Cyber Security and Resilience Bill – new obligations for the data centre sector

By Marcus Evans (UK) & Rosie Nance on December 3, 2025

This blog post includes headline points on new obligations for the data centre sector proposed under the Cyber Security and Resilience Bill, and existing obligations under the NIS Regulations.

NIS Regulations Keeling Schedule for the Cyber Security and Resilience Bill – changes to the UK’s cyber security law

By Marcus Evans (UK) & Rosie Nance on December 3, 2025

The Cyber Security and Resilience Bill proposes changes to the UK’s NIS Regulations. Without a ‘Keeling Schedule’ marking up the amendments, these can be difficult to track. We have prepared a mark-up reflecting the proposed changes.

Changes to EU and UK data protection law – a tale of two GDPRs?

By Marcus Evans (UK) & Rosie Nance on November 12, 2025

The EU Commission recently held a call for evidence on “simplification” of legislation in the data, cybersecurity, and AI space, ahead of a “Digital Omnibus” Act. These changes look to make the EU’s digital rulebook more innovation-friendly, supporting the Commission’s…

Italy’s Law No. 132/2025 on Artificial Intelligence

By Francesco Gelmetti & Salvatore Iannitti (IT) on October 8, 2025

On September 23, 2025, Italy adopted Law no. 132/2025 on Artificial Intelligence (AI). The law will enter into force on 10 October 2025 and aims, inter alia, to complement the Regulation EU 2024/1689 (EU AI Act).

Can you access your outsourced data?

By Kerri Gevers (SG) on September 1, 2025

Financial regulators globally emphasise the importance of financial entities being operationally resilient, which includes the ability to manage and recover from disruptions caused by their service providers. The topic receives significant attention in the financial services sector because the sector…

New Jersey’s proposed privacy rules include some surprises

By David Kessler (US) & Susan Ross (US) on June 24, 2025

On June 2, 2025, the New Jersey Attorney General’s Division of Consumer Affairs released proposed rules (57 N.J.R. 1101(a)) pursuant to the New Jersey Data Privacy Act (N.J.S.A. 56:8-166.4 et seq.). Although the proposed rules have many similarities to California’s…

AI and Job Postings: Navigating Ontario’s Upcoming Requirements

By Imran Ahmad (CA), Domenic Presta (CA), Joseph Cohen-Lyons & Humna Shaikh on June 16, 2025

On March 21, the Ontario’s Bill 149, Working for Workers Four Act, 2024 (“Bill 149”) received Royal Assent.

AI literacy – the Commission’s pointers on building your programme

By Marcus Evans (UK) & Rosie Nance on May 28, 2025

The EU AI Act’s AI literacy obligation applied from 2 February 2025. This applies to anyone doing anything with AI where there is some connection to the EU – to providers and deployers of any AI systems.

The AI Act…

The Commission’s guidelines on AI systems – what can we infer?

By Rosie Nance, Marcus Evans (UK) & Peter McBurney on February 13, 2025

The EU’s AI Act imposes extensive obligations on the development and use of AI. Most of the obligations in the AI Act look to regulate the impact of the specific use cases on health, safety, or fundamental rights. These sets…

CJEU Advocate General clarifies when pseudonymised data falls outside the definition of personal data

By Marcus Evans (UK), Rosie Nance & Alice Knowles on February 10, 2025

On 5 February 2025, the Advocate General of the Court of Justice of the European Union (CJEU) issued its opinion in the case of C 413/23 P European Data Protection Supervisor (EDPS) v Single Resolution Board…

Data Protection Report