This article has practical relevance for online service providers that are either established in an EU Member state or subject to the Digital Services Act and currently see themselves pressured to comply with national digital regulatory rules that have been introduced on EU Member State level (e.g., youth protection or social media laws).

Download the full version of European Union: EU Commission and Courts Consider National Digital Laws Inapplicable.

The post European Union: EU Commission and Courts consider national digital laws inapplicable appeared first on Global Compliance News.

On 28 January 2026, the Health Sciences Authority (HSA) issued Version 3 of its product defect reporting and recall procedures for therapeutic products (TPs) and cell, tissue and gene therapy products (CTGTPs). The HSA, through the updated guidance, does the following:

• Provides some clarification on the scope of product recalls and reportable defects
• Clarifies and reorganises certain portions of the guidance
• Highlights certain key issues to take note of
• Creates a new product defect reporting form for defects relating to clinical research materials used in clinical trials
• Expands the annexures substantially
  

In more detail

Clarifications on the scope of product recalls and reportable defects

The HSA has made several clarifications on the scope of the guidance, particularly the following:

• The definition of “recall” now expressly excludes the retrieval of expired products not due to product defects and the retrieval of a small quantity of products for investigative purposes.
• Out of specification (OOS) results related to stability commitment batches from previous variation applications are now expressly listed as an example of a reportable defect.
  

Clarifications and reorganisation of the guidance on investigations and risk assessments

The HSA previously included a list of information and actions that are required in the investigation report during the risk assessment. It has now expanded the “Investigation and risk assessment” section to include specific guidance on the components of the investigation, considerations of the risk assessment, what to include in the investigation report, explanations on the distribution and supply information.

Reiteration of the proper product defect reporting procedure

The HSA has emphasised that, while minor variation (MIV) applications may be required as part of the CAPA, they do not substitute the need to first notify the HSA of the defect via the product defect reporting form.

New product defect reporting form for clinical research materials used in clinical trials

The HSA has also provided a link to a new product defect reporting form for applicants and clinical trial sponsors to report defects.

Updated annexures

Finally, the HSA has also considerably supplemented its annexures by including the following information:

• Under Annex II, the HSA elaborates on the requirements for supplying an OOS batch of CTGTP, also adding a new subsection on the scope of applicability while reorganising previous content under clearer subheadings.
• Under Annex III, the HSA consolidates guidance on recommended contents for Dear Purchaser Letters and Dear Healthcare Professional Letters with expanded elaborations.

Under Annex V, the HSA consolidates guidance on consumer-level recalls, mandating notifying the HSA immediately upon deciding to initiate a consumer-level recall. This is justified on the basis that these recalls typically require additional preparation, coordination and regulatory oversight.

Key takeaways

The updated guidance provides clear and structured guidance regarding the entire product defect reporting, investigation, risk assessment, corrective and preventive actions (CAPA), and recall process for TPs and CTGTPs. It is likely that the HSA has refined its guidance on product defect reporting and recall based on deficiencies from past product registrants and dealers in such situations. Product registrants and dealers should familiarise themselves with the updated product defect reporting and recall procedures to ensure compliance with applicable requirements.

* * * * *

The post Singapore: HSA Updates Defect Reporting and Recall Guidance appeared first on Global Compliance News.

On 13 February 2026, the Health Sciences Authority (HSA) published the findings of its public consultation on the proposed exemption from manufacturer’s licensing and product registration requirements for artificial intelligence software as a medical device (AI-SaMD) developed by selected public healthcare entities for use in public healthcare (AI‑SaMD sandbox).

The public consultation was held from 19 May 2025 to 19 June 2025, and the HSA announced that the feedback was generally supportive of the proposed AI-SaMD sandbox. The HSA also published a summary of the suggestions provided.

In more detail

As covered in our May 2025 alert, the HSA invited the public to provide feedback on the proposed AI-SaMD sandbox from 19 May 2025 to 19 June 2025.

The respondents generally expressed support for the proposal and provided constructive suggestions, which broadly fell into the following categories:

1. Suggestions to strengthen controls within the sandbox, such as imposing additional International Organisation for Standardisation (ISO), International Electrotechnical Commission and cybersecurity requirements, and for the AI-SaMDs in the sandbox to eventually be registered with HSA
2. Suggestions to expand the scope of the AI-SaMD sandbox to allow other healthcare professionals, apart from registered medical practitioners, to provide oversight over the development of these AI-SaMDs, and extending participation beyond the public healthcare sector, such as to private healthcare institutions and software developers

The HSA emphasised that the proposed sandbox is intended to ensure appropriate regulatory oversight, while at the same time fostering healthcare innovation. Therefore, the HSA has to consider the existing cybersecurity and data security safeguards that public healthcare entities have to comply with, as well as the prevailing requirements under the Health Products Act and the Healthcare Services Act.

Taking into account the above considerations, the HSA will undertake the following:

• Scope the sandbox only to AI-SaMDs that pose lower potential patient risks, i.e., Class A and Class B AI‑SaMDs, which only aim to diagnose and/or drive clinical patient management for non-critical medical conditions (For more information on the risk classification of AI-SaMDs, see our previous alert.)
• Require a clinician employed in a public healthcare institution, and holding the position of consultant or higher, to oversee the AI-SaMD’s design, validation and output, and to ensure that the AI-SaMD is manufactured under the supervision of a qualified medical practitioner
• Require public healthcare developers to conduct yearly quality management system self‑attestations to confirm compliance with ISO 13485 standards
• Require AI-SaMDs to be endorsed by the chair of the medical board or the CEO of the public healthcare institution for deployment, ensuring that senior leadership is aware of and accountable for the AI-SaMDs being deployed in their public healthcare institution or cluster
• Require that the public healthcare institution or cluster notify the HSA of the AI-SaMDs before deploying them for use in patients
• Require that deployers inform patients when AI-SaMDs developed under the proposed sandbox will be used in their medical care
• Engage with public healthcare developers on the HSA product registration upon the wider deployment of the AI-SaMD across public healthcare

The HSA reiterated that the sandbox is an expansion of the exceptions within the Health Products Act, and the HSA will continue to uphold the key safeguards, such as post-market obligations and accountability, to ensure regulatory oversight and patient safety.

Key takeaways

The HSA has been embracing and encouraging the adoption and use of AI within the Singapore healthcare system, along with providing regulatory guidance to ensure patient safety. This AI-SaMD sandbox is one such measure that facilitates broader AI adoption and scaling up across the Singapore healthcare ecosystem, and the HSA has confirmed that it will be considering extending the scope to beyond public healthcare.

The HSA will closely monitor the outcomes of the sandbox to evaluate and determine the next steps, including the calibration of controls, and to create a comprehensive framework to support AI innovation while ensuring the safe and effective use of AI in healthcare.

Companies should continue to monitor how the HSA calibrates its controls toward AI-SaMDs in Singapore, as the outcomes of the sandbox may have knock-on effects on wider controls and guidance for AI-SaMDs.

The post Singapore: HSA Releases AI Medical Software Consultation Findings appeared first on Global Compliance News.

In brief

South Africa’s Draft National AI Policy has formally entered the Cabinet approval process, signalling a decisive shift from high‑level principles to concrete regulatory development. The Policy is expected to be gazetted for a 60‑day public consultation in March 2026, with finalisation targeted for the 2026/2027 financial year. Government has opted for a sector‑specific, multi‑regulator model rather than a single AI regulator, meaning AI governance will be embedded within existing supervisory frameworks. Five core pillars – skills capacity, responsible governance, ethical and inclusive AI, cultural preservation and human‑centred deployment – guide the Policy. Organisations should assess current AI deployments, governance structures and high‑impact systems ahead of increased oversight and future sector‑specific regulatory instruments.

In more detail

The Road to Gazetting: Timelines and Procedures

On 24 February 2026, the Department of Communications and Digital Technologies (DCDT) briefed Parliament on the progress of the Draft National AI policy (“Draft AI Policy“). The DCDT’s briefing confirmed that the Draft AI Policy has successfully cleared the Socio-Economic Impact Assessment System certification and achieved concurrence across all Director-General clusters. This is a critical administrative hurdle; it suggests the Policy has broad inter-departmental support and is ready for public scrutiny.

The Draft AI Policy is now progressing through Cabinet approval and is expected to be gazetted for a 60-day public consultation period in March 2026. Finalisation is anticipated during the 2026/2027 financial year, with sector-specific strategies and supporting regulatory measures expected to follow from 2027/2028.

Strategic Context of the Draft AI Policy

A key focus of the Parliamentary briefing was on the benefits and risks of AI and how each of these should be more evenly distributed across society. Government highlighted concerns about the current concentration of AI capabilities and emphasised the need to ensure long-term benefits for both current and future generations.

AI was also framed as a tool to support inclusive economic growth. The Draft AI Policy aims to strengthen Government’s ability to regulate and adopt AI responsibly, while encouraging local innovation, supporting job creation and improving access to AI skills, infrastructure and services. These priorities sit alongside efforts to enhance South Africa’s global competitiveness and international collaboration. 

Five Core AI Policy Pillars 

It was against this backdrop that the following five core policy pillars underpinning the Draft AI Policy were introduced by the Government during the Parliamentary briefing.

• Capacity and talent development

The DCDT highlighted the need to build national AI skills through education, training and closer collaboration with industry. This will be supported by improved digital infrastructure, including increased compute capacity (such as graphics processing units) and better connectivity, to support local innovation, SMEs and broader economic growth.

• Responsible AI governance

The Draft AI Policy proposes practical safeguards to address safety, security and privacy risks associated with AI. These include risks such as data misuse, cybersecurity threats, misinformation and deepfakes, with the aim of ensuring that AI systems are deployed with clear accountability and do not cause harm.

• Ethical and inclusive AI

Fairness and bias mitigation were central to the discussion. Government highlighted the importance of training AI systems on representative local datasets to avoid imported bias (i.e., discriminatory outcomes when AI models trained on Global North datasets are applied to South African demographics). The development of national ethical guidelines and mechanisms to hold developers accountable for harmful outcomes was also emphasised.

• Cultural preservation and global integration

The Draft AI Policy aims to use AI to preserve indigenous languages and knowledge systems while strengthening international collaboration. In this regard, the Koi and Satsang languages were specifically mentioned with the intention of AI digitising them. Government also noted the importance of protecting cultural assets while ensuring South Africa remains globally competitive.

• Human-centred deployment

The Draft AI Policy rejects opaque “black box” deployment in high-impact contexts and emphasises accountability when AI systems cause harm. This means that This means that organisations remain responsible for the outcomes of AI-driven decisions, regardless of the level of automation involved.

Implementation model and sector-specific regulation

The DCDT also addressed the intended implementation plan of the Draft AI Policy in practice. Government indicated that a phased approach will be adopted, recognising that AI deployment and risk profiles differ significantly across sectors. AI in healthcare, for example, presents distinct ethical and safety considerations when compared to AI used in financial services, telecommunications or public administration.

As a result, the Draft AI Policy is expected to operate as an overarching framework, with sector-specific strategies developed thereafter and governed within existing sector-specific regulatory frameworks. This is an approach favoured in other countries such as the United Kingdom and India, and signals another departure from the EU AI Act’s comprehensive regulatory approach. These strategies will be tailored to the regulatory realities and risk exposures of individual industries.

Perhaps the most significant structural revelation from the DCDT is the decision not to create a single AI Regulator. Instead, oversight will be distributed among existing authorities – ICASA was specifically mentioned during the briefing as one of the authorities expected to play a role in relation to digital infrastructure and communications aspects of AI deployment.

This multi-regulator model represents a coordinated oversight approach rather than the creation of a centralised AI regulator. As a result, AI governance is likely to intersect with existing regulatory obligations – such as those relating to conduct, risk management, data protection, and cybersecurity – embedding AI accountability within established supervisory frameworks rather than introducing it through a standalone regime.

The way forward

With the Draft AI Policy expected to enter public consultation shortly, organisations should treat 2026 as a period to prepare strategically.

In the immediate term, institutions should monitor the gazetting process and consider participating in the 60-day public comment period. Early engagement may influence how sector-specific strategies are ultimately framed, particularly in relation to explainability and supervisory oversight.

At an operational level, institutions should conduct a comprehensive internal review of existing AI deployments. This includes identifying high-impact systems, mapping data flows, assessing model explainability mechanisms and evaluating alignment with existing governance frameworks and recommendations (such as those under King V) and obligations under existing regulation, such as POPIA, prudential standards and conduct regulation. As governance expectations evolve, regulators are likely to assess AI through the lens of existing accountability frameworks rather than in isolation.

The 2026 Draft National AI Policy represents an effort by the South African Government to catch up with global regulatory trends while addressing local socio-economic realities. The transition from the current open regulatory environment to a sector-specific framework will be complex, but it also offers an opportunity for businesses to build greater trust with their customers through proactive engagement, as the approach towards governing AI in South Africa is mapped.

* * * * *

Despina Lazanakis, Trainee Solicitor, has contributed to this legal update.

The post South Africa: AI Policy Moves Towards Approval appeared first on Global Compliance News.

Given its status as a draft bill, the proposed legislation has not yet entered into force and may still be subject to amendments prior to final approval. That said, the current text already provides a sufficiently clear indication of the regulatory direction and makes early preparation advisable.

While the Draft has a broader scope, the analysis below focuses on those elements expected to have the most significant impact on companies.

KEY TAKEAWAYS

• Corporate law obligations: The Draft introduces the mandatory registration of shareholdings with the Commercial Registry, together with additional disclosure and information obligations under the Spanish Capital Companies Act.

• Enhanced controls in public procurement: Entities seeking to contract with the public sector will be required to implement a criminal compliance model—specifically, an “appropriate organization and management model for integrity and the prevention of criminal offenses, together with effective supervision thereof.” In addition, all participants involved in public procurement procedures must execute conflict‑of‑interest declarations.

• Stricter oversight of Political Parties: The Draft establishes new control obligations relating to audits and introduces more stringent oversight of political donations. These measures significantly increase the level of regulatory scrutiny and, consequently, the associated risk exposure related to donations.

• Potential creation of specialized judicial divisions: The Draft contemplates the possibility of creating specialized divisions within the Courts of First Instance and the Provincial Courts specifically dedicated to anti‑corruption matters and offenses against the Public Administration.

• Harsher penalties and sanctions for corruption: The sanctioning framework applicable to both legal entities and individuals is substantially reinforced. First, the Draft allows for the imposition of fines calculated on the basis of either the company’s annual turnover or the unlawful benefit obtained. Second, it introduces mandatory disqualification measures—which were previously discretionary—preventing offenders from obtaining public subsidies and grants, contracting with the public sector, and benefiting from tax or Social Security incentives (“blacklisting”). With respect to individuals, the Draft also provides for an increase in maximum prison sentences in certain cases for corruption cases, which may reach up to 20 years.

• Extension of statutes of limitation: In cases involving corruption and offenses against the Public Administration, the Draft proposes extending the ordinary statute of limitations from five to seven years for offenses punishable by a maximum prison sentence of five years.

• New compliance obligations linked to internal reporting systems: The Draft establishes an obligation requiring all bodies and entities that are required to maintain an internal information system (whistleblowing channel) to also have a compliance or integrity system in place. The draft specifically proposes amending the Whistleblower Protection Act in order to introduce the following provision: “(h) To have a policy or strategy setting out the general principles governing internal reporting systems and the protection of whistleblowers, which is duly publicized within the entity or body. This policy must be integrated into the entity’s or body’s compliance or integrity system.”

• Confiscation of criminal proceeds: The Draft introduces new prerogatives aimed at facilitating the confiscation of assets derived from criminal conduct, with the stated objective of recovering the damage caused by such offenses.

WHAT DOES THIS MEAN IN PRACTICAL TERMS?

From a practical standpoint, companies will need to further reinforce their criminal compliance management systems, particularly in connection with activities involving corruption and the public sector.

This need is driven, on the one hand, by the authorities’ increased focus on detection and prosecution, supported by greater resources and extended investigation timeframes. On the other hand, the consequences of non‑compliance are significantly more severe, ranging from higher financial penalties to the mandatory imposition of disqualification measures.

Against this backdrop, early and proactive preparation will be essential to mitigating both legal and reputational risks in an increasingly demanding regulatory environment.

The post Draft Organic Law On Public Integrity: A Further Step In The Fight Against Corruption In Spain appeared first on Global Compliance News.

• A growing wave of lawsuits and regulatory actions alleging addictive use and physical harm has made companion chatbot safety a key concern.
• Chatbots of all kinds face a multifaceted compliance landscape, including privacy, cybersecurity, consumer protection, IP, AI transparency, content moderation, and industry-specific regulations.
• Developers and deployers of chatbots should be actively assessing, hardening, and documenting their systems and compliance measures now, before litigation or regulators force them to do so.

In depth

Companion models are a primary focus of recent litigation and lawmaking

Although the first wave of chatbot litigation focused heavily on IP issues, including disputes over training data, copyright and related rights, a newer set of cases and regulatory initiatives has shifted attention toward safety.

Chatbots that act like human companions are now a legal focal point because they sit at the intersection of human longing for connection, mental health, and real-world consequences. There are well-publicized instances of users turning to chatbots for a wide range of human needs and developing deep, intense feelings for AI systems. There are also reports of users engaging in self-harm, high-risk conduct, and suicide following chatbot interactions.

Plaintiffs who have filed suit typically combine product liability theories, including alleged design defects and failures to warn, with negligence claims asserting a duty to implement reasonable safeguards. Some add claims of wrongful death, infliction of emotional distress, and unjust enrichment. Litigation is not expected to abate anytime soon, as plaintiffs’ law firms are starting to advertise more prominently their AI suicide and self-harm practices.

Regulators and lawmakers are also involved. Kentucky’s Attorney General recently sued a well-known company in the AI companion space for allegedly failing to protect minors. And California and New York have both enacted companion chatbot laws.

California’s statute defines a “companion chatbot” broadly as an AI system with a natural language interface that provides adaptive, human-like responses to user inputs and can meet a user’s social needs. The definition includes a few exceptions related to customer service, business and professional tasks, video games, and speaker-and-voice-command interfaces. But the exceptions do not overlap substantially with the core definition of a companion chatbot. For example, an AI-based character in a video game could be a companion chatbot if it can meet a user’s social needs by maintaining discussions on topics unrelated to the video game.

California requires companion chatbot operators to provide clear and conspicuous disclosures that the bot is not human when a reasonable person might think they are interacting with a human; maintain, publish, and operationalize suicide- and self-harm-prevention protocols; and implement heightened safeguards for minors, including periodic “take a break” reminders. Beginning July 1, 2027, they must also submit annual reports to the Office of Suicide Prevention about the company’s suicide prevention protocols and how many times it referred users to a crisis service provider.

New York’s statute defines an “AI companion” as an AI system designed to simulate a sustained human or human-like relationship by retaining information from prior interactions, asking unprompted emotion-based questions, and sustaining an ongoing dialogue about matters personal to the user. The focus on the design and specific features of the systems makes New York’s definition of “companion” chatbots narrower than California’s. New York requires operators to implement protocols to detect and address suicidal ideation or self-harm, including referrals to crisis services, and to provide clear and periodic disclosures that users are not communicating with a human.

In sum, the ability of companion chatbots to engage users in emotionally intense interactions has made them a recent flashpoint for how courts and regulators approach risks of conversational AI.

Companion and non-companion chatbots implicate multiple regulatory frameworks

While early chatbot litigation has focused heavily on the safety of companion models, chatbots of all kinds implicate numerous legal issues. Below are examples of relevant legal considerations.

• Privacy: Some companies offer chatbots to assist with specific questions only, while others are more general purpose. That distinction matters because some US privacy laws require companies to use personal data only in ways consistent with users’ reasonable expectations, as shaped by the nature of the service and the company’s privacy notices. For instance, some consumers might not expect their interactions with a warranty bot to form the basis of cross-context behavioral advertising or surveillance pricing. Providing clear and complete disclosures about how chatbot inputs are used is one of many necessary compliance measures.
• Cybersecurity: Chatbots introduce new attack vectors because they are typically optimized for helpfulness and operate using probabilistic models. These features may be able to be exploited to reveal sensitive company information or bypass safeguards. For example, a malicious user may use carefully crafted prompts to extract internal system details, abuse backend integrations, or generate content that facilitates fraud or account takeover. This makes secure chatbot design, access controls, some level of human involvement, and abuse detection essential.
• Consumer protection: Companies need to ensure that their chatbots do what they are represented to do and do not mislead consumers about their capabilities, limitations, or the level of human versus AI involvement in the interaction. Companies should also be aware that erroneous chatbot outputs can create real-world obligations, such as by confabulating discounts or making up representations about products, services, or company policies. Companies must also guard against unlawful algorithmic discrimination (i.e., systems that result in disparate treatment or unjustified disparate impact on protected classes) and offer opt-outs from automated decisions as required under laws such as the California Consumer Protection Act.
• IP: Chatbot operators must navigate a maze of IP issues, including in relation to training data, user-generated content, model-generated content, and IP licensed from business partners. To date, disputes over training data have attracted the most scrutiny, but the IP rights of all stakeholders must be evaluated holistically. Managing these issues requires attention to training data provenance, precise and internally consistent IP clauses with users and business partners, and system controls to minimize the likelihood of IP-infringing conduct.
• AI transparency: Transparency takes various forms in the AI context. It can mean, for example, disclosing that AI is AI, as contemplated by California law if there is a risk of deception. It can also mean publicly disclosing details about a chatbot operator’s training data as California’s Training Data Transparency Act requires of publicly available genAI system developers. It might also encompass the detailed disclosures that frontier AI developers (i.e., developers of the most powerful AI models) must publish and submit to regulators under California’s Transparency in Frontier AI Act. Or it can mean complying with California’s AI Transparency Act, which will, as of August 2, 2026, require certain large generative AI providers to support detection tools and embed provenance markers identifying content as AI-generated. These examples make clear that AI transparency is not a single checkbox, but a layered set of design, disclosure and governance obligations that chatbot operators need to plan for early.
• Content moderation: Chatbots raise content issues that cut across platform safety, prohibitions against child sexual abuse material (CSAM) and other restricted content, and community expectations. Chatbot operators must think carefully about the type of content they want their systems to generate, while complying with mandatory legal regimes. For instance, the federal TAKE IT DOWN Act criminalizes the knowing distribution of nonconsensual intimate imagery, including AI-generated deepfakes, while the Texas Responsible AI Governance Act restricts AI systems that are designed to produce or simulate CSAM, deepfake sexual imagery, and other unlawful material. To comply, chatbot operators must implement content policies, technical filters, and reporting and takedown procedures.
• Industry-specific requirements: Chatbot operators in regulated industries must also be aware of specific regulations that apply to them. For example, Utah requires suppliers of “mental health chatbots” to make clear and conspicuous disclosures that users are interacting with AI, mandates the creation and filing of detailed governance policies, and imposes a number of privacy restrictions. California has also enacted several laws that govern the use of generative AI in the healthcare context, including a statute that applies to AI-generated patient communications, and a statute that applies to health care service plans, disability insurers and their third-party contractors, and licensed healthcare professionals.

Designing for compliance in a rapidly evolving chatbot landscape

As a practical first step, chatbot operators should assess whether their system is designed, or likely in practice, to function as a “companion” model, since that classification can materially change the legal obligations and risk profile. But regardless of where a chatbot falls on that spectrum, companies now face a dense and overlapping set of requirements spanning safety, privacy, cybersecurity, consumer protection, IP, transparency, content moderation, and industry-specific regulation.

The previous section outlined examples of specific compliance measures chatbot companies must take. Overall, however, developers and deployers must take a systematic approach to assessing risks, hardening systems, and documenting controls and decision-making. Waiting for litigation or regulators to dictate priorities is likely to be more costly and more disruptive than building compliance and governance into chatbot design from the outset.

The post United States: Navigating the Laws of Chatbots and AI Assistants appeared first on Global Compliance News.

On 27 January 2026 the Financial Conduct Authority (FCA) launched the Mills Review to examine the long-term impact of AI on financial services. Led by Sheldon Mills, this initiative invites industry feedback to help shape how AI might transform consumer experiences, market structures, and regulatory approaches in retail financial services. The call for input closes on 24 February, following which Mills will present recommendations to the FCA board in the summer, culminating in an external publication to foster informed debate.

In more detail

The Mills Review

The review focuses on four crucial areas:

1. AI technology evolution: By 2030, AI systems are expected to become more autonomous and adaptive, with agentic AI being more capable of independent decision-making and continuous learning. Furthermore, multimodal AI, which integrates text, speech, images and other data, could radically alter customer journeys and service delivery. The FCA is keen to understand how, at present, firms expect to use AI systems within their business, and their plans for how their use of AI will evolve.
2. Impact on markets and firms: AI is already generating efficiencies across core activities within financial services firms, and its influence is set to grow. As customers delegate decisions to AI, competition among financial services firms could potentially increase through the development of novel value propositions; however, new forms of market power may also emerge, for example if certain AI providers favour certain financial services firms. Financial services firms must adapt to maintain relevance and competitiveness. The FCA is keen to understand the potential impact on, among others, market structure and customer relationships, and to explore whether AI systems provide services functionally equivalent to regulated activities such as advice or intermediation while remaining outside the regulatory perimeter.
3. Consumer trends: Consumers may increasingly interact with financial services via AI interfaces, with expectations likely to shift towards highly personalised, automation-driven financial journeys alongside reduced tolerance for friction, poor value or opaque outcomes. While this has the potential to improve financial outcomes, it also raises concerns about reliance on unregulated advice, vulnerability to mis-selling, model bias or hallucination risks, and AI-driven fraud. The FCA is keen to hear views on both the opportunities and challenges this presents.
4. Regulatory approach: The FCA intends to remain an outcomes-focused regulator, leveraging existing frameworks such as the Consumer Duty and Senior Managers and Certification Regime (SMCR) to ensure flexibility and compliance. The regulator is seeking input on how the FCA can take advantage of the opportunities AI presents, but also, among others, on whether existing frameworks are suitable for the regulation of AI. For example, the FCA will assess how relevant senior managers under the SMCR can continue to discharge their responsibilities for the deployment and maintenance of AI systems, and whether Consumer Duty expectations should be revised to account for the impact of AI.

Key considerations for AI use in retail financial services

Use of AI to date

To date, AI has been deployed in the financial services sector for a variety of purposes, including assisting with creditworthiness assessments, enhancing customer due diligence and financial crime monitoring (such as fraud detection), and providing customer support interfaces such as online chatbots. Each of these use cases introduces unique risks, however, and requires a careful analysis of data protection issues. For example, AI-driven credit assessments can inadvertently perpetuate bias if historic data contains underlying prejudices. Similarly, AI chatbots may occasionally provide unclear or inaccurate responses, an issue that may be particularly acute for vulnerable customers. The FCA is aware of these risks, as highlighted by Sheldon Mills in his speech launching the review. As AI becomes more advanced and autonomous, these risks could increase.

There are also challenges for firms in applying their responsibilities and obligations under the SMCR to the adoption and use of AI, which may have resulted in a slower uptake than might otherwise have been the case. Given the FCA’s position that senior managers should maintain oversight of AI deployment, for example, the lack of “explainability” of many AI models could be seen to conflict with the SMCR’s requirement for senior managers to demonstrate they understand and control risks within their areas of responsibility.

The FCA’s evolving approach

At present, it appears that the FCA intends to maintain its current approach to regulating AI, refraining from introducing additional or bespoke regulations specifically for AI. Instead, the FCA will continue to leverage existing principles-based and outcomes-focused regulatory frameworks to guide firms’ adoption and use of AI, providing firms with a degree of flexibility in their approach to AI. However, this approach is not without challenges: the FCA’s supervisory approach has been reactive, leaving firms with little practical clarity and guidance on how to apply existing regulatory frameworks to their AI deployment, pushing the burden onto firms to take a position forward.

We may, nonetheless, see this approach evolve in the coming months, given the suggestion in a recent House of Commons Treasury Committee report (published a week before the launch of the Mills Review) that this lack of clarity from the FCA may have contributed to a chilling effect on AI adoption. In response, the Treasury Committee has recommended that the FCA should issue guidance on the application of its existing regulatory frameworks to AI usage, that HM Treasury should designate major AI and cloud providers as critical third parties under the Critical Third Parties Regime (giving the regulators greater supervisory control over those providers), and that the Bank of England and the FCA should conduct AI-specific stress testing. The Treasury Committee expects to see movement on the first two of those recommendations by the end of 2026.

Going forward

It is evident that AI will play an increasingly prominent role in financial services. In particular, well-designed and robust AI tools can drive efficiency and deliver cost savings, helping firms meet the Consumer Duty’s expectations around price and value. Nonetheless, firms must ensure that any AI tools or services they adopt are thoroughly evaluated against the FCA’s evolving regulatory expectations.

Firms that are especially reliant on AI, or that plan to increase their use of such technologies, should consider responding to the FCA’s Call for Input. The findings of the Mills Review will influence how the FCA interprets and applies regulatory requirements to AI tools and software, providing an opportunity for stakeholders to help shape the future regulatory landscape.

The post United Kingdom: FCA Launches Review on Future AI Approach appeared first on Global Compliance News.

In brief

The Australian Treasury (“Treasury“) is consulting on proposals to enhance the governance of registered managed investment schemes (MIS). Submissions close on 27 February 2026. To provide a submission, refer to this site.

Key takeaways

On 10 February 2026, the Treasury released the ‘Enhancing oversight and governance of managed investment schemes’ consultation paper (“Consultation Paper“). The Consultation Paper proposes to strengthen retail consumer protections and improve stability and confidence in the superannuation and financial services sectors, predominantly through strengthening governance and capital holding requirements for registered MISs.

The Consultation Paper also considers measures such as waiting periods for superannuation switches and constraints on inappropriate advice‑related fees.

Ultimately, the measures proposed in the Consultation Paper aim to prevent harm to retail consumers stemming from poor governance practices, whilst maintaining investor confidence in the Australian financial system.

In more detail

This comes after the collapse of two MISs, the Shield Master Fund (“Shield“) and the First Guardian Master Fund (“First Guardian“). Both Shield and First Guardian, and their alleged practices employed, have been the subject of ongoing investigations by the Australian Securities and Investments Commission (ASIC), and have intensified regulatory scrutiny and prompted consideration of reform options.

The predominant regulatory issue is the governance and oversight of MISs. The Treasury observes that aspects of the current framework may not adequately mitigate conflicts of interest or misconduct risks and this has contributed to consumers suffering losses. Whilst all investments carry risk, the cases of Shield, First Guardian and other MIS collapses have been characterised by financial misconduct, substantial governance shortcomings and conflicts of interest, rather than merely bad investment choices.

The collapses of various MISs, such as Shield and First Guardian, have placed increased pressure on the entire industry. This has placed increased pressure on the industry-funded Compensation Scheme of Last Resort, which is now set to be reformed by the Government to ensure its long-term sustainability.

Improving MIS governance

Proposal 1: Enhance the regulatory framework for compliance plans

Compliance Plan content

The Treasury presents concerns that current compliance plans contain high-level content which addresses minimum obligations, without detailed procedures for ensuring compliance. There is currently no express statutory requirement for compliance plans to be scheme‑specific, beyond general obligations of adequacy. The Treasury notes that this has, in some cases, resulted in the use of generic plans across multiple schemes, which may reduce their effectiveness.

The Treasury proposes introducing stricter compliance plan requirements, such as more detailed descriptions of the nature of the scheme and its investment strategy and outlining the management process of stricter risks. However, there is a risk that this may make the framework less flexible and increase regulatory burden across the industry.

Another proposal by the Treasury is to amend the liability framework to ensure liability attaches only to material contraventions of the compliance plan. The Treasury hopes that this will incentivise higher quality plans.

Compliance Plan audit

Currently, compliance plans are required to be audited annually by independent, registered company auditors, or audit firms. However, in assessing whether the responsible entity has complied with the scheme’s compliance plan, auditors are not required to meet any minimum qualitative standards under the Corporations Act. The Treasury notes concerns that this may contribute to compliance plan audits not providing the regulatory oversight expected. The Treasury has proposed that existing audit and assurance standards should be made mandatory for auditors of compliance plans.

Compliance committee

A compliance committee is required if less than half of the directors of a responsible entity are external directors. The compliance committee assesses whether a compliance plan is adequate, monitors the responsible entity’s compliance with the compliance plan, reports any breaches to the responsible entity, and where a responsible entity is not adequately dealing with reported breaches, reports such matters to ASIC.

While compliance committee members have duties to act honestly and exercise care and diligence, there are no legislative requirements addressing the qualifications and experience of compliance committee members. The Treasury has proposed that responsible entities should be required to notify ASIC of the appointment, removal or resignation of committee members. The Treasury notes that this will assist in supporting ASIC’s surveillance activities.

Proposal 2: Require majority of external directors on responsible entity boards

The Treasury proposes requiring responsible entities of registered MISs to implement a majority of external directors. The current option of alternatively having a compliance committee would be removed. The Treasury considers that this may promote more effective oversight through independent judgement and ‘detached’ supervision.

Proposal 3: Prohibit responsible entities of registered MISs from conducting related party transactions, with limited exceptions

Related party transactions, such as investing or lending to companies that are controlled by a member of the responsible entity’s board, or companies that are related bodies corporate of the responsible entity, are currently permitted following member approval, or where the benefit provided to related parties is provided on an arms’ length basis, or on terms less favourable to the related party.

The Treasury has proposed to restrict responsible entities of registered MISs from conducting related party transactions more generally. The Treasury has acknowledged that limited exceptions to such a related party transaction prohibition would be required in situations where there is a legitimate business need for the related party transaction (such as a retail scheme investing into a wholesale fund run by the same responsible entity) or where the investment manager of an MIS is a related party of the responsible entity. The Treasury has not otherwise provided any detailed insight as to the scope or conditions of any proposed exception.

Proposal 4: Amend the framework for setting financial requirements for responsible entitles

The Corporations Act prescribes certain requirements for Australian financial services licensees to hold adequate resources, including financial resources. Currently, ASIC has imposed a minimum cash requirement of AUD 150,000 and a minimum net tangible asset requirement of AUD 150,000 or AUD 10 million for responsible entities, pursuant to the ASIC Corporations (Financial Requirements for Responsible Entities, IDPS Operators and Corporate Directors of Retail CCIVs) Instrument 2023/647 (Instrument 2023/647).

The Treasury is seeking feedback on the framework under which ASIC sets the relevant MIS financial requirements and whether more specific financial resource requirements should be imposed on responsible entities, and if so, if this should be legislated, or imposed by way of regulation or ASIC’s powers. Separate to the consultation by Treasury, ASIC is expected to release a consultation paper on capital requirements for responsible entities, IDPS operators and Directors of Retail CCIVs in early 2026, including potential increases to NTA requirements.

Enhancing ASIC’s access to MIS data

Proposal 5: Increase ASIC’s data collection powers on the retail MIS sector

The Treasury is of the view that ASIC’s ability to perform its regulatory role for the MIS sector is impacted by the limited data which is available in relation to the retail MIS sector. Specifically, ASIC is only able to collect recurrent data on the retail MIS sector as the responsible entity holds most data regarding the retail MIS.

The Treasury proposes to increase ASIC’s data collection powers on the retail MIS sector. The Treasury is hopeful that allowing access to data on flows into and out of MISs, alerts on certain types of events and information about MIS type and complaints data, could enable more efficient and effective regulatory action. Potential data sharing between regulators could also reduce regulatory burden regarding the reporting of retail MISs, and streamline the overall process.

Enhancing ASIC’s visibility of superannuation switching

Proposal 6: Alerts to ASIC about superannuation switching

The Treasury notes that regulators consider that the process of superannuation members transferring their existing superannuation account from one fund to another could allow superannuation trustees access to data from which they may be able to identify suspicious or anomalous patterns of behaviour that may be indicators of misconduct.

The Treasury has proposed placing an obligation on superannuation trustees to report to ASIC any suspicious behaviours, which the trustee reasonably considers could place their membership at risk of significant detriment.

Conclusion

The Treasury is accepting responses to the Consultation Paper until 27 February 2026 on how to strengthen governance arrangements and oversight by ASIC. It is anticipated that ASIC may consult in early 2026 on potential changes to net tangible assets requirement for responsible entities of MISs.

* * * * *

William Fuggle, Consultant, and Archit Dhillon, Associate, have contributed to this legal update.

The post Australia: Treasury Moves to Strengthen MIS Governance Standards appeared first on Global Compliance News.

In brief

The Federal Court of Australia in Australian Securities and Investments Commission v FIIG Securities Limited [2026] FCA 92 has ordered FIIG Securities Limited (FIIG) to pay a penalty of AUD 2.5 million plus AUD 500,000 in costs in response to proceedings brought by the Australian Securities and Investment Commission (ASIC) in March 2025 for cyber security failures in breach of FIIG’s general Australian Financial Services Licence (AFSL) obligations between March 2019 and June 2023.

FIIG’s cyber security failures were found to have culminated in approximately 385GB of data being compromised in a cyber-attack beginning 19 May 2023, affecting approximately 18,000 FIIG clients.

This case marks the first time the Federal Court has imposed civil penalties for cyber security failures under the general AFSL obligations and highlights ASIC’s increased focus on cyber risk management and its “clear license-to-operate expectation for robust resilience”.

Key takeaways

Cyber security and cyber resilience are essential elements of an AFSL holder’s obligations. This case highlights that:

• ASIC has prescriptive and technical expectations for risk management systems and cyber security controls and is likely to take a detailed forensic approach to evaluate whether an AFSL holder’s risk management systems and cyber security controls are adequate and proportionate to its data sensitivity, scale and business risks, particularly in the wake of a cyber-attack that results in disclosure of client data;
• Businesses with an AFSL need to ensure that their risk management systems and cyber security measures adequately address cyber security risk, including by deploying adequate financial, technological and human resources to ensure adequate cyber security measures are in place;
• Failure to do so can result in non-compliance with AFSL obligations, ASIC proceedings and penalties;
• Adequate cyber security measures need to be proportionate to the nature of the business, extent and complexity of information held, the value of assets held, the magnitude and potential consequences of the cyber security risks and any contractual obligations the ASFL holder has to its clients; and
• Employees with responsibility for ensuring adequate cyber security measures are in place must be appropriately experienced and given sufficient time and resources to properly discharge their responsibilities.
  

In depth

Background

FIIG is an Australian fixed-income specialist and AFSL holder and is subject to various obligations under the Corporations Act 2001 (Cth) (“Act”) including the general AFSL obligations under section 912A(1) of Act. In providing financial services, FIIG collects and maintains extensive and detailed personal information about its clients. At the time of non-compliance, FIIG held between approximately AUD 2.99 – 3.7 billion in client assets under management. Given these factors, ASIC alleged that there was a real and foreseeable risk that FIIG would be the subject of an attempted or actual cyber-attack, yet failed to implement adequate controls. A cyber-attack in fact occurred from 19 March 2023 to 8 June 2023 and resulted in the theft and subsequent release of sensitive client data onto the dark web. FIIG was unaware of the event until the Australian Cyber Security Centre (ACSC) alerted FIIG on 2 June 2023.

ASIC’s cyber security and resilience expectations to meet general AFSL obligations

The proceedings illustrate ASIC’s detailed, technical and prescriptive expectations for risk management systems and cyber security controls (including vulnerability scanning and threat detection) and appropriate resourcing (including human resources) to meet general AFSL obligations under the Act, including to:

• Ensure financial services are provided efficiently, honestly and fairly (section 912A(1)(a));
• Have available adequate resources (including financial, technological and human resources) to provide the relevant financial services (section 912A(1)(d)); and
• Have adequate risk management systems (section 912A(1)(h)).

The table below summarises ASIC’s expectations coming out of this decision in relation to the risk management systems and controls that would have enabled FIIG to meet its general AFSL obligations under section 912A(1)(a), (d) and (h) of the Act and provides a useful point of reference for other AFSL holders (taking into consideration the relative nature of their business, extent and complexity of information held and the value of assets held).

Looking ahead: ASIC’s ongoing focus on cyber security enforcement

ASIC’s 2026 key issues outlook identifies cyber-attacks, data breaches and inadequate operational resilience and crisis management as harmful threats to market confidence and consumers that it will continue to focus on.

Regulators like ASIC will consider not just whether AFSL holders have risk management frameworks in place, but whether they are:

• Properly and consistently implemented by way of effective controls;
• Proportionate to nature of the business, sensitivity and extent of information and the value of assets held;
• Tested and reviewed on a regular basis;
• Adequately supported by personnel and financial resources; and
• Subject to appropriate governance and oversight.

In this environment it is particularly important for ASIC-regulated businesses and AFSL holders to ensure that cyber resilience is embedded into their licence compliance and governance frameworks, to be able to demonstrate that they have strong risk management measures in place and to test the robustness of these measures regularly and address any identified vulnerabilities to mitigate against the risk of a cyber-attack or data breach.

* * * * *

Vanessa Franco, Summer Clerk, has contributed to this legal update.

The post Australia: Landmark Penalty for Cyber Security Failures appeared first on Global Compliance News.

On 30 January 2026, the Securities Commission Malaysia (SC) provided clarity on the regulatory framework governing the offering of broking services for digital assets.

The SC has affirmed the position that Capital Markets Services Licence holders for dealing in securities and dealing in securities restricted to listed securities (collectively, “CMSL Holders“) are permitted to offer broking services in respect of digital assets that satisfy the prescribed criteria of “securities” under the Capital Markets and Services (Prescription of Securities) (Digital Currency and Digital Token) Order 2019. However, such CMSL Holders must comply with the applicable requirements and restrictions, including (among others) submitting a prior notification to the SC; submitting to the SC a declaration on the system and operational readiness of the CMSL Holder; and trading only in prescribed digital assets.

In more detail: Salient Requirements and Restrictions

The salient requirements and restrictions on CMSL Holders offering digital asset broking services include:

(i) Prior Notification and Declaration to the SC

A CMSL Holder intending to offer broking services for digital assets must notify the SC in advance and submit a declaration that is validated by a third party auditor registered with the Audit Oversight Board, confirming the readiness of the CMSL Holder’s systems and operations.

(ii) Restrictions on Trading in Digital Assets

A CMSL Holder is subject to the following restrictions:

(a) Digital assets must have obtained concurrence of the SC, and can only be sourced from a registered digital asset exchange; or an offshore digital asset trading platform or counterparty which is regulated in a jurisdiction that gives effect to the Financial Action Task Force recommendations for virtual asset service providers, and maintains risk‑based AML/CFT/CPF controls supervised by a competent authority

(b) All transactions with clients are conducted on a cash‑upfront basis

(c) It cannot provide margin or lending facilities to clients

(d) It must refrain from exercising discretionary authority over its client’s digital asset trading account.

(iii) Client Asset Protection

There are safeguarding requirements for purposes of client asset protection, and therefore CMSL Holders must maintain a segregation of client assets; ensure that the digital assets are held with a digital asset custodian and any income or benefits from the digital assets must accrue to the client.

Conclusion and next steps

With clearer regulatory parameters for CMSL Holders intending to offer digital asset broking services, industry players should undertake a thorough assessment of the applicable obligations and restrictions to ensure that their internal controls, custody arrangements, and trading protocols are fully aligned with the SC’s regulatory expectations prior to commencing such broking services, or opting to obtain a CMSL from the SC to do so.

*****

Eliza Chow and Raynice Chew, Associates, have contributed to this legal update.

The post Malaysia: Securities Commission Clarifies Requirements on Digital Asset Broking appeared first on Global Compliance News.

On 29 January 2026, the Korean National Assembly passed an amendment introducing statutory attorney-client privilege (ACP), granting attorneys and clients the right to protect confidential legal communications and related materials. The amendment is expected to meaningfully affect tax audits, investigations, and appeals by offering stronger protection against broad document requests and the use of privileged materials. Under the ACP regime, clients may freely discuss sensitive tax or regulatory matters with their tax lawyers while ensuring that these communications remain confidential and protected from seizure or disclosure, marking a significant shift in safeguarding taxpayers’ defense rights throughout investigative and judicial proceedings.

Background

Previously, the Korean legal system imposed a duty of confidentiality on attorneys regarding communications with their clients but did not grant them the corresponding right to protect such communications. Accordingly, during state investigations, audits, and litigation processes, concerns had been continuously raised that the constitutional right to effective assistance of counsel was not being properly upheld.

Against this backdrop, on 29 January 2026, the National Assembly passed an amendment to the Attorney‑at‑Law Act (“Act”), thereby establishing the legal basis for formally recognizing ACP as a statutory right. The amendment will undergo subsequent legislative procedures, including deliberation by the State Council and approval by the President, before being promulgated, and is scheduled to take effect one year after its promulgation.

Key provisions of the amended Act

The amendment introduces a new Article 26‑2 immediately after the existing Article 26 of the Act, which currently sets forth attorneys’ duty of confidentiality. Under this newly established provision, attorneys and their clients, or individuals seeking to become clients, are granted (1) the right not to disclose to third parties any communications exchanged for the purpose of providing or receiving legal representation or legal services, and (2) the right not to disclose any documents or materials, including those created or maintained in electronic form, that are prepared in connection with litigation, investigations, or inquiries relating to matters they have been engaged to handle.

However, the newly added provision allows exceptions to the application of ACP in certain circumstances, including where (a) the client provides explicit consent, (b) there is a conflict with significant public interest (e.g., where an attorney is involved in a client’s illegal activities, or where a client uses legal advice to commit a crime), (c) disclosure is necessary for an attorney to exercise or defend their rights in a dispute with a client, or (d) a separate statute expressly provides otherwise.

The relevant addendum of the Act stipulates that the amendment will take effect one year after its promulgation. Notwithstanding this general rule, it further provides that the newly established Article 26‑2 shall also apply to communications or materials exchanged prior to the effective date of the Act, thereby leaving open the possibility of retroactive application.

What this means for tax audits and appeals

The introduction of ACP is expected to significantly affect tax audits, investigations, and subsequent administrative and judicial appeals. Under the ACP regime, clients may freely discuss sensitive tax or regulatory matters with their tax lawyers while ensuring that these communications remain confidential and protected from seizure or disclosure.

Typically, taxpayers are often required to provide vast amounts of documents and explanations during tax audits. In particular, during dawn-raids or forensic type investigations, communications with counsel such as emails, legal opinions, and memoranda were often collected without limitation and used throughout the audit and appeals process. With the amendment formally codifying ACP, taxpayers are now expected to have an additional line of defense against excessive or overbroad document requests or collection efforts by the tax authorities, as well as against the use of privileged materials in subsequent appeals proceedings.

The ACP is further expected to function as an important safeguard to protect taxpayers’ right to defense and to ensure procedural fairness in investigative and judicial proceedings, especially for tax offense cases where tax officials are vested with search and seizure powers and the authority to conduct witness interviews similar to investigative agencies.

That said, the exact scope of ACP application remains to be seen, as the amendment does not provide detailed guidance regarding its specific scope or legal effect. In particular, the amendment does not clearly prescribe the legal consequences or available remedies in the event of a violation of ACP and also expressly lists “where a separate statue expressly stipulates otherwise” as an exception to its application. Accordingly, further legislative refinement or judicial interpretation will be needed as the framework continues to develop.

*****

Seonhye Kim, Yeo Joon Yun and Jisoo Bae, Associates, have contributed to this legal update.

The post South Korea: Introduction of Attorney-Client Privilege appeared first on Global Compliance News.

On 4 February 2024, the Financial Services and Markets Act 2000 (Cryptoassets) Regulations 2026 (“Cryptoassets Regulations”) were made, establishing a comprehensive regulatory framework for cryptoassets in the UK. Under this new regime, cryptoasset firms falling within scope will be subject to regulatory requirements, including, where relevant, authorisation by the FCA. The Cryptoassets Regulations define the categories of cryptoassets and activities subject to regulation, expand the scope of the financial promotions regime to align with the new regulated activities, and make provision for rules relating to market abuse and public offers. The new regime will take effect on 25 October 2027, with the authorisation gateway opening in September 2026. UK cryptoasset firms should review their current and planned activities to determine if they fall within the scope of the new regime, and those seeking authorisation should start engaging with the process now to ensure they are prepared to move quickly once the gateway opens.

In depth

Cryptoassets and regulated activities

The Cryptoassets Regulations define the categories of cryptoassets that will be subject to regulation, namely: qualifying cryptoassets, qualifying stablecoins, and specified investment cryptoassets (e.g., tokenised versions of existing specified investments) (“SICs”). Importantly, the Regulations also amend the Electronic Money Regulations 2011 to clarify that e-money excludes stablecoins, such that a thing is only one or the other. The Cryptoassets Regulations also introduce a range of regulated activities, including issuing qualifying stablecoins, safeguarding qualifying cryptoassets and SICs, operating trading platforms, dealing and arranging activities, and qualifying cryptoasset staking, with certain exemptions applying to specific activities.

Importantly, the regime has a wide territorial scope, particularly in comparison to the regime applying to traditional finance activities. A firm involved in the sale or subscription of a qualifying cryptoasset to or by a UK consumer must obtain authorisation, even if that firm is based overseas. However, if a UK authorised trading platform or dealer acting as principal intermediates between the firm and the UK consumer, the overseas firm is not required to be authorised in the UK. Overseas firms serving only institutional investors may also be exempt from authorisation, provided those investors are not acting as intermediaries to UK consumers. Notably, the territorial scope for issuing qualifying stablecoin is tighter: a firm undertaking the issuance activity from a UK establishment, or arranging for the stablecoin to be issued in the UK, will need to become authorised, but outside of this stablecoins issued overseas will generally be treated in line with other qualifying cryptoassets under the regime for public offers and admissions (as explained below).

Financial promotions

The Cryptoassets Regulations further expand the financial promotions regime to include the new cryptoasset regulated activities. This is achieved by: (i) aligning the definition of “qualifying cryptoassets” under the financial promotions regime with that under the regulated activities regime; and (ii) extending the scope of the regime’s controlled activities to cover safeguarding qualifying cryptoassets and SICs, operating qualifying cryptoasset trading platforms, and qualifying cryptoasset staking (unless such staking constitutes the controlled activity of arranging deals). Additionally, firms registered with the FCA for cryptoasset business under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (“MLRs”) registration regime will no longer be permitted to approve their own financial promotions – firms that are authorised with permission to undertake the new regulated cryptoasset activities will be able to approve their own financial promotions once the new regime takes effect.

Market abuse, public offers and admissions to trading

The instrument also introduces designated activities regimes relating to (i) market abuse as well as (ii) public offers and admissions to trading). Under these regimes, the FCA will regulate certain activities, but firms themselves will not need to be authorised. For market abuse, the framework prohibits insider dealing and market manipulation for certain cryptoassets, establishes obligations relating to the public disclosure of inside information, and includes requirements for related systems and controls. The public offers and admissions to trading regime prohibits any person from making a public offer of a qualifying cryptoasset in the UK unless the offer falls within a specified exception (listed in Schedule 1 to the Cryptoassets Regulations), and empowers the FCA to make rules about public offers, admissions to trading and related disclosure requirements.

The authorisations gateway

The Cryptoassets Regulations are not yet in force; the new regime will take effect on 25 October 2027. The FCA has announced that the application period for authorisation will open on 30 September 2026 and close on 28 February 2027, with the FCA expecting to determine applications submitted during this period before the regime takes effect. Existing firms registered under the MLRs must apply for authorisation, while those with Part 4A permission wishing to carry out regulated cryptoasset business will need to apply for a variation of permission; applications assessed in the order received, with no priority given to existing MLRs-registered or authorised firms. A firm applying for authorisation during the application period will be able to continue to provide cryptoasset services until its application has been finally determined (via a savings provision in the Cryptoassets Regulations). The savings provision also covers the applicant firm’s overseas group members for the purposes of the relevant cryptoasset activity to which the application relates.

While the authorisations gateway will remain open after the application period closes, a firm applying for authorisation outside the application period will not be able to avail itself of the savings provision if it is not authorised at the point the new regime goes live. Instead, the firm will enter the transitional provision set out in the Cryptoassets Regulations. While in the transitional provision, the firm will only be able to conduct the new regulated cryptoasset activities to the extent necessary for the performance of a preexisting contract entered into before the firm entered the transitional provision. It will not be able to enter into new contracts with existing or new UK customers.

Under certain circumstances, the FCA may direct that firm operating via the savings provision should instead enter the transitional provision.

Next steps for cryptoasset firms

UK cryptoasset firms should review their current and planned activities to determine if they fall within scope of the new regime. We recommend that firms seeking authorisation start preparing their application packs early, given the limited time available before the application period opens and the extensive information typically required (such as details about the firm, individuals needing FCA approval under the Senior Managers Regime, compliance plans, business plans, and financial forecasts). Firms should be thinking about:

• Capital structure and liquidity management
• Key individuals that will undertake senior management roles under the Senior Managers Regime (particularly the CEO, money laundering reporting officer, head of compliance etc.)
• Funding sources
• Safeguarding arrangements
• Business plans

Existing MLRs-registered or authorised firms should expect supervisory contact from the FCA in relation to their plans for authorisation under the new regime.

The FCA intends to publish downloadable application forms in July 2026 ahead of the application period opening; although these forms are not yet available, firms can get ahead by identifying and organising the necessary data to streamline the application process once the application period opens. It is also very important that firms engage with the FCA’s numerous ongoing consultations relating to the new regime; although the FCA expects that it will have final rules and policy in place before the application period opens, this timing is not guaranteed and therefore firms should not wait for publication of these final rules before preparing to comply with the new regime.

The post United Kingdom: New Cryptoassets Regime Published appeared first on Global Compliance News.

On 9 February 2026, the European Commission adopted new measures under the Ecodesign for Sustainable Products Regulation (ESPR), covering two key areas:

• The available derogations for the ban on destroying unsold clothing, accessories, and footwear.
• The disclosure requirements on unsold consumer goods, which are already in force for large companies and will extend to medium sized companies in 2030.

Background

The ESPR, in force since 19 July 2024, was introduced to address significant environmental issues associated with the disposal of unsold consumer goods. Alongside establishing a framework for setting ecodesign requirements, the ESPR establishes two key measures aimed at preventing the destruction of unsold consumer products:

• It requires certain companies to publish annual information on the unsold consumer products they place on the EU market and subsequently discard. This disclosure requirement already applies to large companies from the first full financial year following the ESPR’s entry into force (18 July 2024), and will extend to medium sized companies from 19 July 2030.
• It prohibits the destruction of certain types of unsold consumer goods, including unsold apparel, clothing accessories and footwear. This prohibition will come into effect on 19 July 2026 for large companies.

Key takeaways

To support implementation of the ESPR, the European Commission adopted two key measures on 9 February 2026:

• An implementing act setting out the standardized disclosure requirements (“Disclosures Implementing Act”); and
• A delegated regulation specifying exceptions to the destruction prohibition (“Derogation Regulation”).

Disclosures Implementing Act

Under the Disclosures Implementing Act, companies will need to adhere to a standardized reporting format, included in the Annex of the Act, for disclosing discarded unsold consumer goods. This includes disclosing, for each product category:

• The relevant combined nomenclature (CN) code;
• The number and weight of product units discarded, including information on packing weight;
• The reason for discarding the products;
• The proportion of products which undergo preparation for reuse, recycling, other recovery, and disposal; and
• Measures taken and planned to prevent the destruction of unsold consumer goods.

The Disclosures Implementing Act will apply to products discarded in each financial year starting from the first full financial year after its own date of application (which the Commission has confirmed will be February 2027), giving companies additional time to adapt to the detailed reporting format. Large companies in scope will already have started reporting this information — and must continue to do so, transitioning to the standardized reporting format under the Implementing Act from February 2027.

The Derogation Regulation

The Derogation Regulation outlines specific circumstances under which the destruction of unsold apparel, clothing accessories and footwear will be permitted. At a high level, these include where a product:

• Is “dangerous” within the meaning of the General Product Safety Regulation 2023/988;
• Is “unfit for purpose” because it is non-compliant with EU law and destruction is required by law or is the appropriate and proportionate corrective action;
• Infringes intellectual property rights;
• Is subject to a valid and enforceable licence restricting the sale or distribution of the product after a specified time period;
• Is unacceptable for consumer use due to damage, including physical damage, deterioration or contamination, including hygiene issues; or
• Was offered for donation to at least three social economy entities within the EU or on an easily accessible page of the entity’s website for at least eight weeks without being accepted for donation.

The Derogation Regulation additionally sets out stringent requirements in respect of the documentation required for verification of compliance with the above derogations.

Looking ahead

The ban on the destruction of unsold consumer products will apply to large companies from 19 July 2026, and to medium sized companies from July 2030. The ESPR disclosure obligations already apply to large companies and will extend to medium sized companies in 2030. These new measures adopted by the Commission provide businesses with certainty around requirements and obligations.

Failure to comply with the ESPR requirements may expose companies to penalties under the ESPR, which — although determined at Member State level — must be effective, proportionate, and dissuasive. Beyond these penalties, businesses should also be aware of the significant reputational risks associated with non‑compliance, given the high‑profile nature of the legislation and the public scrutiny on the environmental issues it seeks to address.

For more information, please contact our team of experts.

The post European Union: European Commission Adopts New ESPR Measures appeared first on Global Compliance News.

The Employment Rights Act 2025 (ERA 2025) finally received Royal Assent and became law on 18 December 2025. It represents what the government has described as “the biggest upgrade of workers’ rights in a generation” and includes a raft of changes to the current industrial relations framework.

This article, published in International Employment Lawyer on 20 January 2026, covers a number of the key changes, some of which will apply from as early as February 2026.

In depth

Increasing trade union rights

The Department for Business and Trade reported in May this year that the proportion of UK employees who are trade union members (22% in 2024) is the lowest on record. The government is introducing two changes which may well turn the tide on dwindling union membership rates.

The most material change for many organisations is the new right of access. Under the new rules, unions will be able to request an “access agreement” granting union officials access to an employer’s workforce. Access means both physical entry to the workplace and digital access to workers.

Union officers will be allowed to request access to meet, support, represent, recruit or organise workers, and to facilitate collective bargaining, but not to organise industrial action. If an employer fails to respond to a union’s request for access, or negotiations on an access agreement are unsuccessful, unions may apply to the Central Arbitration Committee (CAC) for a determination.

The government consultation on these changes closed in December 2025, and we are expecting the new rules to come into effect in October 2026. To manage limited resources, unions will need to decide where to focus their attention, which may well include industries or large employers which have not traditionally had much union engagement.

Employers will have to provide workers with a written statement informing them of the right to join a union at the start of their employment and at other prescribed times. We are waiting for secondary legislation to confirm the content and form of the statement, and how frequently and in what manner it should be provided. These points formed part of the government consultation which closed in December 2025. It is expected that this will apply with effect from October 2026.

Simplifying the industrial action process

Under current rules, before taking industrial action: (i) at least 50% of all eligible union members must turn out to vote, (ii) a majority of union members who vote must vote in favour, and (iii) in ballots of “important public services” workers, at least 40% of all union eligible members must vote in favour.

From 18 February 2026, the 40% support requirement for important public service workers will be removed. It is expected that the 50% turnout requirement will be removed in April 2026 along with the introduction of electronic balloting. At that point, it will just leave the requirement that a majority of union members who vote must vote in favour of industrial action for it to be lawful, thereby lowering the bar.

Electronic balloting will likely be introduced in April 2026. This is long-awaited for many who consider the current rules on statutory union ballots (which require postal balloting or, in limited cases, workplace balloting) to be outdated. The government consultation on a proposed code of practice on electronic and workplace balloting is open until 28 January 2026.

Also, with effect from 18 February 2026:

• Unions with a mandate for industrial action will need to provide the employer with 10 days’ notice of such action (down from the current 14 days);
• Notices no longer need to include the number of employees in each category that are expected to take part in the action; and
• The mandate for industrial action will automatically expire 12 months after the date of the ballot (up from the current six or nine months with union and employer agreement).

ERA 2025 also gives workers stronger protections against being dismissed or being subjected to detriment for taking part in industrial action.

Simplifying the statutory recognition process

ERA 2025 relaxes the statutory process that unions need to follow to be recognised by employers for collective bargaining purposes. It’s possible that this could lead to more employers receiving statutory recognition requests. The government intended to consult on these proposals in autumn 2025, with new provisions coming into force in April 2026, but we are still waiting for the consultation to be published.

Under current rules, before accepting a union’s application for recognition, the CAC must be satisfied that at least 10% of workers in the bargaining unit are union members. ERA 2025 provides for regulations (not yet published) to amend this threshold to anything between 2% and 10%. In addition, the requirement for the CAC to be satisfied that the majority of workers in the bargaining unit would likely support the union conducting collective bargaining on their behalf will be removed.

The requirement at the ballot stage for at least 40% of workers in the bargaining unit to vote in favour of recognition will also be removed. That will just leave the requirement that a majority of union members who vote must vote in favour of recognition for the union to achieve recognition, a much lower threshold than operates today.

There are also proposed changes to the recognition process itself. If an employer rejects a union’s request for recognition or fails to respond to a request, the union may apply to the CAC for an order for recognition.

ERA 2025 will require employers to provide information about the workers in a bargaining unit within five working days of being notified by the CAC about a trade union’s application for recognition. To meet this short deadline, employers will need to be organised with lists of the names, dates of births, and worker category of each worker in the relevant bargaining unit.

If the CAC accepts a union’s request for recognition and notifies the parties of the need for a recognition ballot, there will be a new 20-working day window for the parties to agree on arrangements for the union to access workers of the bargaining unit. The CAC will have powers to adjudicate on those arrangements. This is likely to reduce what can currently be a lengthy negotiation period before a ballot takes place.

ERA 2025 also cracks down on unfair practices conducted with a view to influencing the outcome of a recognition application taken by either the employer or the union. This includes:

• An extension of the period in which unfair practices are prohibited;
• A block on employers increasing the number of employees in a proposed bargaining unit to dilute the level of trade union membership; and
• An extension of the time limit for bringing a complaint of unfair practice during the balloting process, so that complaints must be brought within five working days of the end of the ballot (rather than the current “before the first working day after the closure of the recognition ballot”).

There is also a new provision that will allow a statutory recognition application to continue even if the employer subsequently enters into a voluntary agreement with a non-independent “sweetheart” union after the statutory recognition application commenced.

What should employers do?

The changes introduced by ERA 2025 mark a real shift in the industrial relations landscape. As a result, employees are more likely to be aware of trade unions and their role, and employers are more likely to have to engage with union requests for access and potentially recognition, including in industries which have not been highly unionised historically.

Employers should review their existing union relationships and industrial relations strategy. Employers should also inform internal stakeholders of their rights and obligations in the event of requests from unions and keep a close eye on how the right of access, in particular, develops.

The post United Kingdom: Employment Rights Act 2025 — Time for Collective Action? appeared first on Global Compliance News.

The Employment Rights Bill was approved and finalised on 18 December 2025, after many rounds of parliamentary “ping pong”, becoming the Employment Rights Act (ERA) 2025. Its final form is substantively very similar to previous versions, with one important exception: the retention of a qualifying period for unfair dismissal rights (albeit reduced from two years to six months) and the removal of any cap on unfair dismissal compensation.

Although we now have a finalised ERA 2025, many key areas of detail are subject to consultations and further regulations. This article summarises the Act’s key provisions, the areas of outstanding detail, anticipated timelines (as set out in the government’s updated timeline on 4 February 2026), and what organisations could or should be doing now to prepare.

Download the full version of United Kingdom: Employment Rights Act 2025 Update – Summary and Next Steps.

The post United Kingdom: Employment Rights Act 2025 Update – Summary and Next Steps appeared first on Global Compliance News.

Regulatory Requirements

European Union

Technology-related developments

AI Regulation

The AI Act is now in force. However, the provisions of the AI Act do not yet apply (with many not coming into force until August 2026 – see below). In the meantime, the European Commission is encouraging companies to sign voluntary pledges in connection with the AI Act. 

Learn More

AI Liability Directive

The European Commission (EC) proposed an AI Liability Directive (“AILD”) on adapting non-contractual civil liability rules to artificial intelligence (AI), with the aim of helping to promote trust in AI. This seeks to address challenges faced by victims of AI-related damage to make claims and receive compensation.

Learn More

Digital Services Act

The aim of the Digital Services Act (EU Regulation 2022 / 2065) (“DSA”) is to facilitate innovation and competition to ensure the development of innovative cross-border digital services, while at the same time maintaining a safe online environment by seeking to balance the responsibilities of users, platforms, and public authorities.

Learn More

Reform of existing legislation

Toy Safety Directive / Regulation

The Toy Safety Directive (“TSD”) is intended to provide a common standard for the safety of toys throughout the whole of the EEA, and outlines various provisions that toy products must comply with (including, mechanical and physical safety, flammability, and, in particular, limits for chemical substances in the accessible parts of toys).

Learn More

Machinery Regulation

In July 2023, a new regulation on machinery products (the “Machinery Regulation” (Regulation 2023 /1230)) came into force, updating the Machinery Directive 2006 / 42 / EC (the “2006 Directive”).

Learn More

The Blue Guide

The latest version of the Blue Guide was published in June 2022 and is available online. The Blue Guide is an important tool for authorities and economic operators subject to EU product compliance laws. Although it is not binding, the Blue Guide is a very useful reference guide to areas of UK product legislation that remain aligned with the EU in the post-Brexit era.

Learn More

Sustainability / Green Deal / Circular Economy

Green Deal and Circular Economy

The European Green Deal, launched in 2019, is the European Union’s flagship decarbonisation strategy. The Green Deal sets the target of a carbon-neutral Europe by 2050 (i.e., “net-zero”). To help achieve this aim, EU Member States have pledged to reduce emissions by at least 55% by 2030, compared to 1990 levels.

Learn More

Deforestation Regulation

On 31 May 2023, the new EU Regulation aimed at tackling deforestation and forest degradation (2023/1115/EU) (the “Deforestation Regulation”) was published in the Official Journal. The new Regulation requires companies to undertake due diligence into the source of a wide range of commodities, including cattle, cocoa, coffee, palm oil, rubber, soya, and wood, to ensure that they have not been obtained as a result of deforestation.

Learn More

Sustainable Batteries Regulation

On 17 August 2023, Regulation (EU) 2023/1542 concerning batteries and waste batteries (the “Batteries Regulation”) entered into force. The new Regulation repeals and replaces the existing Batteries Directive (2006/66/EC) and seeks to make all batteries placed on the EU market more durable, safe, sustainable, and efficient by introducing new mandatory design, content, and conformity assessment requirements.

Learn More

Packaging and Packaging Waste Regulation

On 4 March 2024 the Council of the European Union and the European Parliament reached a provisional political agreement on the new Packaging and Packaging Waste Regulation (the “Regulation”), which will replace the current Packaging and Packaging Waste Directive 94/62/EC. The Regulation aims to reduce packaging waste and introduces a range of sustainability measures including a requirement for all packaging to be recyclable by 2030.

Learn More

Ecodesign for Sustainable Products Regulation

Following its promise to deliver more environmental sustainability and circularity in its European Green Deal, on 30 March 2022 the European Commission published an expansive package of proposals aimed at making sustainable products the norm in the EU. A key element of the package is the Ecodesign for Sustainable Products Regulation (“ESPR”).

Learn More

Germany

Sustainability / Green Deal / Circular Economy

Plastic carrier bag ban

In 2016, the German Federal Ministry of Environment and the German retail industry agreed on voluntary measures to reduce the use of plastic carrier bags. However, upon evaluation of the success of such voluntary action by the industry, the Government came to the opinion that such voluntary measures had not proven to be successful.

Learn More

Single-Use Plastic Levy

In early 2023, the German legislature adopted the “Single-Use Plastic Fund Act” (in German: Einwegkunststofffondsgesetz, “EWKFondsG”). This new law requires manufacturers of specific single-use plastic products to cover the costs of waste collection, cleaning up litter resulting from those products and the subsequent transport and treatment of such litter.

Learn More

United Kingdom

Technology-related developments

Product Safety and Communications

The economic loss resulting from cyber attacks is estimated at over £1 billion per year (see the Explanatory Notes to the Product Security and Telecommunications Infrastructure Act 2022 (the “Act”).

Learn More

Reform of existing legislation

UKCA Marking

The UKCA mark is the United Kingdom’s (UK) new conformity mark for certain types of products placed on the Great Britain (England, Scotland, and Wales) market. It can generally be used on products subject to CE marking for the European Union (EU) market, such as toys, electrical goods, machinery, and PPE, as well as aerosol products which previously required the reversed epsilon marking.

Learn More

Sustainability / Green Deal / Circular Economy

Deforestation Regulation

In November 2020, the Department for Environment, Food & Rural Affairs (“DEFRA”) introduced the Forest Risk Commodities (“FRC”) due diligence regime under the Environment Act 2021 with the aim of tackling deforestation associated with products sold in the UK.

Learn More

Plastic Packaging Tax

The UK Plastic Packaging Tax (“PPT”) came into force on 1 April 2022. The PPT was introduced in the Finance Act 2021 with the Plastic Packaging Tax (General) Regulations 2022 setting out the specific requirements for the regime.

Learn More

Product Liability

European Union

Reform of existing legislation

Product Liability Reform

The EU Product Liability Directive established a strict (no fault) liability regime for defective products. Since then, technology has developed rapidly but the law has not kept pace.

Learn More

Collective Redress / Class Action

The Representative Actions Directive introduced rules allowing organizations and public bodies to seek redress on behalf of groups of consumers through representative actions.

Learn More

United Kingdom

Reform of existing legislation

UK Product Liability Reform

Product safety and regulatory reform is beginning to take shape in the UK. The Product Regulation and Metrology Bill is making its way through the legislative process.

Learn More

Market Surveillance & General Product Safety

European Union

Technology-related developments

Market Surveillance Regulation

The Market Surveillance Regulation aims to improve and modernise market surveillance of almost all non-food products in the EU by providing an efficient and harmonised approach to the implementation of EU regulations and directives.

Learn More

Reform of existing legislation

General Product Safety Regulation

The new GPSR looks set to be one of the most significant updates to the EU’s product regulatory landscape in modern history – making substantial amendments to the GPSD, which has been in force for more than two decades.

Learn More

United Kingdom

Reform of existing legislation

OPSS

Product safety and regulatory reform is beginning to take shape in the UK. The Product Regulation and Metrology Bill is making its way through the legislative process.

Learn More

The post Product Risk Radar appeared first on Global Compliance News.

Recent regulatory developments underscore the growing scrutiny of professional uses of generative AI. On 13 January 2026, the Spanish Data Protection Authority (“Spanish DPA”) issued a formal notice warning of the legal and privacy risks involved in uploading, transforming or generating images of individuals through AI tools. At the same time, the European Commission has published the first draft of its voluntary Code of Practice on Transparency of AI-Generated Content (“Code”). While adherence to the Code is optional, it is intended to support providers in meeting the mandatory transparency obligations set out in Article 50 of the AI Act, which will apply from August 2026 to providers and deployers of AI systems. These developments reinforce the need for robust safeguards, internal controls, and transparent labelling when deploying generative AI.

Key takeaways

What companies need to consider now:

• Treat any upload or use of someone’s image in an AI tool as handling personal data and put basic safeguards in place.
• Before creating or sharing AI‑generated content — even internally — check whether it could trigger risks beyond data protection, such as reputational issues, copyright misuse or misuse of someone’s likeness.
• Prepare for the AI Act’s transparency rules arriving in August 2026, including clear labelling of any content changed or created by AI.

In more detail

Spanish DPA guidance on AI and images

The notice issued by the Spanish DPA on 13 January 2026 provides its clearest position to date on the risks associated with using third party images in generative AI tools. It confirms that uploading, transforming, or generating visual content based on a person’s image constitutes personal data processing, even where the output is not intended to be shared or appears innocuous. This represents an explicit acknowledgement that simply feeding an image into an AI system already triggers General Data Protection Regulation (GDPR) obligations.

The Spanish DPA identifies two main categories of risks:

1. Visible risks which arise when the generated image or video is shared. These include:
   • Using images outside of their original context without a valid legal basis;
   • The ease of forwarding or distributing content;
   • The practical impossibility of removing replicated copies;
   • The creation of intimate or compromising deepfakes with potentially severe consequences; and
   • The risk of falsely attributing behaviors or actions to individuals.
2. Less visible risks which arise even when the content is not shared. These include:
   • Loss of control when external providers process the images;
   • The potential existence of unremovable copies;
   • Additional or undisclosed processing by providers;
   • The generation of metadata enabling re-identification; and
   • The practical difficulty for data subjects to exercise their rights.

Overall, the notice establishes a clear and more stringent framework: the use of images in AI systems must be treated as processing of personal data and must be accompanied by appropriate safeguards.

EU draft good practices code for transparency of AI-generated content

• In parallel, the European Commission has issued its first draft of a voluntary Code of Practice on Transparency of AI-Generated Content (“Code”), intended to help organizations anticipate compliance with the transparency obligations under Article 50 of the AI Act. The final version is expected in June 2026, with mandatory transparency requirements applying to providers and deployers of AI systems from August 2026.
• The Code introduces a two-tier classification system: (i) fully AI-generated content and (ii) AI-assisted content, where AI substantially influences the final output. Each category must be accompanied by clear labelling using a common icon. Until the official EU icon is adopted, an interim icon to support consistent disclosure composed of a two-letter acronym referring to artificial intelligence (such as “AI”, “IA” or “KI” reflecting the translation into the languages of the Member States) may be used.

The Code also sets out sector- and format-specific rules, especially for deepfakes. For instance, real-time deepfake videos must display a continuous on-screen indicator and an initial notice, while non-real-time videos may use individual or combined options such as fixed icons, opening notices or credits-based disclosures, as detailed in the Code.

Deployers choosing to adhere to the Code must also implement robust internal mechanisms, including documentation of labelling practices, staff training on when and how to apply disclosures, continuous monitoring procedures, and a channel for reporting mislabeling. Any reported inaccuracies must be corrected promptly.

This structure is intended to support a consistent and transparent approach to AI-generated content before the AI Act’s obligations become enforceable.

Broader legal considerations

The Spanish DPA’s notice and the Code highlight that the implications of generative AI extend far beyond data protection. The manipulation or use of third-party images, voices or other content may also impact rights such as honor, privacy, and one’s own image. In addition, generative AI can give rise to significant questions around copyright, design rights, trademarks and other intellectual property rights linked to the source materials or the generated outputs.

A holistic, cross cutting legal assessment is therefore essential before implementing or using any generative AI tool. Organizations should ensure adequate employee training, adopt clear internal safeguards, and mitigate risks emerging from both the use of third-party content and engagement with external AI providers. This broader legal lens is critical to ensuring responsible deployment of generative AI technologies.

For tailored guidance on these regulatory developments and to assess your organization’s exposure and compliance needs, please contact our IPTech team.

Related content

• Spanish DPA Notice on Image Use and Generative AI (January 2026)
• First Draft Code of Practice on Transparency of AI-Generated Content (December 2025)

Marta Expósito, Associate, has contributed to this legal update.

The post Spain: Spanish DPA on AI Images and New EU Code appeared first on Global Compliance News.

The New York LLC Transparency Act (“Act“) became effective as of January 1, 2026. Although there was previously uncertainty regarding the definition of a “reporting company” under the Act, on December 31, 2025, the New York Department of State (NYDOS) confirmed that the Act is only applicable to limited liability companies (LLCs) formed outside the US that are authorized to do business in New York State. With this confirmation, the Act now requires non-US LLCs that were authorized to do business in New York State prior to January 1, 2026, to file either a beneficial ownership disclosure or, if applicable, an attestation of exemption by December 31, 2026. Non-US LLCs formed and authorized to do business on or after January 1, 2026, are now required to file an initial beneficial ownership disclosure statement or attestation of exemption within 30 days of filing their application for authority to do business in New York State to the NYDOS.

In more detail

Prior to the issuance of clarifying guidance, there was significant uncertainty under the Act regarding what companies qualify as a “reporting company”. Several key provisions of the Act rely on definitions tied to the federal Corporate Transparency Act (CTA), which was enacted in 2021. In particular, the definitions of “beneficial owner,” “reporting company,” “exempt company,” and “applicant” adopted the terms in the CTA. For more detail on the definitions of these terms, please refer to our March 2024 client alert entitled “Corporate Transparency Act – Three Months In.”

When the Act was signed into law by New York Governor Hochul in 2023, the CTA’s definition of a “reporting company” broadly included both US and foreign entities formed or registered through a filing with a secretary of state, subject to certain exemptions. However, on March 21, 2025, the Financial Crimes Enforcement Network (FinCEN) narrowed the beneficial ownership information (BOI) reporting requirements under the CTA. Only entities classified as “foreign reporting companies” are required to comply with the BOI reporting requirements under the CTA. Further, “US persons” are exempt from being reported as beneficial owners of foreign reporting companies and from having to provide their BOI to such companies.

The changes made by FinCEN effectively limited the scope of the Act to only non-US LLCs. In an effort to realign the Act with the CTA’s original broader definition of “reporting company,” the New York Legislature passed amendments that would have extended the Act’s application to both US and non-US LLCs formed or authorized to do business in New York State. However, this was vetoed by Governor Hochul who clarified that the Act was not intended to impose compliance burdens on New York businesses that go beyond federal requirements. As a result of Governor Hochul’s veto, it remained unclear whether the Act would apply to US LLCs formed outside of New York State in addition to non-US LLCs.

The NYDOS subsequently provided clarification on its Beneficial Owner Disclosure website, which was updated on December 31, 2025, to include beneficial ownership forms and frequently asked questions. The NYDOS guidance confirms that only LLCs formed outside the US that are authorized to do business in New York State are subject to the new beneficial ownership information disclosure requirements under the Act. Non-US LLCs that are authorized to do business in New York State are required to either (i) file an initial and annual beneficial ownership disclosure (as a reporting company), or (ii) file initial and annual attestation of exemption (as an exempt company) with the Department of State. A foreign LLC will be considered as an “exempt company” if it meets a condition for exemption under the CTA (Section 5336(a)(11)(B) of the US Code). There are currently 23 such exemptions, including but not limited to banking organizations, governmental authorities, registered broker-dealers, insurance companies, and registered accounting firms. An attestation of exemption must specify the particular exemption being claimed.

The NYDOS guidance expressly confirms that New York LLCs and LLCs formed in another state or US territory and authorized to do business in New York State, are exempt from reporting requirements under the Act.

To determine the applicability of the Act, it must be determined whether a foreign entity is an LLC. There is currently no definition of “foreign LLC” under the Act nor did NYDOS provide any guidance on this matter. However, Section 102(k) of the New York Limited Liability Company Act (“LLC Act“) defines “foreign LLC” as an unincorporated organization formed under the laws of any jurisdiction, including any foreign country, other than the laws of New York State (i) that is not authorized to do business in New York State under any other of its laws and (ii) of which some or all of the persons who are entitled (A) to receive a distribution of the assets thereof upon the dissolution of the organization or otherwise or (B) to exercise voting rights with respect to an interest in the organization have, or are entitled or authorized to have, under the laws of such other jurisdiction, limited liability for the contractual obligations or other liabilities of the organization. For the purposes of the Act, with respect to the existing foreign LLCs registered to do business in New York State, a logical reading of the definition of “foreign LLC” under the LLC Act would be to exclude the phrase “(i) that is not authorized to do business in New York State under any other of its laws”. Nevertheless, such determination may remain difficult if foreign law does not identify the entity as an LLC.

The Act is effective as of January 1, 2026. Non-US entities that are registered or registering to do business in New York State are well advised to determine whether they meet the definition of a foreign LLC for purposes of the Act, and, if so, to review their activities in New York and discuss with their counsel whether they may be restructured.

Kelly Chan, Associate, has contributed to this legal update.

The post United States: New York LLC Transparency Act appeared first on Global Compliance News.

Yesterday (16 December 2025), the House of Lords backed down and accepted the last remaining issue in dispute in the Employment Rights Bill between the two Houses of Parliament: whether the cap on unfair dismissal should be removed. For more information, see our previous update.

This means that the Bill will shortly receive Royal Assent and is expected to become law as the Employment Rights Act 2025.

Key takeaways

• In July 2024, the then new government promised an Employment Rights Bill within its first 100 days, and it delivered on that promise in October 2024. The Bill provided for sweeping employment law changes, although much of the detail is still to be finalised.
• After a long and sometimes controversial passage through Parliament, including a period of “ping pong” between the Houses, the Bill has now been passed. Royal Assent is expected before Christmas.
• Certain provisions relating to strikes and trade unions will come into force two months after Royal Assent, so anticipated to be February 2026. Others, including the doubling of the current protective award for failure to inform and consult on collective redundancies, are expected in April 2026. 
• The remainder, including limits on the use of fire and rehire (termination and re-engagement) processes, is due to come into force later in 2026 and into 2027. It has been reported that the reduction of the qualifying period of service for unfair dismissal claims, down to six months, will take effect in January 2027. It is presently unclear whether the removal of the compensation cap will take effect at the set time. More detail on the Implementation Roadmap published in July 2025 is here.
• The government has previously promised 26 consultations on the detail of the new rights in the Bill, which will be implemented through secondary legislation, once Royal Assent is granted. This number may have changed slightly since the announcement, but is still likely to be over 20. These consultation papers are expected in the early part of 2026.

The post United Kingdom: Employment Rights Bill passed and due to receive Royal Assent appeared first on Global Compliance News.

In February 2025, the European Commission presented its “Omnibus” package aiming to delay application and simplify the CSRD¹, the ESRS², CSDDD³ and the EU Taxonomy with the ultimate goal of reducing administrative burden and thus addressing concerns that the rules would hamper European competitiveness (see our summary of the Omnibus here). In parallel, and with an aim to address similar concerns, a proposal for simplification and delay to the EUDR⁴ moved swiftly through the legislative process.

As Europeans start wrapping-up ahead of the year-end holidays, the EU institutions have been busy engaging in negotiations and finalizing key rules, delivering to businesses the gift of legal certainty, clarity and the ability to plan ahead of the new year.

Key takeaways

The EU Parliament issues final vote on the amendments to CSRD and CSDDD

On 16 December, the EU Parliament’s plenary voted to approve the Draft Directive amending the CSRD and CSDDD. Following Council’s formal approval (which is expected to be certain and swift given recent communications to the EU Parliament), the text will be sent for publication in the Official Journal and will enter into force twenty days after publication. This officially marks the end of the line for the sustainability Omnibus.

Please click here to find a detailed breakdown of key changes to CSRD and CSDDD.

EFRAG⁵ delivers the revised ESRS

A key proposal envisaged in the Omnibus was the simplification and streamlining of sustainability reporting through a revision of the ESRS. On 3 December, EFRAG released a draft of revised and simplified ESRS (see our summary of key changes here). The Commission will now move to adopt a draft Delegated Act amending the ESRS based on EFRAG’s advice. The EU Commission is expected to launch another public consultation in early 2026 during which stakeholders can provide feedback on such draft Delegated Act. Once the EU Commission has adopted the Delegated Act, the EU Parliament and Council will have the opportunity to scrutinise the Delegates Act and provide any objections. The revised ESRS will apply to EU businesses in scope for mandatory reporting under the CSRD.

Given the significant reduction of thresholds, a large number of businesses is likely to fall outside scope of CSRD reporting. This may create unintended complexities, as businesses may still want to report sustainability data voluntarily or may be requested sustainability data by stakeholders on the basis of different standards. To bridge this gap and minimise complexity, businesses falling outside scope of CSRD will have the option to apply the “sustainability reporting standards for voluntary use”, which are still to be adopted by the EU Commission through Delegated Act. Until such Delegated Act is adopted, the Commission recommends reporting in line with Commission Recommendation 2025/1710, which is based on the Voluntary Standard for Micro and Small Enterprises (VSME) developed by EFRAG.

EU Taxonomy

Changes to the Taxonomy have unfolded separate from, but connected with, the Omnibus Directive. The Delegated Act amending the Taxonomy Disclosures, Climate and Environmental Delegated Acts (see our summary of proposed changes here and here) was adopted in July 2025, but have not yet entered into force (this is expected for early 2026), although the simplified rules are expected to enter into application as from 1 January 2026 for FY 2025. On 17 December, the EU Commission issued a Taxonomy Reporting guidance to help businesses in scope preparing for the simplified disclosures adopted in July 2025.

EU Deforestation Regulation

On 17 December 2025, the EU Parliament plenary voted to approve the targeted simplifications and application delays to the EUDR, as agreed with EU Member States on 4 December 2025 (see our summary of proposed changes here). By 30 April 2026, the Commission must present a report following an assessment of the law’s impact and administrative burden. The revised EUDR text needs to be endorsed by Council and published in the EU’s Official Journal before the end of 2025 for the changes to enter into force.

Next steps

With the dawn of legal certainty finally upon us, it is possible to start considering next steps. Our immediate recommendations would be as follows:

• Reassess scoping for EU entities and non-EU parent based on new thresholds to confirm obligations/ timeline for CSRD and CSDDD
• Create/ update ESG compliance roadmap to consider, inter alia:
  • Updated timeline and compliance obligations for CSRD, EU Taxonomy and CSDDD
  • Impact on double materiality assessment (DMA)

For more information, please contact our team of experts.

1 Corporate Sustainability Reporting Directive

2 European Sustainability Reporting Standards

3 Corporate Sustainability Due Diligence Directive

4 EU Deforestation Regulation

5 European Financial Reporting Advisory Group

The post European Union: EU institutions give businesses the gift of legal certainty on sustainability rules appeared first on Global Compliance News.