On March 27, 2025, the Information Commissioner’s Office (ICO) announced a fine of 3 million GBP (3.9 million USD) against a software provider (the company) for security deficiencies following a ransomware incident (e.g., lack of multi-factor authentication (MFA)). This is the first time the ICO has fined a processor under the UK’s General Data Protection Regulation (GDPR). This post provides an overview of the decision and outlines the key points companies should consider, including the security measures the ICO expects them to implement.Continue Reading UK Regulator Issues Three Million GBP Monetary Penalty in Connection with Ransomware Attack
Laura Brodahl
EU Data Act Imposes New Data Sharing Obligations
As of September 12, 2025, the EU Data Act will impose new obligations concerning the sharing of, and access to, data generated by certain products and services offered in the EU. This alert highlights the data sharing obligations for providers of connected devices and related services.Continue Reading EU Data Act Imposes New Data Sharing Obligations
European Privacy Regulators Issue Guidance on Age Assurance
On February 11, 2025, the European Data Protection Board (EDPB) adopted a statement (Statement) on age assurance. The Statement comes at a formative time in the development of age assurance practices, as EU and UK regulatory frameworks increasingly require companies to take steps to identify and protect child users of online services. The Statement outlines key privacy principles that should be followed when developing and deploying age assurance processes, together with the risks to individuals’ rights that can arise.Continue Reading European Privacy Regulators Issue Guidance on Age Assurance
Understanding the EU’s Cyber Solidarity Act: Key Takeaways
On February 4, 2025, the European Union’s (EU) Cyber Solidarity Act (CSA) entered into force. The CSA aims to harmonize and strengthen the cooperation between EU authorities to improve their capacity to detect and address…
Continue Reading Understanding the EU’s Cyber Solidarity Act: Key TakeawaysRansomware Attacks: UK Government Proposes Ransom Payment Ban and Mandatory Notification Requirements
On January 14, 2025, the UK government unveiled a proposed framework aimed at combating the rise of ransomware attacks by implementing a payment prevention and reporting regime. This would require companies to not only report all ransomware incidents, but also to declare whether they intend to pay a ransom. The government also announced that it proposes to ban public bodies and infrastructure providers from making ransom payments to cyber attackers. A public consultation is open until April 8, 2025.Continue Reading Ransomware Attacks: UK Government Proposes Ransom Payment Ban and Mandatory Notification Requirements
New EU Cyber Resilience Requirements for Financial Sector Enter into Force
As of January 17, 2025, financial entities and their critical information and communication technology (ICT) service providers need to comply with the new cybersecurity requirements in the Digital Operational Resilience Act (DORA). DORA introduces significant operational and ICT security requirements for a wide range of financial market participants, including banks, insurers, trading platforms, as well as for their ICT service providers.Continue Reading New EU Cyber Resilience Requirements for Financial Sector Enter into Force
New EU Cybersecurity Obligations for Connected Devices: What You Need to Know
UPDATED: November 20, 2024
On November 20, 2024, the European Union officially published the Cyber Resilience Act (CRA), which introduces cybersecurity obligations for internet-connected hardware and software products offered in the EU (such as wearables). The CRA will enter into force on December 10, 2024 and companies have until September 11, 2026 to comply with the first wave of obligations.Continue Reading New EU Cybersecurity Obligations for Connected Devices: What You Need to Know