Data, privacy and cyber in May 2026: In case you missed it

By Hans Allnutt, Jade Kowalski, Justin Tivey & Peter Given

Published 04 June 2026

Overview

Our 'In Case You Missed It' section of the Data, Privacy and Cyber Bulletin provides readers with a high-level digest of important regulatory and legal developments from April 2026.

Contents

  1. Regulatory Developments
  2. Data & Privacy Developments
  3. Cyber Developments

Regulatory Developments

Cyber Security and Resilience Bill reintroduced

As part of the King's Speech, it was reaffirmed that the Cyber Security and Resilience Bill was subject to a carry-over motion, allowing it to proceed within the next Parliamentary session.

The Bill was reintroduced on 14 May 2026 and will now proceed to report stage on 10 June 2026.

 

Agreement reached on EU AI Omnibus

The EU institutions (Parliament, Council and Commission) reached an agreement on the AI provisions of the Digital Omnibus.

The agreement was increasingly urgent in light of the upcoming 2 August 2026 deadline for the application of high-risk rules. The European Parliament and the Council must now formally adopt the political agreement. Upon adoption, the amendments will be published in the Official Journal of the European Union and enter into force three days later.

The changes agreed, taking effect only upon adoption and publication in the Official Journal, include:

  • A fixed timeline for the delayed application of high-risk rules, to take effect from 2 December 2027 for stand-alone high-risk AI systems and 2 August 2028 for high-risk AI systems embedded in products.
  • A new provision prohibiting AI practices regarding the generation of non-consensual sexual and intimate content or child sexual abuse material (CSAM).
  • Reinstatement of the obligation for providers to register AI systems in the EU database for high-risk systems, where they consider their systems to be exempted from classification as high-risk.
  • Reinstatement of the standard of strict necessity for the processing of special categories of personal data for the purpose of ensuring bias detection and correction.
  • Postponement of the deadline for the establishment of AI regulatory sandboxes by competent authorities at national level until 2 August 2027.

 

ICO announces fine against South Staffordshire Plc and South Staffordshire Water Plc

The Information Commissioner's Office (ICO) announced a fine of £963,900 against South Staffordshire and South Staffordshire Water PLC following a cyber attack in which the personal information of over 600,000 people was extracted and published.

This personal information included names and addresses, and additional information such as National Insurance numbers of employees and bank account details of customers.

The investigation found that South Staffordshire failed to implement appropriate security controls required under UK data protection law.

During the course of the investigation, South Staffordshire made an early admission of liability and, in accepting the ICO's findings, has agreed to pay the penalty without appeal. The ICO has applied a 40% reduction, bringing the final penalty to £963,900, in recognition of the efficiencies that South Staffordshire's early admission brought to the investigation.

The ICO press release and Monetary Penalty Notice can be accessed via the provided links.

 

ICO issues guidance on dealing with AI-generated FOIA requests

The ICO has published guidance to support public authorities dealing with AI-generated Freedom of Information Act requests. The guidance has been prompted by comments from FOIA practitioners on the growing impact of AI on their work. Public authorities are seeing an increase in the volume and complexity of requests generated using AI tools. The guidance can be accessed here.

Our data protection and privacy colleagues have commented on this guidance, and on the wider environment of AI-generated data subject access requests, in the first of our accompanying pieces in the DPC Bulletin this month.

 

European Commission publishes guidelines to classify high-risk AI systems

The European Commission has published draft guidelines on the classification of high-risk AI systems. A targeted consultation on the clarity of the guidelines will close on 23 June 2026. By way of background, the AI Act identifies two types of 'high-risk' AI systems:

  • AI systems embedded in products regulated under the Union's harmonised legislation on product safety
  • AI systems that can significantly affect people's health, safety, or fundamental rights in specific use cases listed in the AI Act

Per the targeted consultation press release, the guidelines are intended to help providers and deployers of AI systems assess whether their AI system is high-risk and what classification of high-risk their system would fall under.

Data & Privacy Developments

ICO publishes advice to government on changes to online advertising rules

The ICO has published details of advice provided by the Executive Director Regulatory Risk and Innovation to the Minister for Digital Government and Data. Over the past year, the ICO has reviewed where regulation 6 consents in the Privacy and Electronic Communication Regulations are preventing the development and adoption of privacy-preserving online advertisements.

The findings have been provided as advice to government ahead of possible changes to regulation 6 through secondary legislation. The preferred approach set out in the ICO report states that: "If government decides to amend the regulation 6 requirements, we propose permitting some online advertising purposes without consent within a 'first-party framework'." This would allow the online service or the publisher serving online advertising to store and access information on the user's device for specific purposes.

This approach would permit third-party data sharing only "for controlled use cases and restricted compared to typical data sharing in programmatic advertising."

The ICO report can be accessed here, and the accompanying letter can be accessed here.

 

ICO publishes statement on age assurance

The ICO issued a statement on age assurance, noting that it reached out to a number of major social media platforms earlier this year asking for an urgent review of their age assurance measures. The ICO noted that responses suggested that some action was being taken but that, overall, the ICO does "not yet have confidence that appropriate measures are being put in place."

The ICO also published its response to the Department for Science, Innovation and Technology (DSIT) consultation 'Growing up in the online world', which closed on 26 May 2026.

 

ICO responds to government on safe AI-powered innovation

The ICO has published a letter issued to the Secretaries of State for Business and Trade, and Science, Innovation and Technology on the issue of AI-driven innovation. The letter can be accessed here.

The letter confirms that the ICO is developing an updated AI workplan for 2026/27 including two overarching objectives. These are directed at ensuring the UK public feel confident in understanding how AI systems process their personal data and ensuring that the ICO is clear on what data protection law requires when organisations deploy AI systems.

 

EU and Japan deepen regulatory cooperation on AI and data

The European Commission announced agreements between the European Union and Japan to deepen regulatory and research cooperation on data, AI, quantum, semiconductors, digital infrastructure and online platforms.

On the issue of AI, the parties committed to conclude a Cooperation Arrangement to deepen collaboration on AI research and innovation. A similar arrangement will be concluded on the issue of online platforms to deepen cooperation on the transparency of content moderation systems and the effectiveness of reporting systems for illegal content.

 

Cyber Developments

FCA, Bank of England and Treasury joint statement on frontier AI models and cyber resilience

The Financial Conduct Authority, Bank of England and HM Treasury issued a joint statement highlighting the cyber resilience implications of frontier AI models, underscoring a growing supervisory focus on how firms respond to increasingly sophisticated technology-enabled threats.

The message is less about introducing new regulatory requirements and more about recalibrating firms’ existing approaches to cyber risk in light of a step-change in threat actor capability. The second of our accompanying pieces in our DPC Bulletin this month considers the implications of the statement.

 

Government Digital Service and DSIT publish guidance on reducing AI-accelerated vulnerability discovery

DSIT and the Government Digital Service (GDS) have published guidance following discussions as to whether AI-accelerated vulnerability discovery means that public sector departments should stop publishing source code 'in the open' by default. The guidance reflects recent developments such as the concern around the cyber capabilities of Claude Mythos and can be accessed here.

 

DSIT publishes annual cyber security breaches survey

DSIT has published its annual cyber security breaches survey, together with a summary of key findings highlighting trends in cyber security awareness, including:

  • Almost half of businesses (47%) and a third of charities (35%) reported being insured against cyber security risks in some way – whether as a specific policy or as part of a wider policy.
  • Not unexpectedly, large and medium-sized businesses were more likely to have some form of cyber insurance compared to small/micro businesses.
  • Phishing attacks remained the most prevalent type of breach or attack by far (experienced by 38% of businesses and 25% of charities) and identified as the most disruptive type of breach or attack (69% of businesses and 69% of charities that experienced a breach or attack).
  • Ransomware attacks among businesses have declined compared with the previous two years (1% this year down from 3% in both 2024/2025 and 2023/2024).
  • Only 25% of businesses have a formal response plan. This means that, for the 43% of businesses that experienced a cyber breach or attack in the last year, most were forced to react without a pre-defined strategy.

The results of the survey were discussed by the Digital Minister, Liz Lloyd, during a speech in early May. The speech emphasised that AI is accelerating cyber threats, and that later this summer, the Government will publish the National Cyber Action Plan. 

 

ICO publishes steps for organisations to protect against AI-powered cyber threats

The ICO Interim Executive Director for Regulatory Supervision published a blog on five practical steps that can be taken to strengthen resilience against AI-powered threats:

  • Knowing what organisations are up against, understanding the range of potential threats and referencing guidance such as the National Cyber Security Centre's Cyber Assessment Framework.
  • Getting the basics right and layering defences, such as multiple controls.
  • Restricting access points, including the implementation of multi-factor authentication on all remote access, admin accounts and emails.
  • Improving incident detection and incident response through measures such as maintaining and testing an incident response plan, and the implementation of comprehensive security monitoring.
  • Protecting personal data through appropriate measures such as data minimisation, data audits, staff awareness and AI governance.

 

Government encourages businesses to sign Cyber Resilience Pledge

Following its announcement in April, DSIT has reiterated to businesses the importance of the actions that organisations can take to improve their cyber security:

  • Make cyber security a boardroom priority, using the Cyber Governance Code of Practice as part of this.
  • Use the Cyber Essentials government-backed certification scheme to protect against common attacks and embed the same requirements across supply chains.
  • Follow the National Cyber Security Centre and sign up for the free Early Warning Service.

 

NCSC warns of vulnerability patch wave

The National Cyber Security Centre has highlighted the risk of organisations' 'technical debt', the backlog of technical issues resulting from the lower priority given to building resilient products. The NCSC has highlighted that the use of AI can exploit this debt.

As a result, the NCSC has warned all organisations of a forced correction, requiring a 'patch wave', a rush of software updates that will need to be applied to address new vulnerabilities.

The NCSC has recommended a number of steps, including an 'update by default' policy where software updates are prioritised as soon as possible, and ideally automatically. The NCSC commentary can be accessed here.

 

UK and Australia agree pact to tackle AI security risks

The UK and Australia have agreed deeper ties to tackle AI-related security risks, strengthening ties between the UK AI Security Institute and the Australian AI Safety Institute.

As part of a new Memorandum of Understanding, the organisations will work together to track the latest developments in frontier AI, including how those systems could be used in cyber-attacks. The countries will conduct research into emerging risks and develop international best practice for testing and evaluating AI systems. The press release announcing the pact can be found here.
