Topic: Regulation

On 8 July 2025, the European Banking Authority (EBA) issued a consultation paper on the draft guidelines on the sound management of third-party risk.

Most incidents handled by our Norton Rose Fulbright cyber team originate from the customer’s service provider. In many cases it is the service provider’s systems, infrastructure and environment which proves to be the most vulnerable to cyber breaches and security issues.

Businesses investing in, financing or operating data centres face a complex matrix of laws and regulatory requirements. Ensuring compliance is important for lender and investor due diligence and is crucial to avoiding fines, penalties and contractual or regulatory breaches that can significantly impact the business and any investment in, or financing of, data centres.

The Minister of Public Safety recently announced Canada’s first Sensitive Technology List (STL). The STL identifies the government’s priority categories of new technologies for regulation to safeguard Canadian national security.

Increased regulatory burdens on asset management businesses have resulted in additional cost pressures. However, regulation has also required more pricing transparency, which has led to an increasingly competitive market, with investors demanding either ultra-low cost or increasingly bespoke investment solutions.

The EU AI Act’s prohibitions came into effect on 2 February 2025 and carry fines of 7% worldwide annual turnover for non-compliance. The prohibitions at Article 5 and accompanying recitals (particularly recitals 28-44) set out a complex set of provisions.

The European Commission (EC) published a communication on an EU toolbox for safe and sustainable e-commerce, complementing investigations under the DSA into e-commerce platform Shein, and a coordinated investigation by the EU's Consumer Protection Network.

The EU’s AI Act imposes extensive obligations on the development and use of AI.

Ofcom has published its guidance for implementing age assurance measures for regulated service providers. User-to-user (U2U) services and search services take note: a decision not to implement highly effective age assurance measures means that your service may be deemed by Ofcom to be accessible by children.

Directive (EU) 2024/2853 on liability for defective products (the Revised Product Liability Directive) was published in the Official Journal of the European Union on 18 November 2024.