Legislation Update
Cyber Security and Resilience (Network and Information Systems) Bill[1]
Legislative Background
The Cyber Security and Resilience Bill (the Bill) was introduced to Parliament on 12 November 2025, as a means to reduce the likelihood of cyber-attacks on critical infrastructure networks and strengthen national security.
The Bill extends the scope of the existing Network and Information Systems Regulations 2018 and increases the regulation of private and public sector organisations that provide critical IT support and management, such as data centre services, large load controllers and managed service providers (including IT management services).
The Bill also sets increased reporting obligations on companies in relation to notification of cyber incidents to the government and any affected customers. Specifically, organisations must provide an initial notification within 24 hours and a full notification within 72 hours of becoming aware of an incident.
The Bill also introduces new enforcement powers for regulators, including the ability to designate critical suppliers, new information-gathering and inspection powers, and the ability to impose financial penalties on those with serious failures in respect of security requirements, incident notification requirements or adherence to these laws more generally. The maximum penalty for serious breaches has been set at the greater of £17 million or 4% of global turnover.
Ministerial Call to Action
With hostile cyber activity in the UK continuing to rise, and in conjunction with the Bill’s introduction, on 24 November 2025 UK ministers and the National Cyber Security Centre (NCSC) issued an open letter[2] to small businesses and business representative organisations across the UK. The letter urged a collective response on cyber security.
The letter recognises that, whilst the Bill targets key infrastructure and essential services, the cyber threat extends to businesses of all sizes, and it focuses on two key actions these enterprises can take to put effective cyber protections in place: using the NCSC’s free Cyber Action Toolkit[3], and obtaining Cyber Essentials certification.[4]
Next steps
The Bill is currently progressing through the legislative process, with multiple reading stages in progress. Organisations within the tech sector should assess whether their business may fall within the scope of the Bill, particularly if they provide data centre services or managed IT services.
Businesses that may be captured should review their current cyber security measures in light of the Bill as it develops, in particular ensuring readiness for the new 24-hour and 72-hour incident reporting requirements.
Further relevant proposed legislation
In addition to the Bill above, a further bill was introduced to Parliament on 21 October 2025 – the Cyber Extortion and Ransomware (Reporting) Bill[5]. It was introduced citing a number of concerns around cyber-attacks in the UK, notably the 50% increase in “highly significant” cyber incidents in the UK[6], the impact of these attacks and the current absence of any requirement to report a cyber incident when one occurs.
This bill intends to impose reporting obligations on any company registered in the UK with a turnover of more than £25 million a year, or which is responsible for critical national infrastructure, requiring it to report any cyber-attack or ransomware attack within 72 hours of the event. If an organisation paid a ransom, a second report would be required within the following 72 hours.
These reports would remain confidential unless publication was believed to be in the national interest. If a company failed to provide either of these reports within the designated timeframes, it would be subject to a monetary penalty.
The Cyber Extortion and Ransomware (Reporting) Bill is due to have its second reading on 29 May 2026. However, given the similarity between the two Bills, it is likely that the Cyber Security and Resilience (Network and Information Systems) Bill, which is more closely aligned with the government’s approach to cyber security, will supersede the Cyber Extortion and Ransomware (Reporting) Bill.
UN Convention Against Cybercrime[7]
The Convention
The first UN treaty on cybercrime (the Convention against Cybercrime) opened for signature on 25 October 2025, following multiple years of negotiation in which more than 150 Member States participated in over 420 hours of formal negotiations[8].
The UK signed the Convention on 25 October 2025, one of 72 nations to sign during the signing ceremony in Hanoi. Notably absent from the signatories was the US, which issued a statement during the ceremony confirming that it would take more time to review and consider the Convention[9].
The treaty will officially enter into force 90 days after it is ratified by 40 signatories; the Convention remains open for signature until 31 December 2026. Its introduction was welcomed by INTERPOL, amongst other international bodies that fed into the negotiations.
The Convention aims to promote and strengthen measures to prevent and combat cybercrime, facilitate international cooperation, and provide technical assistance and capacity-building to combat cybercrime, in particular for the benefit of developing countries. It requires states to criminalise a range of cyber-enabled and cyber-dependent offences (including illegal access, illegal interception, and child sexual exploitation material).
Going forward
Speaking in Hanoi, Andrew Whittaker, on behalf of the Foreign, Commonwealth and Development Office said, “The UK stands ready to work with international partners to build resilience, share intelligence, and uphold a secure and open digital environment for all”.
The UK ratified the Budapest Convention in 2011, having signed it in 2001. Given this timeline, it remains to be seen when the UK will ratify this new Convention against Cybercrime.
EU publishes Digital Omnibus Package
Introduction
On 19 November 2025, the European Commission published a ‘Digital Omnibus Package’ setting out proposed changes to digital regulation in Europe[10].
Key Proposals
The proposal includes a clarification of the definition of personal data, providing that information would not be considered personal data where the holder of information does not have the means reasonably likely to be used to identify the natural person to whom the information relates.
It also expands the scope of cookies that do not require consent to those aimed at creating aggregated information for measuring audience and maintaining or restoring security. Additionally, there is a new provision which would allow AI controllers to rely on legitimate interests in order to process personal data for AI systems – both in development and operation.
Finally, the proposal makes full implementation of the EU AI Act in respect of high-risk AI systems dependent on the European Commission publishing the relevant standards, specifications and guidelines. Otherwise, new ‘backstop’ dates apply, which would move compliance deadlines from August 2026 to December 2027 for systems listed in Annex III of the AI Act (designated high-risk AI systems such as AI used in law enforcement, biometrics and critical infrastructure), and to August 2028 for systems listed in Annex I of the AI Act (systems already covered by EU product laws, including toys and machinery, which will have to comply with both the AI Act and any other relevant EU law).
Context and Stakeholder Engagement
The initiative follows extensive consultations and stakeholder feedback highlighting regulatory overlap and implementation challenges. The proposal comes after significant pressure was exerted on the European Commission by European CEOs, as well as by figures in the US government and Big Tech, to relax the implementation of the EU AI Act. This includes an open letter to the Commission in March from some of the largest organisations in the EU, such as Airbus, Lufthansa and ASML, requesting that implementation of the AI Act be ‘paused’[11].
A range of opinions have been expressed on these changes, some viewing them as the right step given the commercial realities of 2025 and beyond, others expressing concern that they may put at risk transparency, accountability, and fundamental rights protected under European law[12]. Following a preliminary discussion, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have indicated that they will issue a Joint Opinion, and have preliminarily noted that the proposed modification to the definition of personal data appears to go beyond the case law of the Court of Justice of the European Union (CJEU) and may risk adversely affecting the fundamental right to data protection.
Impact
For UK software companies operating across European markets, the Digital Omnibus Package presents further compliance considerations. If the changes are confirmed, clarification of the personal data definition may reduce regulatory uncertainty, while the conditional extension of the AI Act implementation timeline provides more breathing space for organisations assessing their high-risk AI systems and ensuring compliance with the Act.
Given the ongoing regulatory dialogue between UK and EU authorities, developments on the Package may also influence the trajectory of UK data and AI regulation.
Case Law Update
Getty Images (US) Inc & Ors v Stability AI Ltd[13]
On 4 November 2025, Mrs Justice Smith delivered a long-awaited judgment that was anticipated to answer the key questions that have been on every AI developer’s and content creator’s mind over the last two years: to what extent can unlicensed third-party data be used to train AI models and who is responsible for their output generation?
Unfortunately, we only got answers to some, not all, of the key questions for which we were seeking answers.
Brief background
The issue initially arose in early 2023, when Getty Images (Getty), a media company that stores digital images, brought a claim against Stability AI (Stability), an AI development company, with Getty claiming that Stability had used, without consent, approximately 12 million Getty images and videos to train its deep learning AI model “Stable Diffusion”. Whilst Getty raised a series of allegations, by the time of the trial, only three main issues remained for determination. We have addressed each determination in the next section.
Further background on this case, including the outcome of previous trials, can be found in previous updates.
Key Judgment Findings
- The court found only limited instances of historic trade mark infringement:
Stability was held liable only in respect of certain versions of its model where there was sufficient evidence to show that UK-generated images contained watermarks. Claims relating to later model versions failed due to insufficient evidence of infringement. For the earlier models, the Court was satisfied that such outputs could lead to consumer confusion as to whether they were in fact licensed by or generated in connection with Getty, when this was not the case. For the later models, Getty failed to show real-world evidence that UK users had generated watermarked outputs, and therefore the Court could not determine that infringement took place in those cases.
As the court’s analysis in relation to these claims was heavily fact-specific, it is unlikely to clarify AI trade mark infringement in any meaningful way. Instead, such cases will need to continue to be assessed on an individual basis.
- Getty’s secondary copyright infringement claim was dismissed:
The Court held that whilst the copyrighted works may have been used in the training process, the AI model did not contain or reproduce any of the copyrighted works and therefore could not be deemed to be an “infringing copy” under UK copyright law.
Critically, however, the question as to whether unlicensed third-party data can be used to train AI models (the primary infringement claim) remains unanswered. This claim was dropped by Getty before it could be addressed at trial, meaning the Court did not rule on this fundamental issue.
- Mixed conclusions were reached as to whether licence agreements between Getty and their contributors were “exclusive” under UK law:
Getty sought to bring infringement claims for not only the works it outright owned but also for works uploaded by its contributors. While the court found that some agreements were ‘exclusive’, many agreements failed the exclusivity test as they were drafted in a way that awarded multiple Getty affiliates the licence to the works, which under English law was not a valid exclusive licence. To be valid, an exclusive licence under English law needs to be granted to one entity only.
Practical Implications
For rights-holders, the judgment confirms that making a successful trade mark claim will depend on the strength of real-world evidence. For AI developers, the decision suggests that implementing robust filtering and guardrails (e.g. watermark detection) can reduce the risk of trade mark infringement.
Whilst the outcome of this claim provides some clarity for AI developers and software providers, the debate is far from finished. Many critical questions remain unanswered: the primary infringement question of whether copyrighted works can be lawfully used to train AI models; what the evidentiary threshold is likely to be to bring about a successful trade mark infringement claim for AI generated content; and what an “infringing copy” under UK copyright law would look like in practice.
In the absence of resolutions to these questions, legislative and regulatory reform may be needed to provide clarity on the law going forwards, especially as the world of AI continues to grow exponentially in size and complexity. The UK government has been consulting on AI and copyright, including transparency obligations and potential text and data mining (TDM) reforms, with further progress anticipated in the coming months.
Further Development: Following the outcome of the trial, Getty sought permission from the High Court to appeal the judgment. The High Court has now granted Getty permission, and it is anticipated that the key questions which remain unanswered on every AI developer’s and content creator’s mind will be clarified on appeal.
JJH Enterprises Limited (trading as ValueLicensing) v Microsoft Corporation and Others[14]
Background
On 12 November 2025, the Competition Appeal Tribunal (CAT) handed down a judgment finding in favour of JJH Enterprises (trading as ValueLicensing), which had brought a claim against Microsoft for breaches of UK and EU competition law in respect of software licence sales.
JJH Enterprises sells pre-owned Microsoft software licences and brought the claim because of Microsoft’s restriction on the resale of perpetual licences for Office and Windows software. JJH alleged that Microsoft was using a dominant market position to reduce competition in this sector.
Key Judgment Findings
The Tribunal was asked to determine two main issues.
1) Can there be division and sale of licences bought in volume?
Considering whether Microsoft Windows and Office licences could be subdivided and sold individually after they had been purchased in bulk through Microsoft’s Enterprise Agreements, the Tribunal found that the copyright exhaustion principle (whereby the owner of intellectual property cannot prevent the resale of goods after they have been sold for the first time) applied to Microsoft’s Windows and Office licences.
2) Does the inclusion of non-program works prevent exhaustion?
Microsoft argued that non-program works, such as program interfaces, clip art and fonts, cannot be exhausted, and that it should retain the right to control these after sale. The Tribunal rejected this argument, finding that where these additional works form part of the software package downloaded by the purchaser, the first online sale of Microsoft Windows and Microsoft Office exhausts Microsoft’s distribution and reproduction rights under Article 4(2) of the Software Directive, provided the works are used for the purpose intended when the software was initially sold.
Practical implications
The case was concluded in a two-day preliminary issues trial, with the Tribunal reaching a unanimous decision. While Microsoft has been given permission to appeal the judgment, the Tribunal has taken a clear stance that the exhaustion principle under Article 4(2) of the Software Directive operates by law and is not restricted by contractual terms in Microsoft’s Enterprise Agreements. Consequently, Microsoft cannot prevent customers from subdividing and reselling licences they have legitimately acquired (and thereby restrict competition).
It is notable, however, that the Tribunal, in allowing the possibility of appeal, stated that “the preliminary issues raise points of law on which there is no clear authority”[15]. It therefore remains to be seen whether this judgment will be modified on appeal and the law crystallised on the copyright implications of software resale.
[1] Cyber Security and Resilience (Network and Information Systems) Bill – Parliamentary Bills – UK Parliament
[2] https://www.gov.uk/government/publications/ministerial-letter-on-cyber-security-to-small-businesses
[4] Cyber Essentials – NCSC.GOV.UK
[5] Cyber Extortion and Ransomware (Reporting) Bill – Parliamentary Bills – UK Parliament
[7] United Nations Convention against Cybercrime
[8] https://www.unodc.org/roseap/en/2025/10/cybercrime-convention/story.html
[9] https://hanoiconvention.org/statement/united-states-of-americas-statement/
[10] https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-regulation-proposal
[11] https://aichampions.eu/#stoptheclock
[12] https://iapp.org/news/a/eu-digital-omnibus-what-the-proposed-changes-to-the-concept-of-personal-data-mean-in-practice/ / https://www.edpb.europa.eu/news/news/2025/edpb-gives-recommendations-make-online-shopping-more-respectful-users-privacy_en
[13] https://www.judiciary.uk/judgments/getty-images-v-stability-ai/
[14] https://www.catribunal.org.uk/cases/15705722-t-jjh-enterprises-limited-trading-valuelicensing