Legislation Update
EU AI Act – Digital Omnibus: Council and Parliament reach provisional agreement
On 7 May 2026, the European Parliament and the Council of the EU reached a provisional agreement on the Digital Omnibus[1], a set of targeted amendments to the EU AI Act designed to streamline and simplify certain provisions. Although the amendments are still proposals at this stage and not formally adopted, the agreement signals a pragmatic approach to implementation, most notably by extending key enforcement deadlines for rules governing high-risk AI systems. The Digital Omnibus forms part of a wider Omnibus package published by the European Commission in November 2025, which seeks to streamline the EU’s existing regulatory framework more broadly.
A central feature of the agreement is revised timelines for the application of obligations relating to high-risk AI systems. Under the proposals, the deadline for compliance could be extended by up to 16 months to 2 December 2027 for stand-alone high-risk AI systems and 2 August 2028 for high-risk AI systems embedded in products. These delays are intended to give regulators and industry sufficient time to develop the necessary technical standards and compliance tools, many of which are not yet in place. Where organisations consider their AI systems do not constitute high-risk AI systems, the proposals include a reinstatement of the obligation for providers to register their AI system on a central EU database.
In addition, several clarifications and adjustments have been proposed to ease the regulatory burden and reduce overlap with existing frameworks. Proposals include: the introduction of certain regulatory exemptions for SMEs and small mid-caps, deferment of transparency requirements for AI-generated content until 2 December 2026, and a prohibition on AI systems generating non-consensual sexual and intimate content or child sexual abuse material.
The amendments also aim to better align the EU AI Act with sector-specific legislation by allowing, in certain cases, compliance with existing safety regimes alone, particularly for products such as machinery, and by enabling limitations on the EU AI Act’s application where equivalent rules already exist.
The provisional agreement must now be formally endorsed by the European Parliament and the Council, with adoption expected in the coming weeks, after which the amendments will enter into force shortly following publication. In the meantime, the reforms offer businesses increased certainty and additional time to prepare, but organisations should continue to monitor developments closely, assess their use of AI systems and begin planning for compliance with the evolving EU AI regulatory framework.
Policy Update
Government to create new Fundamental AI Research Lab
The Government has announced the creation of a new Fundamental AI Research Lab[2], backed by up to £40 million in funding over six years, alongside access to large-scale computing infrastructure through the AI Research Resource. The announcement, made on 4 March 2026 by the Department for Science, Innovation and Technology (DSIT) and UK Research and Innovation (UKRI), marks a step forward in the delivery of UKRI’s AI Strategy, published less than a fortnight prior and backed by a record £1.6 billion over four years.
The Lab’s central purpose is to fund ambitious, high-risk scientific research, such as supporting earlier medical diagnoses, resilient infrastructure, faster scientific discovery, and better tools for people and public services. Rather than pursuing incremental improvements through scaling existing models on larger datasets, the Lab is intended to support genuinely novel approaches to how AI systems are built, with the aim of producing AI that is more accurate, transparent, and trustworthy. Work will focus on solving existing issues with AI systems, such as hallucinations, unreliable memory and unpredictable reasoning.
The funding call is open for applications immediately, with the Government inviting the UK’s AI research community to submit their “boldest and most ambitious proposals”. Applications will be assessed by a peer review panel chaired by Raia Hadsell, Vice President of Research at Google DeepMind and a DSIT AI Ambassador. Hadsell has led DeepMind’s frontier AI research efforts since 2014 and brings significant credibility to the programme’s governance structure.
AI Minister Kanishka Narayan framed the initiative as a long-term investment in UK scientific talent, emphasising that leadership in fundamental AI research allows the UK to ensure that its values are embedded into the technology from the outset, rather than adopted retrospectively.
The announcement situates the new lab within a broader narrative of UK AI competitiveness: the Government notes that the UK’s AI sector has raised over £100 billion in private investment since the current administration took office, and that the country’s academic and research infrastructure places it in a strong position to lead on next-generation AI development.
Government launches new vulnerability monitoring service and a new Cyber Profession
The Government has announced a leap forward in protecting public sector digital infrastructure, revealing that critical cyber security weaknesses are now being fixed six times faster than before. At the heart of this improvement is a new Vulnerability Monitoring Service (VMS)[3], which continuously scans around 6,000 public sector bodies and detects approximately 1,000 different types of cyber vulnerability. Once a weakness is identified, the relevant organisation is automatically alerted with clear, actionable guidance, and progress is tracked until the issue is fully resolved.
The average time to fix domain-related vulnerabilities, that is, flaws in the Domain Name System (DNS), which underpins how users are directed to websites, has fallen from 50 days to just 8 days, an 84% improvement. Without such monitoring, a weakness in a government DNS record could have gone unnoticed for nearly two months, leaving a window for hostile actors to redirect users to fraudulent sites, intercept sensitive communications, or take services offline entirely. The backlog of critical, unresolved domain vulnerabilities has also been cut by 75%, with around 400 confirmed vulnerabilities processed and resolved each month.
Digital Government Minister Ian Murray, speaking at the annual Government Cyber Security and Digital Resilience conference, emphasised that cyber threats have tangible, real-world consequences: delaying NHS appointments, disrupting essential services, and putting sensitive personal data at risk. He confirmed that the VMS is being expanded to cover additional categories of cyber threat, with fix times already falling in those areas too.
Alongside the VMS, the Government has launched the first-ever dedicated Government Cyber Profession, co-branded with DSIT and the National Cyber Security Centre (NCSC). The profession aims to attract, recruit, and develop top-tier cyber security talent for the public sector. It will feature a dedicated Cyber Resourcing Hub, a Government Cyber Academy, a new apprenticeship scheme, and structured career pathways aligned with UK Cyber Security Council professional standards.
The announcement comes against the backdrop of a January 2025 National Audit Office report which found that the cyber threat to government is severe and advancing quickly, with skills gaps identified as the biggest risk to long-term cyber resilience. The new Cyber Profession is designed to directly address that gap, ensuring that technology-driven improvements are matched by the human expertise needed to sustain them.
Codes of Practice Update
Second draft of Code of Practice on Marking and Labelling of AI-generated content published
Under Article 50 EU AI Act, in certain circumstances providers and deployers of AI systems that generate synthetic content (such as text, images, audio and video) are required to ensure that such content is marked and labelled as AI-generated. To help organisations meet these obligations in practice, the Commission is facilitating the development of a voluntary Code of Practice[4], setting out technical and operational measures that signatories can adopt to demonstrate compliance. The Code covers two distinct groups: providers of generative AI systems, who must embed machine-readable markers in AI-generated outputs; and deployers, who must visibly label certain AI-generated content published to the public (including where the content constitutes a deepfake or concerns matters of public interest).
The Commission published the second draft of the Code of Practice in March 2026. Compared to its predecessor, it has been significantly streamlined and offers greater flexibility. It was developed by independent experts and incorporates feedback from hundreds of stakeholders across industry, academia and civil society, as well as contributions from Member States and Members of the European Parliament.
The Code is structured into two sections. The first, aimed at providers of generative AI systems, introduces a two-layered marking approach requiring secured metadata and watermarking of AI-generated outputs, with fingerprinting and logging available as optional supplementary measures. Providers must also make a free-of-charge detection interface available to deployers, users and other legitimate parties, including competent authorities and researchers. Proportionate compliance pathways for SMEs and startups are built in.
The second section, which applies to deployers using AI to generate deepfakes or text published in the public interest within scope of Article 50(4) EU AI Act, focuses on labelling obligations. It removes the previous distinction between AI-generated and AI-assisted content and sets out design and placement requirements for icons, labels or disclaimers. A task force will be established to develop a future uniform EU icon, freely available to all signatories, and there are also specific provisions for artistic, creative and satirical works, and an exemption for text that has undergone genuine human editorial review prior to publication.
The deadline for responding to the call for feedback on the Code of Practice was 30 March 2026, with the final version expected to be published in June 2026. The transparency requirements relating to AI-generated output will, however, become applicable on 2 August 2026, which does not afford organisations a significant period in which to consider the Code of Practice and prepare for compliance. As noted above, there is a possibility that the transparency requirements may be deferred to December 2026 under the Digital Omnibus proposals.
New guidance on cross-domain architecture published by NCSC
On 21 April 2026, the NCSC published new guidance on cross-domain approach and architecture[5], designed to make the adoption of cross-domain technologies more straightforward and more secure across government, industry, and the wider security community.
Cross-domain technologies play a vital role in helping organisations to move data safely between environments with different security levels. The NCSC and its partners have developed cross-domain solutions for many years, particularly in the defence and intelligence sectors, where the secure movement of data between systems operating at different security levels has long been a central requirement. However, the relevance of this guidance now extends considerably further. The threats organisations face today are more capable, more persistent, and more strategic, and sectors that were once unlikely targets, including energy, industrial control systems, and wider elements of critical national infrastructure, are now firmly within scope.
Many organisations contain systems that are interconnected in ways their designers never anticipated, and rely on protocols that were not built to resist modern sophisticated attacks. The revised guidance is designed to ensure that cross domain is easier to implement and more widely adopted across disparate sectors. At its core, cross domain is about safely enabling business functions even where those functions span systems with different levels of trust, including importing documents, enabling video communications, or interacting with services hosted in other environments.
Rather than focusing on fixed boundaries or specific technologies, the new approach looks at the end-to-end architecture required to make these functions secure and reliable. This involves developing an explicit understanding of what data flows are required, how systems are connected, and which threats are relevant. Cross domain uses a sequence of functions, often referred to as a pipeline, to build confidence in data as it moves between trust zones, ensuring assurance is gained across the entire flow rather than at a single point.
The new guidance explains essential concepts including zones of trust, trust boundaries, and control points, and largely replaces the NCSC’s older security principles for cross-domain solutions. The original importing data and exporting data design patterns are being deprecated and will in time be replaced by new cross-domain patterns, though the existing security principles remain relevant for the NCSC’s Principles Based Assurance process in the medium term.
Further guidance is planned, covering a step-by-step guide to designing cross-domain architectures, guidance on selecting appropriate technology, and standardised cross-domain patterns to serve as repeatable templates across a range of use cases. Organisations handling sensitive data across systems of differing trust levels, whether in the public sector or in industries such as energy and finance, should familiarise themselves with the updated framework and consider how it applies to their existing architectures.
Case Law Update
Edozo Ltd v Valos (UK) Ltd
In a recent decision of the Intellectual Property Enterprise Court (IPEC)[6], the High Court reinforced an important principle for software businesses: copyright protects the expression of a computer program, not its functionality.
The case arose from a dispute between Edozo and Valos, two competing providers of software platforms offering property-related valuation reports. Each platform guided users through a series of steps to generate those reports. Valos alleged that Edozo’s platform reproduced the same user-facing steps as its own and that this amounted to indirect copyright infringement of Valos’s software. Notably, Valos did not allege that Edozo had access to its source code or the underlying program architecture. Instead, Valos argued that similarity in how the two systems functioned and appeared to users was sufficient to establish copyright infringement.
IPEC’s approach
IPEC struck out Valos’s allegation of copyright infringement on the basis that the user-facing steps formed part of the software’s functionality, and did not count as a form of expression of the source code. In doing so, IPEC restated the long‑standing distinction in copyright law between ideas and their expression. While copyright protects the intellectual creation embodied in a computer program (such as the source code), it does not extend to the ideas, logic, or functionality underlying that program.
The judge relied on established authority, including Designers Guild v Russell Williams [2000] 1 WLR 2416, SAS Institute v World Programming [2013] EWCA Civ 1482, and Navitaire v easyJet [2004] EWHC 1725 (Ch), to confirm amongst other points that the functionality of a computer program does not count as a form of expression, and two different computer programs can produce an identical result, even if one does not have access to the other’s source code. On that basis, IPEC held that the “steps” experienced by users of Valos’s platform were part of its functionality, not an expression protected by copyright. As a result, replicating those steps was not capable of being an act of copyright infringement.
Why does this decision matter?
This judgment provides reassurance that developing functionally equivalent software will not constitute copyright infringement, so long as protected expression (such as source code or graphical assets) is not copied. Businesses are generally free to study competitor products from a user perspective and to independently build systems that achieve similar outcomes, provided protected expression is not taken.
However, the case also highlights a potential gap in protection for software developers. Where the real value of a product lies in ‘how it works’ rather than ‘how it is coded’, copyright alone may offer limited protection. Businesses may need to consider alternative strategies, such as patent protection (where legally available and commercially viable), stronger contractual controls, or trade secret protections, to safeguard their innovations.
Emotional Perception AI Ltd v Comptroller-General of Patents
In a unanimous decision handed down in February 2026, the Supreme Court has delivered a landmark ruling with significant implications for both AI and intellectual property law. The case, Emotional Perception AI Ltd v Comptroller-General of Patents,[7] establishes that artificial neural networks (ANNs) are capable of qualifying for patent protection under UK law, marking a pivotal moment for software vendors and AI developers seeking to protect their innovations.
At the heart of the case was a longstanding exclusion under UK patent law, which prevents “programs for a computer” from being patented in isolation. The UK Intellectual Property Office had relied on this exclusion to refuse Emotional Perception’s patent application for its ANN-based invention. The Supreme Court disagreed. The judges held that an artificial neural network cannot properly be characterised as a mere computer program under established patent principles, because it can be implemented at the level of both hardware and software simultaneously. Since hardware is involved, the exclusion does not straightforwardly apply.
Beyond resolving the immediate dispute, the Supreme Court took the opportunity to effect a broader and highly significant change in UK patent law methodology. For nearly two decades, UK courts had applied the so-called “Aerotel” test, derived from a 2006 Court of Appeal decision, to assess whether computer-linked inventions were patentable. The Supreme Court has now formally abandoned the Aerotel approach, aligning the UK instead with the test approved by the European Patent Office’s Enlarged Board of Appeal in its 2021 decision, G1/19.
The distinction is an important one. The Aerotel approach assessed the “contribution” made by an invention and whether that contribution fell within an excluded category. The EPO’s preferred approach asks a more fundamental question: whether the claim as a whole amounts to an “invention” with a genuine “technical character.” The Supreme Court found the EPO’s criticism of Aerotel to have “real force”, particularly the observation that the UK courts had, in applying Aerotel, misinterpreted the relevant provisions of the European Patent Convention.
Why does this decision matter?
This ruling is significant for software vendors as it clarifies a stronger pathway to patent protection for AI-driven innovations in the UK, prompting developers of neural network-based products, such as recommendation engines, predictive analytics, and natural language processing tools, to reassess their IP strategies and revisit previously marginal applications. It also brings welcome alignment with the European Patent Office’s approach, reducing the risk of inconsistent outcomes and simplifying parallel UK–EU patent filings post-Brexit. Although the UKIPO must still reassess Emotional Perception’s application on inventiveness and technical character, the decision firmly signals that AI-related inventions can, in principle, qualify for patent protection in the UK.
[1] https://www.consilium.europa.eu/en/press/press-releases/2026/05/07/artificial-intelligence-council-and-parliament-agree-to-simplify-and-streamline-rules/
[2] Government to create new lab to keep UK in the fast lane on AI breakthroughs – GOV.UK
[3] Government cuts cyber-attack fix times by 84% and launches new profession to protect public services – GOV.UK
[4] Commission publishes second draft of Code of Practice on Marking and Labelling of AI-generated content | Shaping Europe’s digital future
[5] New cross domain guidance for government, industry and the wider security community | National Cyber Security Centre
[6] Edozo Ltd v Valos (UK) Ltd [2026] EWHC 93 (IPEC)
[7] Emotional Perception AI Limited v Comptroller General of Patents, Designs and Trade Marks [2024] EWCA Civ 825