UK law
GDS and DSIT publish guidance on AI-assisted vulnerability risks in open-source code
The Government Digital Service (GDS) and the Department for Science, Innovation and Technology (DSIT) have published guidance on safely publishing source code in the open and reducing the risk of AI-accelerated vulnerability discovery. Technology leaders are asking whether AI-accelerated vulnerability discovery means public sector departments should stop publishing source code “in the open” by default. User research suggests that the primary driver of exploitation risk is the presence of weaknesses in systems, including unpatched vulnerabilities, insecure implementation, and unsafe configuration or deployment, together with an inability to remediate them quickly. Publishing source code does not create those weaknesses, but it can modestly reduce attacker uncertainty and speed up analysis (an effect that may increase with AI assistance), especially where maintenance is weak and fixes are slow. The guidance reinforces the minimum operational capability already assumed for safely operating publicly accessible services and provides four key recommendations: meet the minimum standard for publicly accessible systems by ensuring clear ownership, secure-by-design practice, automated hygiene, and credible remediation capability (privacy should not be used as a substitute control); keep open by default, as making everything private adds delivery and policy costs and can reduce reuse and scrutiny, so openness should remain the default posture, with closure used sparingly and deliberately; make exceptions explicit and reviewable, so where code should be closed, a short threat model should be required that states the attacker, what publication adds, and the realistic path to harm, with exceptions kept narrow, time-bound, and periodically re-approved; and strengthen remediation capability by assuming shorter discovery-to-exploit windows, setting patch SLAs, automating dependency and vulnerability management, and ensuring teams can respond quickly to inbound reports. This is essential whether code is open or closed.
Bar Standards Council issues guidance on AI and emerging technologies
The Bar Council has introduced new guidance on the safe and responsible use of artificial intelligence. In response to the increasing use of AI tools across legal practice, recent cases highlighting the risks of misuse, and the judgment in Ayinde v London Borough of Haringey, the guidance provides a practical framework for barristers to use AI safely while continuing to meet their professional obligations. It explains how existing duties and rules under the BSB Handbook apply when using AI and other technologies. It also sets out good practice principles to support barristers at all stages of adopting and using technology, including considering how AI use will affect their ability to fulfil the Core Duties and rules in the BSB Handbook, maintaining a basic level of technology and AI awareness, evaluating the risks, benefits and costs of new technologies before using them, ensuring that IT systems and data governance are properly implemented, being transparent, upholding client confidentiality and protecting sensitive information, and recognising that clients, solicitors and opposing parties may use AI tools and considering how that use may affect barristers’ responsibilities.
Ofcom strengthens Illegal Content Codes with hash matching technology recommendations
Ofcom has announced that it is strengthening its Illegal Content Codes by introducing a new recommendation that tech firms use automated detection technology to reduce the spread of illegal intimate images online. Given the urgent need to better protect women and girls online, Ofcom is adding a recommendation to the codes that certain sites and apps expand their use of automated technology (hash matching) to detect illegal intimate images shared without consent, such as explicit deepfakes. Hash-matching technology works by converting harmful images into digital fingerprints or “hashes”. These are then stored in a database and matched against further attempts to upload the same or similar versions of the image. Ofcom is recommending that services use a hash database such as the market leader StopNCII.org. Ofcom considers that this additional safety measure, together with new measures in the Crime and Policing Act 2026, which introduced a ban on nudification tools and requirements for non-consensual intimate images to be taken down within 48 hours, will make a material difference to protecting women and girls online. Subject to the parliamentary process, Ofcom expects the intimate image abuse amendments to its Illegal Content Codes to come into force in autumn 2026. It will announce further decisions on additional safety measures around that time.
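The passage above distinguishes hash matching from an exact-match lookup: a hash database must catch "the same or similar versions" of an image, which a cryptographic digest cannot do because any re-encoding changes every byte. The example below, added here and not part of Ofcom's statement or of any real hash database such as StopNCII.org, contrasts a SHA-256 digest with a simple perceptual "average hash" over constructed 8x8 grayscale images; the images, the 10-bit tolerance and the HashDatabase class are all assumptions made for illustration.

```python
import hashlib

MAX_DISTANCE = 10  # assumed tolerance in bits for "same or similar" images


def make_gradient(offset=0):
    """Constructed 8x8 grayscale image (a stand-in for a real picture)."""
    return [[min(255, 24 * r + 12 * c + offset) for c in range(8)] for r in range(8)]


KNOWN = make_gradient()                      # the reported image
ALTERED = make_gradient(offset=20)           # same picture, brighter, re-encoded
ALTERED[0][:4] = [255] * 4                   # plus a small overlay in one corner
UNRELATED = [[(37 * r + 91 * c) % 256 for c in range(8)] for r in range(8)]


def exact_hash(image):
    """Cryptographic digest: differs as soon as a single byte changes."""
    return hashlib.sha256(bytes(p for row in image for p in row)).hexdigest()


def average_hash(image):
    """Perceptual hash: one bit per pixel, set when the pixel is above the mean."""
    pixels = [p for row in image for p in row]
    mean = sum(pixels) / len(pixels)
    bits = 0
    for p in pixels:
        bits = (bits << 1) | (1 if p > mean else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two perceptual hashes."""
    return bin(a ^ b).count("1")


class HashDatabase:
    """Stores fingerprints of reported images and checks uploads against them."""

    def __init__(self):
        self.entries = {}

    def add(self, label, image):
        self.entries[label] = average_hash(image)

    def lookup(self, image):
        """Return (label, distance) of the closest entry within tolerance, else (None, None)."""
        h = average_hash(image)
        best = min(((hamming(h, k), lbl) for lbl, k in self.entries.items()), default=None)
        if best is not None and best[0] <= MAX_DISTANCE:
            return best[1], best[0]
        return None, None
```

Run against the constructed images, the SHA-256 digests of KNOWN and ALTERED differ while their average hashes are 8 bits apart (a match), and the unrelated image sits 33 bits away (no match).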
Ofcom issues statement on X’s commitment to bring in new protections to tackle illegal hate and terror content
X has made public commitments to better protect UK users from illegal hate and terror content, which Ofcom has accepted. The first is to expedite timescales for reviewing illegal hate and terror content. X will review and assess UK suspected illegal terrorist and hate content reported through its dedicated UK illegal content reporting tool, on average, within 24 hours of it being reported, measured as a mean. As a backstop, it will review and assess at least 85% of such reports within a maximum of 48 hours. If met, these targets will give UK users some of the strongest protections on X globally. The second commitment is to engage with experts regarding reporting systems for illegal hate and terror content. This responds to concerns raised by some organisations, which said they had alerted X to multiple pieces of suspected illegal hate and terrorism content but were unclear whether those reports were being received or actioned. X will also act against accounts operated by or on behalf of proscribed organisations. It will withhold access in the UK to accounts reported for posting illegal terrorist content where it determines that they are operated by or on behalf of a terrorist organisation proscribed in the UK. X will submit performance data to Ofcom on a quarterly basis over a 12-month period so that Ofcom can actively monitor performance against these targets and ensure that it is delivering improvements to the safety of UK users.
ICO publishes advice to DSIT on potential changes to online advertising rules
The Information Commissioner’s Office (ICO) has published its advice to the Department for Science, Innovation and Technology (DSIT) on recommended changes to regulation 6 of the Privacy and Electronic Communications Regulations 2003. The advice shows how regulation 6 could be amended to allow certain low-risk forms of online advertising to operate without consent, while continuing to require consent for advertising that involves intrusive tracking and profiling over time and across services. This reflects the ICO’s assessment that privacy risks are lower where advertising is based on the context of the content being viewed rather than information about a person’s past online activity. The ICO says that, if the government were to amend regulation 6, there could be practical benefits. Over time, it could mean that websites and apps would not always need to request consent when users first visit them where only low-risk advertising is involved. This could help reduce consent fatigue while maintaining a requirement for valid consent where advertising relies on more intrusive tracking or profiling.
FCA, Bank of England and Treasury issue joint statement on frontier AI models and cyber resilience
The FCA, Bank of England and Treasury have issued a joint statement saying that it is essential for firms to have effective protective, detective, threat-containment and cyber-response capabilities, including to address faster and more disruptive frontier AI-driven attacks. These cover a range of areas, including governance and strategy: firms should ensure their boards and senior management have a sufficient understanding of frontier AI risks so that they can set strategic direction and oversee how control functions manage those risks. The statement also says that investment and resourcing decisions should reflect the emerging threat, including increased exposure from end-of-life systems or those that are out of vendor support. Firms should also consider whether they have appropriate insurance in place. Frontier AI models can rapidly identify and enable the exploitation of a potentially large number of vulnerabilities across firms’ technology estates. Firms should therefore be able to triage, prioritise, risk-assess and remediate vulnerabilities more quickly, more frequently and at scale, including through automation where appropriate, while mitigating the operational risks of doing so. In addition, firms should effectively manage frontier AI cyber risks arising from third parties and supply chains, including open-source software. This means having the capabilities to identify, monitor and manage external applications, libraries and services integrated into their networks, and to address and remediate vulnerabilities identified by third parties at scale. Effective access management, network security and data protection should also enable firms to reduce the attack surface that a frontier AI model might access and limit the likelihood and impact of such attacks. Firms should consider adopting automated and AI-enabled defences that can operate at a comparable speed to AI-driven attacks. Finally, firms should be able to respond to and recover from disruption quickly.
The Government and UK financial authorities will continue to monitor frontier AI developments actively and engage with industry through the Cross Market Operational Resilience Group (CMORG).
EU law
European Commission consults on guidelines on the classification of high-risk AI systems
The European Commission is consulting on Guidelines intended to support providers and deployers of AI systems, as well as competent market surveillance authorities, in assessing whether an AI system should be classified as high risk, thereby facilitating the uniform application and effective enforcement of Article 6 of the AI Act. The Guidelines set out the Commission’s interpretation of certain concepts relevant to classification and, in accordance with Article 6(5) of the AI Act, provide practical examples of AI systems that should or should not be classified as high risk. The examples are intended to cover a broad range of areas and use cases, but they are not exhaustive and may be updated over time. The Guidelines are divided into sections following the structure of Article 6 of the AI Act, which states that an AI system is considered high risk in two scenarios: first, where the system is intended to be used as a safety component of a product, or where the AI system itself is a product, covered by the EU harmonisation legislation listed in Annex I, and the product whose safety component is the AI system, or the AI system itself, is required to undergo a third-party conformity assessment, in which case the system will be classified as high risk under Article 6(1) of the AI Act; and secondly, where the system falls within one of the use cases listed in the areas set out in Annex III, in which case it will be classified as high risk under Article 6(2) of the AI Act. Section III of the Guidelines addresses the first category of high-risk AI systems, while Section IV addresses the second. The consultation ends on 23 June 2026.
European Commission seeks feedback on functioning of EU crypto-assets rules
The European Commission is gathering feedback on how the EU’s regulatory framework on crypto-assets, the Markets in Crypto-Assets Regulation (MiCA), is functioning. As crypto-asset markets and the broader policy landscape continue to expand, the Commission is assessing whether the current framework remains fit for purpose. MiCA was implemented in 2024 and established a harmonised EU framework for crypto-assets and related services, covering crypto-assets, asset-referenced tokens and e-money tokens (stablecoins), their issuers, and crypto-asset service providers. Since the MiCA regulation was developed, digital asset markets have continued to evolve, with the global policy and regulatory landscape also changing significantly. The Commission is therefore assessing whether the EU framework needs to be updated in light of market and international developments. The consultation ends on 31 August and the feedback gathered will be used to inform the Commission’s future policy work on digital assets.