No UK AI regulation Bill imminent
On 17 November 2025, Lord Holmes asked the UK government in the House of Lords when they will publish their consultation on artificial intelligence legislation, and when a bill will be introduced. The Minister, Department for Science, Innovation and Technology, responding said “the government does not speculate on legislation ahead of future parliamentary sessions and I cannot confirm the timing of any such bill.” Therefore, it seems like we will be waiting for the next King’s Speech for an AI Bill.
Ofcom fines nudification site £50,000 for failing to introduce age-checks
An Ofcom investigation has concluded that Itai Tech Ltd, which runs the nudification site Undress.cc, has failed to use highly effective age assurance to protect children from encountering pornographic content. As a result, Ofcom has imposed a fine of £50,000 on Itai Tech Ltd, which takes into account the provider’s decision to make the site unavailable to users with UK IP addresses shortly after Ofcom opened its investigation. An additional £5,000 penalty has been levied due to its failure to comply with a statutory information request. In addition, Ofcom has issued two provisional decisions against 8579 LLC and Kick Online Entertainment S.A for similar failings. Both providers now have an opportunity to make representations to Ofcom before it makes its final decisions. It has also opened new investigations under its age assurance enforcement programme into five providers which together operate 20 pornography sites.
High Court considers infringement of database right and copyright in postal address databases
In IDDQD Ltd v Codeberry Ltd and another [2025] EWHC 2561 (Ch), the High Court found that the defendants Codeberry and Mr Smith infringed database rights in Royal Mail Group’s Postcode Address File (PAF) and IDDQD’s GBR Database (licensed from RMG), as well as copyright in the Historic PAF. The case concerned the creation and marketing of the GetAddress database, which was built using PAF data and later modified with the GBR Database. The Court held that database right subsisted in PAF due to RMG’s substantial investment and that Mr Smith had extracted and incorporated a substantial part of PAF into GetAddress, which Codeberry marketed. Arguments based on RMG’s end-user terms and consent were rejected: Mr Smith was licensed only to use PAF for his own benefit, not to incorporate it into GetAddress or market it. He was also jointly liable for Codeberry’s infringement, and both claimants were awarded additional damages.
FTT upholds ICO MPN for unsolicited marketing calls
The First-tier Tribunal (General Regulatory Chamber) in Bishop v Information Commissioner [2025] UKFTT 1352 upheld a £50,000 Monetary Penalty Notice issued by the Information Commissioner under section 55A of the Data Protection Act 1998 for serious breaches of the Privacy and Electronic Communications Regulations 2003. Between January and October 2023, Mr Bishop, trading as ECO4U, made 194,110 unsolicited marketing calls to individuals registered with the Telephone Preference Service without consent, leading to 21 complaints. Although the Tribunal accepted the contravention was not deliberate, it found Mr Bishop knew or should have known the risk given a previous Trading Standards investigation and failed to take reasonable steps to prevent it. The penalty, reduced from £100,000 due to financial circumstances, was deemed appropriate given the seriousness of the breach.
UK government publishes outcome of consultation on the resale of live events tickets
The UK government has confirmed it will legislate to overhaul secondary ticketing for live events, centring on a resale price cap that prevents profit-making by prohibiting resale above the original ticket cost (including unavoidable fees), alongside a separate cap on platform service fees (level to be set following further evidence). It will also introduce volume limits making it unlawful to resell more tickets for an event than the buyer was entitled to purchase initially, and impose strict legal obligations on all online platforms facilitating resale to monitor and enforce compliance with the price cap. Enforcement will be via the Digital Markets, Competition and Consumers Act 2024, enabling the CMA and courts to impose penalties of up to 10% of global turnover and use online interface powers to restrict access to non-compliant content. The cap is intended to apply broadly across live events, with narrow exemptions under consideration for charitable fundraising (where authorised) and certain debenture arrangements. Football is covered under other legislation. The government has decided not to introduce a licensing regime at this stage but will revisit if non-compliance persists. Legislation will be brought forward when parliamentary time allows.
SFO announces investigation into $28 million crypto scheme
The Serious Fraud Office has issued an appeal for investors to come forward with any information they hold about the collapse of a $28 million cryptocurrency scheme called Basis Markets. The SFO launched an investigation into the suspected fraudulent scheme with two raids in West Yorkshire and London. Investigators, supported by the Metropolitan Police and West Yorkshire Police, searched properties in Herne Hill and near Bradford, arresting two men, on suspicion of multiple fraud and money laundering offences. Basis Markets raised approximately US$28m via two public fundraisers, one in November 2021 via the sale of non-fungible tokens and the other in December 2021, using funds to create a “crypto hedge fund”. In June 2022 investors were informed that, due to proposed new US regulations, the project could no longer proceed as planned. This is the first major cryptocurrency case announced by the SFO.
EU law
European Commission seeks feedback on commitments offered by SAP to address concerns about possible anti-competitive practices
In September 2025, the European Commission opened a formal antitrust investigation to assess if SAP’s conduct violates EU competition rules in the EEA aftermarket for the maintenance and support services of SAP’s on-premises Enterprise Resource Planning software. It also adopted a Preliminary Assessment summarising the main facts of the case and identifying its preliminary competition concerns. The European Commission has now invited comments on commitments offered by SAP to address possible anti-competitive practices in the provision of maintenance and support services for an on-premises type of software, licensed by SAP, used for the management of companies’ business operations and called Enterprise Resource Planning.
European Parliament report published on the impact of artificial intelligence on the financial sector
The Committee on Economic and Monetary Affairs’ report examines the use and impact of AI in the financial services sector and the regulatory landscape. It provides policy recommendations to enable the use of AI in financial services and clarify regulatory overlaps. It notes that the majority of AI use cases aims to cut costs by streamlining operations, rather than create new revenue streams. Most use cases represent low-hanging fruit rather than high-risk innovation, meaning that deployment of AI in finance has been prudent. The sector is so heavily regulated, and the fiduciary responsibility of financial institutions so highly regarded, that the lion’s share of use cases are both low-risk and include a human expert in the loop. Nonetheless, the diffusion and uptake of AI technologies across the financial services sector holds significant potential. Not only it can improve the sector’s efficiency, enhance consumer services, and strengthen the competitiveness of European firms, but it can also support more effective anti-money laundering and fraud detection. The issue of data quality, explainability and transparency of AI is a challenge. However, the sector is well placed to deal with this and onerous restrictions would ultimately undermine the sector’s competitiveness, the quality of services offered, and the benefits delivered to consumers. It would also have a negative impact on investment in AI technologies, considering that the financial services sector is the biggest spender on ICT services and products.
European Supervisory Authorities designate critical ICT third-party providers under the Digital Operational Resilience Act
The European Supervisory Authorities (EBA, EIOPA, and ESMA) have issued the list of designated critical ICT third-party providers (CTPPs) under the Digital Operational Resilience Act (DORA). They say that this designation marks a crucial step in the implementation of the DORA oversight framework. The designation process followed the methodology mandated by DORA. First, the ESAs collected data from the Registers of Information maintained by financial entities, which detail their contractual arrangements for ICT services. Second, the ESAs conducted a detailed criticality assessment in cooperation with the Competent Authorities across the EU from the banking, insurance and pensions, and securities and markets sectors. This assessment was carried out in line with the criteria in DORA, which required a complete evaluation of a provider’s systemic importance, its role in supporting critical or important functions for financial entities, and the level of substitutability of its services. Third, ICT third-party providers assessed as critical were formally notified, after which they were able to respond by providing a reasoned statement. The final designation decisions were adopted following a careful review of all relevant information, with the aim of ensuring the integrity of the process. The designated CTPPs provide a range of ICT services (e.g. from core infrastructure to business and data services) to financial entities of all types and sizes across the EU, reflecting their pivotal role within the financial ecosystem. The objective of the DORA Oversight Framework, mandated to the ESAs, is to promote the sound management of ICT risk by the critical providers. Through direct oversight engagement, the ESAs will assess whether CTPPs have appropriate risk management and governance frameworks in place to ensure the resilience of the services they deliver to financial entities. This serves to mitigate risks that could affect the operational resilience of the financial sector of the EU. The ESAs will keep engaging with CTPPs in the course of upcoming examination activities.
European Commission presents European Democracy Shield and EU Strategy for Civil Society
The European Commission has presented the European Democracy Shield, setting out measures to empower, protect and promote strong and resilient democracies across the EU. In particular, it has announced measures to safeguard the integrity of the information space and to ensure the sustainability of EU media. To safeguard the information space, the Commission has announced it will further its work with signatories under the Code of Conduct on Disinformation and will prepare a Digital Services Act incidents and crisis protocol to facilitate coordination between relevant authorities and ensure rapid responses to large-scale and transnational information operations. An independent EU Network of Fact-Checkers will be set up to boost fact-checking capacity in all official EU languages and the European Digital Media Observatory will develop new independent monitoring and analytical capabilities for situational awareness on elections or crises. In the upcoming review of the Audiovisual Media Services Directive, the Commission will assess how it can strengthen the prominence of media services of general interest and modernise advertising rules to foster sustainability of EU media.
