digital economy regulation

However, unlike the European Parliament, the Council does not support making providers of telecoms, instant messaging and social media platforms liable for fraud in certain cases. This Flash analyses the positions of the three EU institutions as the negotiations on the final text of the Payment Services Regulation begin.

The Data (Use and Access) Act became law on 19 June 2025. The act introduces changes to the UK data protection regime in areas such as automated decision-making, the use of cookies and the legal bases for processing personal data. It also restructures the UK data protection authority.

A US federal court ruled, in two separate cases, that training artificial intelligence (AI) models with copyright-protected books without permission from copyright owners does not infringe copyright in certain circumstances. Both rulings are subject to appeal, and the ultimate resolution of this AI training issue remains unsettled. Many other copyright infringement lawsuits over AI training are still pending in the US.

This report gathers policy and regulatory developments at EU level covered by Cullen International’s Digital Economy and Media services over the past two weeks. It also lists events taking place this week.

The UK government is seeking feedback on the cybersecurity of enterprise connected (IoT) devices. Proposed initiatives may include publishing a voluntary code of practice, developing “a new global standard” for cybersecurity and/or introducing legislation that would mandate some or all of the code’s principles.

The NIS2 transposition law has not yet been officially published but it is expected to enter into force on 1 September 2025. The government would have sole responsibility for deciding on restricting high-risk vendors, while the national cybersecurity authority would implement the decision in practice.