Welcome to the latest edition of Technol-AG - practical commentary on our pick of the latest tech law developments. In this edition, we provide an easy to digest overview of the latest AI news and consider the practical takeaways from some of the key announcements in two other areas: cyber resilience and telecoms.
On 23 January 2024, as part of its £2.6 billion National Cyber Strategy to protect and promote the UK online, the Government published a draft Cyber Governance Code of Practice and a response to its call for views on security and software resilience for organisations and businesses. The clear indication is that cyber resilience is a topic Boards should be taking seriously.
The Government has published a draft Cyber Governance Code of Practice aimed at executive and non-executive directors and other senior leaders. The Code is intended to bring together the critical cyber governance areas directors need to take ownership of and formalise the Government's expectations of directors regarding these. A call for views on this Code is open until 19 March 2024.
The key message from the Government is that directors and Boards need to give as much attention to governing cyber risk as they do to other important risks. They see business resilience and cyber security as intrinsically linked and expect organisations to implement a top-down approach. This requires the most senior leaders of an organisation (directors, the Board or equivalent) to take ownership of cyber risk, understand the cyber threats to the organisation and assess the action being taken to manage them.
Although the Code is currently only in draft form, it identifies what the Government considers to be the most critical areas that business leaders must engage with (the areas of focus set out above). Organisations should give serious thought to these areas and ensure that their business has strong accountability frameworks in place regarding cyber governance.
On the same day it published the draft Cyber Governance Code of Practice, the Government also turned its attention to software resilience for businesses and organisations by laying out proposed interventions in a policy framework in its response to a call for views. The stated purpose was to further help address software risks, make organisations more resilient to cyber threats and give more clarity on best practice.
The Government highlighted the severe impacts which attacks on software and digital supply chains can have, giving the example of the recent cyber incident which took the NHS 111 service offline. They emphasised that, given how fundamental software has become to organisations and how much reliance is placed on it, protecting it is crucial.
Of most interest to software users are the proposals to help strengthen software vendor accountability. These include:
In the meantime, organisations should consider reviewing their contractual requirements for software vendors to ensure there is accountability regarding security practices and resilience.
Following the big AI news to end last year with, in the form of agreement being reached on the EU AI Act (please refer to our commentary on this) (the Act), 2024 has already seen some interesting legal developments regarding AI. Here’s our pick of the key things you need to know about.
Although agreement was reached on the Act in principle in December, the text of the Act is still making its way through the formal legislative process and will ultimately have to be formally adopted by both the European Parliament and the EU Council to become EU law. It came as a bit of a surprise therefore when on 22 January 2024 a journalist leaked the text and it was quickly circulated and discussed as though in final form.
Since then, the text of the provisional agreement has been officially published and a major hurdle has been cleared with unanimous approval by the EU Council's Committee of Permanent Representatives. Several further stages remain but it seems increasingly likely that text, substantially in the form of the one published, will be formally adopted in April.
In contrast to the EU position, on 6 February 2024 the Government issued a response to the consultation on its March 2023 white paper setting out proposals to establish a regulatory framework for AI (the White Paper Response). This confirmed their pro-innovation approach and the fact that they are not intending to implement regulation in the near future, instead opting to combine cross-sectoral principles and a context-specific framework. However, alongside various other updates, they announced that they have asked a number of regulators to publish an update outlining their strategic approach by the end of April this year and this information will have a bearing on whether they continue to favour a non-legislative approach.
The White Paper Response also provided an update regarding the Government's approach to AI and copyright. It was revealed that the Code of Practice on Copyright and AI being developed by the Intellectual Property Office (IPO) to clarify the protection of rights holders had been shelved and the Government made clear that it has no immediate solution. Instead, they are intending to continue to engage with both the AI sector and the creative and media sector and their international counterparts who are facing the same challenge.
The way in which the legal issues associated with AI are to be addressed by regulators and governing bodies continues to evolve. Organisations should continue to follow the latest developments in the jurisdictions in which they operate, particularly where they or their supply chain are already starting to make use of AI tools.
An Ofcom consultation launched on 12 December set out Ofcom's plans to protect consumers from uncertain price increases with a proposed ban on telecoms companies providing price increases which are inflation-linked or set out in percentage terms.
If the proposals go ahead, telecoms companies will be banned from including any inflation-linked price rises and any percentage-based price rise terms. If they want to increase the price, they will be required to do so by setting out the amount in pounds and pence and clearly outlining when the change in price will occur.
If you would like to discuss what any of these news stories or updates might mean for your business, please get in touch with David Berry or your usual Addleshaw Goddard contact.
David Berry >
David Anderson >
Susan Garrett >
Damon Rosamond-Lanzetta >
Partner, Co-Head of Tech Group & Head of Corporate (Scotland)
Edinburgh, UK
Find out more about our Technology advisory practice.
Find out moreSubscribe for legal insights, industry updates, events and webinars to your inbox
Sign up nowGet up to date with our latest news on LinkedIn
Follow now
