Follow Travers Smith on LinkedIn.

The UK government has recently introduced the Cyber Security and Resilience (Network and Information Systems) Bill to Parliament, with the objective of strengthening the UK’s defences against cyber threats to systems most critical to daily life. Once in force (many of the substantive reforms will require secondary legislation to be brought into effect), this legislation will extend direct regulation to a broader range of organisations underpinning essential services and key digital services in relation to cyber compliance – including data centres, managed service providers and specifically designated "critical suppliers".

The UK Competition and Markets Authority ("CMA") published its draft revised guidance on merger remedies on 16 October 2025 (the "Draft Guidance"), proposing updates to its approach to the selection, design and implementation of remedies in merger cases. The consultation is open until 13 November 2025, with final guidance expected to be in place later this year.

At its outset, the case before the UK High Court in Getty Images v Stability AI looked set to provide a definitive outcome to the copyright debate dividing “two warring factions” (as the trial judge put it)—the creative industries and the AI industry. However, those hopes faded when Getty Images dropped its primary infringement claim at the end of the trial in June 2025, following insufficient evidence that Stability AI's generative AI model, Stable Diffusion, had been trained within the UK.

The UK Government has issued an open call for evidence asking for examples of where UK regulation inhibits growth, innovation and investment. This is a good opportunity for businesses to make the case for Government to look again at aspects of law or regulation which may be well-intentioned, but are disproportionate in their effects.

The European Banking Authority (EBA) is preparing to usher in a Digital Operational Resilience Act (DORA)-style regime, but this time for non-ICT third-party arrangements. Its proposed draft guidelines significantly expand its former 2019 outsourcing guidelines and will lead to an overhaul of third-party risk management within EU financial services.

In this issue, we look at how to mitigate risks to outsourcings from cyber-attacks and the implications for customers and service providers of proposed reforms on late payment. We also discuss the Employment Rights Bill, cloud service switching, umbrella companies, what to watch out for in the Budget and AI literacy.