EU Puts Forward New Cybersecurity Package
On January 20, 2026, the European Commission (the "Commission") introduced a new cybersecurity initiative to strengthen the EU's resilience and capabilities in response to growing threats. The initiative includes a proposal for an updated Cybersecurity Act to improve the security of the EU's information and communication technology ("ICT") supply chains. It ensures that products supplied to EU citizens are designed with cybersecurity in mind through a more straightforward certification process.
The revised Cybersecurity Act will ensure that products and services available to EU consumers undergo security testing more effectively. This will be achieved through an enhanced European Cybersecurity Certification Framework ("ECCF"). The ECCF will provide greater clarity and simpler processes, enabling certification schemes to be created within a default timeframe of 12 months. It will also implement more flexible and transparent governance to better engage stakeholders through public information and consultation.
If approved, the Cybersecurity Act changes would apply immediately. At the same time, Member States would have one year to implement the NIS2 Directive (the EU's main cybersecurity rules for critical and digital services) updates.
ICO Comments on UK Cyber Security and Resilience Bill
On January 6, 2026, the Cyber Security and Resilience ("Network and Information Systems") Bill, introduced by the UK Government, passed its second reading in the House of Commons. The Information Commissioner's Office (the "ICO") has released its reaction to the Bill. The ICO recognizes the importance of robust data protection for all organizations and applauds the Bill's aim to enhance the UK's cyber resilience. The ICO, however, is requesting guidance to help small and medium-sized enterprises implement the new regulations. In their response, the ICO highlights the need to comply with current data protection regulations, such as the UK GDPR, to avoid confusion and duplication. They also offer to work with the government to improve cybersecurity measures that enhance public trust and data protection.
Commission Expands DSA Investigation into X with New Probe into Grok
On January 26, 2026, the European Commission announced that it had opened a new formal investigation under the Digital Services Act (the "DSA") into X's AI chatbot, Grok. It extended its existing investigation, launched in December 2023, into X's compliance with its risk management obligations. The Commission stated that Grok may pose potential risks to fundamental rights, including for minors, particularly in relation to AI-generated images, such as child sexual abuse material and non-consensual intimate images, which may adversely affect individuals.
Prior to the Commission's investigation, most EU members had already begun taking their own measures against Grok. French authorities raided X's Paris office in connection with Grok's deepfake production, and Elon Musk was summoned for questioning. Similarly, the ICO in the UK also launched an investigation into Grok and X on 7 January regarding images and videos created using Grok's artificial intelligence system.
Commission Guidance Still Pending as High-Risk AI Obligations Apply
The Commission published a Q&A to address in detail the objectives, governance, and implementation of the Artificial Intelligence Act (the "AI Act"), clarifying provisions on high-risk AI systems and general-purpose AI models, as well as measures to promote innovation. Among these Q&As, regarding how to identify high-risk AI under the AI Act, the Commission stated that it had prepared guidelines for high-risk classification, which would be published before the implementation date of Article 6.
Similarly, the Commission was obligated under Article 6 of the AI Act to provide a comprehensive list of examples of the use of high- and non-high-risk AI systems, but it missed the deadline. It is argued that the main reason for the delay is the need to ensure compliance with the Digital Omnibus legislative package, which is expected to be published in late 2025. Final adoption is now expected in March or April 2026.
Taiwan Adopts Its First Comprehensive AI Law
Following approximately two years of extensive discussions, Taiwan, which has long been recognised as a key player in the global technology landscape, particularly in the fields of semiconductor and chip manufacturing, enacted a risk-based artificial intelligence law on January 14, paralleling the EU AI Act. The Taiwan AI Act is shaped around seven fundamental principles: sustainable development and well-being; human autonomy; privacy protection and data governance; cybersecurity and safety; transparency and explainability; fairness and non-discrimination; and accountability. The Taiwan AI Act will be implemented and developed over the next two years.
London Council Investigates Possible Data Exfiltration After Cyber Attack
A local council disclosed on January 1, 2026 that hackers are believed to have "copied and exfiltrated" sensitive and personal data in connection with a cyberattack in London in November. The incident remains under investigation, and a dedicated helpline and email address have been established to gather information from the public to assess who may have been affected and which categories of data may be involved.
When Scrolling Never Ends: TikTok Under EU Scrutiny
The Commission made preliminary findings on 6 February 2026 that TikTok violated the Digital Services Act by harming the physical and mental health of its users, particularly minors and vulnerable adults, through addictive behaviour. The Commission believes that TikTok should disable its infinite scroll feature and modify its design, including implementing screen time breaks. In addition to the addictive effects, it was stated that minors who misrepresent their age can access content inappropriate for their age. TikTok had previously made certain commitments to the Commission regarding the lack of transparency in its advertisements. As a result of the investigation, TikTok may be required to take similar measures and pay an administrative fine.
Ontario Publishes AI Scribe Privacy Checklist
The Information and Privacy Commissioner of Ontario has published a checklist of guidelines to ensure compliance with healthcare privacy protection legislation, including assessing AI systems, establishing clear contractual safeguards, monitoring AI systems over time, and developing robust governance and accountability frameworks.
The checklist focuses on practical issues such as when a privacy impact assessment should be carried out, how patient transparency and consent should be ensured, what level of human oversight is required over AI-generated records, and how data minimisation, security, and retention should be addressed. It also emphasises governance arrangements, including clear accountability, vendor management, and the ability to suspend or turn off the AI system where necessary.