The deadline is fast approaching for in-scope financial entities and their ICT service providers to conform to the EU’s new digital operational resilience regulation.

By Christian F. McDermott and Alain Traill

With effect from 17 January 2025, a broad range of EU financial entities will be subject to the new EU regulation on digital operational resilience for the financial sector (DORA), with significant impact for firms and their third-party ICT service providers. As the new landscape takes shape, below is an overview of some of the key changes and steps that impacted financial entities and providers should be taking ahead of the deadline.

Covered institutions will need to review their cybersecurity and incident response policies and procedures ahead of the applicable compliance deadline.

By Robert Blamires, Laura Ferrell, Daniel Filstrup, Jennifer Howes, and Sarah Zahedi

The Securities and Exchange Commission (SEC) recently1 adopted amendments to Regulation S-P that expand the scope of requirements applicable to brokers, dealers, investment companies, SEC-registered investment advisers, and foreign (non-resident) SEC-registered brokers, dealers, investment companies, and investment advisers (together, Covered Institutions) in order

Businesses need to be proactive in updating their compliance measures to meet the ever-evolving set of privacy laws and regulatory expectations in 2024 and beyond.

By Michael H. Rubin, Robert W. Brown, Max G. Mazzelli, Jennifer Howes, and Sarah Zahedi

Following the notable uptick in state-level privacy laws in 2023, a wave of new comprehensive state privacy laws and state laws seeking to regulate health privacy, youth privacy, online platforms, and data brokers are set to take effect this year. While a draft federal comprehensive privacy law — the American Privacy Rights Act — aimed at harmonizing this patchwork of state laws was introduced last month, until such a law actually passes, the quickly evolving state regulatory landscape will continue to set the standards for how most businesses must handle personal information in the US.

Update confirms the introduction of an active “duty of care” and a dedicated regulator, as part of a comprehensive new online regulatory regime.

By Alain Traill, Rachael Astin, Gail E. Crawford, and Patrick Mitchell

Following a wave of commentary from industry, the social sector, and other organisations, on 11 February 2020 the UK government set out preliminary details of a new regulatory regime to govern content posted on online platforms. The details were released in an initial response to last year’s online harms white paper, with a full response expected this spring. While some changes have been made to the white paper proposals, seemingly in response to concerns raised by industry and other stakeholders, the government has confirmed that it will introduce an active “duty of care” on organisations to prevent certain content from appearing on their platforms.

The proposed new regime mirrors similar steps taken in other jurisdictions, e.g., Australia, to protect against harmful content online. It is also in-line with the direction of travel of platform regulation at a European level, taking into account, for example, changes to the AVMS Directive (EU) 2018/1808 (AVMSD) to regulate video-sharing platform services (VSPs) in relation to protection of minors and harmful content, and the planned EU Digital Services Act, which is likely to introduce changes to EU law regarding the liability of platform providers for content posted using their services.