Cyber Security and Resilience (Network and Information Systems) Bill

The Cyber Security and Resilience (Network and Information Systems) Bill was introduced to Parliament on 12 November 2025, with the aim of extending and modernising the UK’s existing cyber security rules. Its introduction is widely seen to be a result of the increase in cyber security threats that have hit UK organisations recently.

This Bill would add to existing UK law (namely, the Network and Information Systems Regulations 2018).

How could it impact your business?

The Bill proposes several key changes, including:

1. Extending the scope of the Regulations to include new sectors and companies, including the energy, transport, health and water industries. New industries will need to adapt to ensure they are complying with both existing and new rules.

2. New, stricter reporting timelines for cyber security incidents (currently proposed at 24 hours to notify the regulator, with a full report due within 72 hours). Businesses will need to make sure they have robust internal policies that enable prompt identification, investigation and reporting of cyber security events within these tight deadlines.

3. Regulators being given stricter enforcement powers.

4. Companies could be subject to fines of up to £17,000,000 or 4% of global turnover (whichever is highest) for the most serious breaches. Ongoing breaches could also attract daily penalties of up to £100,000. These financial repercussions could significantly impact businesses if they fall foul of the rules.

What steps should you take?

There is no confirmed date for when (or if) this Bill will become law, and the scope of its potential impact may change as it passes through Parliament. Nevertheless, it is an important Bill for those in potentially affected sectors to keep an eye on.

It is clear the Government’s focus is on increasing cyber resilience within the UK. With the rise in cyber incidents occurring, it is essential that businesses start taking steps to improve their existing, or implement new, cyber security measures that meet today’s threat landscape head-on.

European Commission publishes model terms and standard clauses on data access/use and cloud computing

As required by the EU Data Act ((EU) 2023/2854), the European Commission has published:

1. three sets of non-binding ‘Model Contractual Terms’ (MCTs) for data access and use;

2. three sets of ‘Standard Contractual Clauses’ (SCCs) for cloud computing; and

3. three sets of SCCs concerned with fairness, reasonableness and non-discrimination.

The terms have been developed to help businesses, particularly SMEs, implement the provisions of the EU Data Act. The Act established new harmonised rules on data access, switching cloud providers and interoperability requirements across the EU. It affects organisations that use, collect and manage data within their EU operations (even if based outside), including in relation to designing connected products and related services, and negotiating data sharing agreements.

The MCTs cover different data sharing situations between data holders, users and third-party recipients, while the SCCs cover cloud-related obligations such as switching providers, contract termination and security, and business continuity during switching.

The terms are non-binding drafts issued through a Commission Communication Recommendation published on 19 November 2025. Adoption of the MCTs and SCCs is voluntary and open to user amendments. Their practical use will begin once the recommendation is finalised.

How could it impact your business?

Any business operating within the EU will be caught by the Data Act and thus the new terms. The terms and clauses provide organisations with a clearer, more consistent framework for drafting data sharing and cloud contracts. Businesses dealing with connected products, data sharing arrangements or cloud service providers may need to revisit their templates to ensure they align with the Data Act’s approach to fairness, transparency and non-discrimination.

The MCTs and SCCs are drafted mainly for business-to-business relationships, but can also be used between businesses and consumers, in which case additional provisions must be incorporated to comply with consumer protection rules.

Existing arrangements, particularly those that involve data access requests, voluntary data sharing or cloud switching, may require updates to reflect obligations set out in the MCTs and SCCs.

Whilst the recommended terms are non-binding, not following them may cause friction in negotiations or expose businesses to allegations that their terms are ‘unfair’ under the Data Act.

The aim of the new MCTs and SCCs is to provide practical, standardised starting points for contracts involving data access, data sharing and cloud services, thereby reducing negotiation time and potential legal uncertainty.

What steps should you take?

Businesses should review existing data sharing and cloud related contracts, cross-referencing these against the structure and expectations of the MCTs and SCCs.

Key steps for businesses include:

• Assessing whether data sharing terms meet the Data Act’s fairness and transparency standards;

• Updating cloud agreements to include switching, termination and continuity provisions aligned with the SCCs;

• Drafting teams may wish to incorporate relevant MCTs and SCC modules into workflow templates;

• Planning for supplementary GDPR compliant clauses; and

• Preparing internal guidance and negotiation playbooks to streamline adoption of the new model terms across teams.

Acting early will make future compliance smoother, prevent potential future renegotiations, and reduce the compliance risk.

Property (Digital Assets etc.) Act 2025 receives Royal Assent

The Property (Digital Assets etc.) Act 2025 (the “Act”) received Royal Assent on 2 December 2025 and came into effect on that date, marking a pivotal moment for legal recognition of digital assets. The Act confirms the existence of a “third category” of personal property rights capable of accommodating digital assets (such as cryptocurrency and non-fungible tokens) by providing that such assets are not prevented from being treated as property simply because they do not fall within the two existing legal categories of property, that is:

• a “thing in possession” being a tangible item that can be possessed (such as a watch); and

• a “thing in action” being a right or property that can only be claimed or enforced through a court action (such as a debt).

The Act is a significant step towards cementing the United Kingdom as the leading legal jurisdiction to underpin the digital asset economy.

The Act means that digital assets can be treated as personal property (assuming that they meet the necessary criteria to constitute property), and therefore attract personal property rights, which provides certainty for businesses and individuals who own or transact with such assets. The Act does not confirm that any particular asset is definitely the object of personal property rights, but rather it permits the courts to develop rules and proprietary remedies that suit the unique characteristics of digital assets. This will be on a case-by-case basis, allowing the courts to respond flexibly as technology evolves.

How could it impact your business?

The Act enhances legal recourse for owners of digital assets with its formal recognition of digital assets in law, ensuring that the law can effectively handle and protect such assets. Key areas include:

• the availability of legal remedies for theft and fraud, enabling owners to take action if such assets are unlawfully taken;

• the inclusion of such assets in insolvency proceedings, allowing them to be treated as part of the asset pool available to creditors;

• the application of certain dispute resolution tools, such as freezing injunctions, to digital assets; and

• the proper characterisation of digital assets in complex legal relationships such as custody relationships, collateral and security arrangements and structures involving trusts.

What steps should you take?

Businesses that own or deal in digital assets should review their contracts to account expressly for such assets as property. Clauses relating to ownership, transfer and dispute resolution should be updated to reflect the change in legal status of digital assets. Systems should be audited to ensure that digital assets can be tracked, stored and transferred properly. Insurance of them should be considered and measures put in place to protect against theft, loss or technical failure.

Third-party litigation funding: reversal of effects of PACCAR judgement

It was announced on 17 December 2025 by the Ministry of Justice that the Government intends to pass legislation to reverse the effects of the Supreme Court’s decision in R (on the application of PACCAR Inc) v Competition Appeal Tribunal [2023] UKSC 28 (the “PACCAR Judgment”).

In the PACCAR Judgment, the Supreme Court held that third-party litigation funding agreements (LFAs) which provide for the funder to receive a fee calculated by reference to the damages which the claimant is awarded constitute damages-based agreements and therefore must comply with the Damages Based Agreements Regulations 2013. This decision impacts the vast majority of LFAs, which generally do not comply with these Regulations, with the result being that they will potentially be unenforceable.

The PACCAR Judgment has caused considerable uncertainty regarding the validity of existing litigation funding agreements and has made it harder to access third-party litigation funding. The Ministry of Justice acknowledges that this uncertainty may be preventing claimants from accessing justice and risks undermining the status of England and Wales as a preferred forum for commercial litigation and arbitration and has confirmed that the Government will take action to remove this barrier to justice.

How could it impact your business?

The intended legislation will provide that, in future, LFAs will not be damages-based agreements, and will introduce proportionate regulation of LFAs to ensure that such agreements are fair and transparent, so that third-party litigation funding works for all those involved. Such regulation will be a new departure, as funders have so far operated under a voluntary regime only.

No indication has been given as to the timing of the introduction of this new legislation but the certainty that will result from the confirmation that LFAs will not be damages-based agreements will be welcomed by defendants, claimants and funders.

What steps should you take?

Parties involved in litigation funding should review their agreements and contact us for advice if required, as well as watching out for future developments.

Employment Rights Act 2025 is passed

Towards the end of 2025, the Government worked hard to pass its flagship Employment Rights Bill (‘ERB’) into law. The timetable for ERB implementation always assumed that the underlying bill would pass in 2025 but key sticking points delayed its implementation.

Key amongst the Government’s difficulties was the House of Lords’ refusal to agree that unfair dismissal should become a ‘day 1’ right. This would have been a very significant change as, currently, an employee only qualifies for unfair dismissal after 2 years of working for an employer.

The Government announced a compromise on 27 November. A press release set out a deal with trade unions and business representatives to apply a 6-month qualification period for unfair dismissal in future.

A second step was then briefly outlined, which also became a matter of intense controversy:

“To further strengthen these protections, the Government has committed to ensure that…the compensation cap will be lifted.”

Subsequent debates in the House of Lords and online showed that this wording had been interpreted in different ways.

The Government’s view was that this meant that the current cap on unfair dismissal would be removed entirely. However, the removal of the cap on unfair dismissal awards did not form any part of the Labour Party’s employment law proposals in opposition. It therefore represented a big and sudden shift in employment law.

Certain politicians and employer organisations indicated their strong opposition to removing the cap. They argued that any agreement to ‘lift’ the cap on unfair dismissal referred to an increase in the amount of the cap on unfair dismissal awards (not its abolition).

However, following another round of debates, the ERB was passed by the Lords on 16 December. Whilst it has been confirmed that the current statutory cap for unfair dismissal will go, further consultation will be undertaken on this aspect of Government proposals

The ERB received Royal Assent on 18 December, becoming the Employment Rights Act 2025. The majority of its provisions will require secondary legislation to bring them into effect.

How could it impact your business?

It is now clear that the ERB will bring two significant changes into effect on unfair dismissal, which employers will have to adjust to:

1. Employer’s will only have a grace period of 6 months (rather than 2 years) to consider and determine if a new hire is ‘up to the job’ before that person gains the right to claim unfair dismissal.

2. It is likely to be harder to settle claims with higher earners, because the unfair dismissal cap currently acts to set a limit on expectations, within which many deals are reached. Removing the current cap will mean that the potential value of claims by higher earners may be highly uncertain without a hearing.

What steps should you take?

Employers should be looking at their probationary clauses, processes and training now, in anticipation of the amended 6-month qualification period.

Evaluating performance rigorously and consistently during the early stages of employment will also become more important. Training managers on how to do this would be particularly beneficial and can be implemented now, well ahead of the impact of these changes.

Finally, thought also needs to be given to briefing and training HR teams and senior managers on the implications of exits for mid-level and senior-ranking staff. Their claims for unfair dismissal may be more uncertain in scope and potentially more valuable, making deals harder to strike at the time of exit.

Government introduces a working paper on the use of non-compete clauses in employment contracts

The Government has launched a working paper on the use of “non-compete” clauses in employment contracts, seeking views on the potential limitation on their use. This follows previous calls for evidence by the Conservative Government in 2016 and 2020. The Conservatives stated they were reconsidering limiting the use of non-competes as they were concerned about their impact and were looking to maximise opportunities for individuals to start new businesses and find new work.

The Government is reviewing the data previously collated by the last Conservative government. Whilst non-compete clauses are presently only enforceable where they are reasonable, disputes in relation to enforceability are costly and time consuming. Accordingly, most employees comply with the restrictions, even where they are not enforceable, out of caution or simply out of a lack of knowledge.

The Government considers their use to be a brake on entrepreneurial activity, making it harder for business to scale up. Any ban on their use or restriction, would bring the UK into line with some other jurisdictions:

• In some US states, non-compete clauses are banned and the Federal Trade Commission has started an investigation into the potential effects of a ban at Federal level.

• France, Germany and Italy require payment of compensation for the duration of the non-compete.

• In Australia, an outright ban was proposed for those earning less than AUD175,000.00.

How could it impact your business?

Non-compete clauses are a potentially valuable tool which employers can use to protect their legitimate business interests where other, less impactful, restrictions are unlikely to work.

An estimated 5 million people in the UK have signed up to a non-compete clause. That said, it is important that any such restriction is fair and reasonable and normally consideration should be paid where you are asking individuals to enter into such restrictions.

It is important to keep up to date on the legality of their use and, should a restriction come into force, it will be important to draft policies, procedures and handbooks to ensure that staff clearly understand the confidentiality requirements that they are subject to whilst employed and post-termination. You should also ensure that confidential information or critical commercial information is kept as secure as possible.

What steps should you take?

At this stage, this information is advisory only. Follow our Horizon Scanning page for future updates and ensure that the use of non-competes is carefully scoped, clear and can be justified.

Increases to statutory payments

The Department for Work and Pensions has announced its planned increases to statutory payments from 1 April 2026, as follows:

• The weekly rate of statutory sick pay (SSP) will be £123.25 (up from £118.75).

• The weekly rate of statutory maternity pay, maternity allowance, statutory adoption pay, statutory paternity pay, statutory shared parental pay, statutory neonatal care pay and statutory parental bereavement pay will be £194.32 (up from £187.18).

• The lower earnings limit (the weekly earnings threshold for qualifying for the above payments, except maternity allowance) will be £129 (up from £125). For maternity allowance the threshold remains at £30 a week.

These increases represent a 3.8% increase in line with the Consumer Prices Index.

The National Minimum Wage will also increase from 1 April 2026, following the recommendations of the Low Pay Commission. From April, the rates will be:

• National Living Wage (aged 21 and over): £12.71 (currently £12.21)

• 18-20 year old rate: £10.85 (currently £10.00)

• 16-17 year old rate: £8.00 (currently £7.55)

• Apprentice rate: £8.00 (currently £7.55)

• Accommodation offset: £11.10 (currently £10.66)

How could it impact your business?

These increases follow last April’s increase to the National Minimum Wage and National Insurance contributions.

What steps should you take?

Whilst businesses will, most likely, already be aware of the above changes, it is important to review current remuneration and record-keeping practices (after payroll deductions) to ensure continued compliance.

EU Omnibus I (sustainability simplification): EP vote passed; CSRD & CSDDD scaled back with revised timelines

On 16 December 2025, the European Parliament approved the Omnibus I sustainability simplification package. It narrows CSRD and CS3D, removes the standalone CS3D climate transition plan requirement, and introduces a 3% cap on administrative fines under CS3D. Proposed headline thresholds are:

• CSRD: companies with more than 1,000 employees and €450m global turnover; and

• CS3D: companies with more than 5,000 employees and €1.5bn global turnover.

The package would also limit value‑chain information requests to SMEs, introduce targeted reliefs (including for certain financial holding companies), and include review clauses to revisit scope. Final adoption and precise timing remain subject to Council approval and any subsequent negotiations.

How could it impact your business?

For UK‑headquartered groups, many may fall out of direct CSRD/CS3D scope unless the higher thresholds (or revised non‑EU group triggers based on EU turnover and EU establishment) are met. However, groups that are EU‑listed, have substantial EU operations, or supply very large EU customers should expect continued (though more targeted) value‑chain data requests, with a stronger risk‑based focus on direct business partners.

Investor and customer expectations around credible sustainability disclosure remain, meaning some UK groups may continue voluntary reporting (for example, ISSB‑aligned or UK SDS‑aligned disclosures) to support capital access and market confidence.

Overall, the compliance burden is expected to ease for mid‑market UK businesses, while large EU‑exposed groups should re‑baseline scope, timing and data needs, and adjust internal policies to reflect the revised thresholds and risk‑based due‑diligence model.

What steps should you take?

1. Re‑scope: Map group headcount and turnover against the proposed CSRD (>1,000 employees and €450m turnover) and CS3D (>5,000 employees and €1.5bn turnover) thresholds, and assess potential non‑EU group triggers linked to EU turnover and branch or subsidiary presence.

2. Reset timelines: If in scope, plan on a working assumption of CSRD application from FY2027 (with non‑EU ultimate parents potentially from FY2028) and CS3D application from July 2029, with reporting expected to follow from FY2030. Align internal data plans to a streamlined ESRS and a risk‑based focus on direct partners.

3. Engage the value chain: Update supplier prioritisation, contractual clauses and grievance mechanisms, while respecting proposed limits on information requests to smaller business partners.

4. Stay investor‑ready: If falling out of mandatory scope, decide which voluntary disclosures to maintain to meet lender, investor and key customer expectations.

Planning & Infrastructure Act 2025

The Planning & Infrastructure Act 2025 (the “Act”) received Royal Assent on 18 December 2025. While some of its provisions took effect on that date, others will come in to force in February 2026, and many require secondary legislation to bring them into force.

The Act aims to modernise planning and infrastructure delivery in England and Wales, improving flexibility, speed, and accountability, with the sections on consents for electricity infrastructure also relating to Scotland. It aims to streamline consent processes, accelerate energy connections, and support renewable energy and transport upgrades. Local authorities gain fee-setting powers and funding mechanisms, while committee decision making standards are to be improved through mandatory training and national schemes of delegation. Heritage protections and extended implementation periods reduce litigation risks. Environmental measures include Nature Restoration Levies and Environmental Delivery Plans to link development with conservation. Updates to development corporations and compulsory purchase procedures enhance efficiency, clarify powers, and expedite land acquisition. Overall, the Act seems to focus on procedural improvements rather than introducing new policy.

How could it impact your business?

The Act impacts several key business areas, primarily those involved in planning, infrastructure, energy and property development:

• It accelerates major projects through streamlined planning and compulsory purchase processes, reducing delays and costs for developers and contractors.

• Energy businesses benefit from faster grid connections and support for renewable generation and storage.

• Property developers face new planning fee flexibility and environmental obligations, including Nature Restoration Levies which could increase costs but should reduce delay.

• Legal and professional services firms will see increased demand for compliance advice due to mandatory training and procedural changes.

The Act intersects with and modifies several existing policies, including National Policy Statements, Judicial Review of Nationally Significant Infrastructure Projects, delegated planning decisions, Environmental Delivery Plans and Strategic Planning Duty.

The Act also creates new obligations and enforcement mechanisms that carry indirect consequences for businesses, for example, developers must pay the Nature Restoration Levy when development falls under an Environmental Delivery Plan. Failure to do so would likely be treated as non-compliance, triggering enforcement actions by Natural England.

What steps should you take?

Developers and construction firms should review Environmental Delivery Plans, budget for Nature Restoration Levies, and integrate conservation measures into projects. Energy companies need to prepare for faster grid connections and renewable opportunities. Local planning authorities must implement new fee structures, mandatory training and updated decision-making processes.

It is best to act promptly. Delaying action could lead to missed opportunities for faster approvals, unexpected costs from new levies and non-compliance with updated procedures, which may result in project delays, reputational risk and potential legal disputes.

How the Renters’ Rights Act 2025 (the Act) will impact Welsh Landlords

In our November Horizon Scanning we set out information on the Renters’ Rights Act 2025 (the Act) which has received Royal Assent and will start to take effect from 1 May 2026.

It is not clear from the mass commentary, but the Act will not impact (apart from the small change set out below) landlords in Wales. This is because housing is devolved – meaning that the Welsh Government has the authority to create its own housing policy and laws.

The Renting Homes (Wales) Act 2016 (the RHWA) overhauled the residential rental sector in Wales in 2022, so Welsh landlords are ahead of English ones when it comes to the minefield of implementing a new regime.

How could it impact your business?

For Welsh landlords, there is very little that will need to be done as the Act does not override the RHWA. The RHWA will continue to govern the private rental sector and the only provisions in the Act that will apply to Wales relate to discrimination. Once implemented, a landlord will not be able to:

1. deter prospective tenants who receive benefits or who have children from enquiring about a property;

2. refuse or restrict their access to viewings; or

3. exclude them from entering into an occupation contract.

Most of the commentary on the Act fails to recognise this, which causes confusion for property owners in Wales.

There are significant differences between the legislation in England and Wales, which will only increase when the Act comes into force. For example, different forms must be served to obtain possession, different formats for occupation/tenancy agreements and different notice periods. From May, Wales will be the only British nation to allow landlords to pursue ‘no-fault’ evictions.

A lack of understanding of the differences between the different legislation could result in a landlord being unable to obtain possession of properties, or receiving fines for missed documents and deadlines.

What steps should you take?

Landlords will need to keep an eye out for when the provision relating to discrimination comes into force (we will feature this again in Horizon Scanning when implemented). The Welsh Government will determine when this will be, however, this provision will come into force in England in late 2026, so it is anticipated to be a similar time frame in Wales.

Landlords will then need to amend the fundamental terms in occupation contracts to include this, and issue the revised versions to contract holders within 14 days of the variation.

Even though this will not be a significant amendment, and the wording is governed by the Welsh Government, it will be an administration burden, especially for those with large stock. Landlords could use this as an opportunity to take stock and assess whether there are any other amendments that they want to make at the same time.