Key Takeaways

  • 2026 will be significant for data, AI and cybersecurity regulation, with the remaining UK reforms under the Data (Use and Access) Act 2025 expected to take effect soon.
  • The UK Cyber Security and Resilience Bill aims to modernise cybersecurity regulations and will likely be passed and implemented in stages in 2026.
  • The EU plans to reform its data, AI, and cybersecurity laws through the Digital Omnibus, which includes changes to the EU GDPR and the AI Act.
  • The EU has renewed its adequacy decision for the UK, allowing data transfers without additional safeguards until at least December 2031.
  • Businesses should prepare for compliance changes and monitor evolving regulatory frameworks in both the UK and EU in 2026.

2026 is shaping up to be a significant year for data protection and digital regulation, with the legal landscape continuing to evolve quickly. This article carries out regulatory horizon scanning to highlight the key UK and EU legal developments to watch in data protection, AI and cybersecurity as we head into the new year.

UK data protection reforms will take effect soon

In June last year, the Data (Use and Access) Act 2025 (DUAA) became law. The DUAA is wide reaching, but of most relevance to businesses are the incoming reforms to the UK GDPR and PECR. Although the reforms are relatively modest, businesses still need to consider how best to incorporate them into their existing data protection compliance programmes. You can read more about our key takeaways regarding these changes here.

Since its enactment, the changes introduced by the DUAA have been coming into force in phases via secondary legislation. Provisions relating to law enforcement processing and digital verification services took effect towards the end of last year, while the core amendments to the UK GDPR and PECR are expected to follow shortly, likely in early 2026.

New UK Cyber Security and Resilience Bill introduced

The Cyber Security and Resilience (Network and Information Systems) Bill was introduced to Parliament on 12 November 2025 and received its first reading, with its second reading taking place on 6 January 2026. The Bill is intended to modernise the existing Network and Information Systems Regulations 2018 (NIS Regulations) by strengthening the UK’s cyber resilience framework, particularly in response to the growing frequency and severity of cyber incidents affecting businesses. The Bill seeks to, among other things:

  • expand the scope of regulated entities, bringing managed IT service providers and data centres, among other types of businesses, under direct regulation;
  • give the regulator broader powers to designate organisations as ‘critical suppliers’ and subject them to NIS-style obligations;
  • retain the core security obligations under the current NIS Regulations, while paving the way for more prescriptive requirements through secondary legislation;
  • broaden the definition of a reportable incident and introduce a two-stage incident reporting regime which would require notification within 24 hours of awareness and a full report within 72 hours;
  • require organisations to notify affected customers of reportable incidents;
  • introduce a strengthened enforcement regime, with proposed maximum penalties aligned with GDPR-level fines; and
  • provide the Secretary of State with emergency powers to instruct regulators and regulated organisations where this is necessary and proportionate for national security purposes.

The Bill is likely to be amended as it progresses through Parliament, but it is expected to be passed and brought into force at some point in 2026. As with the DUAA, commencement is likely to be phased, with different provisions taking effect in subsequent stages.

Planned reforms in the EU to data, AI and cybersecurity laws

In November 2025, as part of its Digital Omnibus proposal, the European Commission announced a package of proposed reforms to the EU’s data, cybersecurity and AI regulatory framework, the objectives being to simplify the existing regulatory landscape, reduce compliance costs and support innovation, particularly in AI.

The Digital Omnibus proposals contemplate amendments to a number of key instruments, including the EU GDPR, e-Privacy Directive (which governs cookies and electronic direct marketing), the ‘NIS2’ Directive (which relates to cybersecurity in designated critical sectors) and the EU Data Act. A separate Digital Omnibus proposal focuses specifically on targeted amendments to the EU AI Act.

Proposed key changes to the EU GDPR include, among other things:

  • redefining ‘personal data’ to allow an element of subjectivity for businesses;
  • a degree of relaxation of the breach notification requirements;
  • clarification of the circumstances in which personal data may be used to train AI models;
  • expanding the circumstances in which controllers may refuse to act on, or charge a fee for, data subject access requests;
  • a degree of relaxation of the transparency requirements (in practice, when privacy notices are required); and
  • reducing the ‘fatigue generated by the cookie banners’.

For the EU AI Act, the most significant proposed change relates to its implementation timeline. The rules applicable to high-risk AI systems were originally due to apply from August 2026, but the Commission has proposed extending this deadline by up to 12 or 16 months, depending on the category of high-risk AI system.

These proposals are not yet law and mark only the beginning of the EU legislative process. They will now be subject to negotiation between the European Commission, the European Parliament and the Council of the European Union through the trilogue process, which is likely to take many months. As a result, the final shape of the reforms, and the exact date on which they will apply, remains uncertain.

EU’s continued recognition of UK as adequate

The European Commission renewed its adequacy decision for the UK in December 2025. As a result, the UK will continue to be treated as an adequate destination for personal data transfers from the European Economic Area until at least 27 December 2031. This provides welcome certainty for EU-based organisations transferring personal data to the UK, allowing such transfers to continue without the need for additional safeguards or transfer mechanisms. The UK also continues to recognise the EEA as adequate for its own outbound data transfers.

Final comment

While not all of the reforms discussed above are in force – or even finalised – 2026 looks to be an important year for organisations to prepare for change. Businesses should be using this period to assess the impact of the DUAA on their existing compliance frameworks, and be ready for when the changes take effect. At the same time, organisations with EU-facing activities should closely monitor the progress of the proposed EU Digital Omnibus reforms and the potentially revised implementation timeline for the EU AI Act.

Global organisations, particularly those operating across both the UK and EU, will need to grapple with the increasing divergence between the two jurisdictions in data, AI and cybersecurity. Navigating these parallel but evolving frameworks will require strategic choices: some organisations may lean towards a localised, jurisdiction-specific compliance model, while others may adopt a centralised approach based on the most stringent applicable standard. Each strategy has its advantages and trade-offs, can be challenging to implement, and in any case requires diligent planning and ongoing review.
