25% Duties on U.S. Imports from Canada and Mexico Lifted for USMCA-Eligible Merchandise

Yesterday, March 6, President Trump signed two Executive Orders significantly curtailing the scope of the emergency tariffs he imposed on Tuesday, March 4, impacting U.S. imports from Canada and Mexico. Effective today, U.S. imports from Canada and Mexico that are eligible for preferential treatment under the U.S.-Mexico-Canada free trade agreement (USMCA) are exempt from these additional emergency duties. 
On March 4, President Trump allowed most U.S. imports from Canada and Mexico to become subject to tariffs initially announced on February 1, 2025, and imposed under the International Emergency Economic Powers Act (IEEPA). Effective that day, imports of covered products of Mexico and Canada (except for Canadian energy and energy resources) became subject to 25% additional duties; covered Canadian energy and energy resources imports became subject to a 10% duty rate. Only limited products were not impacted, generally encompassing certain products qualifying for duty-free treatment under Chapter 98 or de minimis provisions, informational materials, donations intended to relieve human suffering and items ordinarily incident to travel to or from any country.
President Trump’s actions yesterday amend those prior announcements. Effective today, March 7, products qualifying for USMCA preferential treatment will also be exempt from the March 4 IEEPA tariffs. Note that imports that entered between March 4 and yesterday, March 6, will still be subject to duties even if otherwise qualifying for USMCA preferential treatment. In addition, Canadian and Mexican potash imported into the U.S. that is not otherwise eligible for USMCA preferential treatment and, therefore, IEEPA duty-free treatment will be subject to 10% duties rather than the 25% duties originally imposed. Importantly, despite informally announcing this action as a deferral of IEEPA tariffs until April 2, these orders do not merely pause IEEPA tariffs on USMCA-qualifying imports until a new implementation date – meaning, President Trump would need to sign new Executive Orders on April 2 (or another date) further modifying the IEEPA tariffs to resume coverage of the now-exempt imports.
In implementing this modification, President Trump’s executive orders focus on the impact his tariffs have had on the automotive industry. “The American automotive industry as currently structured often trades substantial volumes of automotive parts and components across our borders in the interest of bringing supply chains closer to North America,” he stated, justifying the modification as being necessary to “minimize disruption to the United States automotive industry and automotive workers.” However, the scope of the excluded tariffs is far broader than automobiles and automotive parts, instead encompassing all U.S. imports qualifying for USMCA preferential duty treatment. According to a White House official’s statement to reporters, approximately half of all imports from Mexico and more than one-third of all imports from Canada are utilizing USMCA preferential treatment and will be exempt from IEEPA tariffs.[1] U.S. Customs and Border Protection has already issued guidance regarding import classification codes to be utilized for shipments from Canada and Mexico under the modified tariffs.
U.S. imports are eligible for USMCA preferential treatment if those imports meet the requirements of the USMCA Rules of Origin, which are implemented in General Note 11 of the Harmonized Tariff Schedule of the United States (HTSUS).
[1] See, e.g., https://apnews.com/article/tariffs-trump-economy-mexico-canada-bfed103a11a2a71d8353350f94c78814

Green, But Lean: EU Eases Sustainability Rules Without Ditching Climate Goals

On 26 February 2025, the European Commission published the Omnibus Simplification Package, a set of proposals designed to streamline key EU sustainability regulations, eliminate redundancies, and reduce administrative burden and compliance costs for companies — while preserving the EU’s ambitious environmental objectives. 
If adopted in the currently proposed form, companies will have more time to comply with the CSRD reporting requirements and the CSDDD supply chain due diligence obligations. In fact, the Omnibus Simplification Package proposes postponing by two years the entry into application of the CSRD reporting requirements for companies that have not yet started implementing the CSRD (i.e. large companies and listed SMEs), and postponing by one year both the CSDDD transposition deadline (to 26 July 2027) and the first phase of application of the sustainability due diligence requirements covering the largest companies (to 26 July 2028).
The Omnibus Simplification Package also proposes to revise the scope of the CSRD and the CSDDD. The reporting requirements under CSRD would only apply to large undertakings with more than 1,000 employees (i.e. undertakings that have more than 1,000 employees and either a turnover above €50 million or a balance sheet total above €25 million) and the CSDDD due diligence obligations would be significantly narrowed down, in particular by limiting them to direct contract partners. 
While many businesses welcome the reduced regulatory burden as well as its postponement, some critics argue that it weakens corporate accountability and dilutes transparency efforts. In any event, the Omnibus Simplification Package is still at a proposal stage and is set to spark intense debate in the EU Parliament and Council, with global stakeholders—including the U.S.—closely monitoring the developments and trying to influence them to meet their own goals. 
This alert provides insights into the most relevant proposed changes to CSRD and CSDDD and what those mean for businesses operating under the EU’s evolving sustainability framework.
The Omnibus Simplification Package presented by the European Commission includes:

A proposal for a Directive, the sole content of which is to postpone the application of reporting requirements in the CSRD for certain groups of companies and the transposition deadline as well as the first wave of application of the CSDDD (Omnibus Directive I).
A second proposal for a Directive amending the actual content of and obligations under the CSRD and the CSDDD (Omnibus Directive II).
A draft Delegated act amending the Taxonomy Disclosures and the Taxonomy Climate and Environmental Delegated Acts subject to public consultation.
A proposal for a Regulation amending the Carbon Border Adjustment Mechanism Regulation.
A proposal for a Regulation amending the InvestEU Regulation. 

Proposed changes to the CSRD
Postponement of the Starting Date for Reporting for Certain Companies
The Omnibus Directive I proposes a two-year postponement of the implementation of reporting requirements for companies in the second and third waves (see table below). This is to allow the European co-legislators to find agreement on the Commission’s proposal for substantive changes as provided in the Omnibus Directive II.
This postponement is intended to give companies some legal certainty and prevent a scenario where companies would be required to report for the financial year 2025 (second wave) or 2026 (third wave), only to be later relieved from reporting duties if and when the Omnibus II Directive with its higher thresholds is approved. No amendments to the timeline have been proposed for wave four non-EU ultimate parent companies; as a result, those companies continue to be required to report for the first time in 2029 for financial year 2028 (but may opt to report on a consolidated group basis before). Companies already covered in the first wave seem to have to continue reporting on the basis of the existing CSRD – the Omnibus Proposal does not mention any postponement of their duties.
According to Article 3 of the proposed text of the Omnibus Directive I, Member States shall implement the provisions of the Directive by 31 December 2025 at the latest. This indicates that the Commission is assuming that the Omnibus Directive I will be approved quickly by the European legislators – while the content-related Omnibus Directive II may well take considerably longer to get through the legislative process.
In this framework, wave 2 companies currently required to report in 2026 for FY 2025 will have to consider the timing of their preparations for CSRD readiness: once the Omnibus I Directive is approved the postponement will still need to be transposed into national laws to become effective, but (a) we expect Member States to be fairly quick since there seems to be broad agreement about the postponement (in contrast to the content related proposals of the Omnibus Directive II) and (b) we would argue that the postponement would have a pre-effect, which would make it very difficult for Member States to implement current CSRD obligations and impose fines before the new starting date. 
New Scoping Thresholds 
According to the proposed text of the Omnibus Directive II, only large companies or parent companies of large groups with more than 1,000 employees (individually or in the case of a holding company on a consolidated basis) will be required to prepare sustainability reports under Article 19a and 29a of the Accounting Directive. 
That change in itself would reduce the number of undertakings subject to mandatory sustainability reporting requirements by about 80%. In comparison to the current requirements (see table below for details), the new employee threshold would lead to some of the undertakings in the first and second wave and all undertakings in the third wave (listed SMEs) falling out of the scope of the CSRD should Omnibus Directive II be approved. 
In addition, the threshold for EU turnover for non-EU parent companies has been raised from €150 to €450 million, and the threshold for an EU branch from €40 to €50 million. These amendments in the reporting thresholds are meant to more closely align the CSRD with the CSDDD, which already only applies to companies above the 1,000 employee and €450 million turnover thresholds.

Wave 1 (current kick-off date for reporting: 2025 for FY 2024; not changed by the postponement proposal in Omnibus Directive I)
Type of company: Public interest entities (e.g. credit institutions, insurance undertakings and others) already subject to the NFRD
Current thresholds and due date for reporting: More than 500 employees
Proposed thresholds: Average of 1,000 employees

Wave 2 (current kick-off date for reporting: 2026 for FY 2025; may be postponed by Omnibus Directive I to 2028 for FY 2027)
Type of company: EU companies/parent companies of a group; companies (EU or non-EU) with securities listed on EU regulated markets
Current thresholds and due date for reporting: Exceeding at least two of the following three thresholds (on a consolidated basis at group level): balance sheet total > €25 million; net turnover > €50 million; average number of employees > 250
Proposed thresholds: Average of 1,000 employees and exceeding one of the following two thresholds (on a consolidated basis at group level): balance sheet total > €25 million; worldwide net turnover > €50 million

Wave 3 (current kick-off date for reporting: 2027 for FY 2026, with opt-out option for two years; may be postponed by Omnibus Directive I to 2029 for FY 2028)
Type of company: SMEs with securities listed on an EU regulated market
Current thresholds and due date for reporting: Below the thresholds for the second-wave companies (see above). Reporting in 2027 for financial year 2026, with the possibility to opt out for a further two years.
Proposed thresholds: Out of scope

Wave 4 (current kick-off date for reporting: 2029 for FY 2028; not changed by the postponement proposal in Omnibus Directive I)
Type of company: Non-EU ultimate parent companies
Current thresholds and due date for reporting: Generating a net EU turnover of at least €150 million (at group level) and with either at least one large subsidiary in the EU (i.e., exceeding two out of three of: balance sheet of €25 million, turnover of €50 million, 250 employees) or a branch in the EU that generated a net turnover of €40 million
Proposed thresholds: Generating a net EU turnover of at least €450 million (at group level) and with either at least one large subsidiary in the EU (as defined in the Accounting Directive, i.e., exceeding two out of three of: balance sheet of €25 million, turnover of €50 million, 250 employees) or a branch in the EU that generated a net turnover of €50 million

Reducing the Trickle-Down Effect by Limiting the Information That Companies Within Scope May Request From Smaller Companies in Their Value Chain
The CSRD requires undertakings to report value-chain information to the extent necessary for understanding their sustainability-related impacts, risks and opportunities. 
The current CSRD establishes a so-called value-chain cap, which states that the European Sustainability Reporting Standards (ESRS) may not contain mandatory reporting requirements that would require undertakings to obtain information from SMEs in their value chain that exceeds the information to be disclosed under the proportionate standard for listed SMEs.
The proposed Omnibus Directive II extends this value-chain cap from SMEs to companies with up to 1,000 employees. In turn, the Commission is proposing to adopt simplified standards for voluntary use by out-of-scope companies having fewer than 1,000 employees, based upon the current simplified standard prepared for non-listed SMEs by EFRAG, which such companies can use as a shield to limit their responses to information requests from banks, large companies and other stakeholders in scope of the CSRD.
Revision of the ESRS
The range of sustainability topics covered by the current ESRS is not changed by the proposed Omnibus Directive II and, despite speculation, the double materiality requirement is not removed. The Commission has proposed to revise the delegated regulation (EU) 2023/2772 establishing the ESRS with the aim to reduce the number of mandatory ESRS datapoints, by removing those deemed least important for general purpose sustainability reporting and further distinguishing between mandatory and voluntary datapoints, and to further enhance the already very high degree of interoperability with global sustainability reporting standards. 
According to the text of the Omnibus Directive II, the Commission will adopt the revised ESRS delegated act in time for those undertakings in wave 2 – which according to the proposed new timelines would be required to start reporting under the CSRD in 2028 for FY 2027 – to apply the revised standards.
Deletion of Sector Specific Standards
The Omnibus Directive II proposes to delete the empowerment for the Commission to adopt sector-specific reporting standards (currently due on 30 June 2026) to avoid a further increase in the number of prescribed datapoints that undertakings should report on and facilitate the reporting process. Should undertakings require additional guidance to report on sustainability matters common to the specific sector in which they operate, the Commission specifies that they may have recourse to existing international sustainability reporting standards and sectoral sustainability reporting initiatives. 
No Move to Reasonable Assurance
The Commission is currently mandated to adopt reasonable assurance standards by October 1, 2028, based on an assessment of their feasibility for companies. However, the draft of Omnibus Directive II is intended to eliminate this requirement, ensuring that no reasonable assurance standards are introduced and that assurance over CSRD reports remains at the limited assurance level. 
Since the amount of work for a limited assurance engagement is significantly less than for a reasonable assurance engagement, this is designed to save companies cost and time: a limited assurance engagement is usually provided in a negative form (stating that no matter has been identified by the assurance provider to conclude that the subject matter is materially misstated) while the conclusion of a reasonable assurance engagement would have to be provided in a positive form (providing an opinion on the measurement of the subject matter against previously defined criteria). In addition, the Commission committed to issue targeted assurance guidelines by 2026. 
Voluntary Taxonomy and Partial Taxonomy-Alignment Reporting Option
By virtue of Article 8 of the Taxonomy Regulation undertakings reporting under the CSRD also publish information about the eligibility and alignment of their economic activities with the EU Taxonomy. The proposed provisions in the Omnibus Directive II create a derogation for companies with more than 1,000 employees and an EU turnover below EUR 450 million by making the Taxonomy reporting voluntary. However, companies that have made progress toward sustainability targets but only partially meet EU Taxonomy requirements may choose to voluntarily report their partial alignment. This allows them to showcase their efforts, demonstrate progress toward full compliance, and gain recognition for their commitment to sustainability.
Proposed changes to the CSDDD 
Postponement of Applicability of CSDDD and Scope
With respect to CSDDD, the Omnibus Directive I proposes to postpone the transposition deadline by one year to 26 July 2027 (instead of 2026). The Omnibus Directive I also postpones the compliance deadline for the first wave of companies (i.e. those that have more than 5,000 employees and report a net annual worldwide turnover of more than €1.5 billion), which would therefore have to comply with the CSDDD from 26 July 2028 onwards. There is however no change regarding companies that were already meant to comply with the CSDDD from 26 July 2028, or later from 26 July 2029. In addition, the Commission proposes to bring forward the publication of its guidelines for compliance with due diligence obligations under the CSDDD to July 2026, instead of January 2027.
Indirect Business Partner Assessment No Longer Required and Suspension of the Business Relationship as Last Resort
The Omnibus Directive II limits the due diligence measures to the companies’ own operations, those of their subsidiaries and, where related to their chains of activities, those of their direct business partners, thus excluding the assessment at the level of indirect business partners.
However, such assessments of indirect business partners will still be required if the company has plausible information that suggests that adverse impacts have arisen or may arise at the level of the operations of an indirect business partner. According to the recitals of the Omnibus Directive II, ‘plausible information’ means information of an objective character that allows the company to conclude that there is a reasonable likelihood that the information is true, for example if it has received a complaint or is in the possession of information, notably via credible media or NGO reports about harmful activities at the level of a business partner, reports of recent incidents, or where the company through its business contacts knows about problems at a certain location (e.g., conflict area).
In addition, the proposed Omnibus Directive II removes the duty to terminate business relationships in the case of both actual and potential adverse impacts. Should a company assess that the business operations of such a supplier are linked to severe adverse impacts, for instance child labour or significant environmental harm, and the company has unsuccessfully exhausted all due diligence measures to address these impacts, as a last resort the company should suspend the business relationship while continuing to work with the supplier towards a solution, where possible using any increased leverage resulting from the suspension. Irrespective of the termination duty being removed, companies can of course still decide to terminate for severe breaches.
Extended Interval for Periodic Assessments and Updates
In order to reduce the burden on companies and their business partners (which are often SMEs), the Omnibus Directive II proposes to extend to five years (instead of each year) the requirement that companies carry out a periodic assessment of their (and their business partners’) operations and measures to assess the adequacy and effectiveness of due diligence measures.
However, companies will still be required to conduct such assessments ad hoc whenever there are reasonable grounds to believe that the measures are no longer adequate or effective, or that new risks of occurrence of adverse impacts may arise. 
Reduced Requirements for Climate Change Mitigation Plans
As a result of the Omnibus Directive II, while companies will still be required to adopt a climate change mitigation plan, such a plan would no longer have to be “put into effect” as required by the CSDDD but rather include an “outline of implementation actions planned and taken”.
Reducing the ‘Trickle-Down’ Effect on SMEs 
To avoid unnecessary burdens on SMEs, the Omnibus Directive II intends to limit the information that companies may request in the context of their risk-mapping obligations from their direct business partners with fewer than 500 employees, to the information covered by the voluntary sustainability reporting standards (VSME) set out under the CSRD.
Extension of Maximum Harmonization Requirements
In order to ensure a more uniform transposition of the CSDDD, the Omnibus Directive II extends the scope of maximum harmonization of the CSDDD to several additional provisions that regulate the core aspects of the due diligence process. In practice, this means that Member States will be prohibited from enacting diverging national provisions regarding certain key requirements, including the identification duty, the duties to address adverse impacts that have been or should have been identified, and the duty to provide for a complaints and notification mechanism.
Changes to the Civil Liability Provisions
The Omnibus Directive II proposes to remove the specific EU-wide civil liability regime provided in the CSDDD, including the obligation for Member States to allow representative actions by trade unions or NGOs. Instead, under the Omnibus Directive II, Member States would remain free to provide such rules in their national laws.
Financial Penalties
The Omnibus Directive II removes the minimum cap for financial penalties (5% of net worldwide turnover in the preceding financial year) currently stated in the CSDDD and the requirement that the fine be assessed based on the company’s net worldwide turnover. The Commission will issue guidance to assist Member States’ supervisory authorities to set the appropriate level of penalties to be imposed, provided that Member States are prohibited from setting maximum limits of penalties that would prevent the imposition of penalties in accordance with the principles and factors set out in the CSDDD. 
Deletion of the Review Clause for Financial Services
The Omnibus Directive II proposes to remove the CSDDD’s financial services review clause, which currently commits the Commission to submit by 26 July 2026 a report to the European Parliament and to the Council on the necessity of setting up due diligence requirements for the financial services sector. Indeed, according to the European Commission, this review clause did not leave enough time to take into account the experience on the general due diligence framework under the CSDDD.
Omnibus Directive II and policy considerations on the future of simplification measures 
With respect to all the simplification measures and changes proposed in the Omnibus Directive II, which would substantially impact the scope and way of reporting under the CSRD and conducting due diligence under the CSDDD as explained above, Article 5 of the current proposal text provides for a deadline of 12 months for Member States to implement the directive into national law once the Directive enters into force. However, the European Commission’s publication of the proposal initiates a complex and lengthy process involving negotiations, amendments, and further discussions across multiple EU institutions, which creates uncertainty around the legislative timeline. 
In particular, the proposal will need to be debated and approved by Members of the European Parliament and Member States at the Council of the EU. The political landscape in Europe has deeply changed since CSRD and CSDDD were adopted (respectively, November 2022 and May 2024), and there is a much stronger focus on competitiveness, economic growth, and simplification.
In the European Parliament, the majority center-right European People’s Party welcomed the Omnibus Proposal and supports the process of cutting regulatory burdens on companies. Members of the second largest group, the Socialists & Democrats, oppose significant rollbacks of sustainability regulations, emphasizing the importance of environmental protection and corporate accountability. In particular, Lara Wolters, CSDDD rapporteur, stated that the group “cannot accept the watering down of sustainability, labour and human rights standards in the CSDDD and CSRD”. The debate in the European Parliament is likely to be lengthy and heated.
In Council, most of the Member States are aligned with the Commission’s approach of simplifying EU regulations. Germany and France have previously advocated for delaying and easing the implementation of the rules, calling for a concrete postponement of CSRD and suggesting increasing thresholds for company size and turnover in both CSRD and CSDDD. In contrast, Spain supports maintaining robust environmental reporting standards, underlining the importance of due diligence requirements: while the Spanish government supports delaying the application of CSRD, it insists that these rules become mandatory for all companies eventually. Italy has also shown limited opposition to the proposed amendments, suggesting that rules should immediately apply to larger companies and that delays and more favorable requirements should be adopted for smaller businesses. However, given the Council’s position on CSDDD in the previous legislative term, it is possible that Member States will adopt a negotiating mandate in line with the Commission’s proposal.
European policymakers will inevitably need to keep an eye on the potential actions of the U.S. government. Twenty-six U.S. states have sent a letter to President Trump urging retaliatory measures against the CSDDD due to its extraterritorial impact beyond Europe. The letter calls on the United States Trade Representative to launch an investigation under Section 301 of the Trade Act of 1974 to assess whether the CSDDD constitutes an unreasonable or discriminatory measure that burdens or restricts U.S. commerce.
Additionally, another letter sent to Congress urges U.S. officials to push for an indefinite suspension of the directive’s implementation based on the following lines of argument: the directive mandates extensive supply chain due diligence based on UN and OECD principles, which have not been ratified by the U.S. Congress; it also disregards U.S. corporate governance standards; and, finally, U.S. companies are not bound by net zero transition plans akin to those imposed on EU companies, as required under the CSDDD.
Gabriela da Costa and Edoardo Crosetto contributed to this article.

Tariffs Update: Imposed, Paused, Changed, and Reciprocal Tariffs Involving the US, Canada, China, and Mexico (As of March 7)

Go-To Guide

President Donald Trump imposed new tariffs, effective March 4, 2025, including a 25% duty on imports from Canada and Mexico, with Canadian energy resources subject to a reduced 10% tariff. Tariffs on Chinese imports were raised from 10% to 20%. 
Tariffs on products from Mexico and Canada, eligible under USMCA, are excluded from the additional tariffs.  Approximately 50% of the products of Mexico and 38% of Canadian products qualify under USMCA. 
USMCA covered products include automobiles and parts and produce. While some potash, used in fertilizer, qualifies under USMCA, other potash, which is not qualifying, will carry a 10% tariff rather than 25%. 
Starting March 12, global steel and aluminum imports will face an additional 25% tariff. 
Imports that qualify for de minimis entry from Canada, Mexico, and China are temporarily exempt from the new tariffs. 
Canada and China have announced retaliation plans, though it is unclear whether Mexico will follow. 
Trump announced that reciprocal tariffs are going into effect on April 2, 2025. 
Importers should consider duty mitigation strategies to manage increased costs.

On March 4, 2025, the Trump administration implemented new tariffs on Canada, Mexico, and China. These measures were initially announced in a series of executive orders and had been postponed since Feb. 4, 2025. See our previous GT Alert for more information. The executive orders add an additional 25% duty on imports from Canada and Mexico (except for Canadian energy resources and minerals, which will instead face a 10% tariff, and USMCA-qualifying products of Mexico and Canada, which remain duty free until April 2, 2025), and they increase the 10% tariff on all imports from China to 20%. This GT Alert provides an overview of the different measures.
Please note the Trump administration’s trade policy is fluid and the analysis below is as of March 7, 2025. 
Canada
Effective March 4, 2025, 12:01 a.m. EST, all imports from Canada will have a 25% tariff, with the exception of USMCA qualifying merchandise and “energy or energy resources” or “critical minerals” which will have a 10% tariff. The new tariffs will apply in addition to any other duties and fees applicable to the covered imports.
The covered HTSUS provisions that would qualify as “energy or energy resources” or as “critical minerals” have not yet been released. The executive order defines “energy or energy resources” based on a Jan. 20, 2025, National Energy Emergency executive order, which states, “The term ‘energy’ or ‘energy resources’ means crude oil, natural gas, lease condensates, natural gas liquids, refined petroleum products, uranium, coal, biofuels, geothermal heat, the kinetic movement of flowing water, and critical minerals.”
Mexico
Similarly, beginning 12:01 a.m. EST March 4, 2025, all imports from Mexico will have an additional 25% tariff in addition to any other duties and fees applicable to the covered imports with the exception of USMCA qualifying merchandise. The Mexico tariff order is practically verbatim to the Canada tariff order, minus the reduced energy tariffs, meaning any energy imports from Mexico to the United States are subject to the full 25% tariff.
China
President Donald Trump increased the tariff rate on all imports from China from 10% to 20% effective March 4, 2025.
Steel and Aluminum
Twenty-five percent additional tariffs on certain steel and aluminum products will take effect March 12, 2025, according to two Federal Register notices released by the U.S. Department of Commerce implementing Trump’s Feb. 10, 2025, proclamation announcing 25% tariffs on global steel and aluminum imports. See our previous GT Alert on these tariffs. Importers should consider reviewing the product lists to determine if these new tariffs apply to their products. Tariffs on derivative products outside of Chapters 73 and 76 will take effect “upon public notification of the Secretary of Commerce.” Those tariffs will apply only to the derivatives’ aluminum or steel content. The Department of Commerce has not yet announced a plan for implementation.
Status of De Minimis Entry
Pursuant to an amended executive order issued March 2, 2025, imports from Canada, Mexico, and China that qualify for de minimis entry are temporarily exempt from the new tariffs.
Key Takeaways
According to U.S. Commerce Secretary Howard Lutnick, these tariffs are a “reset” after Canada, China, and Mexico “have used us” for illegal fentanyl trafficking without cracking down.
Canada and China have already announced retaliation plans. Mexico’s retaliation plan may be announced March 9, 2025.
On March 4, 2025, Trump also announced that on April 2 global reciprocal tariffs will be implemented, as well as 25% additional tariffs on lumber and copper.
Next Steps
There are numerous duty mitigation and supply chain strategies importers can consider to reduce the impact of increased costs, including reviewing valuation and origin of imported merchandise. Duty mitigation strategies also include using the “first sale” in a multi-tier transaction when set up correctly. Importers should also consider taking all possible legal deductions from the declared value, such as foreign inland and international freight and royalty payments and using drawback for duty refunds and bonded warehouses or foreign trade zones for duty deferral.

Regulation Round Up: February 2025

Welcome to the Regulation Round Up, a regular bulletin highlighting the latest developments in UK and EU financial services regulation.
Key developments in February 2025:
28 February
FCA Handbook Changes: The Financial Conduct Authority (“FCA”) published Handbook Notice 127, which sets out changes to the FCA Handbook made by the FCA board on 30 January and 27 February 2025.
27 February
Economic Growth / Consumer Duty: The FCA published a speech on, among other things, how the FCA is working to support growth initiatives in the economy and its approach to the Consumer Duty.
FCA Regulation Round‑up: The FCA published its regulation round‑up for February 2025. Among other things, it covers the launch of a new companion tool to the Financial Services Register and future changes to the pre‑application support services the FCA offers.
26 February
Reserved Investor Funds: The Alternative Investment Funds (Reserved Investor Fund) Regulations 2025 (SI 2025/216) were published, together with an explanatory memorandum. The Reserved Investor Fund is a new UK‑based unauthorised contractual scheme with lower costs and more flexibility than the existing authorised contractual scheme.
ESG: The European Commission proposed an Omnibus package on sustainability (here and here) to amend the sustainability due diligence and reporting requirements under the Corporate Sustainability Due Diligence Directive ((EU) 2024/1760) and the Corporate Sustainability Reporting Directive ((EU) 2022/2464). Please refer to our dedicated article on this topic here.
ESG: The European Commission published a call for evidence on a draft Delegated Regulation amending the Disclosures Delegated Act ((EU) 2021/2178) (Ares (2025) 1532453), the Taxonomy Climate Delegated Act (Commission Delegated Regulation (EU) 2021/2139) and the Taxonomy Environmental Delegated Act (Commission Delegated Regulation (EU) 2023/2486).
FCA Asset Management / Alternatives Supervision: The FCA published a portfolio letter explaining its supervision priorities for asset management and alternatives firms.
Cryptoassets: ESMA published the official translations of its guidelines (ESMA35‑1872330276‑2030) on situations in which a third‑country firm is deemed to solicit clients established or situated in the EU and the supervision practices to detect and prevent circumvention of the reverse solicitation exemption under the Markets in Crypto Assets Regulation (EU) 2023/1114 (“MiCA”).
24 February
Artificial Intelligence: The FCA published a research note on AI’s role in credit decisions.
Suitability Reviews / Ongoing Services: The FCA published a webpage and press release containing the findings of its multi‑firm review of suitability reviews and whether financial advisers are delivering the ongoing services that consumers have paid for.
21 February
Cryptoassets: The Financial Stability Board published summary terms of reference for its thematic peer review on its global regulatory framework for cryptoasset activities.
20 February
PRA Policy: The Prudential Regulation Authority (“PRA”) published a policy statement (PS3/25) on its approach to policy.
Digital Operational Resilience: Two Commission Regulations supplementing the Regulation on digital operational resilience for the financial sector ((EU) 2022/2554) (“DORA”) were published in the Official Journal of the European Union (here and here).
17 February
Cryptoassets: ESMA published a consultation paper (ESMA35‑1872330276‑2004) on guidelines for the criteria to assess knowledge and competence under MiCA.
14 February
ESG: The FCA updated its webpage on its consultation paper on extending the sustainability disclosure requirements (“SDR”) and investment labelling regime to portfolio managers. Please refer to our dedicated article on this topic here.
ESG: The City of London Law Society published its response to HM Treasury’s November 2024 consultation on the UK green taxonomy.
Authorised Funds: The FCA published a document setting out its expectations on authorised fund applications.
Financial Sanctions: The Office of Financial Sanctions Implementation published a threat assessment report covering financial services.
13 February
Financial Regulatory Forum: HM Treasury published a statement following the third meeting of the joint UK‑EU Financial Regulatory Forum on 12 February 2025.
12 February
EU Competitiveness: The European Commission adopted a Communication setting out its vision to simplify how the EU works by reducing unnecessary bureaucracy and improving how new EU rules are made and implemented to make the EU more competitive.
European Commission 2025 Work Programme: The European Commission published a communication outlining its work programme for 2025 (COM(2025) 45 final).
10 February
Artificial Intelligence: The European Commission published draft non‑binding guidelines to clarify the definition of an AI system under the EU AI Act.
5 February
ESG: The EU Platform on Sustainable Finance published a report setting out recommendations to simplify and improve the effectiveness of taxonomy reporting. Please refer to our dedicated article on this topic here.
3 February
Payments: The FCA published a portfolio letter sent to payments firms setting out its priorities for them and actions it expects them to take.
Artificial Intelligence: The House of Commons Treasury Committee launched an inquiry into AI in financial services and published a related call for evidence.
Sulaiman Malik and Michael Singh contributed to this article

EDPB Launches Coordinated Enforcement Framework Action on the Right to Erasure

On March 5, 2025, the European Data Protection Board (“EDPB”) announced the launch of its latest Coordinated Enforcement Framework action (“CEF action”) addressing the right to erasure. The new CEF action follows the EDPB’s 2024 CEF action on the right of access.
During the course of 2025, 32 data protection authorities (“DPAs”) across the European Economic Area will take part in this initiative. The EDPB selected the right to erasure for the 2025 CEF action on the basis that it is one of the most frequently exercised rights under the European General Data Protection Regulation and one which is frequently the basis of complaints to DPAs from individuals.
As part of the 2025 CEF action, DPAs will contact controllers from various sectors and may conduct fact-finding exercises or open new investigations. DPAs will evaluate how controllers handle and respond to the requests for erasure that they receive and, in particular, how they apply the conditions and exceptions for the exercise of this right.
Read the Press Release.

Tax Transparency and Data Privacy — Which Wins?

As tax authorities embrace new digital technologies, the issue of safeguarding citizens’ data privacy rights steps to the fore. Since the implementation of the EU General Data Protection Regulation (GDPR) in 2018, there has been a greater focus on data privacy from both the public and organisations. At the same time, the cooperative international effort to combat offshore tax evasion has been steadily increasing. Several information-sharing regimes have been conceived to allow tax authorities to share information globally relating to financial accounts and investments under Automatic Exchange of Information Agreements.
In J Webster v HMRC [2024] EWHC 530 (KB), Ms. Webster, a US citizen, brought a case against His Majesty’s Revenue and Customs (HMRC) regarding information sharing under the Foreign Account Tax Compliance Act. At the centre of this case stands the question of which wins — tax transparency or data privacy?
Automatic Exchange of Information (AEOI)
The United Kingdom shares information with foreign tax authorities under two specific regimes:
1. Foreign Account Tax Compliance Act (FATCA): The FATCA regime is US-specific. Financial institutions outside of the United States are required to provide the US tax authorities with information relating to the foreign financial accounts of US individuals. Information includes, for example, the individual’s name and address, account balance and amount of interest accrued.
2. Common Reporting Standard (CRS): Nicknamed “global FATCA” by commentators at its inception, the CRS requires the automatic exchange of financial account information between tax authorities globally. The information shared is largely the same as that under FATCA, with the addition of the date and individuals’ places of birth (in some cases).
In practice, financial institutions in the United Kingdom supply the required data to HMRC, which then provides it to the relevant tax authorities on an annual and automatic basis.
The GDPR
Data privacy in the United Kingdom is regulated by the UK GDPR (the retained version of the EU GDPR) and the Data Protection Act 2018. Under Article 4(1) of the UK GDPR, personal data means any information relating to an identified or identifiable natural person. There are seven key principles for processing personal data (found in Article 5, UK GDPR). Broadly, these require that personal data is: (i) processed lawfully, fairly and transparently, (ii) collected for specified, explicit and legitimate purposes only, (iii) limited to what is necessary for the purposes (minimisation), (iv) accurate, (v) not stored longer than necessary, and (vi) processed in a manner that ensures appropriate security of the data. Finally, the data controller must be responsible for and able to demonstrate compliance with the preceding six principles.
Importantly, personal data must only be transferred outside of the United Kingdom if the receiving countries have adequate levels of protection for data subjects in place or appropriate safeguards for the transfer of personal data (Article 46, UK GDPR).
So, Which Wins?
Ms. Webster argued that information sharing between tax authorities under the FATCA regime breached her data privacy and human rights. In summary, she claimed that there were no appropriate safeguards in place for the transfers by HMRC and that US law failed to provide adequate levels of protection. Additionally, the data transfers allegedly fell foul of the principle of proportionality, as bulk processing did not account for Ms. Webster’s personal circumstances — specifically, that Ms. Webster had no US tax obligations (having modest income in the United Kingdom and owning no assets or income in the United States).
Unfortunately, the central question of “which wins?” remains unanswered. The judgment focused more on questions of procedure than substance — for example, as argued by HMRC, whether the claim should have been brought via judicial review and was, therefore, an abuse of process.
However, it is not difficult to see some merit in Ms. Webster’s claim. The aims of FATCA and the CRS are clearly worthy, and tax transparency is important. However, since personal data is processed automatically, and whether an individual poses any real risk of tax evasion is immaterial to that processing, it is hard to accept that the principles of proportionality and data minimisation are comfortably being met.
Information-sharing regimes have been challenged in other countries as well. For example, the Belgian Data Protection Authority has argued (in a decision that has since been annulled) that data exchanges under FATCA violate the EU GDPR since more information than necessary is shared and the purposes for the data transfers are insufficiently defined. The Slovakian Data Protection Authority also challenged FATCA on the grounds that the AEOI Agreement under which data transfers took place did not contain the necessary safeguards to transfer personal data to third countries.
It is widely agreed that the GDPR is far more comprehensive than US privacy laws — some might remember the highly publicised “Schrems II” case from 2020¹ where the Court of Justice of the European Union declared that the US privacy laws fail to ensure an adequate level of protection. Recent news about the US Treasury being hacked also inevitably raises concerns about the security of the personal data transferred, and with President Donald Trump’s firing of Democratic members of the Privacy and Civil Liberties Oversight Board since the beginning of his second term, more widespread privacy concerns now linger.
We will have to wait and see how the tension between tax transparency and data privacy culminates. A judgment that focuses on the merits of Ms. Webster’s concerns would bring us some much-needed answers. However, what is clear is that there is pressure on tax authorities to address concerns relating to the data privacy of individuals, which are not subsiding.

1 Data Protection Commissioner v Facebook Ireland Ltd, Maximilian Schrems and intervening parties, Case C-311/18.
 
Georgia Griesbaum contributed to this article

Trade Update: Navigating Trump Administration Tariffs

On March 4, 2025, the Trump Administration commenced new broad and sweeping tariffs on products of Canada and Mexico, while doubling tariffs on China previously imposed in early February of this year. On March 6, 2025, the Administration announced that tariffs on products of Canada and Mexico that are covered by the U.S.-Mexico-Canada Agreement (“USMCA”) will be postponed through April 2, 2025. The updated country-based duty regimes follow President Trump’s mid-February announcement of new and revised steel and aluminum tariffs targeting imports from all countries. As global trade tensions continue to rise and many countries have already begun to introduce retaliatory tariffs on the U.S., it will be critical to monitor how increased duty rates will impact your company’s cross-border transaction activity, as well as to develop practical supply chain strategies to mitigate the impact of these fluid and dynamic trade disputes.
I. Targeted IEEPA Tariffs
On February 1, 2025, pursuant to the International Emergency Economic Powers Act (“IEEPA”), the Trump Administration originally announced new 25 percent tariffs on nearly all imports from Mexico and Canada (except for certain energy products from Canada, subject to a 10 percent duty), as well as additional 10 percent tariffs on nearly all imports from China. While the 10 percent tariffs on goods from China went into effect on February 4, 2025, the proposed tariffs on Mexico and Canada were initially suspended for 30 days. President Trump subsequently announced on March 3, 2025 that he is proceeding with the 25 percent IEEPA tariffs on Canada and Mexico, in response to outstanding national security concerns associated with both illegal immigration and drug trafficking at the northern and southern borders. In addition, President Trump issued an Executive Order to double the original 10 percent IEEPA tariffs on China to 20 percent.
The Administration then announced a temporary pause on automobile tariffs on Mexico and Canada for one month on March 5, 2025 and subsequently, on March 6, 2025, announced an additional temporary pause on USMCA-compliant products through April 2, 2025 – when additional announcements on the Trump Administration’s “reciprocal tariff” regime are anticipated. In the interim, U.S. Customs and Border Protection (“CBP”) is continuing to update its Cargo Systems Messaging Service with related guidance implementing the Administration’s tariff-related Executive Orders.
As of the date of this article, a brief summary of current tariff impacts is included below.

Canada 

IEEPA 25% Tariff: CBP announced on March 3, 2025 that all goods that are the product of Canada (except those identified below) that are entered for consumption, or withdrawn from warehouse for consumption, on or after 12:01 a.m. eastern standard time on March 4, 2025, will be subject to an additional ad valorem duty of 25 percent. (Classified in U.S. Harmonized Tariff Schedule (“HTSUS”) 9903.01.10). 
IEEPA 10% Tariff: In the same guidance, CBP announced the following products of Canada will be subject to a 10 percent ad valorem duty effective March 4, 2025: Crude oil, natural gas, lease condensates, natural gas liquids, refined petroleum products, uranium, coal, biofuels, geothermal heat, the kinetic movement of flowing water, and critical minerals, as defined by 30 U.S.C. 1606(a)(3). (Classified in HTSUS 9903.01.13).
USMCA Compliant Goods – Temporary Pause: On March 6, 2025, the Administration announced that tariffs on all products of Canada that comply with the USMCA free trade agreement will be paused until April 2, 2025.  

Mexico 

IEEPA 25% Tariff: CBP announced on March 3, 2025 that all goods that are the product of Mexico (except those identified below) that are entered for consumption, or withdrawn from warehouse for consumption, on or after 12:01 a.m. eastern standard time on March 4, 2025, will be subject to an additional ad valorem duty of 25 percent. (Classified in HTSUS 9903.01.01).
USMCA Compliant Goods – Temporary Pause: On March 6, 2025, the Administration announced that tariffs on all products of Mexico that comply with the USMCA free trade agreement will be paused until April 2, 2025.  

Canada and Mexico Tariff Exclusions 

Products for personal use included in accompanied baggage of persons arriving in the United States;
Donations of food, clothing and medicine intended to relieve human suffering; 
Certain informational materials; and
Certain goods entered under HTSUS Chapter 98 (e.g., HTSUS 9802.00.40, 9802.00.50, and 9802.00.60, where additional duties apply to the value of repairs, alterations, or processing performed in Mexico or Canada). 

Foreign Trade Zones, Drawback, and De Minimis 

Products of Canada or Mexico admitted to a foreign trade zone (“FTZ”) after 12:01 a.m. ET on March 4, 2025 subject to IEEPA tariffs must be admitted as privileged foreign status. Upon entry for consumption into the U.S., they will be subject to the rate of duty in effect at the time of admission into the zone. 
Goods eligible for admission to an FTZ under domestic status (as defined in 19 CFR 146.43) are exempt from the tariffs.
Duty drawback is not available for impacted goods from Canada or Mexico.
The duty-free de minimis exemption under 19 U.S.C. 1321 continues to be available until the Department of Commerce establishes a system to collect such tariffs.  

China 

IEEPA 20% Tariff: President Trump originally imposed a 10 percent additional IEEPA tariff effective February 4, 2025 applicable to all imported articles that are the products of China and Hong Kong. This Order was amended March 3, 2025 and CBP announced that an additional 20 percent IEEPA tariff will apply to all imported articles that are the products of China and Hong Kong effective March 4, 2025. 
Section 301 Tariffs: The 20 percent IEEPA tariffs apply in addition to any general rate of duty, Section 301 duty, or Section 232 duty that may be applicable to articles of Chinese origin. A full list of Section 301 China tariff classifications can be found on the HTSUS website administered by the U.S. International Trade Commission.  

II. Section 232 National Security Tariffs
In February 2025, the Trump Administration announced updated 25 percent tariffs on steel and aluminum products pursuant to Section 232 of the Trade Expansion Act of 1962 (“Section 232”), targeting all countries. The updated Section 232 tariffs will be effective March 12, 2025 – and the formal Federal Register notices describing impacted articles by HTSUS classifications for steel and aluminum were published on March 5, 2025. A summary of key information from these Proclamations is included below:

Blanket 25% tariffs on imports of steel, aluminum, and certain steel and aluminum derivative articles effective March 12, 2025.
For newly covered derivative articles that are outside of HTS Chapter 73 (steel) and Chapter 76 (aluminum), the additional duty will apply only to the value of the steel or aluminum content of the derivative product. Further, tariffs on the new derivatives outside of Chapters 73 and 76 will only take effect “upon public notification of the Secretary of Commerce,” upon determining that systems are in place to process and collect tariff revenue for such articles.
Importers will be required to report to CBP the primary country of smelt, secondary country of smelt, and country of cast on imports of all aluminum articles subject to the aluminum and aluminum derivatives Section 232 measures.
Rescission of previous country-specific Section 232 exclusions and tariff rate quotas implemented since 2018.
Rescission of the Section 232 product-specific exclusion process administered by the Department of Commerce. Previously granted product-specific exclusions remain in effect until they expire or the approved quantity has been exhausted.
CBP is directed to prioritize monitoring of steel and aluminum imports to discover misclassifications of merchandise that result in non-payment of the Section 232 duties, and to assess maximum monetary penalties against importers determined to have misclassified such articles.

In addition, on February 25, 2025 and March 1, 2025, the White House subsequently announced two new Section 232 investigations into (i) copper, and (ii) timber and lumber imports – which may result in additional tariff actions.
III. Supply Chain Strategies and Key Takeaways
Tariffs have been and will continue to be a focal point of the Trump Administration’s global trade policy, whether in pursuit of economic security, national security, or as a broader negotiation tactic. Further, the Administration has made it clear that a broad reciprocal tariff regime will be announced on April 2, 2025 – the scope of which is currently unclear, but which is anticipated to be both sector-based (e.g., automobiles, agriculture, pharmaceuticals, semiconductors, and advanced computing equipment) as well as country-based. That being said, the tariff landscape is evolving rapidly and subject to constant evolution and change – and accordingly, companies and importers should take the following steps as soon as possible:

Evaluate your supply chain and diversify suppliers to mitigate tariff costs;
Reevaluate product designs and manufacturing operations to establish favorable country(ies) of origin;
Negotiate tariff cost-sharing provisions in supply and distribution contracts to mitigate the effect of increased tariffs;
For outbound products, identify potential new costs to customers and distributors associated with retaliatory tariffs implemented by third countries;
Closely monitor evolving negotiations and regulatory changes for new exclusions, exemptions, or carve-outs that may impact your cross-border transaction activity;
Utilize free trade agreements or free trade zones where practicable; and
Consistently audit and document HTS classifications and country of origin determinations for imported goods to ensure customs compliance, timely duty payments, and efficient responses to requests for information issued by CBP.

Cybersecurity in the Nuclear Industry: US and UK Regulation and the Sellafield Case

Key Points:

Real-world examples from both the U.S. and U.K. demonstrate that nuclear facilities are being targeted by sophisticated cyber attackers, including state actors. This isn’t just a theoretical risk—it’s happening now, and facilities must take it seriously.
The successful prosecution of Sellafield with significant fines (£332,500) shows that regulators are now willing to take strong enforcement action, even when no actual breach has occurred. Nuclear facilities cannot afford to wait for an incident before improving their cybersecurity—they must be proactive.
With both the U.S. and U.K. strengthening their regulatory frameworks and increasing enforcement powers, nuclear facilities should take steps now to review and upgrade cybersecurity measures. This includes not just updating technical controls, but also ensuring compliance with security plans, auditing systems, and maintaining proper documentation. 

National security regulators are particularly concerned about the vulnerabilities of nuclear facilities to cyberattacks. In March 2022, the U.S. Justice Department unsealed criminal indictments against four agents of the Russian government, charging them with offenses related to cyber “spear-phishing attacks” which compromised the business network of the Wolf Creek Nuclear Operating Corporation (WCNOC) in Burlington, Kansas. Also of note is the October 2024 prosecution and conviction of Sellafield Ltd in the U.K. for three offenses involving inadequate cybersecurity controls. In that case, the company (rather than the hacker) was charged by the Office for Nuclear Regulation (ONR) for failing to protect sensitive nuclear information and for failing to follow its own cybersecurity plan between 2019 and 2023.
Fortunately, the nuclear facilities in both cases were not materially compromised in these attacks. The targeting of nuclear facility operators demonstrated that malicious actors intended to exploit cyber vulnerabilities within the nuclear industry.
U.S. Regulatory Framework
The Nuclear Regulatory Commission (“NRC”) has been active in establishing rules and guidelines to enhance the cybersecurity of U.S. nuclear facilities:

10 CFR Part 73.54: One of the NRC’s key regulatory frameworks that includes cybersecurity requirements, the regulation mandates that nuclear facilities establish and maintain a cybersecurity program to protect digital assets critical to safety, security, and emergency preparedness.
Regulatory Guide 5.71: In February 2023, the NRC revised its regulatory guide to provide detailed guidance on implementing cybersecurity measures. It outlines a defensive strategy that includes the identification of critical digital assets, continuous assessment of threats, and implementation of protective measures.
Nuclear Energy Institute (NEI) 08-09 (2018 Addendum): This document, developed by the nuclear industry with NRC’s endorsement, offers a comprehensive framework for cybersecurity programs. It emphasizes a risk-informed approach, allowing facilities to tailor their cybersecurity measures based on specific threats and vulnerabilities.

In 2013, the NRC’s Office of Nuclear Security and Incident Response established a Cyber Security Branch (CSB) to strengthen internal governance of the agency’s regulatory activities. Today, the NRC actively monitors threats associated with cybersecurity against NRC-licensed facilities. The CSB maintains a dedicated cyber assessment team responsible for analysing and evaluating real-world cyber incidents. 

The team evaluates whether an identified threat could impact licensed facilities and makes recommendations for NRC actions and communications to the licensees. The NRC also coordinates with other intelligence and law enforcement communities including the National Counterterrorism Center, the Department of Homeland Security’s U.S. Computer Emergency Response Team, and the Federal Bureau of Investigation in working to prevent cyberattacks.
U.K. Regulatory Framework
The U.K. Nuclear industry is subject to a range of different cybersecurity regulations that all have at their heart the concept that effective cybersecurity is a mandatory requirement. These rules have existed in various forms over the years, but there is now increasing activity by regulators to strictly enforce them.

The overarching framework is set out in the Civil Nuclear Cyber Security Strategy 2022. This strategy aims to strengthen the cybersecurity posture of the U.K. civil nuclear sector over five years. It focuses on four key objectives:

Risk Management: Prioritizing cybersecurity as part of a holistic risk management approach.
Risk Mitigation: Proactively addressing cyber risks, including those from legacy systems and new technologies.
Incident Management: Enhancing resilience by preparing for and responding to cyber incidents collaboratively.
Culture and Skills: Promoting a positive security culture and developing cyber skills within the sector.

Underpinning this strategy is an overlapping (and growing) regime of cybersecurity laws:

The Nuclear Industries Security Regulations 2003 (“the NISR”) governs a wide range of security issues, including obligations to ensure that “sensitive nuclear information” is kept secure.
The Network and Information Security Regulations (“NIS 1”) designates nuclear sites as critical infrastructure and imposes an obligation to implement “appropriate technical and operational measures” to protect IT systems and to ensure continuity of service.

Whilst these regimes have been in place for some time, regulators recently stepped up enforcement to ensure compliance with these laws as was evidenced by the recent prosecution of Sellafield.
The Sellafield Case 
Sellafield Ltd, the company licensed to operate the Sellafield nuclear decommissioning and waste site, received a fine in October 2024 of £332,500 after pleading guilty to three offences relating to inadequate cybersecurity controls and procedures that it had in place across a four-year period. 
The prosecution was brought by the U.K.’s independent nuclear regulator (the Office for Nuclear Regulation (“ONR”)) following its investigation where it had identified that Sellafield Ltd had failed to meet the requisite standards, procedures and arrangements set out in its own approved plan for cybersecurity as required under the NISR.
The ONR’s case was not brought on the basis that there had been an actual exploitation of the security failings (seemingly because there was a lack of evidence that attacks had been successful, rather than conclusive proof that the attacks were stopped). The basis of the prosecution was Sellafield’s unsatisfactory performance in relation to the management of its IT systems, and that had the vulnerabilities been exploited by attackers, it could have led to the unauthorised access to critical systems and loss of key data resulting in disrupted operations, damaged facilities and the delay of important decommissioning activities. In particular, Sellafield failed to comply with its own cybersecurity plan and failed to undertake annual checks on the security of its operational and information technology systems.
Following its guilty plea to three offences under the NISR, Sellafield Ltd was ordered to pay a fine of £332,500, along with prosecution costs of £53,253.20. Despite the successful prosecution, the ONR has reported that the cybersecurity failings have yet to be fixed and are subject to ongoing required improvements. 
Going forward, the U.K. legal regime is only going to get stronger. The Government has announced that it plans to introduce a new Cyber Security and Resilience Bill which intends to strengthen the U.K.’s operational resilience to cyber threats by, amongst other things:

Updating the existing (NIS1) regime to ensure that more essential services are protected, including by increasing the scope of digital services and supply chains within the regime;
Increasing regulators’ powers by introducing new cost recovery mechanisms and the ability to proactively investigate potential vulnerabilities (similar to the U.S.’s 2022 update to inspection procedure 71130); and
Expanding reporting requirements. 

It is worth noting that the European Union’s transition from NIS 1 to NIS 2 demonstrates a strengthened approach to cybersecurity, featuring expanded scope, more detailed requirements, and enhanced enforcement measures. This update emphasizes the EU’s dedication to protecting critical infrastructure and extends security obligations to equipment suppliers and service providers. The U.K. Government is likely to use NIS 2 as a model when developing its own Cyber Security and Resilience Bill.


Looking Ahead
U.S. and U.K. regulators are focused on ensuring that organisations providing essential services, and their related key digital suppliers, implement sufficient technical controls to enhance the level of cybersecurity and help protect critical infrastructure. Those in the nuclear industry will be at the sharp edge of these changes and should take the opportunity to review their operational and technical cybersecurity measures now to ensure they are fit for purpose.

The EU’s Omnibus Package: A Step Back on Sustainability?

We reported in previous blog posts (here and here) on the European Commission’s Green Deal initiatives and their impact on companies doing business in Europe as well as the significant recent headwind against these instruments.
On Wednesday, 26 February 2025, the European Commission (the “Commission”) published the first set of proposals – the omnibus package, which includes considerable simplification in the areas of sustainable finance disclosure, sustainability due diligence, the European Union (EU) taxonomy, the border carbon adjustment mechanism and European investment programs.
The Commission aims to reduce the complexity of EU requirements for all businesses, in particular SMEs and small mid-caps (SMCs, i.e. companies with not more than 500 employees), while focusing on larger companies with a potentially bigger impact on climate. This article focuses on the changes affecting the Directive (EU) 2022/2464 on corporate sustainability reporting (“CSRD”) and the Directive (EU) 2024/1760 on corporate sustainability due diligence (“CS3D”).
The relevant draft directives can be found here and here.
Background to the original CSRD and CS3D
The CSRD, which entered into force on 5 January 2023, with a deadline for implementation into national laws on 6 July 2024, is a legislative measure introduced by the EU to improve the quality, consistency and comparability of sustainability information provided by companies. The CSRD requires some companies, based on their size, to report sustainability information. For details, please see our previous article here.
The CS3D, which entered into force on 25 July 2024 with a deadline for implementation on 26 July 2026, aims to foster sustainable and responsible corporate behaviour in companies’ operations and across their global value chains. As we reported, the French authorities published a memorandum on 20 January 2025 urging the EU to modify the CSRD and the CS3D, which they consider not to be aligned with the competitiveness challenges EU companies are facing. For details, please see our previous article here.
With its omnibus package, the European Commission is now proposing to address some of the criticisms raised against the existing directives.
The proposed changes to the CSRD
The current CSRD requires EU large undertakings, as well as EU and non-EU listed companies (excluding micro-undertakings), to report sustainability information. Moreover, in some cases, non-EU undertakings are targeted and their EU subsidiary or branch has to make the sustainability report available.
The initial timeframe for applying the CSRD differs depending on the type of undertaking: financial year (“FY”) 2024 for large undertakings which are public interest entities with more than 500 employees; FY 2025 for other large undertakings; FY 2026 for listed SMEs; and FY 2028 for non-EU undertakings with net EU turnover above EUR 150 million (through their subsidiary or branch).
The Commission now proposes to increase the threshold and require EU large undertakings with more than 1,000 employees to comply with the reporting obligations starting with FY 2027, and non-EU undertakings with net turnover above EUR 450 million starting with FY 2028.
It is also proposed to simplify and streamline the European Sustainability Reporting Standards (“ESRS”) through a Delegated Act by reducing mandatory datapoints, prioritizing quantitative data, distinguishing between mandatory and voluntary datapoints, ensuring global compatibility, and improving clarity and consistency with EU laws. Under the proposal, the Commission will no longer be able to adopt sector-specific standards, nor to propose the option of converting the limited assurance requirement into a reasonable assurance requirement.
The new proposed reporting obligations and timelines can be summarized as follows:

| Existing Categories of Companies | Existing Timeframes | New Proposed Categories | New Proposed Timeframes |
|---|---|---|---|
| Large public interest (“PIE”) companies and parent companies of a large group exceeding at least two of the following three thresholds: > 500 employees; > EUR 50 million turnover; > EUR 25 million balance sheet | In 2025 for FY 2024 | Large undertakings with more than 1,000 employees and exceeding one of the following thresholds: > EUR 50 million turnover; > EUR 25 million balance sheet | In 2028 for FY 2027 |
| Other large EU undertakings | In 2026 for FY 2025 | As above | As above |
| Listed SMEs | In 2027 for FY 2026 | Deleted | Deleted |
| Non-EU undertakings with > EUR 150 million turnover and at least one subsidiary in the EU that is itself covered by the CSRD, or a branch in the EU that generated a net turnover of EUR 40 million | In 2029 for FY 2028 | Non-EU undertakings with > EUR 450 million turnover and at least one large EU subsidiary, or a branch in the EU that generated a net turnover of EUR 50 million | In 2029 for FY 2028 |

While exempt, companies can opt for voluntary reporting based on the voluntary standard for SMEs (“VSME Standard”) developed by the European Financial Reporting Advisory Group (“EFRAG”). This standard is proportionate to their size and capacity, focusing on providing essential sustainability information without the complexities required of larger companies.
The proposed changes to the CS3D
The current CS3D applies to EU limited liability companies and partnerships with more than 1,000 employees and a net worldwide turnover of more than EUR 450 million, as well as ultimate parent companies of a corporate group that meet these thresholds on a consolidated basis, and franchisors/licensors meeting certain conditions and thresholds. The CS3D also applies to non-EU undertakings of a legal form comparable to LLCs/partnerships with a net turnover of more than EUR 450 million generated in the EU, as well as ultimate parent companies of a corporate group that meets the threshold on a consolidated basis, and franchisors/licensors meeting certain conditions and thresholds.
The current timeframe for applying the CS3D differs depending on the type of undertaking: July 2027 for EU companies with more than 5,000 employees and EUR 1,500 million worldwide turnover, as well as non-EU companies with more than EUR 1,500 million turnover generated in the EU; July 2028 for EU companies with more than 3,000 employees and EUR 900 million worldwide turnover, as well as non-EU companies with more than EUR 900 million turnover generated in the EU; and July 2029 for all other companies in scope.
The Commission proposes to extend the transposition deadline of the Directive into national law by one year to 26 July 2027, with the first phase of application for the largest companies postponed to 26 July 2028 (instead of July 2027). The omnibus package proposes new turnover and employee thresholds and changes to the dates when reporting is required under the CS3D. The table below summarises the existing and proposed new rules:

| Current CS3D: Categories | Current CS3D: When | Omnibus changes: Categories | Omnibus changes: When |
|---|---|---|---|
| EU companies with > 5,000 employees and > EUR 1.5 billion worldwide turnover | From 26 July 2027 | EU companies with > 3,000 employees and > EUR 900 million worldwide turnover | From 26 July 2028 |
| EU companies with > 3,000 employees and > EUR 900 million worldwide turnover | From 26 July 2028 | As above | As above |
| Non-EU companies with > EUR 1.5 billion worldwide turnover | From 26 July 2027 | Non-EU companies with > EUR 900 million worldwide turnover | From 26 July 2028 |
| Non-EU companies with > EUR 900 million worldwide turnover | From 26 July 2028 | Deleted | Deleted |
| EU undertakings with > 1,000 employees and EUR 450 million net worldwide turnover; non-EU undertakings with > EUR 450 million net worldwide turnover | From 26 July 2029 | No change | No change: from 26 July 2029 |

The Commission announced it would issue guidelines by July 2026, to help companies adapt and rely more on best practices rather than extensive legal and advisory services.
Substantive changes to the CS3D include the following elements:

due diligence efforts are primarily directed at direct business partners, rather than the entire supply chain;
companies are required to conduct in-depth assessments only when there is plausible information suggesting potential or actual adverse impacts at the level of indirect partners;
the obligations concerning indirect business partners are limited to cases of circumvention or where there is credible information about likely or actual adverse impacts;
the frequency of mandatory monitoring exercises is reduced, alleviating the administrative burden on companies;
regular monitoring is required every five years, with additional assessments triggered by significant changes or new risks;
companies are required to engage only with relevant stakeholders, focusing on those directly affected by their operations; and
the trickle-down effect is reduced by limiting the information that in-scope undertakings can request from their SME and SMC business partners to the information specified in the VSME Standard, unless in-scope undertakings require additional information to complete the mapping (e.g. on impacts not covered by the standards) and cannot obtain this information in any other reasonable way.

Outlook and next steps
For the Omnibus Package to become law, it requires approval from both the European Parliament and a majority of EU member states in the European Council. Once law, directives would then have to be transposed into national laws. Until then, existing national laws remain in effect.
It is too early to predict a clear outcome, as significant criticism has been raised against the Omnibus Package from different parts of the EU suggesting that easing sustainability reporting rules could undermine long-term green growth and corporate accountability and impact on human rights and environmental protections.
However, given that key EU member states are in favour of the Omnibus Package and the drive to increase competitiveness, the weight of the Draghi Report and the fact that the EC has asked for the legislative process to be fast-tracked, we would expect that many of the proposed changes will become EU law, likely in months rather than years.
Some EU countries may well decide to further gold-plate their national laws to address some of the criticisms raised, which would risk a divergence of approach to reporting standards at national level. This would be an unfortunate outcome and would make the monitoring of reporting obligations burdensome.

What Every Multinational Company Should Know About … The Rising Risk of Customs False Claims Act Actions in the Trump Administration

On February 20, 2025, the Deputy Assistant Attorney General for the Commercial Litigation Branch at the U.S. Department of Justice (DOJ), Michael Granston, emphasized using the False Claims Act (FCA) to address U.S. Customs & Border Protection (Customs) violations at the Federal Bar Association’s annual qui tam conference. According to Granston, the Trump administration will seek to “aggressively” deploy the FCA as a “powerful” enforcement mechanism against importers that take steps to evade customs duties, including all the new tariffs being imposed by the Trump administration.
The application of the FCA for underpayments of customs tariffs is already a growing trend. The increased tariffs and attention will combine to increase the number of FCA actions targeting tariff underpayments and the potential amount of recoveries. The U.S. government has unparalleled access to detailed import data covering nearly all imports, giving it the ability to run algorithms to see discrepancies and anomalies that might indicate the underpayment of tariffs. The FCA also can be enforced by whistleblowers who file qui tam suits in the government’s name, in hopes of receiving a share of the recovery in successful cases. Taken together, these factors mean the scene is set for a vast expansion of the use of the FCA as a tool to combat tariff underpayments.
Against this scrutiny, importers should ensure they accurately determine and pay all tariffs, including the new Trump tariffs. The remainder of this article summarizes the heightened risks that the FCA poses in the Trump administration, as well as some practical steps companies can take to minimize the risk of an FCA action.
The Application of the False Claims Act to Customs Violations
The False Claims Act, 31 U.S.C. § 3729 et seq., is a special form of civil remedy used by the government to recover funds the government paid as a result of fraud — typically, a false statement or document that supports a demand for government monies. The FCA allows the government to recover treble damages plus penalties up to $28,619 for each violation. Thus, the FCA authorizes the government to seek not only any tariff underpayments but also three times the amount of the underpayment and penalties for each instance of underpayment. Needless to say, the FCA poses enormous financial risk to importers.
The statute also enables private individuals to act as whistleblowers (or “relators”) by filing qui tam actions on behalf of the government. If the action is successful, the relator can receive up to 30% of the money recovered in the litigation, plus attorney’s fees, with the rest going to the government. This potential for recovery has spawned an active plaintiffs bar that encourages the filing of qui tam actions.
Indeed, the 979 qui tam actions filed by relators in the fiscal year ending in September 2024 constituted a 37% increase over the prior year and a 60% increase over 2019 filings. In addition, the government also originated 423 investigations on its own — almost triple the number the government originated five years ago. Further, the government reported that it recovered almost $3 billion in settlements and judgments in 2024, which followed a nearly-as-high recovery of $2.8 billion recovered in 2023.
In his speech, Granston explained the FCA could be a powerful tool in recovering under-reported tariffs. With the Trump administration announcing a dizzying array of new tariffs, the amount of tariffs imposed — and the risk of FCA actions — are both certain to increase. The emphasis on tariffs and trade continued at the conference. Jamie Ann Yavelberg, director of the Fraud Section of the Civil Division, identified tariff evasion as a “key area” for enforcement, with a focus on false statements about country of origin, declared value of goods, and the number of goods involved.
The following are examples of the Department of Justice’s use of the FCA to address underpayment of customs duties and show the broad range of customs issues that can support an FCA action:

One importer paid almost $22.8 million to settle FCA allegations that it misclassified its vitamin products to avoid paying the full amount of customs duties due, as well as its failure to pay back duties owed after correcting certain misclassifications.
Another importer paid $22.2 million to settle FCA allegations that it misrepresented the nature, classification, and valuation of its imported construction products to evade antidumping and countervailing duties, as well as improperly claiming preferential treatment under free trade agreements, with the relator receiving $3.7 million.
A third importer paid $45 million to resolve allegations that it misrepresented the country of origin on goods that should have been declared to be of Chinese or Indian origin, thereby evading high antidumping and countervailing duties imposed on the entries from those countries.
A fourth importer paid $5.2 million for allegedly evading antidumping and other duties by falsely describing wooden bedroom furniture imported from China as “metal” or “non-bedroom” furniture on documents submitted to CBP while also manipulating images of their products in packing lists and invoices, directing their Chinese manufacturers to ship furniture in mislabeled boxes and falsifying invoices to try to evade detection.
Finally, another importer paid $4.3 million for allegedly failing to include assists (customer-provided production aids) in the declared value of its entries.

Key areas where FCA cases are most likely to arise include:

The misclassification of goods, to move them from a higher to a lower tariff classification.
The misclassification of goods, to move them out of the coverage of the new Trump tariffs such as those imposed on aluminum and steel derivative products.
Declaring the wrong country of origin, to avoid the Section 301 tariffs imposed on China or the tariffs on countries subject to the new tariff proclamations such as China, Canada, or Mexico.
Failing to pay antidumping or countervailing duties, which often have very high tariff rates.
Failing to accurately declare the correct value of goods.
Failing to include assists (production aids provided by the customer) or royalties within the declared value.
Failing to have a customs transfer pricing study in place, if this results in the undervaluation of goods imported from an affiliated company.
Failing to correct past entry information if Customs notifies the importer of a change that impacts the duty rate, such as by issuing a Form 28 Request for Information or Form 29 Notice of Action. When this occurs, Customs expects that importers will use the Post-Summary Corrections Process to correct all analogous prior entries and to pay back duties on those prior entries.

Another factor that increases FCA risk is that Customs maintains two additional whistleblower programs of its own — one under the Enforce and Protect Act (EAPA), for reporting antidumping and countervailing duty evasion, and an eAllegations portal for all other claims of tariff evasion. It remains to be seen whether the new administration will mine these sources for FCA enforcement purposes.
Practical Steps Importers Can Take to Minimize Potential FCA Actions
Given the likelihood of increased enforcement, as well as the sharply rising levels and types of tariffs, importers should prioritize customs compliance, as any underpayments raise the specter not only of customs penalties but also potential FCA damages and penalties.
Customs-Related Steps
In a high-tariff environment, the stakes for compliance miscues are substantial and include potential penalties and interest for underpayments as well as FCA risks. Some key areas to consider for ongoing customs compliance include the following:

Inaccurate classifications can result in incorrect duties or penalties, so confirm your company has procedures to correctly classify goods using the correct Harmonized Tariff Schedule (HTS) codes and maintains a regularly updated import classification index to reflect new products or changes in tariff codes.
Confirm that your organization maintains a detailed customs compliance manual that outlines procedures for classification, valuation, origin determination, recordkeeping, interactions with brokers and Customs, and other relevant matters that impact the accuracy of information reported to Customs and can create underpayments.
Review and ensure there are procedures to track and properly report assists, royalties, or other non-invoice costs that might affect the declared value of imported goods. Misreporting these costs could lead to underpayments of duties and penalties.
Ensure that there are procedures to regularly review entries after entry to identify potential errors in valuation, origin declarations, classification, or other entry-specific items that impact how much duties are owed.
Regularly use post-summary corrections as a means of correcting errors, as most entry-related information can be corrected until liquidation without penalty (generally, around 314 days after entry).
In addition to post-entry checks, more detailed customs audits can uncover underlying issues that can lead to customs penalties. Major importers should consider conducting regular customs audits, pulling a judgmental sample of entries for thorough examination to determine if there are areas that contain errors.
Ensure your company maintains procedures for overseeing customs brokers and freight forwarders, including written protocols that are consistently followed.
Customs traditionally has not imposed penalties if an importer initiates a voluntary self-disclosure before the government begins its investigation. Importers should be aggressive in using voluntary self-disclosures to minimize the likelihood of customs penalties and related FCA liability risks.
Request confidential treatment for your company’s import data. Much of the information filed as part of the entry process is available for review by companies, such as PIERS and Panjiva, which aggregate import data and sell it to the public. By filing a government confidentiality request and keeping it up to date, your company can limit the ability of third parties (including competitors and whistleblower law firms) to analyze import data to discern trading patterns, supply chains, and exposure to high-risk regions or high-tariff products.

Compliance and Whistleblower Steps
In addition to the customs-related steps listed above, maintaining a robust corporate compliance program that addresses customs issues and general whistleblowing concerns can help prevent an internal complaint from turning into a qui tam suit. Some measures to consider include the following:

Maintain an Effective Compliance Program. Maintain a corporate compliance program that meets DOJ’s expectations for effectiveness, and ensure the program is coordinated with a well-tailored customs compliance program. Effective compliance programs are marked by senior leadership support, adequate resources, use of risk assessments, well-developed policies and procedures, tailored trainings, encouragement of internal reporting, and meaningful responses to complaints. Given the heightened risk environment, make sure your company has a compliance officer or team that understands customs issues and can follow up on reports of potential customs violations.
Encourage Internal Reporting & Whistleblower Protection. Establish a confidential internal reporting mechanism (e.g., hotline). Protect employees from retaliation to encourage internal reporting over external whistleblower actions. Investigate and address complaints promptly and transparently.
Conduct Regular Training & Education. Train employees on Customs and FCA requirements and the risks of false claims. Effective training is tailored to the roles and responsibilities of given groups of employees.
Strengthen Internal Controls & Audits. Perform regular post-entry checks and internal audits to identify and correct potential customs violations and underpayments.
Respond Proactively to Potential Violations. Act quickly if an issue is detected to correct errors, and consider self-reporting to Customs when necessary, both to lock in a no-penalty situation with Customs and to reduce the likelihood of qui tam suits.
Respond Promptly and Fully to All Customs Forms 28 (Requests for Information), Form 29s (Notices of Action), and Informal Inquiries. Importers should designate an internal employee to be an ACE contact so that your company receives Customs notices at the same time as the customs broker, instead of relying on the broker to forward any notices. Any requests for information or Customs actions should be investigated thoroughly and have a well-supported response (generally required within 30 days).
Follow Through on Customs Notices. If Customs makes a determination, such as reclassifying a product, then Customs requires that the importer search through its recent imports and reflect the Customs decision for all identical or analogous entries. In some cases, substantial customs penalties or FCA liability have arisen from the failure to do so. Ensure that the full implications of any Customs action are thoroughly understood and that your company uses the Post-Summary Corrections process to reflect any changes mandated by Customs. Consider using a voluntary self-disclosure to reflect changes to older entries.
Follow Up Thoroughly on Any Civil Investigative Demand (CID) from DOJ or Any Qui Tam Complaint. The receipt of a CID or qui tam complaint always requires the highest level of attention, given the draconian penalties the FCA authorizes. Follow up on the receipt of these items to take swift action to investigate and defend against those claims, using outside counsel with experience in the FCA and customs issues.

By proactively addressing customs compliance, importers can help minimize the risk not only of customs penalties but also the risk of qui tam lawsuits. Especially in a high-tariff environment, customs compliance and taking all available steps to ensure the proper payment of all tariffs lawfully due is essential and needs to be at the top of the list for any risk-based compliance program.

The BR Privacy & Security Download: March 2025

STATE & LOCAL LAWS & REGULATIONS
Virginia Legislature Passes Bill Regulating High-risk AI: The Virginia legislature passed HB 2094, the High-Risk Artificial Intelligence Developer and Deployer Act (the “Act”). Using a similar approach to the Colorado AI Act passed in 2023 and California’s proposed regulations for automated decision-making technology, the Act defines “high-risk AI systems” as AI systems that make consequential decisions, which are decisions that have material legal or similarly significant effects on a consumer’s ability to obtain things such as housing, healthcare services, financial services, access to employment, and education. The Act would require developers to use reasonable care to prevent algorithmic discrimination and to provide detailed documentation on an AI system’s purpose, limitations, and risk mitigation measures. Deployers of AI systems would be required to implement risk management policies, conduct impact assessments before deploying high-risk AI systems, disclose AI system use to consumers, and provide opportunities for correction and appeal. The bill is currently with Virginia Governor Glenn Youngkin, and it is unclear if he will sign it. 
Connecticut Introduces AI Bill: After an effort to pass AI legislation stalled last year in the Connecticut House of Representatives, another AI bill was introduced in the Connecticut Senate in February. SB-2 would establish regulations for the development, integration, and deployment of high-risk AI systems designed to prevent algorithmic discrimination and promote transparency and accountability. SB-2 would specifically regulate high-risk AI systems, defined as AI systems making consequential decisions affecting areas like employment, education, and healthcare. The bill includes similar requirements as the Connecticut AI bill considered in 2024 and would require developers to use reasonable care to prevent algorithmic discrimination and provide documentation on an AI system’s purpose, limitations, and risk mitigation measures. Deployers of high-risk AI systems would be required to implement risk management policies, conduct impact assessments before deployment of high-risk AI systems, disclose AI system use to consumers, and provide opportunities for appeal and correction.
New York Governor Signs Several Privacy Bills: New York Governor Kathy Hochul signed a series of bills expanding compliance obligations for social media platforms, debt collectors who use social media platforms, and dating applications. Senate Bill 895B—effective 180 days after becoming law—requires social media platforms operating in New York to post terms of service explaining how users may flag content they believe violates the platform’s terms. Senate Bill 5703B—effective immediately—prohibits the use of social media platforms for debt collection purposes. Senate Bill 2376B—effective 90 days after becoming law—expands the scope of New York’s identity theft protection law by including in its scope the theft of medical and health insurance information. Finally, Senate Bill 1759B—effective 60 days after becoming law—requires online dating services to notify individuals who were contacted by members who were banned for using a false identity, providing them with specific information to help users prevent being defrauded. Importantly, the New York Health Information Privacy Act, which would significantly expand the obligations of businesses that may collect broadly defined “health information” through their websites, has not yet been signed.
California Reintroduces Bill Requiring Browser-Based Opt-Out Preference Signals: For the second year in a row, the California Legislature has introduced a bill requiring browsers and mobile operating systems to provide a setting that enables a consumer to send an opt-out preference signal to businesses with which the consumer interacts through the browser or mobile operating system. The California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), provides California residents with the ability to opt out of the sale or sharing of their personal data, including through an opt-out preference signal. AB 566 would amend the CCPA to ensure that consumers have the ability to do so. AB 566 requires the opt-out preference signal setting to be easy for a reasonable person to locate and configure. The bill further gives the California Privacy Protection Agency (“CPPA”), the agency charged with enforcing the CCPA, the authority to adopt regulations to implement and administer the bill. The CPPA has sponsored AB 566.
Virginia Senate Passes Amendments to Virginia Consumer Protection Act: Virginia’s Senate Bill 1023 (“SB 1023”) amends the Virginia Consumer Data Protection Act by banning the sale of precise geolocation data. The bill defines precise location data as anything that can locate a person within 1,750 feet. Introduced by Democratic State Senator Russet Perry, the bill has garnered bipartisan support in the Virginia Senate, passing with a 35-5 vote on February 4, 2025. Perry stated that the type of data the bill intends to ban has been used to target people in domestic violence and stalking cases, as well as for scams. 
Task Force Publishes Recommendations for Improvement of Colorado AI Act: The Colorado Artificial Intelligence Impact Task Force published its Report of Recommendations for Improvement of the Colorado AI Act. The Act, which was signed into law in May 2024, has faced significant pushback from a broad range of interest groups regarding ambiguity in its definitions, scope, and obligations. The Report is designed to help lawmakers identify and implement amendments to the Act prior to its February 1, 2026, effective date. The Report does not provide substantive recommendations regarding content but instead categorizes topics of potential changes based on how likely they are to receive consensus. The report identified four topics in which consensus “appears achievable with additional time,” four topics where “achieving consensus likely depends on whether and how to implement changes to multiple interconnected sections,” and seven topics facing “firm disagreement on approach where creativity will be needed.” These topics range from key definitions under the Act to the scope of its application and exemptions.
AI Legislation on Kids Privacy and Bias Introduced in California: California Assembly Member Bauer-Kahan introduced yet another California bill targeting Artificial Intelligence (“AI”). The Leading Ethical AI Development for Kids Act (“LEAD Act”) would establish the LEAD for Kids Standards Board in the Government Operations Agency. The Board would then be required to adopt regulations governing—among other things—the criteria for conducting risk assessments for “covered products.” Covered products include an artificial intelligence system that is intended to, or highly likely to, be used by children. The Act would also require covered developers to conduct and submit risk assessments to the board. Finally, the Act would authorize a private right of action for parents and guardians of children to recover actual damages resulting from breaches of the law.

FEDERAL LAWS & REGULATIONS
House Committee Working Group Organized to Discuss Federal Privacy Law: Congressman Brett Guthrie, Chairman of the House Committee on Energy and Commerce (the “Committee”), and Congressman John Joyce, M.D., Vice Chairman of the Committee, announced the establishment of a working group to explore comprehensive data privacy legislation. The working group is made up entirely of Republican members and is the first action in this new Congressional session on comprehensive data privacy legislation. 
Kids Off Social Media Act Advances to Senate Floor: The Senate Commerce Committee advanced the Kids Off Social Media Act. The Act would prohibit social media platforms from allowing children under 13 to create accounts, prohibit platforms from algorithmically recommending content to teens under 17, and require schools to limit social media use on their networks as a condition of receiving certain funding. The Act is facing significant pushback from digital rights groups, including the Electronic Frontier Foundation and the American Civil Liberties Union, which claim that the Act would violate the First Amendment.
Business Groups Oppose Proposed Updates to HIPAA Security Rule: As previously reported, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) issued a Notice of Proposed Rulemaking (“NPRM”) to amend the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule to strengthen cybersecurity protections for electronic protected health information (“ePHI”). See Blank Rome’s Client Alert on the proposed rule. A coalition of business groups, including the College of Healthcare Information Management Executives, America’s Essential Hospitals, American Health Care Association, Association of American Medical Colleges, Federation of American Hospitals, Health Innovation Alliance, Medical Group Management Association and National Center for Assisted Living, have written to President Trump and HHS Secretary Robert F. Kennedy, Jr. opposing the proposed rule. The business groups argue that the proposed rule imposes great financial burdens on the healthcare sector, including on rural hospitals, which would divert attention and funds away from other critical areas. The business groups also argue that the proposed rule contradicts Public Law 116-321, which explicitly requires HHS to consider a regulated entity’s adoption of recognized security practices when enforcing the HIPAA Security Rule, by not addressing or incorporating this legal requirement.
National Artificial Intelligence Advisory Committee Adopts List of 10 AI Priorities: The National Artificial Intelligence Advisory Committee (“NAIC”), which was established under the 2020 National Artificial Intelligence Initiative Act, approved a draft report for the Trump administration with 10 recommendations to address AI policy issues. The recommendations cover AI issues in employment, AI awareness and literacy, and AI in education, science, health, government, and law enforcement, as well as recommendations for empowering small businesses and AI governance and supporting AI innovation in a way that would benefit Americans.
CFPB Acting Director Instructs Agency Staff to Stop Work: Consumer Financial Protection Bureau (“CFPB”) Acting Director Russell Vought instructed agency staff to “stand down” and refrain from doing any work. The communication to CFPB employees followed an instruction to suspend regulatory activities and halt CFPB rulemaking. Vought also suspended CFPB’s supervision and examination activities. This freeze would impact the CFPB’s rule on its oversight of digital payment apps as well as the CFPB’s privacy rule that created a right of data portability for customers of financial institutions.

U.S. LITIGATION
First Washington My Health My Data Lawsuit Filed: Amazon is facing a class action lawsuit alleging violations of Washington’s My Health My Data Act (“MHMDA”), along with federal wiretap laws and state privacy laws. The suit is the first one brought under MHMDA’s private right of action and centers on Amazon’s software development kit (“SDK”) embedded in third-party mobile apps. The plaintiff’s complaint alleges Amazon collected location data of users without their consent for targeted advertising. The complaint also alleges that the SDK collected time-stamped location data, mobile advertising IDs, and other information that could reveal sensitive health details. According to the lawsuit, this data could expose insights into a user’s health status, such as visits to healthcare facilities or health behaviors, without users knowing Amazon was also obtaining and monetizing this data. The lawsuit seeks injunctive relief, damages, and disgorgement of profits related to the alleged unlawful behavior. The outcome could clarify how broadly courts interpret “consumer health data” under the MHMDA.
NetChoice Files Lawsuit to Challenge Maryland Age-Appropriate Design Act: NetChoice—a tech industry group—filed a complaint in federal court in Maryland challenging the Maryland Age-Appropriate Design Code Act as violating the First Amendment. The Act was signed into law in May and became effective in October 2024. It requires online services that are likely to be accessed by children under the age of 18 to provide enhanced safeguards for, and limit the collection of data from, minors. In its Complaint, NetChoice alleges that the Act will not meaningfully improve online safety and will burden online platforms with the “impossible choice” of either proactively censoring categories of constitutionally protected speech or implementing privacy-invasive age verification systems that create serious cybersecurity risks. NetChoice has been active in challenging similar Acts across the country, including in California, where it has successfully delayed the implementation of the eponymous California Age-Appropriate Design Code Act.
Kochava Settles Privacy Class Action; Unable to Dismiss FTC Lawsuit: Kochava Inc. (“Kochava”), a mobile app analytics provider and data broker, has settled the class action lawsuits alleging Kochava collected and sold precise geolocation data of consumers that originated from mobile applications. The settlement requires Kochava to pay damages of up to $17,500 for the lead plaintiffs and attorneys’ fees of up to $1.5 million. Among other changes to its privacy practices Kochava must make, the settlement requires Kochava to implement a feature aimed at blocking the sharing or use of raw location data associated with health care facilities, schools, jails, and other sensitive venues. Relatedly, U.S. District Judge B. Lynn Winmill of the District of Idaho denied Kochava’s motion to dismiss the lawsuit brought by the Federal Trade Commission (“FTC”) for Kochava’s alleged violations of Section 5 of the FTC Act. The FTC alleges that Kochava’s data practices are unfair and deceptive under Section 5 of the FTC Act, as it sells the sensitive personal information collected through its Mobile Advertising ID system (“MAIDs”) to its customers, providing customers a “360-degree perspective” on consumers’ behavior through subscriptions to its data feeds, without the consumer’s knowledge or consent. In the order denying Kochava’s motion to dismiss, Winmill rejected Kochava’s argument that Section 5 of the FTC Act is limited to tangible injuries and wrote that the “FTC has plausibly pled that Kochava’s practices are unfair within the meaning of the FTC Act.”
Texas District Court Blocks Enforcement of Texas SCOPE Act: The U.S. District Court for the Western District of Texas (“Texas District Court”) granted a preliminary injunction blocking enforcement of Texas’ Securing Children Online through Parental Empowerment Act (“SCOPE Act”). The SCOPE Act requires digital service providers to protect children under 18 from harmful content and data collection practices. In Students Engaged in Advancing Texas v. Paxton, plaintiffs sued the Texas Attorney General to block enforcement of the SCOPE Act, arguing the law is an unconstitutional restriction of free speech. The Texas District Court ruled that the SCOPE Act is a content-based statute subject to strict scrutiny, and that with respect to certain of the SCOPE Act’s monitoring-and-filtering, targeted advertising and content monitoring and age-verification requirements, the law’s restrictions on speech failed strict scrutiny and should be facially invalidated. Accordingly, the Texas District Court issued a preliminary injunction halting the enforcement of such provisions. The remaining provisions of the law remain in effect.
California Attorney General Agrees to Narrowing of Its Social Media Law: The California Attorney General has agreed to not enforce certain parts of AB 587, now codified in the Business & Professions Code, sections 22675-22681, which set forth content moderation requirements for social media platforms (the “Social Media Law”). X Corp. (“X”) filed suit against the California Attorney General, alleging that the Social Media Law was unconstitutional, censoring speech based on what the state sees as objectionable. While the U.S. District Court for the Eastern District of California (“California District Court”) initially denied X’s request for a preliminary injunction to block the California Attorney General from enforcing the Social Media Law, the Ninth Circuit overturned that decision, holding that certain provisions of the law regarding extreme content failed the strict-scrutiny test for content-based restrictions on speech, violating the First Amendment. X and the California Attorney General have asked the California District Court to enter a final judgment based on the Ninth Circuit decision. The California Attorney General has also agreed to pay $345,576 in attorney fees and costs.

U.S. ENFORCEMENT
Arkansas Attorney General Sues Automaker over Data Privacy Practices: Arkansas Attorney General Tim Griffin announced that his office filed a lawsuit against General Motors (“GM”) and its subsidiary OnStar for allegedly deceiving Arkansans and selling data collected through OnStar from more than 100,000 Arkansas drivers’ vehicles to third parties, who then sold the data to insurance companies that used the data to deny insurance coverage and increase rates. The lawsuit alleges that GM advertised OnStar as offering the benefits of better driving, safety, and operability of its vehicles, but violated the Arkansas Deceptive Trade Practices Act by misleading consumers about how driving data was used. The lawsuit was filed in the Circuit Court of Phillips County, Arkansas.
Healthcare Companies Settle FCA Claims over Cybersecurity Requirements: Health Net and its parent company, Centene Corp. (collectively, “Health Net”), have settled with the United States Department of Justice (“DOJ”) for allegations that Health Net falsely certified compliance with cybersecurity requirements under a U.S. Department of Defense contract. Health Net had contracted with the Defense Health Agency of the U.S. Department of Defense (“DHA”) to provide managed healthcare support services for DHA’s TRICARE health benefits program. The DOJ alleged that Health Net failed to comply with its contractual obligations to implement and maintain certain federal cybersecurity and privacy controls. The DOJ alleged that Health Net violated the False Claims Act by falsely stating its compliance in related annual certifications to the DHA. The DOJ further alleged that Health Net ignored reports from internal and third-party auditors about cybersecurity risks on its systems and networks. Under the settlement, Health Net must pay the DOJ and DHA $11.25 million.
Eyewear Provider Fined $1.5M for HIPAA Violations: The U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) imposed a $1,500,000 civil money penalty against Warby Parker for violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Security Rule. The penalty resulted from a cyberattack involving unauthorized access to customer accounts, affecting nearly 200,000 individuals. An OCR investigation resulted from a 2018 security incident. Between September 25, 2018, and November 30, 2018, third parties accessed customer accounts using usernames and passwords obtained from breaches of other websites, a method known as “credential stuffing.” The compromised data included names, addresses, email addresses, payment card information, and eyewear prescriptions. OCR found that Warby Parker failed to conduct an accurate risk analysis, implement sufficient security measures, and regularly review information system activity.
CPPA Finalizes Sixth Data Broker Registration Enforcement Action: The California Privacy Protection Agency announced that it is seeking a $46,000 penalty against Jerico Pictures, Inc., d/b/a National Public Data, a Florida-based data broker, for allegedly failing to register and pay an annual fee as required by the California Delete Act. The Delete Act requires data brokers to register and pay an annual fee that funds the California Data Broker Registry. This action comes following a 2024 data breach in which National Public Data reportedly exposed 2.9 billion records, including names and Social Security Numbers. This is the sixth action taken by the CPPA against data brokers, with the first five actions resulting in settlements.

INTERNATIONAL LAWS & REGULATIONS
First EU AI Act Provisions Become Effective; Guidelines on Prohibited AI Adopted: The first EU AI Act (the “Act”) provisions to become effective came into force on February 2, 2025. The Act’s provisions prohibiting certain types of AI systems deemed to pose an unacceptable risk and rules on AI literacy are now applicable in the EU. Prohibited AI systems are those that present unacceptable risks to the fundamental rights and freedoms of individuals and include social scoring for public and private purposes, exploitation of vulnerable individuals with subliminal techniques, biometric categorization of natural persons based on biometric data to deduce or infer their race, political opinions, trade union membership, religious or philosophical beliefs or sexual orientation, and emotion recognition in the workplace and education institutions, unless for medical or safety reasons, among other uses. The new AI literacy obligations will require organizations to put in place robust AI training programs to ensure a sufficient level of AI literacy for their staff and other persons working with AI systems. Certain obligations related to general-purpose AI models will become effective August 2, 2025. Most other obligations under the Act will become effective August 2, 2026.
UK Introduces AI Cyber Code of Practice: The UK government has introduced a voluntary Code of Practice to address cybersecurity risks in AI systems, with the aim of establishing a global standard via the European Telecommunications Standards Institute (“ETSI”). This code is deemed necessary due to the unique security risks associated with AI, such as data poisoning and prompt injection. It offers baseline security requirements for stakeholders in the AI supply chain, emphasizing secure design, development, deployment, maintenance, and end-of-life. The Code of Practice is intended as an addendum to the Software Code of Practice. It provides guidelines for developers, system operators, data custodians, end-users, and affected entities involved in AI systems. Principles within the code include raising awareness of AI security threats, designing AI systems for security, evaluating and managing risks, and enabling human responsibility for AI systems. The code also emphasizes the importance of documenting data, models, and prompts, as well as conducting appropriate testing and evaluation.
CJEU Issues Opinion on Pseudonymized Data: The Court of Justice of the European Union (“CJEU”) issued a decision in a case involving an appeal by the European Data Protection Supervisor (“EDPS”) against a General Court decision that annulled the EDPS’s decision regarding the processing of personal data by the Single Resolution Board (“SRB”) during the resolution of Banco Popular Español SA during insolvency proceedings. The case reviewed whether data transmitted by the SRB to Deloitte constituted personal data. Personal data consisted of comments from parties interested in the proceedings that had been pseudonymized by assigning a random alphanumeric code, as well as aggregated and filtered, so that individual comments could not be distinguished within specific commentary themes. Deloitte did not have access to the codes or the original database. The court held that the data was personal data in the hands of the SRB. However, the court ruled that the EDPS was incorrect in determining that the pseudonymized data was personal data to Deloitte without analyzing whether it was reasonably possible that Deloitte could identify individuals from the data. As a takeaway, the CJEU left open the possibility that pseudonymized data could be organized and protected in such a way as to remove any reasonable possibility of re-identification with respect to a particular party, resulting in the data not constituting personal data under the GDPR.
European Commission Withdraws AI Liability Directive from Consideration; European Parliament Committee Votes to Press On: The European Commission announced it plans to withdraw the proposed EU AI Liability Directive, a draft legislation for addressing harms caused by artificial intelligence. The decision was announced in the Commission’s 2025 Work Program stating that there is no foreseeable agreement on the legislation. However, the proposed legislation has not yet been officially withdrawn. Despite the announcement, members of the European Parliament on the body’s Internal Market and Consumer Protection Committee voted to keep working on liability rules for artificial intelligence products. It remains to be seen whether the European Parliament and the EU Council can make continued progress in negotiating the proposal in the coming year.
Additional Authors: Daniel R. Saeedi, Rachel L. Schaller, Gabrielle N. Ganze, Ana Tagvoryan, P. Gavin Eastgate, Timothy W. Dickens, Jason C. Hirsch, Adam J. Landy, Amanda M. Noonan and Karen H. Shin.

Key Updates to the Employment Rights Bill

As part of the UK Government’s efforts to boost living standards and following weeks of consultation with business groups and trade unions, the Government has announced a series of proposed changes that the Employment Rights Bill (the “Bill”) plans to implement.
Here is a brief overview of the measures:

Employees will receive new “Day One” rights including being entitled to:

statutory sick pay (at present, this only applies from the third day of sickness absence);
unfair dismissal protection (removing the two-year qualifying employment requirement);
parental leave (removing the 26-weeks continuous service requirement); and
paternity leave entitlement (removing the one-year continuous service requirement).

Increasing the maximum period of the protective award for collective redundancy from 90 days to 180 days. Tribunals will be able to grant larger awards to employees for an employer’s failure to meet consultation requirements. Further guidance will be issued on this.
Abolishing the Lower Earnings Limit of £123 weekly to ensure that all employees, irrespective of pay, have access to statutory sick pay (“SSP”). People on wages below £123 weekly will receive either 80% of their average weekly earnings or statutory sick pay (which is currently £116.75), whichever is lower.
Employers will be required to take all reasonable steps to prevent sexual harassment, and sexual harassment-related disclosures will constitute “protected disclosures”.
Flexible working is set to become the “default” for all workers from their first day with employers only able to refuse a flexible working request if it is “unreasonable” based on a lawful ground (listed in the Bill).
It will be unlawful to dismiss pregnant mothers during their pregnancy and maternity leave (subject to exceptions which are yet to be clarified).
Bereavement leave will be available for those who suffer a pregnancy loss before 24 weeks.
A Modern Framework for Industrial Relations will be created to align trade unions’ operations with modern work practices.
Time limits for bringing claims in the employment tribunals will be extended from three to six months following the date of the act(s) complained of.
Dismissing an employee who does not agree to a contract variation, or dismissing an employee in order to employ another person or to re-engage the same employee under a varied contract to carry out substantially the same duties, will be considered unfair dismissal unless the employer can show it could not have reasonably avoided making the variation.
The definition of workers will now include agency workers who should be able to access a contract which reflects the hours they regularly work. The zero-hour contract ban will extend to include agency workers.
Those working for umbrella companies will be given rights and protections comparable to those they would have if they were working for a recruitment agency. Enforcement action will be able to be taken against umbrella companies if they do not comply.

The Government will no longer be including a “right to switch off” outside of working hours in the Bill, which would have prevented employers from contacting staff out-of-hours. However, there have been suggestions that this right may be included in an accompanying code in due course.
The Bill is set to be heard before Parliament over the next few weeks, during which further amendments may be made. The Bill is expected to be introduced next Autumn.
Maya Sterrie also contributed to this article.