Ratings Agency Announces That It Will Analyze Physical Climate Risk When Evaluating Certain Assets

Recently, Fitch Ratings issued a discussion paper that outlined a “contemplated framework for the analysis of physical climate risk for [Structured Finance] and [Covered Bonds] for the potential negative implications of physical climate events on asset performance, and, ultimately, on ratings.” In essence, a major credit ratings agency has effectively announced that physical climate risk–including “acute wildfire, wind, flood, drought, precipitation, and hail risk”–should be included when analyzing and issuing credit ratings. 
This development provides further evidence for how companies are integrating climate risk into day-to-day operations, and the increasing salience of this issue for a number of different industries (e.g., finance, insurance). For example, here, with respect to the covered bond market, the physical risk posed by climate change to the underlying asset could have a significant impact on the risk profile of the security–and thus upon its price. 
Irrespective of the extent to which climate data is subject to mandatory climate disclosures by governmental authorities, the private sector is nonetheless demanding certain climate data in order to function properly and profitably.  

Against that backdrop, Fitch is now in the process of integrating physical climate risks into credit assessments. The move reflects an evolving concern among ratings firms and regulators alike that climate change is hitting the mortgage market — and the bonds that finance it — in ways that have yet to be adequately reflected in valuations. What happened in Switzerland should serve as a reminder that when climate shocks hit, their impact can be devastating, Rossiter said.
news.bloomberglaw.com/…

Navigating Change: The Impact of the UK’s Data (Use and Access) Bill on Businesses

The UK Data (Use and Access) Bill (the “DUA Bill”) has been subject to a surprisingly prolonged legislative journey, oscillating between the House of Commons and the House of Lords as it approaches the final stages. This back-and-forth reflects the complexity and controversy surrounding certain of its provisions. Once the DUA Bill is agreed, it is estimated that it will come into effect within approximately 12 months. This article summarises certain of the key changes to UK data protection and privacy legislation proposed by the DUA Bill, considers the impact of such changes on the UK’s existing EU Commission adequacy decision and discusses how businesses should approach compliance.
How the DUA Bill Amends Data Protection and Privacy Legislation
The DUA Bill proposes fundamental changes to the UK’s data protection and privacy legislation, including the UK General Data Protection Regulation (“UK GDPR”). The focus of the UK government is to modernise and streamline existing legislation as part of an effort to bolster data governance in the UK. It addresses key areas of data protection and privacy, such as legitimate interests, international data transfers and automated decision-making (“ADM”), while also covering other data-related areas, including smart data and public registers. It seeks to balance the need for flexibility in data processing with robust safeguards for personal data, reflecting the evolving digital landscape and the increasing importance of data-driven technologies. The UK government believes that the proposed legislative amendments will foster innovation and enhance public trust, while remaining aligned with international standards and the EU General Data Protection Regulation.
AI Models
The key topic which remains under debate between the House of Lords and the House of Commons is whether to include provisions related to AI models. The House of Lords argued for the inclusion of transparency requirements for business data used in relation to AI models and inserted provisions requiring developers of AI models to publish all information used in the pre-training, training, fine-tuning and retrieval-augmented generation of the AI model, and to provide a mechanism for copyright owners to identify any individual works they own that may have been used during such processes. These provisions emerged as the most contentious aspect of the DUA Bill, contributing significantly to its ongoing back-and-forth between the House of Commons and the House of Lords. The House of Commons is of the view that transparency requirements for AI models warrant separate legislative action, arguing that their inclusion in the DUA Bill would complicate the overarching framework and would require additional public funds. As of the time of writing, the transparency provisions for AI models have been removed from the DUA Bill and replaced with provisions requiring the Secretary of State to introduce, amongst other things, draft legislation containing proposals to provide transparency to copyright owners regarding the use of their copyright works as data inputs for AI models. We now wait to see whether this approach will be agreed to between the House of Lords and House of Commons.
Recognised Legitimate Interests and Legitimate Interests
The DUA Bill introduces “recognised legitimate interests” as a new, lawful basis for processing personal data. Building on the existing lawful basis of legitimate interests, this new basis allows businesses to process data for specific purposes defined under the DUA Bill without conducting a traditional legitimate interests assessment (“LIA”). The listed processing activities include national security and defence, and responding to emergencies and safeguarding vulnerable people.
Additionally, the DUA Bill outlines a further list of processing activities which “may” be processed under the existing legitimate interests lawful basis. While such activities are not “recognised legitimate interests” and therefore still require an LIA, the legislative footing allows businesses more surety when seeking to rely on legitimate interests for the activity. The activities include direct marketing, sharing data intra-group for internal administrative purposes, and ensuring security of network and information systems.
International Data Transfers
The DUA Bill amends the adequacy decision framework in several ways. The amendments re-work Article 45 of the UK GDPR so the framework comprises “transfers approved by regulations,” as opposed to “transfers on the basis of an adequacy decision.” To approve a country by regulations, the UK Secretary of State must be of the view that the “data protection test” is met, i.e., the standard of protection in the third country is “not materially lower” than that of the UK. Similar to the UK GDPR, the DUA Bill sets out considerations which the UK Secretary of State should take into account when assessing whether the data protection test is met for a third country, including, for example, whether the third country has respect for the rule of law and human rights, and whether the third country has an authority for enforcing data protection. While the amendments initially appear as fairly substantial, they are unlikely to significantly affect international data transfers from the UK as they do not radically reform the existing framework.
Data Subject Access Requests
The DUA Bill seeks to address certain challenges posed by data subject access requests (“DSARs”). The amendments clarify that data subjects are only entitled to information resulting from a “reasonable and proportionate” search by the business, the intention being to reduce the cost and administrative burden on businesses of fulfilling DSARs. The DUA Bill also amends the time limit for responding to a DSAR, enabling businesses to extend the initial one-month period for responding by a further two months where it is deemed necessary by reason of the “complexity” or “number” of requests by a data subject.
Automated Decision-Making
The DUA Bill relaxes restrictions on the use of ADM, enabling ADM without the existing restrictions under Article 22 of the UK GDPR (e.g., procuring consent of the individual) where special category data is not to be processed. Where ADM is conducted without special category data, the DUA Bill still requires safeguards be implemented such as transparency regarding the ADM and allowing individuals to contest decisions and seek human review.
Scientific Research Provisions
The DUA Bill broadens the definition of scientific research to encompass any research “reasonably described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity,” expanding the exemptions for processing of special category data under the UK GDPR to include privately funded and commercial research. The definition also removes the need for a public interest assessment with respect to the processing of scientific research data. Under the new definition, data subjects will be able to consent to the use of their data for scientific research purposes even if such purposes are not yet “possible to identify.”
Purpose Limitation
The DUA Bill clarifies the concept of “further processing.” Amongst other things, it outlines criteria to help assess whether further processing is compatible with the original purpose, such as the link between the new and original purposes, the context in which the data was originally collected and the possible consequences for data subjects of the further processing being contemplated. It also sets out instances when processing for a new purpose would be deemed compatible with the original purpose, for example where the data subject consents or where the processing meets a condition set out in the new Annex 2, for example, where the processing is necessary for the purposes of complying with an obligation of the controller under an enactment, a rule of law or a court order or tribunal.
Children’s Data
Emphasising the protection of children’s data, the DUA Bill introduces the concept of “children’s higher protection matters” to the principle of data protection by design and default in the context of providing an information society service which is likely accessible by a child. This places additional duties on businesses and the Information Commissioner’s Office (the “ICO”) to consider the vulnerability of children when carrying out responsibilities under data protection law in an effort to ensure enhanced safeguards for young individuals.
Cookie Requirements and PECR Fines
The DUA Bill introduces key changes to the rules governing the use of cookies and similar tracking technologies under Privacy and Electronic Communications Regulations (“PECR”), most notably regarding the need for consent. The DUA Bill provides exemptions from the requirement to seek consent for certain non-essential cookies and similar tracking technologies used solely to collect statistical data with a view to improve the appearance or performance of a website, adapt a website to a user’s preferences, or to make improvements to services or a website. It also includes an exhaustive list of purposes for using cookies and similar tracking technologies which can be considered strictly necessary, such as security and fraud detection. The impact of such is that consent is not required to use the cookies and similar tracking technologies, nor are businesses required to offer the ability to opt-out. Additionally, the DUA Bill aligns fines for non-compliance with PECR with the UK GDPR, setting sanctions at up to 4 percent of global turnover or £17.5 million, whichever is higher.
Information Commission
The DUA Bill provides for significant organisational changes to the ICO. For example, the DUA Bill abolishes the ICO and replaces it with the Information Commission and replaces the lead Information Commissioner role with a Chair and executive/non-executive members. It also reforms the process by which data subjects can submit complaints to the ICO by requiring complaints be addressed by the relevant business first. The complaint can only be escalated to the ICO when it has not been dealt with satisfactorily, thereby reducing the number of complaints reaching the ICO.
Other Provisions
Beyond the amendments to data protection regulations, the DUA Bill introduces other provisions that, according to the UK government, seek to promote the growth of the UK economy, improve UK public services and make people’s lives easier, such as:

Smart Data: The DUA Bill introduces provisions enabling Smart Data Schemes, whereby the Secretary of State can issue regulations governing access to customer and business data. Open Banking is an example of a Smart Data Scheme already existing in the UK. Government consultations will define which businesses can access data and what safeguards apply.
Digital Verification Services: The DUA Bill establishes a framework for “trusted” providers of digital verification services (“DVS”) by introducing a DVS register with additional certification through a DVS Trust Framework which will be created by the Secretary of State in consultation with the ICO. This initiative aims to enhance trust and security in digital verification processes.
Healthcare Data: To facilitate data sharing across platforms, the DUA Bill mandates that IT systems in the healthcare system must meet common standards. The Secretary of State will be given the power to publish an information standard on IT services in the healthcare setting, including on technical provisions such as functionality, connectivity, interoperability, portability, storage and data security.

Conclusion
The DUA Bill represents a comprehensive effort to modernise data protection laws in the UK, balancing the need for economic growth and innovation with the imperative to safeguard individual privacy and data security.
The UK government is optimistic that these changes will be well-received by the European Commission when considering the UK’s adequacy decisions. The European Commission recently granted a six-month extension to the UK’s two adequacy decisions to allow the UK additional time to finalise the DUA Bill, after which the European Commission intends to reassess the adequacy of data protection in the UK (see here for more information on the extensions).
As it nears implementation, businesses impacted by the DUA Bill should take proactive measures to review their data processing practices in anticipation of the new requirements set forth by the legislation. This preparation involves not only ensuring compliance with the new obligations but also capitalising on opportunities to enhance data management and security, and to streamline certain processing activities such as the use of ADM and cookies.

New Travel Ban Takes Effect

On June 4, 2025, President Donald Trump signed an Executive Order restricting the entry of certain foreign nationals to the United States, with the purported goal of protecting the United States from foreign terrorists, as well as other national security and public threats. (Read the proclamation here: Restricting The Entry of Foreign Nationals to Protect the United States from Foreign Terrorists and Other National Security and Public Safety Threats – The White House.)
The travel restrictions took effect on June 9, 2025, at 12:01 a.m. Only those individuals who are outside the United States on this date and who do not already hold a valid nonimmigrant or immigrant visa for entry to the United States are affected. Visas issued to these individuals will not be revoked pursuant to this proclamation. 
These restrictions will be first reviewed after 90 days (on September 7, 2025) and then will be reviewed every 180 days thereafter to determine whether the restrictions should be continued, terminated, or modified, or if additional travel restrictions should be imposed.
COMPLETE RESTRICTION OF ENTRY TO THE UNITED STATES
Individuals who have passports from the following countries are generally restricted from applying for admission to the U.S. either as a nonimmigrant (i.e., in any nonimmigrant visa category such as B-1/B-2, F-1, H-1B, L-1, etc.), or as an immigrant (i.e., as a permanent resident), subject to certain exceptions:

Afghanistan
Burma
Chad
Republic of the Congo
Equatorial Guinea
Eritrea
Haiti
Iran
Libya
Somalia
Sudan
Yemen

PARTIAL RESTRICTION OF ENTRY TO THE UNITED STATES
Individuals who have passports from the following countries are generally restricted from applying for admission to the United States, if they are applying for entry to the United States with either an immigrant visa or with a non-immigrant visa within one of the categories identified below:

Burundi: Suspension of entry on B-1, B-2, B-1/B-2, F, M, and J visas
Cuba: Suspension of entry on B-1, B‑2, B-1/B-2, F, M, and J visas
Laos: Suspension of entry on B-1, B‑2, B-1/B-2, F, M, and J visas
Sierra Leone: Suspension of entry on B-1, B-2, B-1/B-2, F, M, and J visas
Togo: Suspension of entry on B-1, B‑2, B-1/B-2, F, M, and J visas
Turkmenistan: Suspension of entry on B-1, B-2, B-1/B-2, F, M, and J visas 
Venezuela: Suspension of entry on B‑1, B-2, B-1/B-2, F, M, and J visas

Individuals from Egypt may also be included in future revisions to the travel restrictions.
EXCEPTIONS TO TRAVEL RESTRICTIONS
The U.S. Attorney General can make a case-by-case exception to permit individuals from countries on these lists to enter the United States, if the individual’s travel would advance a critical U.S. national interest, including if the individual is required to participate in criminal proceedings as a witness.
INDIVIDUALS EXEMPT FROM TRAVEL RESTRICTIONS
The travel restrictions do not apply to the following individuals:

Permanent Residents of the United States (i.e., “green card holders”)
Dual nationals who have a second passport from a country that is not listed in the proclamation, and who present the unaffected passport when applying for admission to the United States.
Visa holders in any of the following categories: A-1, A-2, C-2, C-3, G-1, G-2, G-3, G-4, NATO-1, NATO‑2, NATO-3, NATO-4, NATO-5, or NATO-6 (i.e., diplomats)
Athletes applying for entry to the United States to participate in the World Cup, Olympics, or other major sporting event.
Immediate relatives of U.S. Citizens (spouse, unmarried child under 21 years of age, or parent of a U.S. citizen (if the U.S. citizen is 21 years of age or older). Immediate relatives must have immigrant visas in the following categories: IR-1/CR-1, IR-2/CR-2, IR-5)
Adopted children who have immigrant visas in the following categories: IR-3, IR-4, IH-3, IH-4)
Afghan Special Immigrant Visa holders
U.S. government employees with Special Immigrant Visas
Ethnic and religious minorities facing persecution in Iran with Immigrant visas
Individuals already granted asylum, refugees admitted to the United States, and individuals granted withholding of removal under the Convention Against Torture (“CAT”).

The Proclamation does not limit the ability for individuals to seek asylum, refugee status, withholding of removal, or protection under CAT.
PURPOSE OF TRAVEL RESTRICTIONS
In determining what restrictions to impose for each country, the President considered foreign policy, national security, and counterterrorism goals, and each country’s screening and vetting capabilities, information sharing policies, and country-specific risk factors—significant risks of terrorism within each country, the visa-overstay rate of individuals from each country, and each country’s cooperation with accepting the return of individuals who have been removed from the United States. The President also considered the different risks posed by individuals admitted to the U.S. on temporary, non-immigrant visas, as well as those admitted to the U.S. on immigrant visas who become lawful permanent residents or “green card” holders of the United States.

Trump Suspends Travel to U.S. for Nationals of 19 Countries

President Donald Trump signed a proclamation suspending entry to the U.S. for nationals of 19 countries on June 4, 2025. The proclamation stated that the designated countries are so deficient in their information screening and vetting that a suspension on the entry of nationals from those countries is necessary. “Presidential Proclamation Restricting the Entry of Foreign Nationals to Protect the United States from Foreign Terrorists and Other National Security and Public Threats” took effect at 12:01 a.m. ET on June 9, 2025.
Nationals of the following countries are fully suspended from entering the U.S. as immigrants or nonimmigrants starting June 9, 2025:

Afghanistan
Burma
Chad
Republic of Congo
Equatorial Guinea
Eritrea
Haiti
Iran
Libya
Somalia
Sudan
Yemen

Nationals of the following countries are partially suspended from entering the U.S. as immigrants or as nonimmigrants on B-1, B-2, B-1/B-2, F, M, or J visas:

Burundi
Cuba
Laos
Sierra Leone
Togo
Turkmenistan
Venezuela

The suspension on entry applies to all nationals of the designated countries who are outside of the U.S. on the effective date and do not have a valid immigrant or nonimmigrant visa on the effective date. Visas issued before June 9, 2025, will not be revoked.
Similar to the travel ban under President Trump’s first term, there are exceptions to the suspension on entry in specific circumstances, which include:

U.S. Lawful Permanent Residents (“green card holders”);
Foreign nationals holding dual citizenship with and traveling on the passport of a country not subject to the suspension;
Certain A, C, G, or NATO nonimmigrant visa holders;
Athletes, members of an athletic team, coaches, support personnel, and immediate relatives traveling for a major sporting event, such as the World Cup or Olympics;
Certain immediate relatives of U.S. citizens;
Adoptions;
Special Immigrant Visas for Afghanis or U.S. government employees;
Immigrant visas for ethnic and religious minorities facing persecution in Iran;
Individuals granted asylum, refugee status, or withholding of removal under CAT.

In addition, there are two “national interest” exceptions, where the travel by the individual would:

Advance a critical U.S. national interest involving the Department of Justice; or
Serve a U.S. national interest at the discretion of the Secretary of State.

The proclamation does not indicate how long the travel ban will remain in effect. Instead, it provides that the State Department will assess whether the travel suspensions and limitations should be continued, terminated, modified, or supplemented 90 days after implementation, and then every 180 days. In the proclamation, the president specifically asked for an evaluation on whether Egypt should be added, so it is likely the list of covered countries will grow.
Important Takeaways for Employers

Restrictions on entry to the U.S. will greatly hinder business and personal travel for covered workers and employees. Even in an emergency, travelers could find themselves unable to return to the United States. Employers should closely monitor international business travel requirements and carefully plan to avoid disruption from employee travel.
While the travel ban does not revoke immigrant or nonimmigrant visas issued before June 9, 2025, nationals of the designated countries may nonetheless be subject to enhanced inspections by U.S. Customs and Border Protection when seeking admission.

A New Gateway for Cross-Border Enforcement: Hague Judgments Convention Comes into Effect in the UK on 1 July 2025

The Hague Convention of 2 July 2019 on the Recognition and Enforcement of Foreign Judgments in Civil and Commercial Matters (the “Hague Judgments Convention”) will come into effect in the UK on 1 July 2025. The process of enforcing UK judgments[1] in other contracting states (including all EU Member States (except Denmark), Ukraine and Uruguay) will now be far more streamlined in most cases, thereby reducing the delay, cost and uncertainty of enforcement in those jurisdictions.
While the entry into force of the Hague Judgments Convention in the UK is a welcome step in the facilitation of cross-border dispute resolution, particularly post-Brexit, there are some notable limitations to its scope. For instance, it does not provide for the automatic recognition and enforcement of relevant judgments, judgments must meet certain requirements, and it will apply only to UK judgments where the underlying proceedings were commenced on or after 1 July 2025. 
Scope and purpose of the Hague Judgments Convention
The Hague Judgments Convention provides a uniform and simplified legal framework for the reciprocal recognition and enforcement of judgments in civil and commercial matters across contracting states, without the need to re-examine the substance of the case in fresh proceedings (provided that certain criteria are met; see below). For example, only a specified group of documents will need to be produced in every case[2].
Importantly, the Hague Judgments Convention applies to judgments where the dispute falls within both exclusive and non-exclusive jurisdiction clauses (in contrast to the 2005 Hague Convention[3], for example, which applies only to exclusive choice of court agreements), making it widely applicable to many cross-border contracts.
A broad range of civil and commercial matters are within its scope, including both contractual and tort claims. Several types of cases are excluded, however, including: status and legal capacity of natural persons; family law; defamation; insolvency; tax; customs; revenue; administrative law matters; anti-trust; privacy; activities of armed forces; carriage of passengers and goods; and intellectual property matters[4]. Arbitration and related proceedings are also expressly excluded[5].
Eligibility criteria for recognition and enforcement and other limitations
There are several limitations as to the scope and applicability of the Hague Judgments Convention, which will apply only to UK judgments where the underlying proceedings were commenced on or after 1 July 2025.
Notably, it does not provide for the automatic recognition and enforcement of judgments, unlike the simplified EU regime[6]. To be eligible for recognition and enforcement, a judgment must fall within one of the specified bases[7]. These include (but are not limited to) the defendant: having expressly submitted to the jurisdiction of the court of origin; having been habitually resident in the state of origin at the time it became a party to the relevant proceedings; or having had their principal place of business in the state of origin at the time it became a party to the proceedings, with the dispute arising out of activities of that business.
Recognition and enforcement may be refused in certain (relatively limited) cases. These include cases where: (1) a judgment has been obtained by fraud; (2) the defendant was not notified of the proceedings in sufficient time to arrange a defence; (3) recognition would be manifestly incompatible with public policy of the state in which enforcement is requested; (4) a judgment is inconsistent with a judgment given by a court of the requested state in a dispute between the same parties; or (5) a judgment is inconsistent with an earlier judgment given by a court of another state between the same parties on the same subject matter[8]. Any refusal by the requested state to enforce a judgment under the Hague Judgments Convention does not prevent a subsequent application for recognition or enforcement of the judgment in that state, however.
Further, the law of the requested state (i.e. the country in which recognition and enforcement is sought) governs the applicable procedure (unless the Hague Judgments Convention provides otherwise). This is likely to introduce some uncertainty around timing and process, albeit the relevant court is still required to act expeditiously[9]. Any pre-existing treaties to which a contracting state is a party will also continue to apply, although the contracting states must as far as possible interpret the Hague Judgments Convention to be compatible with any other treaties that are in force[10].
Geographic reach: other contracting states
The Hague Judgments Convention has broad geographic reach (where matters fall within its scope). 
As at the date of publication (June 2025), contracting states include all EU Member States (except Denmark), Ukraine and Uruguay (and the UK from 1 July 2025) [11]. 
Albania, Andorra and Montenegro each have ratified the Hague Judgments Convention, where it is expected to come into force in 2026[12]. Meanwhile, the United States, Israel, Costa Rica, Kosovo, North Macedonia and Russia have all signed the Hague Judgments Convention, thus signalling an intention to join, although those states will not be bound until they ratify it.
Significance for the UK and its judicial system
Since leaving the EU, the UK has not benefited from certain mechanisms that facilitate cross-border enforcement of civil judgments across EU Member States, such as the Brussels I Recast Regulation 2015 (“Brussels Recast 2015”) and the Lugano Convention 2007. For example, Brussels Recast 2015 provided for automatic recognition of judgments across EU Member States without the need for a declaration of enforceability.
Since the end of the post-Brexit transition period on 31 December 2020, enforcement of UK judgments has followed the domestic rules in – and (where applicable) bilateral agreements with – overseas jurisdictions, all of which vary and can lead to legal uncertainty and increased costs.
The Hague Judgments Convention helps to fill this post-Brexit enforcement gap to some extent – albeit with the caveat that (as noted above) it does not provide for the automatic recognition and enforcement of judgments as does the simplified EU regime. 
Accordingly, while the Hague Judgments Convention (re)strengthens the attractiveness of the UK as a forum for resolving international commercial disputes by providing a reliable enforcement mechanism in participating countries, it remains to be seen how the courts of contracting states will apply it in practice in terms of both procedure and any pre-existing treaties in place.
Conclusion
The entry into force of the Hague Judgments Convention in the UK is a welcome step in the facilitation of cross-border dispute resolution, particularly post-Brexit. The clear and streamlined framework for the recognition and enforcement of judgments across other contracting states will be of benefit to businesses and individuals who are engaged in international commerce and who wish to rely upon the UK courts to uphold their legal rights. Despites its limitations, the Hague Judgments Convention is still expected to improve legal efficiency and enhance enforcement predictability, whilst also reinforcing the UK’s position as a global legal hub.

[1] I.e. Judgments issued by the courts of England & Wales, Scotland and Northern Ireland.
[2] Article 12.
[3] Hague Convention of 30 June 2005 on Choice of Court Agreements.
[4] Article 2.
[5] Article 2(3)).
[6] E.g. under the Brussels I Recast Regulation 2015; see further below.
[7] Article 5.
[8] Article 7.
[9] Article 13(1).
[10] Article 23.
[11] Contracting states at the time of publication are: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Estonia, European Union, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Ukraine and Uruguay. For the latest status, see: https://www.hcch.net/en/instruments/conventions/status-table/?cid=137 (links to a third party website).
[12] On 1 March 2026 in Albania and Montenegro; and on 1 June 2026 in Andorra.

Regulation Round Up May 2025

Welcome to the Regulation Round Up, a regular bulletin highlighting the latest developments in UK and EU financial services regulation.
Key developments in May 2025:
30 May
Trade Settlement: The Financial Conduct Authority (“FCA”) published a press release on the faster settlement of trades in funds.
29 May
FCA Regulation Round‑up: The FCA has published its regulation round-up for May 2025. Among other things, it covers a future data request for the advisers and intermediaries’ sector, and an upcoming webinar on the FCA’s recent consultation paper on simplifying its insurance rules.
28 May
Cryptoassets: The FCA has published a consultation paper (CP25/14) on proposed prudential rules and guidance for firms carrying on the regulated activities of issuing qualifying stablecoins and safeguarding qualifying cryptoassets.
27 May
Liquidity Risk Management: The International Organization of Securities Commissions (“IOSCO”) has published its final report on its updated liquidity risk management recommendations for collective investment schemes alongside final guidance for the effective implementation of its revised recommendations.
23 May
FCA Handbook: The FCA has published Handbook Notice 130, which sets out changes to the FCA Handbook made by the FCA board on 1 May and 22 May. The changes relate to payment optionality for fund managers, consumer credit regulatory reporting and handbook administration.
19 May
Consumer Credit: HM Treasury published a consultation paper on the first phase of its proposed widescale reforms to the Consumer Credit Act 1974.
16 May
Bank Resolution: The Bank Resolution (Recapitalisation) Act 2025 was published. The Act will amend the Financial Services and Markets Act 2000 and the Banking Act 2009 to introduce a new mechanism allowing the Bank of England to use funds provided by the banking sector to cover certain costs associated with resolution under the special resolution regime.
15 May
UK Sanctions: The UK Government published its cross‑government review of sanctions implementation and enforcement.
Artificial Intelligence: The European Parliament’s Committee on Economic and Monetary Affairs published a draft report on the impact of artificial intelligence (“AI”) on the financial sector (PE773.328v01‑00). The report provides policy recommendations to enable the use of AI in financial services and outlines concerns of regulatory overlaps / legal uncertainties, indicating potential early tensions with the proposed AI Act. The report also calls on the European Commission to ensure clarity and guidance on how existing financial services regulations apply to the use of AI in financial services.
PISCES: The Financial Services and Markets Act 2023 (Private Intermittent Securities and Capital Exchange System Sandbox) Regulations 2025 were published and laid before parliament. The regulations establish the Private Intermittent Securities and Capital Exchange System (“PISCES”) Sandbox, including providing the framework for potential PISCES operators to apply to operate intermittent trading events for participating private companies and investors.
14 May
Insurance: The FCA published a consultation paper (CP25/12) on proposals to simplify its insurance rules for insurance firms and funeral plan providers.
12 May
Investment Research: The FCA has published a policy statement (PS25/4) on investment research payment optionality for fund managers.
8 May
Solvency II: The Prudential Regulation Authority (“PRA”) has updated its webpage on Solvency II to note that it will delay the implementation of the updated mapping of external credit rating agency ratings to Credit Quality Steps (“CQSs”) for use in the UK Solvency II regime.
Small Asset Managers: The FCA has published a webpage setting out the findings from its review of business models for smaller asset managers and alternatives.
7 May
MAR and MiFID II: The European Securities and Markets Authority (“ESMA”) has published a final report containing technical advice to the European Commission on the implications of the Listing Act on the Market Abuse Regulation (596/2014) (“MAR”) and the Markets in Financial Instruments Directive (2014/65/EU) (“MIFID II”).
6 May
ESG: The European Commission has published a call for evidence about revising Regulation (EU) 2019/2088 on sustainability‑related disclosures in the financial services sector (“SFDR”). Please refer to our dedicated article on this topic here.
2 May
ESG: ESMA has published a consultation paper on regulatory technical standards under Regulation (EU) 2024/3005 on the transparency and integrity of ESG rating activities.
Cryptoassets: The FCA has published a discussion paper (DP25/1) seeking views on its future approach to regulating cryptoasset trading platforms, intermediaries, cryptoasset lending and borrowing, staking, decentralised finance, and the use of credit to buy cryptoassets.
FCA Handbook: The FCA published Handbook Notice 129, which sets out changes to the FCA Handbook made by the FCA board on 27 March 2025.
Sulaiman Malik & Michael Singh also contributed to this article. 

Call for Evidence for Impact Assessment of the European Biotech Act Will Close June 11, 2025

The European Commission (EC) began a call for evidence on May 14, 2025, for an impact assessment of the European Biotech Act. The EC states that the overall objective is to improve the size and competitiveness of the biotechnology sector in the European Union (EU) while maintaining high safety standards. The new European Biotech Act will aim to ensure that the EU makes the most of the biotechnology revolution for the benefit of society, the environment, and the economy, while making it easier to develop and bring to market products across all biotechnology sectors in the EU. According to the EC, the European Biotech Act would address the following issues:

European companies have difficulty expanding within the single market because of “a complex regulatory framework that is perceived as slow and burdensome.” According to the EC, there are cases where implementation of the relevant EU regulatory framework diverges among EU member states, resulting in regulatory environments that are complex to navigate for companies and that can hinder the development or commercialization of biotechnology products. In addition, barriers at national or regional levels can further delay or hinder market entry.
The growth and development of biotechnology companies in Europe is hindered by market fragmentation, risk capital constraints, and scattered innovation support. EU companies lack sufficient access to risk-tolerant capital, and there is a lack of coordinated private and public investment to support the translation of innovation into products and the scaling-up of production for innovative biotechnology products.
The EC states that the EU does not tap into the full potential of its scale when it comes to pooling capacities to make it more competitive globally. Because national interests often lead to support for local companies, many biotechnology clusters exist throughout the EU. Some clusters are mostly of regional relevance, do not cover all the steps from laboratory to market, duplicate efforts at low scale, do not fully use their capacities, or have limited resources.
Manufacturing biotechnology products requires highly specialized equipment and a highly qualified and multidisciplinary workforce. According to the EC, in the EU, there is a mismatch between the labor supply and the biotechnology and biomanufacturing skills required.
Artificial intelligence (AI) and big data — including access to supercomputing capacity and to large, integrated, high-quality datasets — offer huge potential for all sectors underpinned by biotechnology, provided that appropriate safeguards are put in place.

The impact assessment will explore the following areas:

Speed and streamlining: “Time-to-market” is an essential parameter for the successful translation of innovation into commercial products. Where appropriate, the regulatory environment for biotechnology needs to be simplified, including the procedures for risk assessments. The aim is to facilitate and speed up the development and approval of biotechnology products and to bring them to the market faster and more easily, without compromising safety for health and for the environment or biosecurity standards. Best practices for accelerated time-to-market at EU, national, and regional levels need to be promoted.
Financing: Having access to sufficient capital is key to supporting the process of translating innovation into product development and the scaling-up of production capacities. Risk-tolerant capital is essential for the development of the biotechnology industry at seed phase, scale-up stage, and at later stages of development.
Scale: Tapping into the potential of the EU in terms of both scale of production and market size can help to ensure that companies thrive in Europe. Further options could be to look at possible support for the development, operation, governance, and coordination of biotechnology clusters or centers of excellence in the EU. The EC states that an open, competitive and at-scale business environment will be essential to keep the EU ahead in the global race.
Skills: Specific measures will be considered to improve the upskilling and reskilling of the workforce in the biotechnology area. This is to ensure that companies have access to adequately trained staff and to equip academic developers with the necessary entrepreneurial skills to create and grow a company.
Use of data and AI in the biotechnology sector: Access to data, storage services, and computing resources is essential for biotechnology research and innovation and for the development of AI tools and solutions to support the development of biotech products. According to the EC, having access to supercomputing capacity and AI testing facilities is essential to enable biotechnology companies and organizations to use data effectively. Targeted projects and tailored programs at the EU level have the potential to facilitate and push forward the development and adoption of digital solutions and AI in all biotechnology sectors.

Comments are due June 11, 2025. The EC plans a public consultation on the draft legislation in the fourth quarter of 2025, and to adopt final legislation in the third quarter of 2026.

DHS Terminates Temporary Protected Status for Nepal

On June 5, 2025, the U.S. Department of Homeland Security (DHS) announced that it would terminate the temporary protected status (TPS) for Nepal, effective Aug. 5, 2025.
As background, DHS grants TPS to eligible individuals from countries experiencing ongoing armed conflict, environmental disasters, or other extraordinary conditions, which allows them to live and work in the United States without fear of deportation. 
Nepal was first given TPS designation in 2015 for an 18-month period after an earthquake devastated the country. DHS subsequently extended the TPS designation for an additional 18-month period. Later, DHS, under the first Trump administration, sought to end Nepal’s TPS designation in 2018, but this was challenged in federal court. As a result of the litigation, DHS rescinded its decision to terminate TPS for Nepal. DHS has since extended TPS for Nepal on several other occasions, up through the current expiration date of Aug. 5, 2025. 
Employees currently working pursuant to TPS under Nepal will lose work authorization on Aug. 5, 2025, and must depart the United States unless they have applied for alternative U.S. immigration benefits that provide work authorization under a different program or category. 

Nanjing’s Intellectual Property Protection Center Bans the Use of Generative AI in Drafting Patent Application Documents Submitted for Pre-Examination

On June 4, 2025, Nanjing’s Intellectual Property Protection Center (NIPPC) announced it is banning the use of artificial intelligence (AI) in drafting patent application documents submitted for pre-examination. China’s pre-examination system enables applicants to submit their patent applications to a regional office for an initial examination and potentially receive expedited examination at China’s National Intellectual Property Administration (CNIPA) if certain conditions are met. The NIPPC stated that it was determined that “relevant content [of patent applications] was directly generated by artificial intelligence.”
The NIPPC stated:
I、 Clear prohibition requirements1. It is strictly prohibited to use AI generated content directly in patent application documents. The patent application documents shall be manually written, drawn, edited, and organized by the applicant or their authorized patent agency based on real inventions, research results, and related materials.2. It is strictly prohibited to use AI to generate research and development evidentiary materials, including but not limited to experimental data reports, technical research and development documents, scientific research achievement explanations, etc. The R&D certification materials should be generated by real R&D activities, objectively and accurately reflecting the R&D process and results, and have verifiability and traceability.II、 Explanation of the consequences of violationFor those who violate the prohibition regulations, the relevant pre-trial cases will not be approved, and a “Pre-Examination Quality Notice” will be issued to the applicant and the agency.For serious cases, according to the “Management Measures for Pre Examination Services of Filing Entities and Agency Institutions (2024)” (宁知保〔2024〕32号), the qualification for pre-examination services will be suspended for a certain period of time and included in the negative list of graded and classified management.3. For particularly serious circumstances that clearly violate Article 20 of the Patent Law and Article 11 of the Implementing Regulations of the Patent Law, reports will be made to the administrative authorities at all levels, and corresponding administrative penalties will be recommended for the applicant and the agency in accordance with the law.III、 Notification of verification measuresIn the subsequent pre-examination review of cases, the Nanjing Intellectual Property Protection Center will use various methods to verify the application documents and research and development certification materials, including but not limited to: using professional text detection tools to analyze the originality of the content; organizing review experts to evaluate the rationality, logic, and professionalism of the documents; requiring the applicant to explain, clarify or provide further supporting materials for the key content in the document.
The original Notice is available here (Chinese only).

Ad Restrictions on HFSS Products in the UK to Take Effect on 5 January 2026, with Voluntary Compliance from Advertisers and Broadcasters from 1 October 2025

The UK Government has delayed the implementation of the Advertising (Less Healthy Food Definitions and Exemptions) Regulations 2024 (“Regulations”), which were due to come into force on 1 October 2025, in order to explicitly exempt ‘pure brand’ advertising from the Regulations. The Regulations will now come into force on 5 January 2026. However, despite this delay, advertisers and broadcasters have voluntarily committed to complying with the restrictions from 1 October 2025 (as originally planned).
In a letter addressed to the Government, representatives from the advertising industry stated their commitment not to run ads for specific, identifiable less healthy food or drink products. The letter was signed by key advertising bodies, such as the Advertising Association, ISBA, the IPA and IAB. The letter was also signed by major media organisations and broadcasters, including Channel 4, ITV, Sky and Reach plc, along with the Food and Drink Federation.
The Regulations will impose new restrictions banning ads for “identifiable” food and drinks that are high in fat, salt or sugar (“HFSS”) from being shown on TV before 9pm in the UK or at any time in online paid-for advertising. The aim of the Regulations is to reduce the exposure of HFSS marketing to children by restricting such advertising, with the forthcoming change following numerous governmental commitments regarding HFSS restrictions over the past few years. 
What restrictions will be introduced?
The restrictions being introduced include:

a 9pm watershed for “identifiable” less healthy food and drink advertising on TV. This will also include all on-demand programme services (“ODPS”); and
the introduction of a complete ban on paid-for less healthy food and drink advertising online, including on non-Ofcom regulated ODPS.

The Regulations will apply to businesses involved or associated with the manufacture or sale of “less healthy” food or drink with 250 or more employees (which includes franchises) who pay to advertise HFSS products. Only HFSS products that are “identifiable” will be regulated.
Which products are covered by the Regulations?
HFSS products within the scope of the Regulations are those:

falling within one of the 13 product categories in the schedule to the Regulations;[1] and
scoring at least a certain number of points under the relevant Nutrient Profiling Model technical guidance .

To help businesses understand the types of products that may fall outside the scope of the Regulations, Department of Health and Social Care (“DHSC”) guidance provides a list of non-exhaustive exemptions (e.g. neither dried fruit snacks nor garlic bread are HFSS products).
There are also numerous exempt products that are already subject to separate regulations, which include (among others) infant formula, total diet replacement products, meal replacement products (which use an approved health claim) and food for special medical purposes.
Enforcement
The Regulations will be enforced by the Advertising Standards Authority (“ASA”) and Ofcom. Non-compliant businesses could face the following (among others):

enforcement notices and corrective action;
consumer and competitor complaints;
financial penalties where the business makes serious breaches; and/or
reputation damage, which may be incurred as result of the ASA (and the press) publicly reporting on any non-compliance.

Pure brand advertising
‘Pure brand’ advertising refers to advertising that focuses on promoting a brand’s overall identity and recognition, rather than specific product features or promotions. However, the ASA considered that it was not clear whether pure brand advertising was caught within the scope of the restrictions or not.
Following this, the DHSC published a number of statements to clarify its position regarding pure brand advertising. Ashley Dalton, Parliamentary Under-Secretary of State for Public Health and Prevention, stated on 22 May 2025 that “the Government intends to make and lay a Statutory Instrument (SI) to explicitly exempt ‘brand advertising’ from the restrictions. The SI will provide legal clarification on this aspect of the existing policy, as it was understood and agreed by Parliament during the passage of the Health and Care Bill. This will enable the regulators to deliver clear implementation guidance and mean that industry can prepare advertising campaigns with confidence”.
As such, businesses can still promote their brands insofar as any ads do not identify less healthy products and be exempt from the restrictions.
Next steps
With only months until the restrictions are introduced, businesses within the food and drink sector and those supplying them (such as advisors, agencies and consultancies) should familiarise themselves with the new advertising obligations and assess current product compliance using the nutritional scoring to determine how impacted they will be. With the ASA shaping its guidance so regularly, businesses should monitor updates to proactively ensure that they are keeping abreast of any developments. Businesses may also want to consider adapting their marketing strategy to promote healthier products or reformulating certain products so that they are no longer deemed “less healthy” and caught by the restrictions.

[1] These products include (among others): soft drinks (category 1); savoury snacks (category 2); breakfast cereals (category 3); confectionary (category 4); ice cream/lollies (category 5); cakes and cupcakes (category 6); sweet biscuits and bars (category 7); “morning goods”, which includes pastries and pancakes (category 8); desserts and puddings (category 9); sweetened yoghurt (category 10); pizza (category 11); chips and wedges (category 12); and ready meals, products ordered from a menu that are intended to be consumed as complete meal, breaded or battered seafood or meat product and sandwiches (category 13).
The authors wish to thank Royce Clemente for his contribution to this post.

Crack the Code: A Guide to the UK Stewardship Code 2026

On 3 June 2025, the Financial Reporting Council (“FRC”) published its new UK Stewardship Code 2026 (the “Code”). The voluntary Code applies to asset managers, asset owners and services providers with the aim of providing greater transparency on reporting in respect of the stewardship roles undertaken on behalf of clients and beneficiaries.
Although the UK Stewardship Code is voluntary, certain UK-regulated firms are required to disclose their adherence to it under the Financial Conduct Authority’s Handbook (specifically under Environmental, Social and Governance sourcebook and Conduct of Business sourcebook). The Code is widely embraced across not only the UK asset management sector, but also by international firms and non-UK managers, with a current status of 297 signatories managing £52.3 trillion in assets under management, making it highly relevant to a broad range of firms.
The Main Features of the new 2026 Code include:
1. Streamlined Reporting Requirements
The number of principles has reduced and reporting prompts have been shortened with the aim to avoid a “box-ticking” approach.
Signatories can now choose between submitting:

A combined report (to be made annually during one of the two application windows); or
Separate Policy and Context Disclosures (to be made every 4 years) and Activities and Outcomes Reports (to be made annually).

2. Refined Definition of Stewardship
The definition has been revised to clarify that stewardship is about the responsible allocation, management, and oversight of capital to create long-term sustainable value for clients and beneficiaries. The previous definition from the 2020 code was considered by some to imply by some that stewardship encompassed a duty to deliver on societal or environmental benefits in addition to the economic aspect.
3. Tailored Principles for Different Signatories
New specific principles have been introduced for proxy advisors, investment consultants and engagement service providers.
4. Optional Guidance for Non-Equity Asset Classes
The FRC has published draft guidance which can be found here to help organisations report on stewardship across asset classes beyond listed equity, such as fixed income or real estate.
What does this mean for Asset Managers, Asset Owners, and Service Providers?
In essence, the new Code will allow for more focused reporting as either a single combined report can be submitted or, alternatively, split into a separate policy and Context Disclosure and Activities and Outcomes Report – this will hopefully reduce the administrative burden and allow more flexibility with the stewardship role.
The Code will also likely trigger more substantive engagement as managers must show how stewardship activities (such as engagement or voting) have influenced investment decisions or outcomes.
The optional guidance will also provide asset managers the chance to report on stewardship with respect to non-equity assets which will be beneficial for diversified portfolios or multi-asset strategies.
Lastly, the Code now distinguishes between different types of signatories, so asset managers for example, are assessed based on their specific role and influence in the investment chain, and this more tailored approach may enhance the relevance of the principles to certain signatories.
Key Dates for applying
The Code will have two application windows for signatories or hopefully signatories to submit reports:

Spring 2026: applications from asset managers and service providers will be due by 30 April 2026. Applications from asset owners will be due by 31 May 2026.
Autumn 2026: all applications will be due by 31 October 2026.

Transition period
To support the move towards the UK Stewardship Code, 2026 will be treated as a transition year. All existing signatories submitting a renewal application will remain on the signatory list throughout this period. The reasoning behind the transition period is to recognise that organisations will have already met the requirements under the 2020 code and will seek to encourage them to embrace the updated Code without the need for reassessment by the FRC.
Current signatories to the Stewardship Code who are scheduled to report in the autumn cycle are still expected to provide their reports by 31 October 2025.
For new signatories that are not party to the current 2020 code, they will be subject to the full assessment process.
How can firms get ready for the new Code?
1. Review and Understand the 2026 Code
Check the refined definitions of stewardship and how it aligns with your firm’s investment philosophy or values. Familiarise your team with the revised principles paying attention to the new structure and reporting options.
2. Assess Current Practices
Consider conducting a gap analysis comparing your current stewardship policies and reporting against the new Code.
3. Choose a Reporting Path
Decide whether to submit a combined report or to split the reporting disclosures based on internal resources and complexity of your investment strategies.
4. Engage with Service Providers
If you use proxy advisors, consultants, or engagement services, ensure they are aware of the new Code and have measures in place to support your compliance. A review of contracts and expectations would also be beneficial to align with the Code’s tailored principles for these providers.
There is also the option to submit feedback on the draft guidance (especially for non-equity asset classes) before the 31 August 2025 deadline (Comments can be sent to [email protected]).

EDPB Finalizes Guidelines on Data Transfers to Third Country Authorities and Training Materials on AI and Data Protection

Data Transfers to Third Country Authorities
On June 4, 2025, the European Data Protection Board (“EDPB”) published the final version of Guidelines 02/2024 on Article 48 of the GDPR (the “Guidelines”) regarding data transfers to third country authorities.
The predominant focus of the Guidelines is to clarify that judgements or decisions from third country authorities cannot be automatically or directly recognized or enforced in an EU Member State, reaffirming that a request from a foreign authority does not inherently constitute a legal basis for the processing or a ground for the transfer.
The Guidelines highlight that international agreements may provide for both a legal basis and a ground for transfer, although the Guidelines also recognize that other legal bases or grounds for transfer could be considered where no international agreement exists or where such agreement lacks adequate safeguards. However, while other bases under Article 6 may be suitable, the EDPB clarified that Article 6(1)(b), which provides a lawful basis where processing is necessary for the performance of a contract, cannot be relied upon by a private entity in the EU as an appropriate legal basis to answer a request for transfer or disclosure from a third country authority.
For more information on the Guidelines, read our previous blog on the topic.
Training Materials on AI and Data Protection
During its June plenary meeting, the EDPB presented two new Support Pool of Experts projects, Law & Compliance in AI Security and Data Protection (aimed at data privacy officers and privacy professionals) and Fundamentals of Secure AI Systems with Personal Data (aimed at cybersecurity professionals, developers or deployers of high-risk AI systems), to provide training materials on AI and data protection.
The EDPB hopes that the projects will help provide professionals with essential competences in AI and data protection, creating a “more favorable environment for the enforcement of data protection legislation.”
With the reports, the EDPB, factoring in the “very fast evolution of AI,” has launched a one-year pilot project consisting of a modifiable community version of the reports, enabling external contributors to propose changes or add comments to the documents.