Microsoft's facing a £2 billion lawsuit in the UK over its cloud computing and software licensing practices.

A lawsuit brought by competition lawyer Maria Luisa Stasi on behalf of nearly 60,000 businesses alleges that the company has been overcharging UK organizations that use its Windows Server on rival cloud services.

And the Competition Appeal Tribunal (CAT) has now ruled that the case can go ahead, dismissing Microsoft's arguments and saying that the case 'comfortably crosses the hurdle of having a real prospect of success'. It's granted a Collective Proceedings Order (CPO) on an opt-out basis.

"Today's ruling is an important moment for the thousands of organizations impacted by Microsoft's conduct and in ensuring that a critical sector of the economy is innovative and open," said Stasi.

"For years, Microsoft's practices have had real financial impact on both public and private organizations. I'm now looking forward to preparing for trial and getting their money back on their behalf."

The lawsuit alleges that customers using Amazon Web Services (AWS), Google Cloud Platform (GCP) or Alibaba Cloud, rather than Microsoft Azure, were charged higher licensing fees for Windows Server.

The Services Provider License Agreement (SPLA), it said, also offers lower quality services than the Microsoft Azure licensing deal.

"We are very pleased with the Tribunal's decision, including its confirmation that Dr Stasi's action should proceed on an opt-out basis, as sought in her application," said James Hain-Cole, partner at law firm Scott+Scott, which is leading the case.

"Certification of this claim is a pivotal step in securing compensation for thousands of businesses and organisations. The decision illustrates the importance of the regime for UK businesses who, like consumers, require and deserve the access to justice that it was designed to offer."

Microsoft, which has claimed that its business model improves competition, said it planned to appeal against the CAT's decision.

This case is one of many challenging Microsoft's licensing practices. Last month, the UK Competition and Markets Authority (CMA) said it planned to open a strategic market status investigation in May, covering the firm's licensing practices in relation to Microsoft 365.

In November last year, the European Commission announced another investigation to assess whether Microsoft should be designated as a 'gatekeeper' for its cloud computing services under the Digital Markets Act (DMA), despite not technically meeting the DMA gatekeeper thresholds for size, user number, and market position.

And last summer, the firm settled a $22 million case with cloud industry group Cloud Infrastructure Service Providers in Europe (CISPE) that claimed customers on non-Azure platforms were paying a 20% surcharge on Microsoft software. Other investigations have been launched over the last year in Brazil, Switzerland, the US, and Japan.

The Scottish government has released a new five-year AI action plan, aiming to help businesses expand their use of AI to develop new products and services, grow market share, and generate new jobs and investment.

Scotland's AI Strategy 2026-2031 calls for the rollout of a national AI adoption program, with a jobs panel to assess AI's impact on the workforce, along with an AI leadership academy. An independent expert advisory board will provide strategic guidance on the strategy's delivery, with "AI Champions" representing priority sectors and regions.

"The unprecedented pace at which AI is increasing and evolving presents an enormous opportunity. It has the potential to be genuinely transformative – for every sector of our economy, and for people from all backgrounds and communities," said deputy first minister Kate Forbes.

"This strategy sets out a clear plan to harness the economic and social benefits of AI responsibly with practical, tangible steps to be taken this year to help ensure we translate our innovation and expertise into more businesses, jobs, and investment."

She said the plan would involve Scotland's enterprise agencies, The Data Lab, and other partners.

Independent analysis by GC Insight has indicated the AI sector could be worth an extra £23 billion to the Scottish economy by 2035, with the cumulative additional GDP generated amounting to £140.75 billion between 2025 and 2035.

"Scotland is quietly doing some of the most interesting work in AI anywhere," commented Rich Wilson, CEO and co-founder of Gigged.AI.

"We have world-class universities leading the way in research, and we are increasingly seeing collaboration between start-ups and large enterprises to build practical AI applications. Collaboration will be key to competing on the global stage."

The plan lists a series of key actions to be completed before the end of March 2027. These include positioning AI Scotland as the national flagship program driving strategy delivery, and working to showcase Scotland's AI strengths on the global stage.

Along with the appointment of AI industry champions reporting to an independent Expert Advisory Board, a Future Jobs Panel will assess AI's workforce impact and guide national skills planning.

A nationwide engagement program will be launched to listen to concerns and develop solutions that ensure public trust and confidence, with a rigorous, trusted framework to ensure the safe, ethical, and efficient use of AI across health and social care services.

There will be a new boost to the national AI adoption program to accelerate SME productivity and competitiveness, the government said, including a new AI Leadership Academy.

Meanwhile, there are plans to pilot an AI Scaleup Accelerator connecting high-growth companies with experienced entrepreneurs and investment networks, as well as an innovation program to apply commercial and research expertise in AI to the delivery of public services.

The government also said it will work with partners to promote Scotland as a centre for green data centers and maximise the economic potential of the Lanarkshire AI Growth Zone.

And, finally, a data matchmaking pilot will enable organizations to access trusted public-sector datasets to support data-driven innovation.

"This strategy sets out our ambition to build on Scotland's unique strengths, delivering tangible benefits for our people, businesses, and communities. It shows how government, industry, and academia will work together to shape our national response, and to ensure Scotland remains in the vanguard of this new technology in the years ahead," said Forbes.

"Our ambition is clear: to secure the benefits of AI for everyone in Scotland. That means boosting our economy, closing the productivity gap, and driving innovation while also supporting improvement to our health and education outcomes and increasing the efficiency and quality of our public services."

Kyndryl has announced a new “policy as code” feature aimed at helping organizations scale agentic AI across complex and regulated environments.

The idea is to turn a company's organizational rules, regulatory requirements, and operational controls into machine‑readable policies that govern where agents can and can’t operate.

"Organizations typically implement policy as code through a combination of declarative policy languages and enforcement engines," explained Patrick Gormley, Kyndryl's global data science and AI consult lead.

"In other words, they incorporate the appropriate regulations and operational rules into code that AI agents can read and must obey. If it’s in the code, the AI agent must execute. And if an instruction is not in the code, the AI agent cannot see or act upon it."

The move comes amid growing regulatory compliance concerns for enterprises ramping up agentic AI adoption. According to Kyndryl, more than three-in-ten of its customers have complained that compliance issues are seriously limiting their ability to scale recent technology investments.

The new policy as code capability aims to address this by defining operational boundaries and designing agents' actions to remain explainable, reviewable, and aligned with customer-defined business and regulatory requirements.

This new feature will be embedded directly into the Kyndryl Agentic AI Framework, launched last summer as a portfolio of specialized, self-directed, self-learning AI agents.

"Kyndryl's policy as code capability overcomes limitations of conventional AI agent controls and provides the structure customers need as they adopt agentic AI solutions," said Ismail Amla, senior vice president, Kyndryl Consult.

What to expect with Kyndryl’s ‘policy as code’

Features include deterministic execution, with agents only executing actions that have been permitted and enforced in advance.

Guardrails block unpredictable or unauthorized actions along the workflow, eliminating the operational impact of agentic hallucinations, and each agent action and decision is logged and explainable, supporting compliance and oversight.

Notably, decisions are subject to human supervision, with agents executing tasks aligned with established and testable policies that are monitored via a dashboard.

Gormley said policy as code should be particularly valuable in heavily regulated industries, such as financial services, healthcare and government.

"Policy as code helps enable these industries to realize the full benefits of AI and agentic AI by reducing the risk of the types of compliance failures that damage reputations and incur heavy financial penalties," he said.

"By enforcing programmatic rules at scale, policy as code helps eliminate the human error that can lead to granting inappropriate permissions to AI, interpreting rules and regulations inconsistently, and failing to document exceptions to standard operations."

FOLLOW US ON SOCIAL MEDIA

Europe’s long-running struggle to define digital sovereignty – and to turn it into something practical – is reaching an inflection point.

That was the message at this year’s Gaia-X Summit in Porto, where executives and governments argued that the continent finally has the technical foundations for sovereign data sharing.

All it needs now is the political will, economic models, and global partnerships to make it work at scale.

Gaia-X is a Brussels-based industry association bringing together European enterprises, technology vendors, cloud providers, standards bodies, and public sector institutions.

Its purpose is to build a common, verifiable framework: the Gaia-X Trust Framework. This framework is designed to define how organizations can share, store, and govern data in interoperable, sovereign, and audit-ready ways.

The initiative now underpins dozens of projects in manufacturing, energy, aerospace, mobility, finance and healthcare.

Unlike early misconceptions, Gaia-X is not a cloud provider. It sets rules around identity, compliance automation, service labelling, policy enforcement, and interoperability that cloud and data ecosystem providers must adhere to if they want to be considered sovereign-ready.

From pilots to real deployments

Gaia-X CEO Ulrich Ahle opened the Summit by admitting that while conceptual momentum is strong, adoption remains thin on the ground.

Europe has “more than 150 implementation projects in Europe at the moment in preparation,” but “we still have just a handful of operational databases really implementing benefits for their end users,” he said.

To help change that, Gaia-X will release its first multi-provider catalogue: 600 services from 15 providers aligned to four security and sovereignty levels. Ahle also reiterated Gaia-X’s near-term growth target: 1,000 services by the end of the year, scaling to 3,000 afterwards.

The top tier of the catalogue – Gaia-X Label Level 3 – is designed for maximum sensitivity use cases such as aerospace, energy, and national infrastructure workloads. Critically, Level 3 services can only be delivered by providers that have their headquarters in Europe, ensuring they are not subject to extraterritorial laws like the US Cloud Act.

EDF’s nuclear station program illustrates the demand: its data space is “requesting the highest level of security… the Gaia-X label level three. And this highest level security is reality,” said Ahle.

It’s worth noting that the conversation around digital sovereignty in Europe has shifted dramatically in the last two years, driven by one factor: AI systems that ingest sensitive, large-scale operational data.

“Trustful AI needs trustful data. And here, data sovereignty is of utmost importance,” said Ahle.

Hyperscalers: foundational but insufficient

CIOs and CTOs know the hyperscalers aren’t going anywhere. Gaia-X leaders know it too. But the limits of “sovereign cloud” offerings from US players were addressed without ambiguity.

Even when operated inside Europe by European employees, those services “are still under the American legislation, under the Cloud Act,” said Ahle. That constraint may be acceptable for 90% of enterprise workloads, but not for the 10% that carry regulatory, national infrastructure, or safety-critical risks.

Chairwoman of the Gaia-X Board and EVP digital at Airbus, Catherine Jestin, put it more bluntly: “The fact you have not done it in the past doesn’t guarantee that you will do it in the future.”

This is why Airbus does use hyperscaler services – but not for its most sensitive workloads: “I really love to work with AWS, with Google and Microsoft… but not for the most critical applications and services.”

For IT teams, this is the emerging pattern: hyperscalers for scale, elasticity and tooling; sovereign frameworks for critical data integrity, compliance automation, and legal insulation.

When asked whether trust in US providers had worsened under President Donald Trump’s second term in office, Jestin noted, “It hasn’t helped.”

This aligns with the wider shift across Europe. For years, EU member states could not agree on whether stringent sovereignty rules were needed. But now, Jestin said, “we see with the latest publication from the European Commission that’s now… on the top of the agenda.”

CIOs designing long-term cloud strategies could see certifications, service labels, and jurisdictional guarantees increasingly required by regulators and embedded into RFPs.

Operating a data space is not free

One of the most useful insights for IT leaders came from Jestin, who highlighted the hidden operational costs of building and maintaining data spaces – the very reason many sovereign cloud initiatives fail internally.

Running a compliant data space requires organizations to “maintain and support the connectors… to maintain [and] support Identity and Access Management (IAM)… to maintain the contracts.”

Without sustainable economics, she warned, “you just go in a negative spiral, and your data space will not be successful in the future.”

To address this, Gaia-X is working with economists at Paris Dauphine University to model participant roles, orchestrator responsibilities, and cost-recovery mechanisms to ensure sovereignty is engineered as a business model, not just a compliance posture.

The bottom line for CIOs, CTOs, and architects

Gaia-X said it’s not trying to reinvent the cloud. Rather it’s trying to standardize trust, compliance, and verifiability in a market dominated by providers whose legal obligations don’t always align with European sovereignty requirements.

The Porto Summit’s message was that sovereignty is becoming programmable through labels, identity rules, compliance automation, and clearing houses.

Yes, hyperscalers remain essential, but they are no longer sufficient for high-risk workloads. AI governance is elevating data integrity and traceability to strategic priorities.

Economic models for data spaces must be planned upfront, not retrofitted. And geopolitics has entered the IT architecture stack in a way organizations can no longer ignore.

“Technology is ready. It is about adoption… and sustainable operation,” Ahle said.

MORE FROM ITPRO

• So much for data sovereignty — AI infrastructure is dominated by just a handful of countries
• Can the UK achieve AI sovereignty?
• SAP wants to take data sovereignty to the next level with new 'on-site' infrastructure options

Laws to regulate AI have hit a hurdle following pushback from big tech and US President Donald Trump.

In the US, Trump is considering using an executive order to ban regulations to rein in AI, according to Reuters, while in Europe, the European Commission said it wants to delay some aspects of the AI Act in response to complaints from big tech over bureaucracy.

With no federal laws regulating AI forthcoming in the US, some states have pushed to enact their own local legislation, including recent laws in California and Colorado.

The Trump administration has previously attempted to block such state-level AI laws by including a 10-year moratorium on local regulation in his "big, beautiful bill" over the summer, though that was thwarted by the Senate. Earlier this week, Trump backed plans to add a similar ban in the National Defense Authorization Act.

Now, the president is considering using an executive order in an attempt to discourage any state-level AI laws by threatening lawsuits or withholding federal funding, according to a draft of the document seen by Reuters.

As drafted, the order would establish an "AI Litigation Task Force" led by Attorney General Pam Bondi to challenge in court any state that implements AI regulation, on the grounds that "such laws unconstitutionally regulate interstate commerce" and are preempted by existing federal rules.

The order would also see the Department of Commerce refuse to allocate funding for broadband to states that don't comply.

Colorado recently approved a rule designed to prevent algorithmic discrimination – highlighting a long-running issue of bias in large-language models (LLMs), which the draft order seen by Reuters noted may force "AI models to embed DEI in their programming".

California has also wrangled with a series of AI laws, and recently passed a law around disclosure that would require companies tell the government how they plan to avoid serious risks and fess up to any critical safety incidents.

A White House official did not confirm the order to Reuters, and said it was speculation.

European regulation delays

Over in Europe, the European Commission has suggested delaying some aspects of the EU AI Act for 16 months and tweaking others as part of a move which sparked concerns it's responding to criticism from American tech giants.

The commission said the move was part of wider efforts to "simplify existing rules" on AI, cybersecurity, and data in its Digital Omnibus, which aims to streamline technology-focused laws to make them easier to manage for companies.

The EU’s economy commissioner, Valdis Dombrovskis, said the measures would save businesses and consumers alike €5bn in red-tape related costs by 2029.

He added: "Europe has not so far reaped the full benefits of the digital revolution and we cannot afford to continue to pay the price for failing to keep up with a changing world."

Criticism of delay

Critics disagreed on the value, however. Blue Duangdjai Tiyavorabun, Policy Advisor at European Digital Rights (EDRi), suggated the Digital Omnibus is a “full-on betrayal of Europe’s promise”.

"They are trading the protection of people from harmful AI systems for hollow promises of ‘innovation’. This is no shocker: when tech money flows like water in Brussels, guess who is steering the ship?"

A Commission official said during a briefing: "Simplification is not deregulation. Simplification means that we are taking a critical look at our regulatory landscape."

Alongside delaying the timeline for implementing "high-risk rules" by 16 months to December 2027 from August 2026, the Commission said it would extend some rule simplifications for small businesses and small mid-cap companies.

Elsewhere, it plans to extend compliance measures so more companies can use regulator sandboxes in core industries like automotive and centralize oversight on AI systems to help reduce governance fragmentation.

"Efficient implementation of the AI Act will have a positive impact on society, safety and fundamental rights," the EC said in a statement. "Guidance and support are essential for the roll-out of any new law, and this is no different for the AI Act."

Thierry Breton, former European commissioner for the internal market and digital affairs, wrote in the Guardian, that Europe should be proud of its AI laws.

"We should resist any attempt to unravel these laws, through 'omnibus' bills or otherwise, mere months after they have entered into force, under the pretext of simplification or remedying an alleged 'anti-innovation' bias," he said.

"No one is fooled over the transatlantic origin of these attempts. So let’s not be useful idiots."

MORE FROM ITPRO

• Is the UK falling behind the EU on AI regulation?
• The fractured regulatory landscape tech companies face in 2025
• Three things you need to know about the EU Data Act

A host of key provisions in the EU Data Act will come into effect on 12 September, and there’s a lot for businesses to unpack.

The regulation came into force on 11 January 2024 and while a grace period has been running to ensure implementation, rules under the legislation will be applicable across the European Union (EU) from here onward.

At its core, the EU Data Act will introduce sweeping changes with regard to how data from connected devices and cloud services is accessed, managed, and shared across the union. This includes new rules on data access, service portability for organizations, and contractual fairness.

The potential long-term impact of the legislation cannot be understated, according to Soniya Bopache, VP and general manager for data compliance at Arctera.

“The EU Data Act has the potential to foster a more competitive and equitable data economy – largely thanks to its provisions on data access, fair contractual terms, and cloud switching,” she said.

“For businesses governed by the Act, this isn’t just a matter of compliance, it’s an opportunity to build a more transparent, efficient, and innovative digital ecosystem.”

So what can businesses expect with the EU Data Act?

What industries fall under the EU Data Act?

The legislation applies to a broad range of sectors, spanning areas such as manufacturing, cloud computing, transport, and consumer goods.

Moreover, it’s not limited to the private sector, with public sector organizations also expected to benefit from the legislation, according to Peter Grimmond, VP and head of technology at Cohesity.

“The EU Data Act has huge potential to deliver acceleration of both public and private sector innovation, through increased data democratization and access,” he said.

“For all enterprise and public sector organisations that have a robust, compliant, data classification processes already in place, the act will create an environment of collaboration and innovation where innovation can thrive without compromising corporate resilience or individual rights”

Data Access and Transparency

Data access and transparency is a key focus of the legislation, according to official EU materials on the Act.

Fundamentally, the regulations are designed to “enhance the EU’s data economy and foster a competitive data market” by making data more accessible and usable.

The move comes in the wake of an explosion of connected devices across the union in recent years. These IoT products collect vast volumes of data, which the legislation aims to capitalize on for reuse across the region.

To achieve this, new rules under the act will give users of connected devices - including businesses and individuals - greater control over the data they produce.

Similarly, the Act also includes rules on how enterprises can share data with other businesses. According to Grimmond, this aspect of the legislation could deliver positive long-term benefits for both businesses and consumers alike.

“It will speed the ability for data to be shared from more devices across more organisations, and opens the door for the development of new products, services, and ways of doing business,” he explained.

“Crucially, it does this without undermining the robust privacy standards that are the EU’s hallmark regulatory framework: building on GDPR’s global standard for privacy and aligning with DORA’s focus on digital operational resilience.”

Cloud service flexibility

As mentioned, another core aspect of the legislation centers around data portability, particularly with regard to cloud services. The Act aims to provide enterprises more flexibility in how they engage with cloud providers and, crucially, switching or opting for multiple options.

This aspect of the legislation comes in direct response to growing calls for a more fluid and competitive cloud computing industry in the EU, with enterprises having contended with “vendor lock-in” for several years now.

Running parallel to this frustration has been the rise of multi-cloud and hybrid cloud strategies, whereby enterprises host data on multiple providers, or through a combination of on-prem and cloud-based services.

Yet businesses with one particular cloud provider aiming to switch to another have faced significant costs transferring data. These “egress fees” have become a recurring point of contention and even prompted legal action against major industry providers.

With this in mind, the EU Data Act includes measures that ensure customers can switch from one data processing service to another in a more efficient manner.

Notably, the Act doesn’t specifically rule out vendors charging fees for data transfers. However, it obliges cloud providers to pass on these costs to the customer rather than charging excessive payments.

Some providers have taken steps to adhere to the new legislation. Google Cloud, for example, recently announced it would waive data transfer fees for customers switching to another provider.

MORE FROM ITPRO

• DORA and why resilience (once again) matters to the board
• Everything you need to know about the NIS2 Directive
• What businesses need to know about the General-Purpose AI Code of Practice

A majority of cyber professionals believe responsibility for security and regulatory compliance lies with the board, according to new research.

CIISec’s recent State of the Security Profession report shows 91% of practitioners believe the burden for security lies with the board, and not security managers or CISOs.

Notably, more than half (56%) said they believe senior management figures should “face consequences”, including fines, prosecution, and sanctions, for serious cybersecurity failings.

Just 34% believe the employee who breached policy - if that’s the case - should be held responsible.

Amanda Finch, CEO of CIISec, said the study highlights the need for a more aligned approach to cybersecurity between the board and frontline practitioners.

“If the buck stops with senior management – as the survey makes clear – our profession must take a more collaborative approach to security, ensuring the board is aware of the risks and included in major decisions,” she said.

“This means more learning for cybersecurity professionals, improved understanding of regulations and developing better communication of risk to stakeholders outside of the security function.”

Regulatory concerns drive demand for change

A key factor behind changing sentiment on board-level responsibility comes amidst a period of growing regulatory scrutiny on both sides of the Atlantic, Finch noted.

The introduction of the EU AI Act, DORA, NIS2, and the UK’s Data (Use and Access) Bill, mean practitioners are more conscious of regulatory compliance than ever before.

“It’s important to remember that regulations aren’t imposed to make the security profession more challenging, although sometimes it may feel that way,” she said.

“They have been developed to help address failures from the past, close gaps that have previously been overlooked and establish a minimum standard across the industry.”

Finch noted that while these regulations have created fresh challenges for enterprises and security professionals alike, they serve a vital purpose and therefore require close attention.

“These laws have been introduced to protect citizens, improve their quality of life and ensure that businesses can be held accountable for irresponsible actions,” she added.

“As cybersecurity matures as a profession, we should view increased regulation not as a burden but as a sign of progress.”

Compliance is easier said than done, however. Research earlier this year showed a significant number of companies were struggling to achieve compliance with NIS2 regulations.

Separate research on DORA showed four-in-ten UK financial services firms were struggling to achieve compliance with the legislation ahead of its introduction.

MORE FROM ITPRO

• Why does cybersecurity still struggle with professionalization?
• Cyber professionals call for a 'strategic pause' on AI adoption
• Work-related stress “keeps cyber security professionals awake at night”

The second major enforcement deadline for the EU AI Act is approaching, meaning big tech firms will face a greater degree of scrutiny over AI model safety.

From August 2nd, new governance rules for general-purpose AI (GPAI) models will be introduced through a voluntary Code of Practice.

The deadline represents the second major enforcement date for the landmark legislation this year, following on from a February deadline which focused primarily on prohibited use cases.

Enza Iannopollo, VP principal analyst at Forrester, said that while the onus will be placed on providers, enterprise end-users will also likely feel the impact of the new rules.

“Whilst the first regulatory milestone on 2nd February focused on requirements, including those on prohibited use cases, this second deadline expands accountability and enforcement as it introduces critical provisions regarding general-purpose AI (GPAI) models,” she explained.

“Providers of generative AI models are directly responsible for meeting these new rules, however it’s worth noting that any company using genAI models and systems — those directly purchased from genAI providers or embedded in other technologies — will feel the impact of these requirements on their value chain and on their third-party risk management practices.” 

What the GPAI code of practice means for businesses

The GPAI code of practice will enforce more robust guardrails for training AI models, according to EU lawmakers, and is based on three key pillars.

This includes greater transparency, meaning AI model providers are required to document and disclose training processes and share information on models with regulators.

Safety and security are a key focus of the code, again focusing on whether GPAI models pose risks to the public or enterprises. Under the new rules, providers are required to assess and document potential harms and take appropriate action to reduce any risks.

Dirk Schrader, resident CISO (EMEA) and VP of security research at Netwrix, said security considerations in the act are welcomed and help create a more aligned approach to AI-related security risks.

“One of the most significant anticipated successes of the Act is the standardization of AI security across the European Union, creating a harmonized, EU-wide security baseline,” he said.

“A key strength of the proposed regulations is their emphasis on a security-by-design ethos, mandating a lifecycle approach that integrates security considerations from the outset and throughout an AI system's operational life.”

Security considerations do raise questions over compliance, however. Simply put, there isn’t a solid baseline for enterprises to work from with regard to AI-related security risks at this stage.

“The Act is the first major law to call out protections against data poisoning, model poisoning, adversarial examples, confidentiality attacks, and model flaws,” he said.

“The real compliance burden will be determined by technical specifications that don't yet exist, as these will define the practical meaning of 'appropriate level of cybersecurity' and may evolve rapidly as AI threats mature.”

Elsewhere, rules pertaining to copyright are also outlined in the code of practice, and this has been a major point of contention in recent months. For example, under the code, signatories must ensure training data is sourced lawfully.

A host of major tech companies have agreed to the code of practice, most recently Google and OpenAI. Some, however, have taken a harder stance.

Earlier this month, Meta revealed it won’t sign up for the code of practice amid what it described as concerns over “legal uncertainties”.

In a LinkedIn post clarifying the company’s stance on the code, Meta’s chief global affairs officer Joel Kaplan said the code will introduce measures which “go far beyond the scope of the AI Act”.

"Europe is heading down the wrong path on AI. We have carefully reviewed the European Commission’s Code of Practice for general-purpose AI (GPAI) models and Meta won’t be signing it," he said.

The risks of non-compliance

Organizations that fail to comply with the EU AI Act face serious repercussions, and while the new code of practice is voluntary, Iannopollo said it’s crucial that enterprises operating in the region pay close attention to the enforcement deadline.

“Like it or not, the EU AI Act will contribute to shape AI risk management and AI governance practices of most global companies,” she said. “Its requirements may not be perfect, but they are the only binding set of rules on AI with global reach, and it represents the only realistic option of trustworthy AI and responsible innovation.

“It’s crucial that companies operating AI technology in the EU, or using AI-generated insights within the EU market, pay attention to this enforcement milestone.”

The EU AI Act contains “significant fines” for non-compliance, including up to 7% of a company’s global turnover. Iannopollo noted that not all the authorities responsible for enforcement are up and running yet, but others are, including the EU AI Office.

“Companies, make no mistake: there will be action in the next few months,” she said.

MORE FROM ITPRO

• The EU just shelved its AI liability directive
• How the EU AI Act compares to other international regulatory approaches
• Everything you need to know about the EU AI Act

Meta has said it won't sign up for the EU's code of practice for providers of general-purpose AI models, citing concerns over "legal uncertainties".

The voluntary guidelines form part of the EU AI Act, due to come into force next month. They ask companies to, amongst other things, refrain from training AI on pirated materials and comply with requests from content creators to omit their work from training data.

As part of the rules, providers are also required to issue regular updates on AI tools and services.

While the code is voluntary, the EU has said that AI providers who don't sign up will be expected to demonstrate compliance by other means, and might face more regulatory scrutiny.

Meta has hit back at lawmakers, however, accusing the EU of overreach.

"Europe is heading down the wrong path on AI. We have carefully reviewed the European Commission’s Code of Practice for general-purpose AI (GPAI) models and Meta won’t be signing it," wrote chief global affairs officer Joel Kaplan in a post on LinkedIn.

"This Code introduces a number of legal uncertainties for model developers, as well as measures which go far beyond the scope of the AI Act."

Meta has history with the EU

Meta has been complaining about the AI Act for a while. Last summer, Mark Zuckerberg and Spotify CEO Daniel Ek issued a joint statement saying that "Europe’s risk-averse, complex regulation could prevent it from capitalizing on the big bets that can translate into big rewards."

The tech giant has support from US president Donald Trump on the issue, who has called for the AI Act to be paused - although the EU appears to be standing firm.

Henna Virkkunen, the European Commission vice-president responsible for tech sovereignty, recently said lawmakers are "very committed to our rules when it comes to the digital world".

Earlier this month, companies including Google, Meta, Airbus, BNP Paribas, and TotalEnergies called for a two-year delay in implementation, claiming that as it stands, the AI Act will stifle innovation.

"Businesses and policymakers across Europe have spoken out against this regulation. Earlier this month, over 40 of Europe’s largest businesses signed a letter calling for the Commission to ‘Stop the Clock’ in its implementation," said Kaplan.

"We share concerns raised by these businesses that this over-reach will throttle the development and deployment of frontier AI models in Europe, and stunt European companies looking to build businesses on top of them."

OpenAI and Mistral have already signed the code - although the latter has voiced concerns about the impact of the legislation.

"Compliance with the Code and the AI Act’s risk based framework must be as simple and streamlined as possible for the homegrown start-ups and smaller businesses that will be the future leaders of Europe’s AI-first economy," said OpenAI in a statement.

"We have advocated⁠ for greater simplification and harmonization to support these next generation companies and will continue to back their concerns, as they are key to AI of, by and for Europe."

MORE FROM ITPRO

• The UK government is working with Meta to create an AI engineering dream team
• Meta faces new ‘open washing’ accusations with AI whitepaper
• Meta is working on a 5GW data center to supercharge AI infrastructure

Apple is pushing back against new app store rules imposed by the European Commission (EC), claiming the EU body has taken changes and a €500 million (£430m) fine too far.

The EC levied the fine in April, arguing Apple was in breach of anti-steering obligations in the EU Digital Markets Act (DMA). That refers to Apple's long-running ban on alternative app stores and rules that stop developers from telling users about discounts or other offers outside of the Apple platform.

Apple previously took a cut of up to 30% on sales inside apps and has been locked in a war of words over the practice with developers.

The tech giant complied with the app store rule changes last month in order to avoid additional fines that could reach 5% of its average revenue globally.

That included a wider range of commission rates up to 13%, alongside user acquisition fees, with the costs dependent on what marketing support the developer wants in the App Store as well as technical aspects such as automatic updates.

Developers will also be able to promote alternative ways of purchasing services outside the app, though Apple would charge a commission on sales advertised via apps in its App Store.

Apple is baffled, the EC is standing firm

Key to Apple’s argument, and appeal, is that the company claims this new system is "confusing" to business users.

"Today we filed our appeal because we believe the European Commission’s decision – and their unprecedented fine – go far beyond what the law requires," said Apple in a statement.

"As our appeal will show, the EC is mandating how we run our store and forcing business terms which are confusing for developers and bad for users."

Apple has yet to reply to a request for comment from ITPro.

The Commission, meanwhile, is standing by its decision. In a statement responding to the appeal, it said: "We stand ready to defend our decisions in court.”

The EC previously said that Apple shouldn't charge developers for the right to "steer" customers, suggesting that a commission on sales promoted in-app wouldn't meet requirements.

Political battle

A legal expert told The Guardian that Apple may be employing delay tactics.

"The blunt truth is that it is worth spending a few million on legal fees in order to disrupt and delay the development of a more open app ecosystem, which is a market that is worth many billions a year to Apple," Tom Smith, a competition lawyer at Geradin Partners, told the publication.

The app store quarrel isn't the only ongoing battle between the EU and tech companies. In April, Meta was hit with a €200m fine for charging users to get rid of ads, while last year Apple was fined €1.8bn over music streaming competition.

The appeal comes ahead of US President Donald Trump's 9 July deadline to settle a trade deal with the EU or risk 50% tariffs. The Trump administration has repeatedly said the EU is targeting US tech companies in retaliation for trade disruption and other political concerns, with Trump trade advisor Peter Navarro calling it "lawfare".

EU action against tech giants stretches back well before even the first Trump administration, with a €497 million fine against Microsoft in 2004 over Windows Media Player bundling that was later increased to €899 million for non-compliance.

That was followed by cases against Intel in 2009, an investigation against Google on search that began in 2010, and investigations into taxes that pulled in Apple and Amazon beginning in 2014.

That said, things have accelerated since 2017 with a €2.42bn fine against Google over price comparison shopping services. In subsequent years, EU lawmakers imposed a €4.34bn for Android and €1.49bn over AdSense, with other cases targeting Apple, Amazon and Meta in recent years.

MORE FROM ITPRO

• Apple throws cold water on the potential of AI reasoning
• Apple is offering rewards of up to $1 million to find critical flaws in its private AI cloud systems
• Apple: Our AI data was gathered responsibly

Former Google CEO Eric Schmidt has hit out at EU AI regulation, suggesting overburdening rules put European companies at an inherent disadvantage compared to global counterparts.

Speaking on the BBC Radio 4Today program, Schmidt said a combination of factors are hampering AI innovation in the region, including restrictive regulation and the natural “structure” of European markets.

Reflecting on his time at Google, Schmidt said he worked for “at least 10 years to try to get Europe up to the bar”, noting that lucrative talent pools on both the continent and in the UK give enterprises a prime opportunity to compete.

Regulatory barriers, however, are preventing the region from making any headway in the global AI race.

“The system doesn't work, right? They can't build big enough companies. The markets are not integrated. Partly it's just the structure of Europe, but it’s also that Brussels, in addition to promising uniform markets, also regulates in a particularly strong way,” he said.

“The result of this is that the AI revolution, which is the most important revolution in my opinion since electricity, is not going to be invented in Europe, and that's to Europe's disservice,” Schmidt added.

“Europe could do it, but it's chosen not to do it, and I'm really quite brutal on this.”

Fair game in the US AI market

The situation is quite different across the Atlantic, Schmidt noted. The US’ approach to AI development stands in stark contrast to the European market, with lawmakers and enterprises alike engaged in a rabid race to the top.

With the Trump administration now in place in Washington DC, Schmidt pointed to a sense of burgeoning optimism among leading enterprises in the AI space, many of whom have invested billions of dollars thus far and intend to ramp up spending in the year ahead.

So far this year, Meta, AWS, Microsoft, and Google have all outlined plans to accelerate capital expenditure – and a key factor in this will be expanding AI infrastructure. Meta, for example, expected to spend upwards of $60 billion this year, marking a significant increase from $39 billion in 2024.

“When I looked at the swearing in with my friends behind the president I thought, ‘wow, we have arrived’ - and that doesn’t necessarily mean that we are going to be unregulated,” he said.

“It means the inverse in my view,” he added. “Everyone, starting with you, are watching what we're doing, which I view as a good thing.”

This doesn’t mean that the US will pursue a ‘Wild West’ approach to AI development, however. Instead, providing enterprises the regulatory flexibility to develop AI models and adopting a gentler approach is the ideal situation.

“The truth is that AI and the future is largely going to be built by private companies,” Schmidt said.

“It has to do with the incentives and the money, where the talent is, and how the world works, they're not going to be built in the equivalent of a Manhattan Project.”

Schmidt noted that it’s “really important that governments understand what we’re doing and keep their eye on us”.

“We’re not arguing that we should unilaterally be able to do things without oversight,” he added.

Schmidt has been highly vocal on the potential dangers posed by unchecked AI development in recent months, warning that systems could be used by bad actors for nefarious purposes ranging from biological warfare to cyber crime.

Britain has an opportunity to differentiate itself

While discussions over the potential barriers to AI innovation in Europe continue, Schmidt did point to the UK’s opportunity, suggesting it can differentiate itself from European counterparts.

The UK joined the US in refusing to sign an international agreement on sustainable AI development at this week’s global summit in Paris, prompting suggestions an ‘Atlantic rift’ is opening up on the topic of AI.

This decision was based on concerns that the declaration lacked 'practical clarity', officials said, particularly on the issue of global governance and national security.

The UK’s approach to AI has deviated from that in Europe, and the current government has made clear it hopes to position itself as a global leader on this front by attracting international investment and building out infrastructure.

Notably, Schmidt said the UK has success stories to champion that will stand it in good stead.

“So some credit to Britain,” he said. “Much of the path to general intelligence was pioneered in King’s Cross in a building occupied by a subsidiary of Google called DeepMind by - now a Nobel Prize winner - Demis Hassabis.”

“What they have done is so extraordinary it should be a point of national pride,” Schmidt added. “It may be the most important thing that Britain has done in the last five years, in my opinion.”

Schmidt further hailed the government’s apparent pursuit US-style regulation, which involves consultation and close collaborative ties with industry.

“It looks to me like the pairing of the US and the UK is a winning strategy,” he said. “And it looks to me like the Europeans, because of Brussels, are being held behind.”

MORE FROM ITPRO

• Salesforce thinks the UK is ready to lead the next wave of AI
• Why the UK needs to look inward on AI legislation
• Google says UK needs policy step change to embrace its AI potential

The first of a number of enforcement actions for the EU AI Act have officially come into effect, and experts have warned firms should accelerate preparations for the next batch of deadlines.

Passed in March last year, the first elements of the EU’s landmark legislation came into effect on the 2nd February 2025, bringing with it a series of rules and regulations that AI developers and deployers must adhere to.

The EU AI Act employs a risk-based approach to assessing the potential impact of AI systems, designating them as being minimal, limited, or high-risk. High-risk systems, for example, are those defined as posing a potential threat to life, human rights, or financial livelihood.

These particular systems are in the crosshairs following the introduction of the new rules this month.

Speaking to ITPro ahead of the deadline, Enza Iannopollo, principal analyst at Forrester, said lawmakers specifically chose to target the most dangerous AI use cases with the first round of rules.

“Requirements enforced on this deadline focus on AI use-cases the EU considers pose the greatest risk to core Union values and fundamental rights, due to their potential negative impacts,” Iannopollo said.

“These rules are those related to prohibited AI use-cases, along with requirements related to AI literacy. Organizations that violate these rules could face severe fines — up to 7% of their global turnover — so it’s crucial that requirements are met effectively,” she added.

Iannopollo noted that fines will not be issued immediately, however, as details about sanctions are still a work-in-progress and the authorities in charge of enforcement are still not in place.

While there may not be any big fines in the headlines in the next few months, Iannopollo said this is still an important milestone.

Tim Roberts, UK country co-leader at AlixPartners, said the first set of compliance obligations will act similarly to GDPR, mainly in that they will apply to any organization doing business with AI models in Europe.

With this in mind, it’s critical that companies are aware of these first batch of rules, even if they are not EU-based.

“Naturally, this also reignites the debate about striking the right balance between innovation and regulation. But instead of seeing them as opposing forces, it’s more useful to think of them as two things we need to get right in parallel … because regulation can be a facilitator of innovation - not a blocker,” Roberts said.

“The speed at which AI is advancing has caused discomfort for some consumers, but strong safeguards can build trust and create a thriving (and fairer) environment for greater business innovation.

“The EU AI Act is an important first step in this journey, and its success will depend on how well it is applied and how well it evolves, with the end goal being smarter regulation that drives businesses to continue pushing boundaries for the benefit of all.”

EU AI Act: Firms should tighten up risk assessments

Due to the global reach of the Act and the fact that requirements span the entire AI value chain, Iannopollo said enterprises must ensure they adhere to the regulation.

“The EU AI Act will have a significant impact on AI governance globally. With these regulations, the EU has established the ‘de facto’ standard for trustworthy AI and AI risk management,” she added.

To prepare for the rules, enterprises are advised to begin refining risk assessment practices to ensure they’ve classified AI use cases in line with the designated risk categories contained in the Act.

Systems that would fall within the ‘prohibited’ category need to be switched off immediately.

“Finally, they need to be prepared for the next key deadline on 2nd August. By this date, the enforcement machine and sanctions will be in better shape, and authorities will be much more likely to sanction firms that are not compliant. In other words, this is when we will see a lot more action.”

The FCC has decided to impose new, more stringent requirements on telecom carriers to secure their networks in response to the recent Salt Typhoon threat campaign targeting the industry.

Jessica Rosenworcel, chairwoman at the FCC, said the body has taken action to ensure the nation’s communication systems are safeguarded against ongoing cyber threats, including state-sponsored attacks from sophisticated groups.

“In response to Salt Typhoon, there has been a government-wide effort to understand the nature and extent of this breach, what needs to happen to rid this exposure in our networks, and the steps required to ensure it never happens again," she said.

“At the Federal Communications Commission, we now have a choice to make. We can turn the other way and hope this threat goes away. But hope is not a plan.”

The Salt Typhoon group is thought to have been responsible for a spate of recent attacks on multiple major US telecommunication companies, including Verizon, and AT&T.

In December, White House deputy national security advisor Anne Neuberger said the group was able to use its access to record the conversations of high-ranking American political figures.

Rosenworcel added that it was time the US updated its regulation of network security in critical sectors such as communication.

“Leaving old policies in place when we know what new risks look like is not smart. Today, in light of the vulnerabilities exposed by Salt Typhoon, we need to take action to secure our networks. Our existing rules are not modern. It is time we update them to reflect current threats so that we have a fighting chance to ensure that state-sponsored cyberattacks do not succeed,” she said.

“The time to take this action is now. We do not have the luxury of waiting. Telecommunications networks are essential for everything in day-to-day life, from our national defense to public safety to economic growth. The actions we take and propose here will strengthen our cybersecurity safeguards and enhance our resilience against future attacks.”

Experts told ITPro that because the UK had more up to date regulations protecting communications, namely the Telecommunications Security Act (TSA), it was well-placed to address increased threats to its telecoms industry.

Moreover, during a press briefing at the end of 2024, Neuberger said that when discussing the recent intrusions with security colleagues from the UK, they argued that the UK’s more stringent regulations, such as the TSA, would have meant the attack was identified and contained far faster.

US authorities are now looking to address this security gap and ensure its critical communication infrastructure remains resilient to continued and more sophisticated attacks.

FCC sanctions hit China-linked ‘cyber actor’

The US Treasury Department has also imposed new sanctions on a Chinese individual as well as a cybersecurity company in the region for their involvement in the Salt Typhoon attacks against US telecoms companies.

The Office of Foreign Assets Control (OFAC), the body responsible for US economic sanctions, said Shanghai-based ‘cyber actor’ Yin Kecheng played a role in the recent Department of the Treasury network compromise.

It also revealed it would be sanctioning Sichaun Juxinhe Network Technology Co. Ltd, a cybersecurity firm based in Sichuan that was alleged to have had direct involvement in the Salt Typhoon group.

Sichuan Juxinhe Network Technology is said to have had “direct involvement in the exploitation of these US telecommunication and internet service provider companies”, according to a US Treasury Department press release.

Following the action taken by OFAC, announced on 17 January, all property and interests in property of Yin Kecheng and Sichuan Juxinhe Network Technology in the US will be blocked and relevant parties are required to notify OFAC.

“The Treasury Department will continue to use its authorities to hold accountable malicious cyber actors who target the American people, our companies, and the United States government, including those who have targeted the Treasury Department specifically,” said deputy secretary of the Treasury Asewale O. Adeyemo.

More than four-in-ten UK financial services firms look set to miss the deadline for compliance with the new Digital Operational Resilience Act (DORA) tomorrow.

Companies failing to comply with the regulations could face fines of up to 2% of worldwide daily turnover for as long as six months.

However, while nearly nine-in-ten UK CISOs and senior security decision makers believe that DORA will be beneficial, 43% said they won’t be compliant for at least three months.

"The regulatory landscape in the EU is heavily congested with several overlapping standards and laws now in effect," said Richard Lindsay, principal advisory consultant at Orange Cyberdefense, which commissioned the research.

"There is a lot to navigate, and we’re increasingly seeing businesses taking a more reactive approach to compliance requirements once the threat of reprisals becomes tangible."

"However, remaining non-compliant could have severe ramifications, with fines of up to 2% of global annual turnover and the potential of fines of over €1m for individual senior leadership."

The challenges in implementation varied from organization to organization, but included a lack of prioritization, the short timeline involved, a lack of skills, and a lack of visibility over supply chain or third-party partners, each cited by around a quarter of respondents.

To deal with these issues, virtually all said they planned to call on external support.

Budgetary constraints weren't highlighted as an issue, with 84% of respondents saying they had allocated funds ahead of the deadline. Around three-quarters have reallocated funding from other business areas, and around half have pulled in staff members from other projects.

In the longer term, though, two-thirds of CISOs and senior security decision makers believe that DORA will significantly increase cybersecurity costs.

The new regulations include more than 500 individual requirements, with businesses expected to implement essential protection, detection, containment, recovery, and repair measures.

Rules contained in the legislation place a strong emphasis on ICT risk management, incident reporting, operational resilience testing, and oversight of ICT third-party risks.

PwC has estimated that more than 22,200 financial bodies and IT service providers fall under the scope of the act. However, the EU is expected to take a targeted approach to any breaches, focusing on larger players and significant breaches.

The White House has launched a new cybersecurity label for internet-connected devices in a bid to help end-users quickly assess the security credentials of IoT systems.

The program will mean smart devices sold in the US can be given the ‘Cyber Trust Mark’ to indicate vendors have implemented essential security measures when developing their products.

“The U.S. Cyber Trust Mark program allows them to test products against established cybersecurity criteria from the U.S. National Institute of Standards and Technology via compliance testing by accredited labs, and earn the Cyber Trust Mark label,” the announcement stated.

The Cyber Trust Mark aims to “educate American consumers” and build their trust in connected devices amid rising IoT-based cyber attacks while incentivizing vendors to produce more secure devices by default.

The initiative has received praise from the wider security community, who generally identified its potential, but some stakeholders have expressed concern of a lack of rigorous testing for vendors looking to take advantage of the label.

Roger Grimes, defense evangelist at security awareness firm KnowBe4, praised the program’s overall aim but said the label would have more meaning if it included binding security requirements vendors would need to satisfy in order to receive the Mark.

"There are a lot of things to like about this program, especially the focus on IoT cybersecurity basics, such as changing default passwords, patching, data protection, and a software/hardware bill of materials. Allowing consumers to scan a QR code and get information from a decentralized IoT registry is a terrific idea. Those reasons alone are reasons enough for the program,” he argued.

“But the devil is in the details and many of the security requirements are really just recommendations, such as the entire program itself (i.e., vendors do not need to participate), are voluntary and only suggestions. I wish many basic cybersecurity defenses such as the customer being forced to change the default password and automatic patching were required to be in the program. It would make the program much more valuable.”

Weak requirements could allow vendors to skimp on cyber basics

Grimes used the example of including hard-coded default passwords in IoT devices, a security weakness that has plagued smart products for a number of years. He argues that the current version of the program could result in vendors merely paying lip service to addressing this vulnerability by notifying customers to change passwords, instead of removing the problem in the first place.

“As another example, vendors participating in the program must tell consumers if they have a hard-coded default password instead of just preventing any vendor from having a hard-coded default password.”

This may lead to inconsistency among vendors, Grimes warned, with some taking the Mark more seriously than others.

He argued the program lacks a clear way to distinguish which vendors are actually working to meaningfully secure their devices from those that aren’t, where both entities would be able to use the Trust Mark on their products.

“So, you could have some IoT vendors really going out of their way to make very secure products that require very little attention from the consumer and other IoT vendors not applying the same high cybersecurity practices and getting to use the same mark simply for telling the consumer they use substandard cybersecurity practices, assuming the consumer actually scans the QR code and reads the information,” Grimes said.

“Wouldn't it be better if the mark actually meant the vendor was using generally accepted safe cybersecurity practices?”

Grimes compared the situation to FCC safety marks used to demonstrate the safety of electronic devices, stating that by simply seeing the mark users know it is safe and meets certain minimum criteria, whereas the Cyber Trust Mark leaves room for vendors to skirt actually ensuring their products are secure.

“When I see an FCC safety mark on an electrical cord or lamp, I know it's safe. I don't have to scan a code and read information to find out if it is actually safe,” he said.

“I wish the Cyber Trust Mark label meant the same thing...that the device was actually safe as designed. I think the problem is that consumers will see the mark and automatically assume the device meets expected cybersecurity standards and maybe it does and maybe it doesn't."

Parliamentarians from both sides of the aisle have called on the government to modernize the UK’s “outdated” cybersecurity laws to secure the country from growing digital threats.

The coalition, led by Lord Holmes of Richmond, said it wants to fix areas of the 1990 Computer Misuse Act (CMA), stating the legislation is not fit to govern the modern internet.

The CMA was drawn up to control dangerous or malicious misuse of computer systems and data. As the bill was created before the modern internet, the coalition argued that it fails to account for the challenges UK security practitioners are currently facing.

In particular, the bipartisan group said the CMA inadvertently criminalizes a very wide range of legitimate digital activities that it argues are crucial for safeguarding the country’s critical national infrastructure, businesses, and citizens.

The cross-party group has proposed a statutory defense for security practitioners who can demonstrate either a reasonable belief that the organization in charge of the system would have consented to their work, or that work was necessary to catch malicious activity.

The push will seek to make “key amendments” to the Data (Access and Use) Bill which are expected to be debated in the House of Lords Grand Committee on 18 December.

The CyberUp Campaign, a UK initiative pushing for refreshing the UK’s cyber laws, argued that the changes proposed by Lord Holmes et al are vital to enable security researchers to play a more central role in protecting digital systems and sensitive data in the UK.

Rob Dartnall, CEO at UK-based threat intelligence provider SecAlliance and representative of the CyberUp Campaign, said the campaign welcomed the recent developments, stating legitimate cybersecurity researchers face unique challenges in the UK as a result of the “outdated” legislation.

“We are delighted to see an amendment tabled that could bring the Computer Misuse Act into the 21st century by introducing a statutory defence. Updating this Act would represent a landmark moment for UK cyber security legislation, which is outdated when compared to the cyber threat landscape we face,” he said.

“The UK’s outdated cyber laws are preventing our cyber security professionals from defending organisations effectively. In no other sector do security professionals face risks of breaking the law for simply doing their jobs. Campaign research shows that nearly two-thirds of cyber professionals say the CMA hinders their ability to safeguard the UK—an untenable situation as cyber threats grow.”

Dartnall added that this action has been sorely needed in light of the growing cyber threats facing the country, arguing that giving security practitioners the freedom to do more to help protect the country is essential.

“ The last two years have seen unprecedented levels of critical vulnerabilities, ransomware breaches and third party system breaches, all of which have had a massive effect on people’s data privacy and the UK’s economy,” he explained.

“By introducing a statutory defence, the UK could protect legitimate cybersecurity professionals, strengthen its cyber defences, and reinforce its place as a cybersecurity leader.

"It is time we updated the law to fit with the digital age. With support from across parliament, we believe this amendment could be a catalyst for a change that would better protect the country.”

The Federal Trade Commission (FTC) has issued orders to five of the biggest names in cloud and artificial intelligence (AI), requiring them to reveal detailed information about recent investments and partnerships.

Cloud service providers Amazon, Microsoft, and Alphabet – Google’s parent company – as well as generative AI companies Anthropic and OpenAI received notification from the regulator on 25 January.

The commission is looking not only for information regarding specific investments, but also the strategic rationale behind such investments and the practical implications they have on decisions about new product releases or board level conversations.  

The regulatory body also seeks to investigate the competitive impact of these partnerships by analyzing changes in market share, sales growth, and expansion. 

“History shows that new technologies can create new markets and healthy competition,” FTC Chair Lina M Khan said in a statement.

“As companies race to develop and monetize AI, we must guard against tactics that foreclose this opportunity,” she added. “Our study will shed light on whether investments and partnerships pursued by dominant companies risk distorting innovation and undermining fair competition."

Not the first time AI investments have faced scrutiny 

The FTC’s announcement comes as one of several responses to some hefty AI investments from the big name cloud providers.

Microsoft’s $10 billion investment in OpenAI drew the most attention from regulators. It marks the largest single AI investment to date and occupies the bulk of the total $11.3 billion of investment that OpenAI garnered in 2023. Following this, the UK’s Competition and Markets Authority (CMA) announced an initial review into the relationship between Microsoft and OpenAI in December.

A month later, the European Commission announced it would conduct its own regulatory probe into the partnership in order to check “whether Microsoft's investment in OpenAI might be reviewable under the EU Merger Regulation”.

The relationship between the two companies has been intimate for some time. A coup at OpenAI pushed CEO Sam Altman into the arms of Microsoft, only for him to be rehired by OpenAI days later.

This is the first time Anthropic has found itself in the regulatory firing line, however, despite its relationship with another two big names in cloud: Google and AWS.

AWS announced it would invest $4 billion in the AI firm last year as a part of a “strategic collaboration” to improve Anthropic’s Bedrock services . This investment was quickly followed up by a pledge of $1.5 billion from Google on top of the $500 million it had previously given the organization. 

All the companies involved have 45 days from receipt to respond to the FTC's demand.

Analysis: Why the evolution of generative AI reflects the problems with cloud

As companies weigh up the value of investment in various AI platforms, transparency surrounding backers will be key to making an informed decision. We can find a parallel for this process in the cloud market: Some businesses have found the OpEx model of cloud too costly in the long term and want to repatriate their cloud workloads, however they are facing heavy egress costs and vendor lock-in. 

Attempts to prevent the AI market from falling into the same pattern – with ‘hyperscalers’ offering the most expansive services at the expense of robust competition – will help prevent the need for more drastic regulatory intervention down the line.

While OpenAI has been an AI frontrunner since late 2022, the likes of Anthropic have aimed to top the household name with products to compete with ChatGPT at the commercial and enterprise level. Google and Amazon’s belief that Anthropic offers a competitive edge is clear from their respective investments.

But neither Google nor Amazon are neutral parties when it comes to AI model development, as both offer enterprise AI models of their own and have vast amounts of investment for AI in the pipeline. Both companies face the tricky task of explaining why Anthropic is worthy of  billions of dollars in backing, but not so impressive that taking it off the board as a competitor won’t harm competition in the space.

Microsoft's exclusive agreement with OpenAI traces back to 2019, so in many ways, the firm has an easier task when it comes to regulatory investigation. The cloud giant may try to sell OpenAI as a shrewd investment that paid off rather than a poster child startup backed by reactionary funding delivered once it knew the way the wind was blowing when it came to generative AI. This angle is contingent on it selling its reported $10 billion investment in the firm as one of many long-term investments in OpenAI.

Greater investment in open source foundation models could help to quell any fears the FTC might have over harm to competition in the generative AI market. There has already been movement in this direction with AWS’ partnership with Hugging Face, intended to ‘democratize’ AI, or Meta and IBM’s alliance for the open development of AI.

The UK, US, European Union (EU), India and China are amongst 28 countries and governments to sign up to the Bletchley Declaration on AI safety, announced on 1 November at the UK's AI Summit.

The agreement recognises that so-called frontier AI technology, such generative AI chatbots and image generators, has “potential for serious, even catastrophic, harm, either deliberate or unintentional". It outlines three key areas of risk: Cybersecurity, biotechnology, and disinformation.

It says risks are best addressed through international cooperation, with participating nations agreeing to work together to support a network of scientific research on AI safety.  

"This is a landmark achievement that sees the world’s greatest AI powers agree on the urgency behind understanding the risks of AI – helping ensure the long-term future of our children and grandchildren," said UK prime minister Rishi Sunak.

"The UK is once again leading the world at the forefront of this new technological frontier by kickstarting this conversation, which will see us work together to make AI safe and realise all its benefits for generations to come."

The agreement has received tentative approval from the UK tech sector, with Rashik Parmar, CEO of BCS, saying that it takes a more positive view of the potential of AI than expected.

"I’m also pleased to see a focus on AI issues that are a problem today – particularly disinformation, which could result in personalised fake news during the next election – we believe this is more pressing than speculation about existential risk," he added. 

"The emphasis on global cooperation is vital to minimise differences in how countries regulate AI."

Amanda Brock, CEO of OpenUK, said the agreement will need hard practicalities baked in, and is calling for the open source software and open data business communities to be included.

"Their input will help to appropriately shape the transparency called for in the Declaration alongside the internationally inclusive, collaborative cross border research and innovation and international co-operation in an open manner," she said.

Joseph Thacker, researcher at SaaS security firm AppOmni, was less confident, however.

"The biggest challenge is that the open source ecosystem is really close to enterprises when it comes to making frontier AI," he said. 

"And the open source ecosystem isn't going to adhere to these guidelines – developers in their basement aren't going to be fully transparent with their respective governments."

The Bletchley Declaration isn't the only game in town, though. US secretary of commerce Gina Raimondo used the summit to announce a new US-led international AI safety institute.

Just two days before the conference kicked off, on 30 October, US president Joe Biden signed an executive order, described by the White House as “the most significant actions ever taken by any government to advance the field of AI safety”, requiring AI firms to report the risks their technology could pose.

The EU is already in the process of passing its AI Act and, on the same day Biden signed his executive order, the G7 agreed a set of guiding principles for AI and a voluntary code of conduct for AI developers. 

The challenge, most agree, will be to ensure that future international efforts are focused on practical measures. 

"The test will be seeing cooperation on the concrete governance steps that need to follow," said Seán Ó hÉigeartaigh, programme director of AI: futures and responsibility at the University of Cambridge. 

"I hope to see the next summit in South Korea forge a consensus around international standards and monitoring, including establishing a shared understanding of which standards must be international, and which can be left to national discretion," he added.

There’s a saying in security that criminals only have to get lucky once to count a success. This is as true in cyber security and data protection as it is anywhere else – organizations need to be on alert and ready to defend against a possible attack every minute of every hour of every day. There is, sadly, no respite.

Companies don’t have to face this challenge alone, though; governments, regulatory bodies and the wider security industry are increasingly collaborating to introduce best practice and legislation to help increase everyone’s security posture.

One example of this is the NIS2 Directive, which was created by the European Commission in January 2023 with the aim of boosting cyber security across the European Union. It expands on the existing NIS Directive to include new sectors and entities, improving the resilience and incident response capacities of public and private organizations alike. Members of the 27-nation bloc have until 17 October 2024 to transpose the directive into their own legislation and the UK government has also confirmed it plans to update its NIS regulations as well.

With so much to consider, ITPro, in association with Rubrik, bring you an informative webinar to offer you real-world guidance and insight.

Madeline Bennett, ITPro’s Contributing Editor will be joined by Richard Cassidy, Field CISO at Rubrik to:

• Help businesses understand more about the latest updates around the NIS2 EU Directive including what will – and won’t – be covered by it.
• Learn why we all need to take this new directive more seriously, starting now. 
• Explore how Rubrik's products can help organizations align it's compliance with EMEA regulations such as the NIS 2 Directive.

To hear all this and more, register for the webinar today.

Financial penalties issued for mismanaging subject rights are set to rise above $1 billion worldwide in 2026, according to Gartner forecasts.

Researchers say the figure represents a tenfold increase from 2022’s levels. 

In this context, subject rights requests (SRRs) are a set of legal rights that enable individuals to demand clarity – and occasionally request changes – regarding the use of their data.

Nader Henein, VP Analyst at Gartner, described the management of SRRs as a basic requirement for security and risk management leaders. 

He said: “Data subject rights should not be treated exclusively as a legal requirement.

“To support positive customer sentiment, the organization’s privacy UX should be developed with the same care as any customer-facing service.”

Researchers also noted that data held on staff, regardless of employment status, was worthy of the same care as that given to customers. The report noted: “The highest cost per request is often attributed to employees’ SRRs rather than those coming from customers due to the complexity and the volume of data”.

Automation is key to avoiding substantial fines, and sticking with a manual process for responding to SRRs is likely to increase the risk of an organization facing regulatory fines and possible reputational damage. Henein noted that demands around SRRs would not go away and said that adopting a zero-touch model would allow users to self-serve via a privacy portal.

The same portal should be transparent about the data being held and ensure users understand how it is used and by whom.

Organizations are faced with multiple potential costs from both regulators and attacks by threat actors.

The former have been adopting a stronger stance in recent years. For example, the EU has rolled out GDPR rules to give citizens more control over their data. Although SSRs are only part of the rules, penalties possible under the wider regulatory framework can be severe.

Meta has incurred more than €1 billion in fines alone from European regulators over a 12 month period over its GDPR violations.

The UK’s Information Commissioner’s Office (ICO) has similarly been increasing the fines it levies, with its current average of £14.7 million per year in fines representing a tenfold increase when compared to fines imposed in the 12 months prior to GDPR rules coming into effect. 

The rise of generative AI has also resulted in lawmakers giving consideration to how data is used in training models, as well as a number of lawsuits leveled at AI vendors.

Organizations are also facing increasing costs from attacks. One recent report noted that public companies experience an average net income drop of 73% within the first year of a data breach’s disclosure.

Microsoft and AWS have sparked a fierce war of words with regulators in light of claims that they maintain a “stranglehold” on the UK cloud computing market. 

The hyperscaler duo has claimed that their investment in the country could be threatened by moves to loosen their grip on the cloud computing market, marking an embattled stance ahead of a potential regulatory crackdown. 

The threat follows a landmark report from Ofcom on the state of the cloud computing landscape in the UK that warned the companies are stifling competition due to restrictive practices for customers. 

Ofcom’s report accused Microsoft and AWS of conducting a campaign of ‘vendor lock-in’ to prevent customers from switching to new providers or pursuing alternative options, which is harming both competitors and customers alike. 

In the wake of the report, Ofcom said it plans to consult with the Competition and Markets Authority (CMA) on the matter in a hint that it could recommend the watchdog commence a robust investigation into the providers’ practices. 

Naturally, Microsoft and AWS have contested the claims from Ofcom. In a report from the Telegraph last week, a spokesperson for AWS said that any regulatory interventions would be “unwarranted” and “could lead to significant unintended harm to customers and competition”. 

Long-term, a crackdown from regulators could “considerably affect AWS’ investment decisions” and lead to a “dampening of incentives to invest”, the company warned. 

While an entirely predictable counter from AWS, the threat of dampening investment in the UK cloud market could send shivers down spines in Whitehall. 

The hyperscaler is among the top suppliers of cloud services and infrastructure for the UK government. In 2021, it accounted for more than half of government cloud spending, and is the leading market provider across the UK. 

For UK businesses, the prospect of lowered investment also doesn’t bode well amid a period of rapid digitization and growing demand for cloud services. AWS is a key provider of cloud services for a host of major businesses, serving thousands of firms across the country. 

The enemy of my enemy is my friend

Idol threats over pending regulatory scrutiny could, under normal circumstances, be brushed off as a case of spitting the dummy out. We see this in Europe on a very regular basis. 

However, the severity of the situation appears to weigh on minds so heavily that AWS and Microsoft have formed somewhat of a rebel alliance against Ofcom and the CMA. 

Microsoft, sensing a crackdown, also lashed out at UK regulators by suggesting that proposed standards to enable businesses to switch more easily could “chill investment”. 

Threats of “dampened” and “chilled” investment bear similarities to what we’ve seen in Europe of late with the upcoming AI Act. In this instance, one would hope that UK regulators have the fortitude and will to resist pressure from big tech. 

From both their positions, it appears rather ironic that they would issue such warnings while maintaining a hardened grip on the UK cloud landscape - they hold the high ground in this instance and are in a position to spit the dummy out while competitors fight over the scraps. 

Combined, the two companies command a market share of between 60-70%. By comparison, Google Cloud, another of the three major ‘hyperscalers’, controls between 5-10% of the market. 

In its initial response to Ofcom’s report, Google said that competition in the UK cloud market is “generally working well” and that the landscape “bears many hallmarks of healthy competition”. 

Despite some agreement with Ofcom’s findings, the tech giant has remained relatively quiet amid the furor caused by its counterparts - which perhaps speaks volumes and suggests that it’s willing to watch them battle it out while reaping long-term rewards. 

After all, Google pulled no punches in its criticism of Microsoft's practices in its June testimony to US regulators on the topic of competition. 

This brewing battle could be costly for AWS and Microsoft, however, and result in a bloody nose for the pair. 

In recent months the CMA has showcased its resolve with regard to tackling big tech. In April, the watchdog announced it would block Microsoft’s acquisition of Activision Blizzard in a multi-billion pound deal. 

The decision sparked a major spat between the CMA and Microsoft, with company president Brad Smith hitting out with claims that the EU is a “more attractive place to start a business than the United Kingdom”. 

The CMA’s willingness to take a leading position in blocking the $69 billion deal marked a significant moment for the regulator. 

If this initial stance is anything to go by, then AWS and Microsoft could face significant pressure in the coming months if regulatory action is taken. But that’s not to say that the duo will be stonewalled outright, however. 

The watchdog has also shown that it’s flexible in its approach. Earlier this week, the CMA called for public responses on whether the deal should be cleared ahead of its final verdict on 29 August. 

In this regard, AWS and Microsoft may detect an opportunity to work productively with the CMA and reach an amicable agreement. Alternatively, the gloves could come off with both sides preparing to dig in. 

The open source community is very much at a critical juncture amid a period of regulatory uncertainty in the EU, with new legislation posing a threat to the industry. 

This week, a consortium of companies including GitHub, Creative Commons, and Hugging Face published a policy paper aimed at EU regulators requesting greater support for open source AI development in the upcoming AI Act. 

The coalition outlined a series of suggestions for EU lawmakers in the paper, making a number of requests. These included more concise definitions of AI components and greater support and leeway for open source research into the development of AI models. 

A key focus here centers around whether research and testing of AI models will be interpreted as “commercial activity” and thus subject to stringent rules under the act. 

Under the proposed EU guidelines, real-world testing of AI systems will not be granted exemption from the regulations, which the companies argued could be inhibitive to innovation and prove costly for enterprises. 

Instead, the coalition suggested a change in language to accommodate for testing which is done “on a limited scale with sufficient documentation and transparency to users”. 

“Research and development (R&D) is crucial to the development of beneficial, trustworthy AI systems,” the paper reads. 

“The act should recognize that some real-world testing, including preliminary exploration of a model’s appropriateness to specific deployment conditions and allowing scrutiny and evaluation by relevant civil society organizations outside of the development chain, can be necessary and appropriate for R&D.”

Warranted criticism

The policy paper is by no means a scathing criticism of the AI Act, but does contain suggestions on how regulators and open source developers might foster a closer relationship that fuels innovation. 

However, the paper does warn that, based on its current iteration, the Act risks creating “impractical barriers” for contributors in the ecosystem. 

“The AI Act holds promise to set a global precedent in regulating AI to address its risks while encouraging innovation,” the paper reads. 

“By supporting the blossoming open ecosystem approach to AI, the regulation has an important opportunity to further this goal through increased transparency and collaboration between stakeholders.”

“Unfortunately, current proposals threaten to create impractical barriers to and disadvantages for contributors to this open ecosystem,” it added. 

Peter Chichon, senior policy manager at GitHub, one of the leading voices in this discussion with regulators, warned in a blog post that the act risks “chilling open source AI development” and undermining “responsible innovation” across the union. 

Long-running concerns

Given recent clashes between regulators and the community, the move from GitHub et al should be welcomed and provide food for thought among lawmakers in the EU who appear determined to stifle open source innovation. 

This isn’t the first time industry stakeholders have, justifiably, raised concerns about restrictive policies from the union. 

The Brookings think tank published a report criticizing the proposals in September last year warning that the act would seriously undermine open source AI development and harm developers. 

Similarly, earlier this month, Wikipedia founder Jimmy Wales and OpenUK chief executive Amanda Brock suggested that the act’s stringent rules for open source developers could harm broader European AI ambitions and enable the US to “outpace” Europe in the space. 

Speaking during a roundtable discussion, Brock described the act as “very prescriptive” and suggested that exemptions for open source development “don’t go far enough”. 

“It’s not going to work,” she said. 

With such strong pushback - and repeated pushback from industry figureheads - EU regulators could be faced with the prospect of curtailing worrisome aspects of the legislation. 

But will it work? History tells us otherwise. Ahead of GDPR implementation in 2018, EU lawmakers fought off a wave of complaints and concerns from the industry and continued to steam ahead with plans. 

The EU has already brushed off complaints from industry big-hitters such as OpenAI, whose CEO Sam Altman warned earlier this year that the company could be forced to ‘pull out of Europe’ due to aspects of the regulation. 

Altman’s comments were met with a fierce response from lawmakers and later prompted a u-turn from the chief executive in a debacle that highlighted the unwavering resolve of regulators. 

Clashing heads with regulators

This current call to action also bears similarities to other battles we’ve seen between the open source community and regulators in recent months. 

In April, 13 open source industry bodies penned an open letter to EU lawmakers voicing concerns over the Cyber Resilience Act (CRA), arguing that aspects of the legislation would harm the open source community across Europe. 

The letter, signed by Linux Foundation Europe, the Open Source Initiative (OSI), and the Eclipse Foundation, said the proposals would have a “chilling effect” on open source software due to rules that would leave developers liable for software vulnerabilities. 

More recently, critics once again reared their heads ahead of a crunch vote in the European Parliament on the cyber act, claiming that in its current form, the legislation represents a “death knell” for open source in Europe. 

Despite this, MEPs on the Industry Committee nonetheless voted to back the draft bill, with 61 votes to 1 and 10 abstentions. 

Once again, lawmakers in the EU proved their resolve and reaffirmed their apparent disregard for the concerns raised by members of the open source community. 

This all begs the question of whether the EU views the open source industry as a valuable player within the broader technology landscape. While regulations are being pushed to protect consumers and businesses alike, there is no denying that significant pressure is being placed on the open source community, which offers valuable economic benefits. 

Millions of businesses spanning all 27 member states rely on open source software in their day-to-day operations. The vital applications and platforms that represent the lifeblood of the European tech economy are maintained by a dedicated community of developers, who in the EU’s eyes it seems cannot be trusted. 

With the European Parliament voting to adopt its position on the AI Act in June, time is fast running out for the open source community to see any meaningful changes implemented by lawmakers. 

And if the EU’s approach to the Cyber Resilience Act is anything to go by, it’s likely that the industry will be ignored and have stifling changes imposed on it that harm developers and long-term innovation.

Critics of EU regulations have warned that developers may choose to “back out” of projects as a result of the potential penalties, threatening one of the most celebrated corners of the industry.

Gabriele Columbro, general manager for the Linux Foundation in Europe, told ITPro in April that this could become a reality as contributors seek to avoid being “slapped with lawsuits”. 

If this proves to be the case, then the open source community, which is already stretched and becoming increasingly burnt out, could enter a dark period - and that spells trouble for innovation in Europe, undoubtedly harming businesses. 

The EU’s proposed Cyber Resilience Act could spell disaster for the open source community, with critics describing the legislation as a ‘death knell’ for the industry. 

Brian Fox, CTO at Sonatype, said that in its current form, the act risks “severely undermining” open source projects across the union and poses a serious threat to security and sustainability in the ecosystem. 

Fox’s comments come ahead of a crucial EU vote on the future of the act on Wednesday, which could see developers held liable for software vulnerabilities. 

Critics are now calling for lawmakers to caution restraint and have urged MEPs to vote against the bill in its current draft. 

“In its current form, the Cyber Resilience Act risks being a death knell to open source, severely undermining both its security and sustainability,” he said. 

“If the current course isn’t changed before the upcoming vote, we are at risk of an open source software crisis in the EU, which would be catastrophic for our digital economy, innovation, and security.

“We are calling on EU citizens to implore their MEPs to vote against the Act and help fix this mess. It is now the eleventh hour in the race to save open source.”

Punishing open source developers

A focal point of the Cyber Resilience Act centers around liability for open source developers. In its current iteration, developers may be held accountable for vulnerabilities in software. 

Given that open source software is used by businesses across the Union, critics argue that potential penalties and compliance requirements could prompt contributors to back out of projects. And long-term, this could seriously harm the ecosystem. 

This aspect of the bill has led to a long-running dispute between the European open source community and legislators, Fox said, with back-and-forth discussions on the matter resulting in little change. 

Earlier this year, an open letter signed by several industry stakeholders, including the Linux Foundation Europe, warned that the bill would have a “chilling effect” on open-source development and the community. 

In April, Gabriele Columbro, general manager for the Linux Foundation in Europe, told ITPro that many contributors across Europe were worried they could be “slapped with lawsuits” and “decide not to put a project in the open” as a result.

Fox echoed this sentiment, suggesting that EU lawmakers have a “narrow outlook” on the benefits of open source and that they have been unwilling to compromise with the community in recent months. 

“It is hugely worrying that legislators are ignoring the industry’s voice,” he said. “The EU has approached the issue of software security with a narrow outlook and has failed to address the concerns raised”. 

Pro-innovation legislation

Fox specifically highlighted the US’ Cyber Security Strategy as an example of how legislators can work in closer alignment with the open source community. 

Unveiled in February, the sweeping security legislation excluded liability for open source developers and projects. At the time, this was welcomed by industry stakeholders and hailed as a pro-innovation approach. 

“This is in contrast to the attitude of the US government, which has consistently given the open source industry a voice in its cyber security initiatives. Some of us in the industry have been working for more than six months to try to prevent the impending open source disaster in the EU.”

EU regulators have once again hit back at big tech criticism of regulatory changes in what marks the latest tit-for-tat battle ahead of the pending Data Act. 

Amid concerns the legislation could harm tech companies, Thierry Breton, European commissioner for internal markets, will say it’s expected to do the exact opposite. 

Lawmakers won’t shift their stance either despite the mounting opposition from big tech, according to the draft text of a speech set to be delivered in San Francisco this week. 

“Our European data strategy is to unlock a wealth of big data and set out how that data should be shared, stored, and processed. This will benefit all businesses – European, American, and others alike,” he is expected to say, and will add: “Assertiveness is not protectionism.”

Why tech companies are fighting the Data Act

The Data Act aims to prevent non-EU governments from accessing data processed by firms operating within the union. Rules outlined in the act will apply to both corporate and consumer data, and are applicable to a range of services and products, such as smart technologies and industrial machinery. 

Some US companies, however, warn the legislation could have a negative impact on international data transfers and create additional cost burdens for companies that operate across borders. 

US firms aren’t alone in leveling criticism. Last month, Siemens and SAP suggested the act could compromise “trade secrets” due to provisions requiring companies to collaborate with third parties to ensure regulatory compliance. 

In an open letter to Breton, EU antitrust chief Margrethe Vestager, and Commission president Ursula von der Leyen, German companies opposed to the act said it “risks undermining European competitiveness by mandating data sharing”. 

"Effectively, this could mean that EU companies will have to disclose data to third-country competitors, notably those not operating in Europe and against which the Data Act's safeguards would be ineffective," the letter read.

Pushing back against regulation

This criticism marks the latest in a long-running trend of big tech companies across the world pushing back against pending EU legislative changes.

Earlier this year, a number of industry stakeholders, most notably OpenAI, slammed the EU’s long-awaiting AI Act, branding it too restrictive and potentially inhibiting operations within the union. 

OpenAI CEO Sam Altman sparked controversy after suggesting the firm could be forced to “leave Europe” if the act was approved as it stood. While Altman swiftly reneged on the threat and clarified OpenAI’s commitment to Europe, the comments drew harsh criticism from Breton. 

Breton told Reuters at the time the AI rules are aimed specifically to safeguard the “security and well-being of our citizens” and insisted that changes “cannot be bargained”. He stressed the EU has been ahead of the curve in “designing a solid and balanced regulatory framework” in the interests of safety but also so Europe can “become a frontrunner in trustworth AI”.  

Data sovereignty rules in the EU have also been in the crosshairs for non-EU firms, with the cyber security labeling rules described as “discriminatory” against international firms in recent months. 

Big tech resistance is futile

Such pushback has a common theme: time and time again they fall flat. 

The first real acid test for this was prior to the implementation of GDPR, which received a significant degree of resistance from firms within the union and internationally. 

Similarly, cookie legislation and data-sharing rules in the wake of the Schrems cases, which saw companies such as Facebook hint they’d back out of the EU, fizzled out with a whimper. 

It appears tech companies haven’t learned their lesson. EU lawmakers are steadfast in their position and unrelenting in their attempts to implement regulations that benefit member states and citizens. 

For regulators to suddenly u-turn at the slightest hint of pushback would be disastrous from a political perspective. Companies, too, with even the slightest bone to pick would smell blood and pounce on future proposals. 

This raises questions over why organizations continue to try so hard to water down legislation. There are two differing tactics at play – playing tough and cozying up – both of which aim to temper potential regulatory crackdowns.

Altman’s hardline approach backfired. But around the same time Microsoft president Brad Smith outlined how the organization planned to develop a responsible framework for generative AI development. This approach showed a more measured approach that could curry favor with regulators. 

With the draft Data Act pending, organizations pushing back will likely find their criticism – which sometimes seems more like spitting out the dummy than offering constructive input – will come to no avail. 

Oracle has announced plans to launch its long-awaited sovereign cloud region for customers in the European Union (EU). 

The company said its new EU Sovereign Cloud will enable private and public sector organizations across the union to gain “more control over data privacy and sovereignty requirements”.

Described as one of the first cloud offerings specifically designed to address pending regulatory changes, the new cloud region will be located entirely within the EU, Oracle said. 

Similarly, the region will be supported by EU-based personnel and operated by separate legal entities within the union. 

As part of the move, sovereign cloud data centers will be located in Frankfurt and Madrid. 

The Frankfurt site will be operated by Equinix while Digital Reality is the host partner for the cloud region in Madrid.

Richard Smith, executive vice president for technology, EMEA, at Oracle, said the new region comes in direct response to a changing regulatory landscape in the union at present. 

"The European Union technology landscape has changed dramatically due to the growing importance of data protection and localization, leading to increased demand for sovereign cloud solutions that can securely host sensitive customer data and comply with regulations such as GDPR," he said. 

“Our goal is to meet customers wherever they are in their cloud journey and with Oracle EU Sovereign Cloud, customers in highly regulated industries, as well as those subject to certain country-specific legislation, can now accelerate their cloud strategies."

Data sovereignty focus

The new sovereign cloud region will operate under a “comprehensive” set of policies and governance that will support OCI’s existing capabilities, Oracle said. 

This will include a framework for data and operational sovereignty focused specifically on regulating how OCI stores and manages access to EU data, as well as how data access from non-EU entities is handled. 

“Oracle EU Sovereign Cloud is designed for data residency and security with an architecture that shares no infrastructure with Oracle's commercial regions in the EU and that has no backbone network connection to Oracle's other cloud regions,” the firm said. 

“Customer access to Oracle EU Sovereign Cloud is managed separately from access to Oracle Cloud's commercial regions.”

Pending EU regulations

The move from Oracle comes at a time when EU lawmakers are tightening their regulatory approach to data sovereignty. 

This has been a contentious talking point in recent months amid plans to implement more stringent rules for non-EU companies processing data within the union. 

In May, the European Union Agency for Cybersecurity (ENISA) revealed plans to introduce a ‘cyber security label’ that will be required for non-EU companies operating in the union. 

These proposals mean that major cloud providers such as Microsoft, Google, and AWS, would be required to enter into a “joint venture” with an EU-based firm for regulatory purposes.

This forms part of a wider regulatory crackdown via the EU certification scheme (EUCS), which aims to establish a union-wide certification regime for cloud providers and companies handling EU data.

Oracle isn’t alone in its sovereignty push, either. Earlier this month, IBM confirmed its own plans to open a dedicated quantum cloud data center and cloud region in Ehningen, Germany. 

IBM said the facility, which is the second of its kind for the firm, is designed specifically to “help clients continue to manage their European data regulation requirements”. 

The EU has progressed a key bill seeking to regulate the use of artificial intelligence (AI) to its latter stages, in another move that outpaces the UK’s AI efforts.

On 14 June, MEPs held a pivotal vote to move the AI Act closer to being signed into law across the region, which was passed by an overwhelming majority.

The Artificial Intelligence Act (‘AI Act’) is a wide-ranging series of controls for the implementation of AI technology, centered around a risk-based approach.

UK government officials have become more vocal on the issue of AI in recent weeks, but have not pushed forward any legislation to curb the use of the technology.

Under the EU’s measures, companies seeking to use AI would be required to provide transparency around data used to train models and to clearly label AI-generated content.

The draft bill sets out a framework for risk assessment of systems, with high-risk systems defined as those that pose a “high risk to the health and safety or fundamental rights of natural persons”.

Companies that develop these systems will be required to register them in an EU database for public oversight.

Those that do not comply with the requirements of the act could be hit with fines of up to 4% of their annual worldwide turnover, or €20 million ($21.6 million).

The Financial Times reported a senior British official as having described the EU’s regulation as “draconian”, and OpenAI’s CEO Sam Altman warned his company could leave the EU over the law before walking this threat back.

In contrast to the EU’s strict risk-based approach, the UK whitepaper is based on a framework of five ‘principles’ for AI:

• Safety, security, and robustness
• Appropriate transparency and explainability
• Fairness
• Accountability and governance
• Contestability and redress

It lays out no corresponding measures that could be taken against non-conforming companies, nor plans for statutory controls over AI.

The UK whitepaper specifically states that the government will not seek AI regulation on a statutory basis initially due to concerns that this could hinder innovation in the field.

Some in the industry have hailed this as a positive move for the UK AI landscape, as firms may be more willing to invest in the region if they believe it provides a better environment for profitable development.

“The key is to strike the balance between ensuring fairness and making AI possible to use and experiment with – which this pro-innovation approach supports,” said Iván de Prado Alonso, head of AI at Freepik Company.

“I expect a warm welcoming from technology vendors across the UK as the government encourages creating an AI-enabled nation.”

AI regulation: Clashing approaches to risk

As with the GDPR, firms seeking to operate within the EU will still need to abide by the AI Act, which could limit the extent to which AI firms feel the freedom that the UK government is at pains to provide.

Industry consultation indicated that small businesses could face great time and financial burdens by compliance requirements if regulators are “not proportionate and aligned in their regulation of AI”.

In place of initial legislation, existing regulators, such as Ofcom or the Digital Markets Unit, will be asked to implement controls in a way seen as proportionate.

Setting out the exact powers each regulator will have is likely to push the legislation well into the next parliament; the two years it has taken for the Competition and Markets Authority’s (CMA) Digital Markets Unit to get off the ground casts a shadow over these proposals.

The decentralized approach, based on an evolving framework and tending towards pro-innovation rather than caution, could also allow the UK to adapt to the changing state of the AI market more easily.

First proposed in April 2021, the AI Act has had to be rewritten many times to keep up with the developments in areas such as generative AI since its inception.

AI regulation: Banned technologies

The UK whitepaper acknowledged specific risks posed by generative AI and deepfakes, such as the potential for a criminal to generate false compromising images of an individual to damage their reputation, or for large language models (LLM) like ChatGPT to generate disinformation.

It did not go as far as providing risk guidelines with pre-defined uses or technologies in mind, and this could prove vital for its continued relevance as new technologies emerge.

The draft document for the AI Act, in comparison, includes a list of technologies deemed to carry an unacceptable risk, such as systems that could subliminally influence individuals or the use of AI for real-time biometrics tracking.

In this regard, it presents more of a complete overview for AI regulation than the UK whitepaper, which businesses can use to inform their business decisions going forward. 

The UK’s approach could give AI developers more freedom to try systems out; it has also left firms guessing when it comes to what regulations they may have to follow down the line. 

While outright bans on some uses of AI may be seen as restrictive, this is an example of the EU having delivered a clear answer to the ethical and regulatory questions that are being asked today while the UK is still in the consultation stage.

The conservative EPP Group sought to quash the biometrics ban through a last-minute amendment to the bill but failed to muster the votes necessary to have this passed. 

It remains to be seen whether the ban will stick, and the bill does reference “certain limited exceptions” for the technology that may leave the door open for use by EU nations.

Police use of real-time biometrics technology such as live facial recognition (LFR) has long been a point of controversy. 

In 2022 a University of Cambridge study called for the UK to ban the technology in public spaces, and cited instances of the Metropolitan Police Service (MPS) using LFR in which “minimum ethical and legal standards” were not met.

Human rights groups have strongly objected to the use of LFR in recent years, alleging that the technology will entrench racial biases and violate individual privacy to an unacceptable degree.

“With such a persistently inhospitable environment towards people fleeing wars and conflict or in search of a better life, it is vital that the European Parliament doesn’t dismiss the harms of racist AI systems,” said Mher Hakobyan, advocacy advisor on AI regulation at Amnesty International.

“Lawmakers must ban racist profiling and risk assessment systems, which label migrants and asylum seekers as ‘threats’; and forecasting technologies to predict border movements and deny people the right to asylum.”

A cross-party group of UK lawmakers called for CCTV devices from two Chinese companies to be banned in July 2022, due to alleged links with Uyghur internment camps and reported use of facial-recognition technology to detect Uyghur individuals.

During a trip to the US in June, UK Prime Minister Rishi Sunak attempted to distance the UK’s approach to AI from that of its closest neighbors.

Sunak has voiced ambitions for the UK to become a global leader in AI, and the newly announced Atlantic Declaration will see the UK and US work closely on AI safety.

The UK is also set to host the first international summit on AI safety later this year.

AI regulation: Common ground on sandboxes

Both the EU and UK approaches favor the adoption of trial environments, or ‘sandboxes’, for AI testing and deployment.

The UK whitepaper committed to providing businesses with a regulatory sandbox for AI, following a recommendation by Sir Patrick Vallance, a measure the EU has also promoted.

It is hoped that this will allow AI products and services to reach market faster, and highlight any hurdles to innovation, or emerging tools that deserve greater regulatory attention.

EU digital technology industry organization Digital Europe published a report based on results from nine European startups and SMEs. 

A key finding was that respondents supported sandboxes, and would favor a continuous sandboxing process in which to test products.

With lawmakers on both sides of the Atlantic circling the wagons, generative AI leaders look ready to commend themselves into the loving arms of regulators – or so they’d have us think. 

OpenAI CEO Sam Altman embarked on a whistlestop public relations tour of Europe last week, meeting with lawmakers and industry figures, and flying the flag for the organization amid heightened regulatory scrutiny. 

This tour saw him stop at Downing Street to meet with UK Prime Minister Rishi Sunak alongside several industry execs to discuss the acceleration of generative AI, how regulation may shape the evolution of the industry, and how AI itself may shape the future of industry. 

The tour bore similarities to a royal visit in many ways. Here, there, and everywhere and a whole lot of schmoozing, yet without the crowds, pomp, and lavish splendor. It was a case of  talking a good game and smiling for the cameras, giving the impression of an industry leader open to discussing the simmering undercurrent of concern over what generative AI means for the future. 

Toying with pulling the plug

While there’s no denying Altman has been willing to communicate on the issue of AI regulation – after all, he turned up to Congress last month – it’s part of a pattern of cosying up to regulators prior to crackdowns. 

At an event in London last Wednesday, Altman told attendees during a panel session the company could “leave Europe” if it were unable to meet regulatory requirements, describing pending proposals as ‘over-regulating’. 

“Either we’ll be able to solve those requirements or not,” Altman told attendees. “If we can comply, we will, and if we can’t, we’ll cease operating. We will try. But there are technical limits to what’s possible.”

This pungent whiff of absolutist, childish rhetoric was swiftly snuffed out by a u-turn on Friday in which Altman declared the firm was “excited to continue to operate here, and of course have no plans to leave”. 

A sigh of relief for many across Europe, no doubt. But the breakneck speed at which Altman was willing to threaten pulling out of Europe and then renege on the statement should raise concerns. Perhaps some industry leaders in the AI space just aren’t too keen on regulation – who would’ve thought?

Another regulatory Groundhog Day

We’ve seen this before. In 2020, Meta (then Facebook) spat the dummy out over a potential ban on sharing EU citizens’ data in the US due to privacy concerns. In a court filing, Facebook’s associate general counsel suggested enforcing a ban on trans-Atlantic data sharing would leave the company unable to operate.

“In the event that [Facebook] were subject to a complete suspension of the transfer of users’ data to the US,” Yvonne Cunnane wrote, “it is not clear how, in those circumstances, it could continue to provide the Facebook and Instagram services in the EU.”

Meta’s recent spats with EU regulators have also been halted by swift u-turns after bold declarations. Calling EU regulators’ bluff has, historically, been an abysmal tactic. And Altman’s recent outburst highlighted this perfectly, prompting a strongly-worded backlash from lawmakers in the union. 

Thierry Breton, European commissioner for internal markets, hit back at Altman’s comments, stating that rules on AI development “cannot be bargained”. 

“Let’s be clear, our rules are put in place for the security and well-being of our citizens and this cannot be bargained,” he told Reuters. 

“Europe has been ahead of the curve designing a solid and balanced regulatory framework for AI which tackles risks related to fundamental rights or safety, but also enables innovation for Europe to become a frontrunner in trustworthy AI.”

Talking the industry into the good books

Although aggressive in nature, Altman’s recent statements are an interesting tactic in the cat-and-mouse game innovators play with regulators. 

An outright crackdown from lawmakers would be disastrous and, frankly, counterproductive to the future of the industry. But if the industry keeps them talking and engaged for long enough, they may be able to temper the outcome and reduce the long-term hit. 

While Altman was wrapping up his Eurotrip, Microsoft president Brad Smith outlined the company’s future goals for AI governance, transparency, and responsible use. 

Detailing ‘five key principles’ to ensuring responsible AI development at the tech giant, Smith’s approach appears very much focused on currying favor with regulators on both sides of the Atlantic. 

“We are committed and determined as a company to develop and deploy AI in a safe and responsible way,” he wrote in a blog post. “We also recognize, however, that the guardrails needed for AI require a broadly shared sense of responsibility and should not be left to technology companies alone.”

A key talking point in this blog post was Smith’s calls to pursue “public-private partnerships to use AI as an effective tool to address the inevitable societal challenges that come with new technology”. 

Smith asserted the “key to success” moving forward will be to develop closer ties between government, “respected companies”, and NGOs to ensure transparency, regulation, and prevent misuse. A bold statement, and one that will likely be welcomed by regulators in both the US and EU. 

At the same time, however, acknowledging the “inevitable societal challenges” that will arise due to AI advances hardly fills one with confidence, and underlines how urgent proper regulations are.

AI innovators, it seems, have a choice; spit the dummy out and buckle in for a battle, or cozy up to regulators and hope the gamble pays off. Either way, the "move fast and break things" honeymoon period is over, and regulation is coming.

The UK government has announced new legislation intended to prevent big tech firms from unduly dominating digital markets, and to hold firms more accountable to customer obligations.

Once passed, the Digital Markets, Competition, and Consumers (DMCC) Bill will grant the Digital Markets Unit (DMU) new powers to punish anti-competitive practices under consumer law.

Under the bill, companies that are found to have large market power over one or more digital activities, and whose turnover exceeds £25 billion ($20 billion) worldwide or £1 billion ($800 million) in the UK, will be designated with Strategic Market Status (SMS).

The DMU sits within the Competition and Markets Authority (CMA), and will be able to decide when companies have broken consumer law instead of going through the courts once the bill has passed.

It will have the authority to set rules for how firms with SMS operate, such as mandating more choices for consumers, which it will enforce with fines of up to 10% of global annual turnover.

In a bulletin announcing the bill, the government gave the example of large firms being asked to provide rival search engines with their data or provide greater insight into how their app store review systems operate.

Alongside its reactive powers, the DMU will work proactively to establish new routes into markets for startups and small businesses and may demand that certain services are accessible on devices and systems on which they are currently restricted.

“Today’s announcement shows we are proudly pro-growth and pro-innovation across the board in the tech sector, seeking to open up new opportunities for all firms, however small or large they are, while empowering consumers,” said Paul Scully, minister for tech and the digital economy.

“The Prime Minister has made his intention to secure growth and innovation within every corner of our economy very clear – the new Digital Markets Unit will help fulfil this important priority for the UK in the digital economy.”

Those seeking greater regulation of big tech have waited years for the DMU to receive the powers necessary to meet its founding principle. 

First announced in November 2020, it launched without statutory powers in April 2021, pending the results of a government consultation which was eventually published in May 2022.

In the years since critics have accused the UK of dragging its feet on big tech regulation while other regions pressed ahead with improved customer protections.

The EU’s Digital Markets Act was passed into law in September 2022, with regulators placing their sights on the likes of Alphabet, Microsoft, Meta, and Apple to curb uncompetitive growth.

"Holding big tech firms accountable for their actions will help promote a more level playing field and encourage new players to enter the market,” said Kim Leary, chair at Birmingham-based Birmingham Tech CIC

“It is another step towards encouraging innovation and diversity in the digital marketplace. However, excessive regulation could stifle innovation and limit the growth of companies that have contributed to significant technological advancements. 

“Nonetheless, it remains to be seen how effective this crackdown will be in promoting fair competition and diversity in the market."

Some have expressed concern that the EU’s act, which is expected to force Apple to open iOS devices to third-party app stores, may unintentionally expose users to security risks.

The CMA has stated that it’s been preparing DMU staff in anticipation of the regulator’s new powers, and published a blog post advertising vacancies within the DMU in December 2022.

The bill will be passed into law following parliamentary approval, and may change in line with further guidance.

The disruptions of recent years have opened our eyes to entire new categories of risks, both seriously affecting business operations and negatively impacting customer experiences. A failure to respond to these threats can have a significant effect on the future of the organisation.

This paper highlights the need to transform legacy risk management approaches, and shares three key pillars that can enable businesses to proactively respond to, and overcome, the risks they face.

Download now to learn how to get ahead of the curve with real-time risk visibility, how to ensure risk management is a company-wide responsibility, and how internal audits can improve risk posture.

Provided by  ServiceNow

Google CEO Sundar Pichai has admitted that potential AI-related harms are a serious cause for concern and “keep him up at night”. 

Pichai’s comments came in an interview with CBS’ 60 Minutes program in which the broadcaster delved into the ongoing work to develop AI systems at the tech giant. 

Pichai said the rollout of generative AI systems will have a profound impact on society, noting that ‘knowledge workers’ such as software developers, accountants, and writers, could be among the most at-risk professions due to automation. 

“This is going to impact every product across every company,” he said. “So that’s why I think it’s a very profound technology. AI will impact everything.”

When asked about the risks AI poses to society, Pichai warned that the current pace of development does raise concerns. 

Google has been locked in a battle with Microsoft in recent months, with both tech giants rolling out generative AI systems to support core product offerings.

‘Bard’, Google’s generative AI system, launched in February and has been positioned as a key competitor to OpenAI’s ChatGPT system, which Microsoft has been integrating across a number of services, such as its Azure cloud division. 

“If deployed wrongly, it could be very harmful,” he said. “The technology is moving fast. Does that keep me up at night? Absolutely.”

Aligning AI regulation

Pichai insisted that the development of new systems must be matched by regulatory safeguards to mitigate adverse effects. 

He noted, however, that the future of AI development and regulation should not be placed in the hands of a singular organization or group. 

“It’s not for a company to decide,” he told the program. “This is why I think the development of this [AI] needs to include not just engineers, but social scientists, ethicists, philosophers, and so on."

“I think we have to be very thoughtful and I think these are all things society needs to move along.”

Pichai’s comments on AI regulation follow a controversial open letter published last month calling for an “immediate pause” to AI development. 

The letter, signed by an array of tech pioneers, was published amid concerns that adequate regulatory safeguards were not currently in place to ensure systems would not cause societal problems. 

It warned that AI development is “out of control” and demanded a six-month pause so international regulators can respond to the pace of innovation. 

Lawmakers on both sides of the Atlantic have been exploring potential approaches to AI regulation in recent months.

Last week, the US National Telecommunications and Information Administration (NTIA) announced plans to explore “accountability measures” for companies developing AI systems. 

The NTIA said it will launch a public consultation on AI products and services in a move that could help shape the Biden administration’s approach to federal regulations. 

The former CIO at TSB Bank has been fined for his involvement in the company’s 2018 IT migration which saw customers locked out of their accounts. 

Carlos Abarca, who led the botched IT migration, was handed an £81,620 fine by the Prudential Regulation Authority (PRA) for failing to take “reasonable steps” to ensure that the bank supervised its outsourcing arrangements with a third party during the project.

An investigation by the PRA found that Abarca “failed to ensure that TSB had obtained sufficient assurance from the third party” that the IT migration could be successfully carried out. 

Abarca was responsible for TSB’s outsourcing relationship with its main third-party supplier for the IT migration program. 

However, the PRA found that the former CIO failed to ensure the third party’s “ability and capacity were adequately assessed on an ongoing basis”.

Similarly, the investigation concluded that Abarca failed to ensure that TSB had obtained “sufficient assurance” over the third party’s readiness to operate the new IT platform.

Sam Woods, deputy governor for Prudential Regulation and CEO at the PRA, said Abarca was found to have breached the PRA’s senior manager conduct rule 2 and that his conduct during the program “fell below the standard” the regulatory body expects.

“Senior managers have an essential role to play in ensuring that firms manage and supervise outsourcing effectively,” Woods said in a statement.

“In this case, the PRA has fined Mr AbarcA because his management of a key outsourcing relationship fell below the standard we expect.”

In its statement, the Bank of England said Abarca agreed to resolve the matter with the PRA, which resulted in a 30% reduction in the overall fine imposed by the PRA. Without this discount, the financial penalty would have been £116,600.

TSB’s botched migration

The April 2018 migration project at TSB had intended to update its IT systems and migrate data for corporate and customer services to Banco Sabadell’s systems as part of a merger.

Although the migration was initially successful, the platform subsequently experienced major technical issues, resulting in significant disruption to TSB banking services. 

In-branch, telephone, online, and mobile banking services were all severely disrupted due to the failed migration, which affected millions of customers. 

Some customers were left without access to banking services until December that year, and the company was forced to pay more than £30 million in compensation to affected customers. 

The incident also prompted regulatory action against the high street bank. In December last year, the Financial Conduct Authority fined TSB £48.65 million. 

This fine marks the first penalty imposed on an individual involved in the failed migration, according to the Bank of England.

ChatGPT's developer OpenAI has been ordered to implement a ‘right to be forgotten’-style policy in the chatbot by the Italian data protection regulator (SA).

Data subject rights were among the most important considerations made by the Italian regulator in deciding ChatGPT’s long-term presence in the country, which has recently been in doubt.

The additional measures that must be implemented, per the Italian SA’s recent address, include the capability for users and non-users to request their personal information be changed if generated in ChatGPT user prompts. 

“OpenAI will have to make available easily accessible tools to allow non-users to exercise their right to object to the processing of their personal data as relied upon for the operation of the algorithms,” the regulator said. 

“The same right will have to be afforded to users if legitimate interest is chosen as the legal basis for processing their data,” it added. 

The measures echo the so-called ‘right to be forgotten' - the data privacy rule that preceded GDPR and was ultimately included in the EU-wide regulations in 2018.

Since Italy banned the use of ChatGPT in the country earlier this month, a move that was branded ‘an overreaction’ by experts, talks have been ongoing between it and OpenAI - ChatGPT’s developer.

The result of these talks has led the California-based firm being given a ‘to-do’ list of changes before it can resume operating in the country. 

OpenAI has been given a deadline of 30 April to comply with the numerous measures set out by the Italian SA. 

These include changes to data processing transparency, the rights of data subjects, the legal basis of data processing for algorithmic training, and safeguards for minors. 

GDPR and data subject rights

Data subject rights outlined under GDPR include eight fundamental tenets, including the right to withdraw consent for the use and processing of personal data. 

Under GDPR, citizens are also entitled to the right to rectification under Article 16 of the legislation, meaning that data subjects can request “inaccurate or outdated personal information be updated or corrected”.

Similarly, data subjects have the right to be forgotten, or the ‘right to erasure’, which enables them to request that their personal data be deleted.

In this context, the Italian data protection regulator appears concerned that given the potential for personal information to be disclosed via ChatGPT, this poses a risk to Italian citizens and is in breach of GDPR. 

Large language models (LLMs) such as ChatGPT rely on huge volumes of information drawn from the internet to train AI models.

This has posed questions recently over how platforms such as ChatGPT may pose privacy risks - and the generation of incorrect information has been thrust firmly into the spotlight in this regard.

Last week, an Australian mayor mulled the prospect of legal action when ChatGPT generated false information which stated he was imprisoned for bribery.

In reality, Brian Hood, Mayor of Hepburn Shire Council, was a whistleblower and was neither arrested nor convicted on criminal charges.

Regulatory crackdown

Discussions around regulatory safeguards to mitigate the potential dangers of generative AI have raged since the launch of ChatGPT in November last year.

 Earlier this week, US authorities launched a public consultation to explore potential “accountability measures” for companies developing AI systems such as ChatGPT. 

The consultation could guide the development of future US legislation on AI safeguards to ensure responsible use.

Lawmakers in the US are set to explore potential “accountability measures” for companies developing artificial intelligence (AI) systems such as ChatGPT amid concerns over economic and societal impacts. 

The National Telecommunications and Information Administration (NTIA), the US agency which provides advice to the government on technology policies, said it will launch a public consultation on AI products and services. 

According to the NTIA, insights gathered from this consultation will help inform the Biden administration to develop a “cohesive and comprehensive federal government approach to AI-related risks and opportunities”. 

“NTIA’s ‘AI Accountability Policy Request for Comment’ seeks feedback on what policies can support the development of AI audits, assessments, certifications, and other mechanisms to create earned trust in AI systems that they work as claimed,” the department said in a statement on Tuesday. 

In its statement, the NTIA said that potential audits of AI systems could work in a similar fashion to those conducted in the financial services industry to “provide assurance that an AI system is trustworthy”.

NTIA administrator Alan Davidson said the consultation will help inform the US administration’s long-term approach to AI products and prevent or mitigate any adverse effects. 

“Responsible AI systems could bring enormous benefits, but only if we address their potential consequences and harms. For these systems to reach their full potential, companies and consumers need to be able to trust them,” he said. 

“Our inquiry will inform policies to support AI audits, risk and safety assessments, certifications, and other tools that can create earned trust in AI systems.”

Concerns over AI's growth

The move from the NTIA follows mounting concerns about the potential impact of generative AI systems such as ChatGPT. 

The rapid advent of generative AI products has prompted a degree of hesitancy among lawmakers on both sides of the Atlantic. 

In late March, Italy announced a shock ‘ban’ on ChatGPT amid data privacy concerns. 

The Italian data protection authority voiced serious concerns about the generative AI model and said it plans to investigate OpenAI “with immediate effect”. 

Lawmakers elsewhere in Europe are also thought to be exploring a potential crackdown on AI systems, with German authorities among those cited as having serious concerns. 

While lingering worries over generative AI products such as ChatGPT continue, some industry analysts described the Italian decision as an “overreaction”, saying that such crackdowns could have negative long-term implications for companies in the country exploring the use of AI. 

Andy Patel, researcher at WithSecure, told ITPro that Italy’s decision had essentially “cut off” one of the most transformative tools currently available to businesses and individuals. 

Industry stakeholders have also voiced a growing discontent over the speed of generative AI development. 

Around the time of Italy’s ChatGPT decision, an open letter penned by tech industry figures including Elon Musk called for an immediate halt to “out of control” AI development. 

The controversial letter demanded a six-month pause be imposed on companies building generative AI models and argued that there is a concerning lack of corporate and regulatory safeguards currently in place to moderate generative AI development. 

Digital transformation creates a variety of new opportunities, but unfortunately can also result in the increase of risks, and the more an enterprise can understand the risks it faces - especially as a company-wide initiative - the more successful their digitisation will be.

This special edition guide can help your employees better understand how they can be part of a successful digital risk management strategy, with practical advice on how to apply learnings to real risk management situations.

Download now to learn:

• The basics of risk identification and management
• How to manage digital risk
• As well as five tips for successful digital transformation

Provided by

A bipartisan US antitrust bill, which could soon be voted on in the Senate, has reportedly faced an expensive opposition campaign by tech giants.

One of several bills included in a wider antitrust proposal, the American Innovation and Choice Online Act (AICO) has been two years in the making and seeks to forbid tech giants from engaging in ‘self preferencing’, using platform data for unfair profitable advantage, and infringing upon the payment or pricing methodology of competitors.

Bloomberg reports that Google, Apple, Amazon and Meta, alongside trade groups with which they are affiliated, have spent just under $95 million since 2021 to lobby against support for the bill, which they argue will limit their ability to run platforms effectively.

In a similar focus to the EU’s Digital Markets Act (DMA), the AICO would seek to prevent so-called ‘gatekeeper’ firms, those that run the largest online platforms home to many smaller competitors, from abusing their positions of power for financial gain. For example, Google’s promotion of Google Maps reviews when a customer searches for a restaurant or Amazon’s control over which products are listed highest will be put under scrutiny by the bill.

“It is really hard to take on these subjects when you have the biggest companies the world has ever known, that control an inordinate part of the economy, opposed to it,” Vox quotes senator Amy Klobuchar, the co-sponsor of the AICO, as having remarked.

In a blog post from January, Google’s president of global affairs Kent Walker argued that potential US legislation on this level would be damaging for customers and the tech sector:

“Antitrust law is about ensuring that companies are competing hard to build their best products for consumers.

“But the vague and sweeping provisions of these bills would break popular products that help consumers and small businesses, only to benefit a handful of companies who brought their pleas to Washington.”

Those sponsoring the bill are confident that if voted on, it has the support necessary to clear the Senate. But it remains to be seen if the bill will be raised for a vote in the narrow window before the midterm elections in November, which are likely to change the voting balance within the senate.

If enacted, the AICO would give the Federal Trade Commission (FTC), along with the Department of Justice, the authority to sue companies that fail to comply, though what the penalty could look like has yet to be determined.

The bill comes to vote as many legislators around the world consider the power that many tech giants exert over their market. The EU has recently opened an investigation into Google’s dominance over the Play Store, which sees it charging high developer fees and limiting the extent to which apps can use alternative billing systems, while in the UK, the Competition and Markets Authority (CMA) has opened an investigation into whether Amazon’s platform gives its retail arm an unfair advantage over third-party sellers.

Despite individual reviews of monopolistic practice, however, the UK is not yet pursuing big tech regulation to the same degree as the EU is with the DMA. Set to come into effect in Spring 2023, this will greatly curb the extent to which tech giants can use platforms to unfairly push their services, as well as protect data from being used to damage the competitiveness of the market.

In particular, the act seeks to limit the powers of gatekeeper companies. Such firms that fail to comply with the rules will face fines of up to 10% of their worldwide turnover, or 20% on repeat offences.

Without lobbying power in Europe as in the US, there is little that Google or any other tech giant can do to halt the implementation of the DMA, and companies may be forced to change their worldwide practice as a result.

Regtech can best be described as the use of a range of different technologies to help organisations meet compliance requirements efficiently. Typically it includes technologies like analytics, robotic process automation, machine learning, natural language processing, and, of course, cloud. Yes, all the buzzwords. The outcome should be faster, smoother compliance. Inevitably there should also be reduced generation of paper, easier access to documentation and the elimination of silos. Ultimately, regtech gives organisations a single source of truth for compliance management.

Let’s start with finance

Finance has been the sector that’s pushed ahead fastest with regtech, and that’s no surprise. As Chris Steele, director of banking risk and regulation at KPMG UK tells IT Pro: “Firms in the financial services sector have seen a huge growth in both compliance requirements and the number of staff required to deal with those requirements, with some banks having four times the number of compliance staff than before the last financial crisis.”

He also points out that large banks spend millions of pounds each year on compliance and this, plus the threat of substantial fines, has been a key motivating factor in banks turning to technology.

Other sectors are not immune to the growth of compliance requirements, and have watched the financial sector benefit from using regtech to keep up with the mushrooming regulatory requirements it faces. Think about GDPR and consumer protection in retail, and about the increased regulation of utilities provision for example. As regulation grows, regtech has proved its worth and is expanding from finance into other sectors.

Strategic decisions for the board

Micheal Sheehy, deputy chief compliance officer at global payments provider and eCommerce enabler Payoneer tells IT Pro that boards might be drawn to regtech, because it can help “give [them] peace of mind, knowing their companies are compliant and that the company is doing what it needs to do, when they need to do it”. Nevertheless, regtech is relatively new outside the financial sector, and boards interested in examining the value it might bring could find themselves without a huge number of other organisations to compare themselves with.

Boards need to tread carefully when taking on something completely new, and something so absolutely vital helping to ensure compliance. Sheehy tells IT Pro that boards should pay particular attention to three things: Ensuring their regtech provider can deliver the coverage required – whether that is local or global; getting complete clarity on costs and efficiency savings; and being certain about the potential for mitigating risk, including removal of manual processes and the reduction of the use of paper.

A regtech provider also has to fit in with the organisation’s wider technology. Steele says boards should ask themselves if a particular provider is a good fit with existing systems and future digital transformation plans. “Organisations will have digital and data strategies that are firm-wide and integration with those is key. Any regtech or digital solution will have to operate both within existing frameworks and alongside legacy systems,” he says.

Looking beyond the immediate

For boards – and for shareholders – certainty around compliance is a key plus of implementing regtech, but there are many other benefits as well. “Many regtechs have core aims of reducing cost, cutting through complexity and/or dealing with uncertainty, however technology that supports a better customer experience can also help boards achieve their strategic goals of building and maintaining trust with customers,” Steele points out.

It’s likely there will be considerable disruption as a regtech solution is implemented. Compliance tasks might be spread across several departments or teams, and the locus may need to change. Management and maintenance of paper systems may no longer be necessary, and this could have staffing implications. There will also be a need to either digitise or otherwise manage older paper documents, perhaps entailing a period of additional work as part of the implementation programme. Resources may also need to be devoted to retiring or ensuring appropriate interfacing with legacy document management systems.

As with any technological change, there will be disruption, but the benefits of regtech extend far beyond the important one of improving and streamlining compliance processes. They also extend to improved customer trust, reduced paper usage, longer term financial savings and greater confidence in the organisation at board level and beyond.

New York lawmakers have submitted a bill banning cryptocurrency mining operations for three years.

Introduced on Monday, bill S6486 seeks to put a moratorium on the operation of cryptocurrency mining centers unless they undergo a full environmental impact statement review. The review would have to prove that a mining center doesn't affect the state’s greenhouse gas emission targets.

"Cryptocurrency mining centers are an expanding industry in the State of New York, often, but not exclusively, located in retired or converted fossil fuel power stations, including dormant power plants," the bill said.

As part of its Climate Leadership and Community Protection Act, the state has called for a 40% reduction in greenhouse gas emissions over 1990 levels by 2030. That rises to 85% and net-zero emissions in all sectors of its economy by 2050.

The cryptocurrency mining bill added, "The continued and expanded operation of cryptocurrency mining centers will greatly increase the amount of energy usage in the State of New York, and it is reasonable to believe the associated greenhouse gas emissions will irreparably harm compliance with the Climate Leadership and Community Protection Act in contravention of state law."

The bill applies to existing and proposed mining operations. In addition to a cumulative impact assessment on greenhouse gas emissions, it would also include a review of any impacts on water or air quality, or wildlife. Reviews would include a 120-day public comment period.

Bitcoin has had a considerable impact on energy consumption. Its consensus algorithm relies on a process called proof of work, in which miners compete for the chance to include transactions in a block on the chain. To do so, they compete to solve a complex mathematical problem. The bitcoin protocol seeks to regulate the production of blocks to one every 10 minutes. To do that, it must make the mathematical problem more difficult as more miners join the network, adding more computing power.

Proof of work forces the total computational power on the network upward as bitcoin becomes more popular. The cryptocurrency has seen its price soar recently, forcing the hash rate up.

According to the Bitcoin Energy Consumption Index, it takes 1138 kWh of energy to process a single bitcoin transaction at the time of writing, which equates to the energy required to run a single US household for 39 days. The bitcoin network uses roughly the same amount of energy as the Netherlands each year.

While the core bitcoin developers seem committed to proof of work, competing network Ethereum, which offers additional functionality, is preparing to transition to an alternative proof-of-stake mechanism. This approach replaces miners with validators chosen to mine each block, dramatically reducing energy use compared to proof of work.

Tech companies and industry groups are urging governments to act against the rising threat of ransomware by regulating cryptocurrency.

The Ransomware Taskforce has released a report urging governments to require cryptocurrency exchanges, crypto kiosks, and over-the-counter trading desks to comply with existing laws, including Know Your Customer (KYC), Anti-Money Laundering (AML), and Combatting Financing of Terrorism (CFT) laws. The task force comprises participants from governments, software firms, cyber security vendors, non-profit and academic institutions worldwide.

The Combating Ransomware report made 48 recommendations to address the ransomware threat.

It called on the US to “lead by example” and execute a “sustained, aggressive, whole of government, intelligence-driven anti-ransomware campaign, coordinated by the White House.”

It said this must include the establishment of an Interagency Working Group led by the National Security Council in coordination with the nascent National Cyber Director; an internal US Government Joint Ransomware Task Force; and a collaborative, private industry-led informal Ransomware Threat Focus Hub.

The report also urged coordinated, international diplomatic, and law enforcement efforts to proactively prioritize ransomware through a comprehensive, resourced strategy, “including using a carrot-and-stick approach to direct nation-states away from providing safe havens to ransomware criminals.”

Industry figures welcomed tighter regulation but said such laws should not treated as a sole means of stopping ransomware.

Peter Grimmond, International CTO & International VP Technical Sales at Veritas Technologies, told ITPro that tighter regulation on cryptocurrencies will certainly “throw a spanner in the works for cybercriminals but businesses should be wary of thinking of this as a silver bullet or of letting their guard down.”

“Hackers have a long history of finding ways of getting paid for their activity. In the early days, it was sending cheques to anonymous PO boxes, then making payments to anonymous vendors on eCommerce marketplaces. As these routes were shut down, hackers evolved their payment demands to cryptocurrencies,” Grimmond said.

Grimmond added that while he supported any move that makes it harder for criminals to take advantage of the organizations, businesses should be wary of a false sense of security cryptocurrency regulation might bring and remain mindful that the best way to protect themselves is to ensure their data is backed up and encrypted.

Ilia Kolochenko, CEO, founder, and chief architect at ImmuniWeb, told ITPro the report provides a broad spectrum of valuable and bright ideas. However, most of them are "burdensome and far too expensive from a practical viewpoint."

"Strong global collaboration to combat cybercrime is probably a utopia, especially amid the rapidly growing political tensions around the globe, unclarity of international law’s application to cyberwar and disruptive aggressions in the digital space," Kolochenko said.

"Sadly, virtually all Western law enforcement agencies are significantly underfunded today, while efficient combat with ransomware will probably require at least a tenfold budget increase - just to address this isolated phenomena. Spiraling pandemic losses will unlikely allow countries to spend more on cybercrime prosecution and investigation units unless the private sector donates billions of dollars. Fighting digital currencies is a waste of time, cybercriminals will find a myriad of other smart ways to bypass sanctions and get paid in impunity."

The increasing complexity of enterprise cloud environments, and the rise of hybrid cloud in particular, is rapidly increasing IT workloads and fuelling a rising demand for automation, Puppet’s CTO has claimed.

During a time when many organisations are being asked to do more with less, the shift from mostly on-prem to a mixture of cloud environments in a relatively short space of time has radically complicated the workloads of CIOs.

Speaking exclusively with IT Pro on the launch of Puppet’s automated Comply platform, Puppet CTO Abby Kearns suggested the increasing complexity of IT infrastructures over as little as the last five years is serving as the main element driving demand for automation.

“The hybrid cloud, and managing across hybrid environments, is the number one driver, honestly, because it’s so complex,” Kearns said. “So many companies started about five years ago to move workloads to the cloud, so we started to see that slow migration, but the cloud wasn’t really set up to mimic the way we were managing on-prem environments.”

Enterprises now have an on-prem environment, a public cloud deployment or perhaps even multiple clouds, with different tools, different workloads and different approaches all in play. Businesses are also using more cloud-native applications and more microservices, so the landscape for IT standards compliance is becoming far more complex.

Puppet’s Comply automation platform is a system designed to cut out many of the traditionally manual processes IT teams and CIOs would manage when ensuring their hardware meets a range of compliance standards.

The product, which will be offered in addition to a compliance automation consultancy service the company already markets, would allow customers to manage their own automation programmes across their IT estate.

Alex Hin, Puppet’s principal product manager, told IT Pro the platform will raise IT visibility, identify compliance shortcomings and remediate these issues.

He explained the need for such software comes from small teams of three to five people suddenly being tasked with making configuration changes on hundreds of thousands of nodes, either on-prem or on the public cloud. This becomes a high investment for the company, requiring a lot of spend and a lot of expertise for all environments to move into compliance.

“That’s really where it comes into play,” Kearns continued, “the idea that automation is really the only route to be able to do that. Because this isn’t just something where you can assign more people to the work. You can’t just throw more people at the problem, you’re going to have to figure out how to automate this as you start to get into the hundreds of thousands of workloads. It’s just a different kind of scale.”

Puppet’s Comply platform will launch in the coming weeks with pre-integrated compatibility with the CIS benchmarks, and further plans to integrate a number of other compliance standards in future. These will extend to include many common standards from DISA, FedRAMP, SOX, HIPAA, and PCI DSS.

The drive to automate, Puppet hopes, will begin to free up time for many organisations that are trying to do more with less, particularly as a result of economic pressures due to COVID-19. One example of a process that Comply will automate is the ‘desired state configuration’ feature. This essentially automatically reverts any configuration changes to a ‘desired state’ if the system detects that the change has led the system to deviate from the particular standard to which it’s adhering to.

“For us, we’ve spent the last six months really investing in a platform-centric approach and the opportunity to really extend into compliance and really build on those capabilities are really powerful for us and our customers,” Kearns added.

“And that’s something we’re going to spend the next several years really continuing to expand on, and really continuing to drive innovation from an automation standpoint, but also from a compliance standpoint as we see those things go hand-in-hand for our customers. “

Think about the digital services you use personally and the services your business could not operate without. From collaboration tools to recommendations in online stores, they all rely upon sophisticated algorithms to work – and these algorithms are about to take a quantum leap forward in sophistication.

With massive datasets now available and intelligent systems able to interrogate them, do we need to pay much more attention to how algorithms are regulated to avoid unfairness, and potential ethical issues when algorithms are applied to personal data?

Algorithms are increasingly entrenched in every aspect of our lives, to an extent people may not even realise; McDonald’s, for example, recently purchased AI company Dynamic Yield to analyse the habits of its customers, yet many will be completely unaware this is happening. With concerns the widespread use of algorithms and AI could lead to an increase in problems such as inherent bias and discrimination, there are growing calls for more visible regulation.

Some countries and regions have already started to take action. Late last year, Denmark began development of a labelling scheme to deliver a new seal of approval for IT systems to ensure data is used ethically.

Not everyone believes such steps are necessary, however. Martin Schallbruch, deputy director of the Digital Society Institute at German business school ESMT Berlin, says trying to regulate the use of algorithms is unnecessary and quite possibly pointless.

“We do not need algorithm police,” he tells IT Pro. “A general algorithm regulator would fail. Algorithms are used in railways as well as in pacemakers, by the police as well as by the education system. A single regulator cannot set the framework for innovation and the use of algorithms for all areas of life.

“We already have a high degree of overlap between data protection authorities, information security agencies and various sectoral regulators. An algorithm regulator would overlap massively with all these bodies – either the effectiveness would evaporate, or the innovation would be stifled by overregulation.”

However, the rapid development of AI is driving much of the debate around how algorithms are being used. Indeed, across the EU, algorithm accountability is driving regulators to consider the concept of “Trustworthy Artificial Intelligence” where businesses using these algorithms would self-regulate having obtained approval from a future EU regulator.

Transparent code

The use of algorithms will only expand and become even more entrenched in the business processes and services used by enterprises and individuals alike. As DARQ – distributed ledger, AI, extended reality and quantum computing – develops, will the need for some form of regulation become impossible to ignore?

Felix Hufeld, president of the Federal Financial Supervisory Authority, says: “What happens if something goes wrong and errors are made? Can a board member say: ‘it wasn’t us, it was the algorithm’? I say No. Ultimate responsibility must remain with management, meaning people.”

Automation is clearly on the development roadmap for all businesses. The use of automated systems will become critical for many companies. Speaking at the Ethical Governance session of the Zebra Project, deputy CEO of techUK, Anthony Walker, noted: “Why is transparency so important? So that we are innovating in a way that creates broad trust, and that companies are seen as trustworthy by customers and regulators. Companies need to be able to explain why things are being done. We need to build a culture of thoughtful, reflective innovation where people are thinking about the precise objective we want to get to, and what do we not want to happen.”

Ensuring algorithms are not used as black box technologies will be critical. As Walker points out, trust is at the heart of these systems and unethical, or at best dubiously ethical, use of data is rife. This is exacerbated by the likelihood that as these technologies become more complex and pervasive, they could become more challenging to control. This is the space where regulators will likely have to step in to protect the liberties of populations and businesses alike.

However, this may be easier said than done, and in some areas policing algorithms may be impossible. Dr Mike Lloyd, CTO of RedSeal, tells IT Pro: “Some algorithms can usefully explain how they came up with an answer, while others cannot. If we don't pay attention to this distinction, the future is going to be a lot harder to navigate.

“One inconvenient truth is some of the best artificial intelligence and machine learning algorithms are the ones that lack transparency – they do not offer any way for humans to get a handle on why they came up with the answers they did.”

In this scenario, it will be vital to get the initial parameters the algorithm uses right. Here, human intervention will be needed, but this opens up the potential for intrinsic human bias and discrimination being unwittingly built in by the creators, which leads back to one of the greatest arguments for the need for transparent AI in the first place.

In June 2019, James Proudman, then the Bank of England's executive director for UK Deposit Takers Supervision, told the UK Financial Conduct Authority's (FCA) conference on governance in banking: “You cannot tell a machine to ‘do the right thing’ without somehow first telling it what ‘right’ is, nor can a machine be a whistleblower of its own learning algorithm. In a world of machines, the burden of correct corporate and ethical behaviour is shifted further in the direction of the board. Also, it may become harder and take longer to identify the causes of problems and to attribute accountability to individuals in a workplace dominated by big data and AI.”

Controlling the machines

The UK's government is already investigating how human bias can influence the datasets being interrogated by algorithms, particularly in areas such as law enforcement. The Centre for Data Ethics and Innovation (CDEI) and the Cabinet Office’s Race Disparity Unit are assessing algorithmic discrimination. The Durham Constabulary, meanwhile, began testing HART (Harm Assessment Risk Tool) in 2017 that uses AI to help decide whether a suspect should be kept in custody. Given black people are three times more likely to be arrested than their white counterparts, despite having the lowest conviction ratio, the risks for potential discrimination and the misallocation of risk are clear.

In their interim report, the CDEI concludes that algorithms and human decision-makers should always be present together when technology is being used to make highly sensitive decisions. They acknowledge that “it is critical that governance approaches cover this broader context and do not focus exclusively on the algorithmic tools themselves”.

Hannah Fry, associate professor in the Mathematics of Cities at University College London and the author of Hello World, believes we need something akin to the US Food and Drug Administration (FDA) for algorithms

Speaking to science website Nautilus, Fry said: “You can roll out an algorithm that genuinely makes massive differences to people's lives, both good and bad, without any checks and balances. To me, that seems completely bonkers. So, I think we need something like the FDA for algorithms. A regulatory body that can protect the intellectual property of algorithms, but at the same time ensure that the benefits to society outweigh the harms.”

Nadun Muthukumarana, lead partner for data analytics and cognitive AI within the transport and public sector at Deloitte, agrees, telling IT Pro: “Bias, fairness and ethics will depend on the guidance that is given to an algorithm that would create another. Moderation techniques will need to be built in for the removal of bias and the preservation of fairness and ethics within algorithms.

“Regulation, however, will still be the backstop that will ultimately prevent the application of algorithms, man or machine-made, to do harm. In this case, regulatory measures set a precedent for how these algorithms are created and applied.”

For many, though, regulation can create a stranglehold on innovation and it may be impossible to make some black box systems fully transparent. As AI in particular develops, businesses, consumers and governments will all have their part to play to ensure these systems work with the minimum level of bias and discrimination.

EU officials have rejected Mark Zuckerberg’s latest ideas and proposals for regulating social media platforms following a brief meeting, suggesting they do not go far enough.

Following a short meeting with the Facebook chief, the European commissioner for internal markets and services Theirry Breton suggested that the EU shouldn't adapt to Facebook’s demands, but vice versa.

He rejected out-of-hand a paper prepared by Facebook, according to Reuters, in which the firm criticised the threat of 'intrusive regulations'. Instead, the platform favours more flexible rules which would demand that companies regularly report harmful content, and publish enforcement data.

“It’s not enough,” Breton told reporters, adding: “it’s not for us to adapt to this company, it’s for this company to adapt to us."

Moreover, Zuckerberg failed to address his company’s market dominance and the responsibilities of his platforms.

Zuckerberg, who runs a vast social media empire comprising Facebook, Messenger, WhatsApp and Instagram, on Monday suggested that social media giants should be judged as if they were in between a newspaper and a telecoms firm.

“I do think that there should be regulation on harmful content ... there’s a question about which framework you use for this,” Zuckerberg said during a Q&A session at the Munich Security Conference.

“Right now there are two frameworks that I think people have for existing industries - there’s like newspapers and existing media, and then there’s the telco-type model, which is ‘the data just flows through you’, but you’re not going to hold a telco responsible if someone says something harmful on a phone line.

“I actually think we should be somewhere in between.”

Zuckerberg has previously dipped his toe into the well of regulation, putting forward a series of proposals in the past as the regulatory climate against social media platforms intensifies.

The Facebook founder claimed in April last year there should be a set of new regulations and standardised systems in areas beyond just data protection, which has seen reinforcement following the introduction of GDPR.

There should, for example, be a set of common standards across borders, with enforceable rules, that compel social media platforms to get to grips with the uploading and sharing of ‘harmful’ content.

The European Commission’s vice president for values and transparency Věra Jourová, who also met with the Facebook CEO, similarly backed the idea that Facebook cannot expect to bend the will of regulators to suit its agenda.

“Facebook cannot push away all the responsibility,” she said. “Facebook and Mr Zuckerberg have to answer themselves a question ‘who do they want to be’ as a company and what values they want to promote.

“It will not be up to governments or regulators to ensure that Facebook wants to be a force of good or bad.”

The European Commission is expected to announce proposals tomorrow that are aimed at challenging the market dominance of companies like Google and Amazon.

These may build on draft proposals issued in January that set out ambitions to create a data-centric single market to make it easier for companies to tap into the bloc’s large volume of industrial and professional data. They’ll also be accompanied by draft proposals that govern the use and applications of artificial intelligence.

The EU has been toying with a range of ideas regulating tech companies, particularly when it comes to compelling platforms to remove harmful, illegal or extremist content. Proposals have been publicly discussed under different guises for years, with one idea shared in 2018 involving compelling companies to remove content within an hour.

Last July, the bloc proposed rewriting the rulebook on how to engage with Big Tech altogether, touting the suggestion of a new ‘Digital Services Act’. This would give the EU a raft of legal powers to influence how social media platforms govern content that falls into the bracket of hate speech or extremist-inclined.

The UK has also previously hinted at a form of tech regulation, although proposals initially announced in 2019 were significantly watered down last week when the government released its response to public consultation. Under the new plans, the telecoms and broadcast watchdog Ofcom would be given license to police Silicon Valley giants, as opposed to an entirely new regulator as was previously suggested.

The culture secretary will hold talks with Mark Zuckerberg today in an attempt to engage the Facebook CEO just weeks before the government releases proposals to regulate big tech companies.

Secretary of state for digital, culture, media and sport (DCMS) Jeremy Wright will be granted 30 minutes of Zuckerberg's time, according to the BBC, at the company's Californian headquarters today.

The meeting has been scheduled in the wake of growing pressure on the role social media giants are playing in exacerbating mental health conditions in young people, with repeated suggestions from the government they are ready to legislate.

Facebook has also this week been lambasted by the DCMS select committee in the findings of its 18-month investigation into fake news and disinformation, with the influential group of MPs accusing the tech giant of behaving like "digital gangsters".

Zuckerberg had refused to meet with or give evidence to the committee during its investigation, much to the ire of its chair Damian Collins MP, who has made countless attempts to engage the Facebook founder.

But the culture secretary, leading a UK delegation that includes digital minister Margot James, will speak with Zuckerberg about ways to prevent online harm, in an attempt to gauge his views ahead of publishing a legislative white paper. The Californian trip will also include meetings with Apple, Google, and Twitter among other firms.

Due in the next few weeks, the white paper will outline the government's thinking on how to regulate tech giants for the first time, with mounting speculation that any new proposals will include setting up an industry watchdog.

An independent regulator, akin to Ofcom for telecoms firms, are among the range of measures proposed in the DCMS committee's report, as well as its demand for a compulsory code of conduct.

The 108-page report particularly focused on how Facebook failed to prevent the spread of fake news and disinformation on its platform during political campaigns, as well as failed to deal with known sources of harmful content.

The committee also accused the social media firm of deliberately disregarding data privacy principles and willfully breaking data laws in the interests of "profit over data security".

"We believe that in its evidence to the Committee Facebook has often deliberately sought to frustrate our work, by giving incomplete, disingenuous and at times misleading answers to our questions," Collins said after the publication of his report.

"Even if Mark Zuckerberg doesn't believe he is accountable to the UK Parliament, he is to the billions of Facebook users across the world. Evidence uncovered by my Committee shows he still has questions to answer yet he's continued to duck them, refusing to respond to our invitations directly or sending representatives who don't have the right information."

Is it time to regulate algorithms? One Labour MP believes so -- and she's not the only one raising concerns about algorithmic accountability.

Chi Onwurah, shadow industry minister for Labour, told the Guardian that algorithms need to be regulated the same way their results are.

"Algorithms aren't above the law," she told the newspaper. She added: "The outcomes of algorithms are regulated the companies which use them have to meet employment law and competition law."

Onwurah admitted it's not easy to regulate algorithms when they lack transparency, saying the issue will be examined in a paper from Labour due in the new year.

The potential challenge to Silicon Valley's smoke and mirrors follows pressure on Google and Facebook to address the flood of "fake news" propagated by both services, and as more people find work in the so-called gig economy, with their employment influenced by algorithms created by the likes of Uber.

Such problems require algorithmic accountability, academics have argued. The question is how to give accountability to something that's by its nature confusing and more often than not the "secret sauce" behind a company's success.

"Algorithms are an area that in principle should be regulated, since they are ways of categorising people, things and actions and counting up the results," said Nick Couldry, Professor of Media, Communications and Social Theory LSE. "It matters a lot what is counted, and how the results are processed."

But he added that the need for regulation depends on the function. "I may care a lot less about algorithms that change what buying or listening recommendations I receive than those affect what appears to me as news, or affect how I am evaluated by others," he told IT Pro.

"Organisations should always take responsibility for how they represent the world and how they represent human beings, and this is no different," he added. "It is not so much a question of transparency (it may be hard for lay people to understand how an algorithm works even if they are told) as accountability. And underlying that, the question of whether the information on which the algorithm works should be collected in the first place."

In other words, algorithmic accountability may, in some ways, come back to data protection.Dr Alison Powell, assistant professor and director of Media and Communication at the London School for Economics, notes that theGeneral Data Protection Regulation stipulates that the function of an algorithm must be "made understandable to those they influence."

But she said that functional transparency may not be enough, and it may be necessary for the training data and other elements to be available for examination. "It is possible to regulate algorithms ex post - that is, in terms of their outcomes - but this is difficult in contexts where machine learning or other artificial intelligence techniques are used as there may be a gap between the claims made at the beginning of a process and the outcomes at the end," she explained. "Computer science scholars have proposed a strategy of 'procedural regularity' to address this. This process tries to make the steps of the algorithmic processing more regular so that there are ways of auditing and ensuring that the process isn't discriminating against people unfairly."

Ofcom has stung Vodafone with a 4.6 million fine for a "serious and sustained breaches of consumer protection rules".

More than 10,000 pay-as-you-go customers lost out when Vodafone systems failed to transfer account credit during 'top-up' requests. Customers collectively lost 150,000 over a 17-month period.

The regulator also criticised Vodafone for failing to act quickly enough to address errors caused by switching to a new billing system. A second Ofcom investigation found the company failed to comply with customer complaint rules, as many Vodafone service agents were not briefed on what constituted a complaint.

The system for handling complaints, including prioritisation and responding in a timely manner, was also severely inefficient, according to Ofcom.

It levied a penalty of 3.7 million for failing to credit pay-as-you-go customer accounts, and an additional 925,000 fine for its poor customer service.

Vodafone has already reimbursed affected customers, and must pay the fines within 20 days.

"We have refunded or re-credited 10,442 customers out of the 10,452 affected. The average refund per customer was 14.35," said Vodafone in a press statement.

The company acknowledged the incidient was a "serious error" and teams "failed to appreciate its significance" once it was discovered. Vodafone has assured customers that it has implemented "system wide changes" to its management system, and has overhauled its escalation procedures in response to the investigation.

"This isn't the first time Ofcom have levied a fine for this type of thing, but it is certainly the largest," said Matthew Howett, regulatory analyst at research firm Ovum.

"Vodafone would have been expecting a fine, particularly given the length and breadth of the investigation. Their conciliatory tone this morning suggests they are now trying to move on from the damage and repair reputations with customers," added Howett.

Following rule changes in 2015, Ofcom has since taken a more aggressive approach to sanctions, particularly against telecommunication companies. Since the changes, the severity of the fine would be determined by the seriousness of the breach, which Howett believes is reflected in today's announcement.

"While the number of affected customers is minimal compared to the total 20 million Vodafone users in the UK, the investigation has been an unwanted headache," said David Cheetham, market analyst at XTB.

"Investors will hope that the firm can move on and look to build on a solid if not spectacular year so far which has seen the stock rise around 10%. The telecommunications company will likely be pleased to have drawn a line under the whole incident and take their medicine in the form of a sizeable fine."

The 4.6 million fine against Vodafone stands as the largest ever penalty issued by the regulator. Last year Ofcom issued a 1 million fine against mobile network EE for similarly failing to handle customer complaints, while TalkTalk and Tiscali were hit with a 3 million penalty in 2011 for breaching billing rules.

BT has played down its control of Openreach amid calls for the subsidiary, responsible for rolling out fibre network across the UK, to be broken off from its parent company.

The telecoms firm said the fibre delivery company is "heavily regulated" and operates at "arm's length from the rest of BT", as industry regulator Ofcom seeks views on whether Openreach should be fully split from BT.

Its cables are used by BT but also leased to competitors to provide broadband and phone services, and Ofcom is considering fully separating the firms to ensure BT cannot discriminate against competitors.

However, in a company reshuffle following the acquisition of mobile provider EE, BT said Openreach would carry on as it is.

"Openreach will be unaffected by the re-organisation," BT said. "It provides all companies with equal access to BT's local access network in Great Britain and is heavily regulated with more than 90 per cent of its revenues coming from price regulated services."

Competitor TalkTalk and the Labour party supported a separation, and Ofcom is expected to make a decision next month.

If it does not instruct BT to drop its local access network, then it will likely impose tougher regulations on its dominance of the consumer broadband market.

Excluding Openreach, BT has split its business into five other branches to serve consumers, enterprise, the public sector and other industry players. Specifically, Openreach and its new Global Services division will provide wholesale services to other industry players.

Commenting on the restructure, Gavin Patterson, chief executive of BT Group, said: "The acquisition [of EE] provides us with a chance to refresh our structure and we have done that by creating a major new division that will focus on businesses and the public sector in the UK and Ireland.We want to support those sectors by offering customers the very best services whether that be dedicated private lines, network products such as fibre broadband, mobile solutions, IT services or cyber expertise to keep them safe.

"We will continue to offer many of these services to multinational companies and major overseas customers via our Global Services division. It is an important part of the company and this new structure will enable it to sharpen its focus on its key areas of strength."

BT's restructure will take effect from April.

BT also posted its results for the three months to December 31, which showed revenue rose three per cent to 4.6 billion.

25/01/2016: BT CEO opposes Openreach spinoff

BT's CEO Gavin Patterson has hit out at suggestions Openreach should be sold off, claiming it would create uncertainty in the market.

However, he admitted on the Today Programme on Radio 4 that Openreach, BT's arm responsible for rolling out fibre networks, needs to do more to provide broadband in rural areas and improve its business performance, following the publication of a damning report by British Infrastructure Group (BIG).

"Over 90 per cent of the UK can get super fast broadband today - which means that 10 per cent today cannot. Within the next 18 months that will only be 5 per cent and we are working with the Government to find ways to address the last five per cent," Patterson said.

"But even Department for Culture, Media and Sport and Ofcom have pointed out that we will get to 95 per cent of the UK by the end of next year."

The BIG report said that unless BT and Openreach are separated, they will "continue to paper over gaping cracks."

It added: "Whilst rural SMEs (small and medium-sized enterprises) and consumers are left with dire speeds, or even no service at all, Openreach makes vast profits and finds little reason to invest in the network, install new lines or even fix faults in a properly timely manner."

BT's operations have come under scrutiny over the last year, as part of Ofcom's Strategic Review of Digital Communications that is investigating into how the communications market is operating in the UK.

The regulator is considering splitting BT and Openreach to remove any incentive for the provider to discriminate against rivals, who rely on Openreach's fibre network that spans the UK to offer their own services to consumers.

Splitting BT and Openreach is not the only option Ofcom is considering other possibilities include allowing rivals to build their own networks, strengthening the existing model of functional separation', or making no changes at all.

The assessment also includes aspects such as pay TV regulation and broadband in rural areas, which has caused a great amount of controversy as BT, Virgin and Sky compete to become the leading broadband provider in the country.

19/11/2015: Ofcom lifts pay TV regulation as Sky-BT war continues

Ofcom has decided to remove the regulation requiring Sky to offer Sky Sports 1 and 2 on a wholesale basis, because the channels are available on other pay TV services on commerical terms.

Sky Sports is now available via commercial wholesale deals with various pay TV competitors, including BT, TalkTalk, and Virgin Media, as well as Sky's own NOW TV service, meaning the regulator deemed the stipuation to no longer be appropriate.

Ofcom has been looking at the pay TV market in the UK as part of the Strategic Review of Digital Communications, the first formal assessment of the sector for 10 years.

18/09/2015: Sky and BT have come to blows over the future of Openreach as Ofcom holds a 10-year review of the communications market in the UK.

In an opinion piece in the Telegraph, Mai Fyfield, Sky's chief strategy officer, accused BT of holding back the broadband market in the UK.

"BT's case for the status quo is built on unfounded or exaggerated claims about the benefits of vertical integration and the risks of separation," she said.

"Underinvestment by BT has led to unacceptable levels of faults and service problems that continue to affect consumers and businesses."

She added that creating Openreach as a separate division would be the only practical way of making sure the UK had proper investment in its broadband network.

"An independent Openreach would be a new, highly investable, FTSE 100 company that could catalyse the transformation of Britain's broadband infrastructure," she said.

"BT constantly emphasises that Openreach is entirely functionally separate, with its own assets, employees and accounts. So it is contradictory to argue that the next step of full separation is impracticable."

Her op-ed came hot on the heels of Openreach chief executive Joe Garner's article in the Telegraph, dated 13 September, in which he said that hiving off Openreach would be a "hugh mistake".

"Britain has gained, and will continue to gain, from Openreach as a part of BT benefiting from more investment, more coverage and more speed," he said.

"On investment, BT provides us with ready access to capital. BT's capital allowed us to meet the rapidly rising demand for internet services by rolling out superfast broadband which is, incidentally, 20 times faster than in 2005 and half the price."

24/08/2015: Labour has called for Ofcom to fully split BT from its fibre arm, Openreach, claiming the telecom giant is failing in its duty to bring high-quality broadband to UK homes.

The telecoms regulator is currently reviewing the state of the market amid concerns raised by BT's rivals that their access to the telco giant's vast fibre network suffers from poor service.

As a consequence, the watchdog is considering splitting BT from its fibre roll-out arm, Openreach, to remove the ability for BT to discriminate against competitors.

Writing today in the Telegraph, shadow culture secretary Chris Bryant urged Ofcom to pursue this option, claiming that under BT the UK's broadband rollout has been "too slow, too late".

He wrote: "The situation is now so bad that Ofcom's review should work on the presumption that Openreach should be split from the rest of BT unless their review produces conclusive evidence to the contrary."

Bryant's article comes after Ofcom launched a Strategic Review of Digital Communications, its first formal assessment of the sector for 10 years, which criticised Openreach for delays in providing superfast broadband to homes.

Under a government scheme called Broadband Delivery UK (BDUK), BT is aiming to deliver superfast broadband to 95 per cent of the UK by 2017.

But Bryant claimed the telco giant fears it won't reach the target until 2018 and also criticised the quality of broadband it is providing.

"What are Openreach and the Government delivering? Broadband that is too slow, too late," he said.

BT became the sole contractor for the BDUK project after Fujitsu dropped out and Bryant claimed this monopoly is not helped by BT owning Openreach, the arm responsible for delivering new fibre to homes and workplaces across the country.

Splitting BT and Openreach is not the only option Ofcom is considering other possibilities include allowing rivals to build their own networks, strengthening the existing model of functional separation', or making no changes at all.

However, Bryant said separating the telco giant from its division is the only one that would deliver benefits, while Ofcom believes it could lead to more focus on network investment and performance issues.

Bryant wrote: "It is right that Ofcom is now considering whether this provides an unfair advantage to BT and whether it should be split off in the interests of transparency and fair competition."

Ofcom itself needs to be "brought into focus", he argued, saying its ability to make big decisions is undermined by an "overly burdensome appeals process" that leaves its rulings vulnerable to companies with lots of money to spend on lawsuits.

BT has declined to comment on the matter and IT Pro was still waiting to hear from Ofcom at the time of publication.

A consultation period in which people can respond to the proposals put forward in Ofcom's review continues until 8 October.

Ofcom won't be intimidated by BT, says CEO

The news comes after Ofcom's CEO Sharon White told the House of Commons Culture, Media and Sport Committee in July that she has not come to a decision regarding whether BT should hive off Openreach.

She also said she would not be intimidated by any opposition by the provider or threats of litigation should Ofcom decide to separate the core BT operations and its Openreach internet offshoot.

"I can't say I'm easily intimidated, our drive is what's going to be the best possible deal for the consumer?" she said. "We don't start with a position that the Openreach separation is broken because if you look at how the market over the last ten years in which regulation has been a part of it, although most if it has been through the companies themselves, it's not a broken position."

She said she is happy to consider leaving the situation as is, splitting the company up into two and deregulating the current model.

"I would like to have an evidence-based conversation with BT and the other players about how we, for the next ten years, work towards a settlement that's best for the consumer," White added.

The fact BT owns Openreach means "it still has the incentive to discriminate against competing providers", according to the regulator.

It is now considering four different proposals under the Strategic Review of Digital Communications, one of which is to split BT and Openreach apart.

"This has the potential to deliver benefits, since it would address BT's underlying incentive to discriminate against competitors, and enable a simplified regulatory framework," said Ofcom in the report published in July.

"It may also increase Openreach's management focus on, and control over, network investment decisions and performance issues."

But such a decision would also be an intrusive and complex step for the industry as a whole, Ofcom admitted, with "substantial implementation challenges".

Other moves mooted include making no changes to the current regulations, strengthening the existing model of "functional separation", or allowing rivals to build their own networks.

Some operators, like Virgin Media, already do this, but Ofcom warned it would result in duplicated infrastructure.

White said in a statement: "This review is about ensuring people get the best possible communications services, wherever they live and work.

"Our priorities are clear. We want to promote competition, investment and innovation, so that everyone benefits from even better coverage, choice, price and quality of service in years to come."

BT believes Openreach separation would harm broadband investment

This is the first strategic review since 2005, which resulted in BT creating Openreach to separate itself from its network access division, and BT has warned that further separation would harm broadband investment in the UK.

However, Sky has called for Ofcom to pursue greater separation, with chief strategy officer Mai Fyfield today repeating a call for a full competition enquiry.

She said: "For too long, consumers and businesses have been suffering because the existing structure does not deliver the innovation, competition and quality of service that they need. We believe Ofcom should now move quickly to ask the Competition and Markets Authority (CMA) to undertake a full competition inquiry."

However, analysts do not believe the regulator will separate BT and Openreach, with such a move not necessarily the best one to deliver competition benefits to consumers.

Analyst Paolo Pescatore, director of multiplay and video at CCS Insight, said: "The big news here is the proposed break-up of BT. Many of its rivals have been lobbying hard for this for some time and they've clearly mounted enough pressure to raise concerns.

"The major focus of the latest strategic review of the digital communications market is all about how well competition is delivering benefits to consumers and businesses. With this in mind, it seems that a full separation is unlikely as stated by Ofcom."

Ovum's regulation analyst, Matthew Howlett, added that additional separation wouldn't necessarily solve competition issues.

"While Ofcom recognises there are challenges with Openreach, in particular in relation to service quality, it heavily suggests that further separation will not address these, and could ultimately be disproportionate," he said. "That's not to say that tweaks to the Openreach model aren't likely."

Pay TV

The review is taking place as the CMA considers BT's proposed 12.5 billion takeover of mobile operator EE, with BT set to offer landline, mobile, broadband and pay TV services if it is passed.

While rivals are trying to separate BT and Openreach, BT has responded by calling for a detailed review of the pay TV market.

Ofcom then announced in November 2015 that the regulation requiring Sky to offer Sky Sports 1 and 2 on a wholesale basis will be removed, due to the channels being available on other pay TV services on commerical terms.

Sky Sports is available through various pay TV competitors, including BT, TalkTalk and Virgin Media, as well as Sky's own NOW TV service, and the regulation was thus deemed to no longer be appropriate.

The pay TV market as a whole is being reviewed by Ofcom, with BT claiming the UK pays half a billion pounds more a year than the European average for such services.

However, Ofcom conducted an inquiry into pay TV just five years ago, when it forced Sky to provide certain channels to rivals, and is currently investigating its agreement with BT on this sharing set-up.

Still, a BT spokesman told IT Pro pay TV remains its focus, adding that Ofcom would find the broadband market to be "vibrant and healthy".

He also said: "There has been huge progress this past ten years with an explosion in competition and broadband usage. Consumers are getting more for less and the UK has outpaced its European peers in terms of superfast broadband.

"Much of that progress is down to BT investing billions of pounds in fibre at the height of the recession. That investment wouldn't have occurred had BT been split in two a decade ago and our ambitious plans for ultrafast broadband also depend on BT remaining intact.

"Ofcom have overseen a regime that has balanced investment with competition and we hope they will once again put the needs of the UK and its consumers ahead of those who have tried to keep the UK in the digital dark ages."

The watchdog's consultation is open to comments until 8 October 2015, before it publishes its initial findings in January next year.

This article was originally published on 16 July 2015 but has since been updated to reflect developments in the story, most recently on 25 January 2016.

Technology and life sciences law firm Osborne Clark has called for the EU to scrap plans stopping devices being able to access health data generated by wearables and other health and fitness devices.

The EU's European General Data Protection Regulation would apply the same restrictions given to medical records to data measured by mobile devices, possibly preventing analysis by third party apps, despite technology users saying they're happy for their information to be shared.

"At a time when The Government is looking to find a 10bn budget surplus over the next 5 years, the NHS is predicted to be staring at an annual deficit of 2bn. This research shows that people are open to the idea of data-based healthcare, which could drive such cost savings, whilst also improving quality of life," John Fell, a partner at Osborne Clark said.

"The report also highlights that younger generations have a more liberal attitude to sharing data. If health providers act on this and embrace such services, they will realise massive savings. To encourage this, tech companies need to think big and demonstrate real world consumer benefits, for example, will it cut waiting times, or improve people's health?"

The company's study asked 4,000 people around Europe about their health data and how it can be used, with more than half of respondents saying they are happy for their heart rate, sleep patterns, exercise regimes and other information about their bodies to be used for recommendations of treatment. 62 per cent said they would want to be alerted if the data predicted a serious illness.

Fell added that smart use of data is more than just measuring how fast someone is running or their heart rate while exercising. It could potentially result in patients being diagnosed conditions faster and may even save lives.

"A discussion is already taking place amongst manufacturers around self-regulation. However, governmental bodies need to come to the table to add the most important ingredients here, trust and clarity. They need to work with these smart companies to find a path forward."

The war between Uber and taxi drivers across Europe may be ongoing, but the outcome is a fait accompli, according to France's digital champion, Gilles Babinet.

Babinet, himself a serial entrepreneur, told delegates at the Hack4Europe conference in Paris: "Think about this: an average taxi is in commercial usage 45 per cent of its time, which means that 55 per cent is just waiting for a client."

"Do you know how much is the ratio of usage for an Uber car? It's 85 per cent and just because of this they are going to win. Whatever we do, whatever the regulations we try to put in place, just because it is hugely efficient. It cannot be beaten by any type of regulation," he said.

Uber is currently mired in controversy in France, with the company's two top executives having been arrested and charged with misleading commercial practices, complicity in the illegal operation of taxis, and illegal handling of data on Monday this week. 202 Uber drivers were fined the following day, with 79 cases still pending.

Amid the furore, Uber France has temporarily suspended UberPOP - the service at the centre of the dispute between the company and the country, which connects users with drivers who charge for rides but are unlicensed and untrained - in order to protect drivers and their vehicles from alleged attacks by taxi drivers.

Nevertheless, Uber was well represented at the event, which was the culmination of a Europe-wide hackathon to build new apps in the categories of Smart Cities, E-commerce, Mobility, Social Positive (having a benefit for society at its heart as well as commerce), Internet of Things, and Energy.

The Mobility award was sponsored by Uber and the winning app built on the company's API. Thibauld Simphal, MD of Uber in France and one of those charged on Monday, was also a panellist at the event speaking on the topic of "How to create European GAFAs" alongside representatives of ride-sharing app Blablacar, Alcatel OneTouch, and Iris Capital Management.

The EU plans to take a closer look at cross-country e-commerce, after it was revealed online transactions were only growing very slowly in comparison to the number of overall transactions taking place.

In 2014, almost half of EU citizens bought products or services online, but only 15 per cent of the transactions used services in other EU states.

Although the EU has noted that part of this may be down to language barriers, consumer preferences and differences in legislation across member states, the body said it suspects some countries are restricting cross-border e-commerce, possibly by geo-blocking consumers from accessing their websites.

Additionally, retailers may only accept credit cards from the host nation, meaning they are unable to complete the purchase online and so will head elsewhere to find the same product - often paying more than on the original website. Not only is this bad cross-border business, it is also a bad experience for the consumer too.

Commissioner Margrethe Vestage, who is responsible for competition policy, said she will refer the inquiry the College of Commissioners and their findings will contribute to the commission's objectives of achieving a Digital Single Market.

Vestager said: "It is high time to remove remaining barriers to e-commerce, which is a vital part of a true Digital Single Market in Europe. The envisaged sector inquiry will help the commission to understand and tackle barriers to e-commerce to the benefit of European citizens and business."

Vestager hopes the study will determine where the key issue lies and will also help enforce competition law in the e-commerce sector.

The aims of the Digital Single Market are to make Europe more competitive in the global economy by boosting cross-country trade and eradicate geoblocking.

If Scotland votes yes on Thursday, customers in the country could be faced with increased communication costs, service provders have warned.

In an open letter, chief executives from BT, TalkTalk, O2, Vodafone, EE and Three, claimed costs would rise from splitting networks apart and implied that this would lead to prices increases post-split.

"We may need to modify our networks to reflect the reality of an independent Scotland," the letter said. "And we may need to consider whether to modify the services offered in Scotland, given its relatively demanding topography and relatively low population density. Any of these factors could lead to increased industry costs."

However, the providers said they would commit to continuing to operate in Scotland and this would be "completely unaffected" by the outcome of the vote.

While it warned of price increases north of the border, the letter stopped short of cutting prices for the rest of the UK.

The CEOs said there were "a number of strategic and operational factors" that had to be determined fro their organisations. The letter stated that it would be necessary to know how a Scottish telecoms industry would be regulated and how the current EU telecoms framework would be applied, if at all.

The letter continued: "Would there be continuity with the current European Union regulatory framework so that we would continue to operate across the border with common infrastructure under a single set of rules? What approach would the government of an independent Scotland take to the radio spectrum currently licensed on a UK-wide basis without which mobile networks cannot operate?"

Ofcom currently regulates and licences spectrum in the UK and chiefs asked what approach an independent Scotland would take. The CEOs said it would be necessary to modify networks to reflect the new political reality and this could force costs upwards.

"We may need to consider whether to modify the services offered in Scotland, given its relatively demanding topography and relatively low population density. Any of these factors could lead to increased industry costs."

However, SNP MSP Mike MacKenzie said there was no need for mobile phone costs to rise. "A Yes vote will not change Scotland's topography or geography," he told STV.

"In fact independence is an opportunity for Scotland to address Westminster's dreadful record of developing mobile phone coverage in Scotland."

Nokia has received approval from the Chinese Ministry of Commerce to sell its phone business to Microsoft.

"Nokia and Microsoft have now received regulatory approvals from the People's Republic of China, the European Commission, the US Department of Justice and numerous other jurisdictions," Nokia said in a statement.

Nokia agreed to sell its Lumia phone line to Microsoft for 5.4 billion last year, minus its extensive set of patents.

The news was greeted positively, bumping the Finnish manufacturer's stock by three per cent.

Reuters cites analysts as hoping Nokia can operate with more flexibility with its patents and without a mobile business.

Dropping its phone business could allow Nokia to change its pricing structure with patent licensees such as Google and Samsung. Competitors would not be able to raise prices on Nokia phones in retaliation if it started charging more.

Nokia denied any previous wrongdoing in a press release.

"No authority has challenged Nokia's compliance with its FRAND undertakings related to standard-essential patents (licensing on fair, reasonable and non-discriminatory terms) or requested that Nokia make changes to its licensing program or royalty terms," it wrote.

Others remained concerned. Google and Samsung asked Chinese regulators to prevent it from raising prices. The Finnish company already makes 500 million annually from licensing fees.

One vice president of the European Commission's Competition Unit warned Nokia not to abuse its patents.

"If Nokia were to take illegal advantage of its patents in the future, we will open an antitrust case," Joaqun Almunia said. "I sincerely hope we will not have to."