Tech & Sourcing @ Morgan Lewis

The European Banking Authority (EBA) recently published a consultation paper (Consultation) that proposes to expand third-party risk management requirements for certain EU-regulated financial entities. The Consultation would extend the EBA’s current guidelines around outsourcing arrangements (EBA Guidelines) to all third-party services arrangements, excluding those services that are within scope of the EU Digital Operational Resilience Act (DORA), and would add further requirements to the existing guidelines, aligning with those requirements introduced under DORA.

The United Kingdom’s Online Safety Act (OSA or the Act), which received Royal Assent in October 2023, establishes a new statutory framework to address harmful online content, protect children, and promote accountability among digital service providers. For counsel advising platforms, publishers, and other organizations operating in the digital space, the OSA introduces a complex set of compliance considerations, particularly given its extraterritorial scope, risk-based obligations, and substantial enforcement powers.

The UK Information Commissioner’s Office has launched two consultations as part of the transition to the Data User and Access Act framework. These consultations will be of particular interest to organisations operating UK-facing websites, analytics tools, and online advertising services.

On 19 June 2025, the UK Parliament enacted the Data (Use and Access) Act 2025 (DUAA), marking the most significant UK data protection reform since the UK General Data Protection Regulation (UK GDPR). Rather than overhauling the current regime, DUAA introduces targeted amendments to the UK GDPR, the Data Protection Act 2018, and Privacy and Electronic Communications Regulations (PECR), aiming to support responsible data use while preserving core privacy protections.

In our March 2024 blog post Study Finds Average Cost of Data Breaches Continued to Rise in 2023, we highlighted the key findings of the Ponemon Institute’s Cost of a Data Breach Report 2023. Each year, the report sets forth a vast dataset analyzing data breaches at hundreds of organizations to spot trends and developments in security risks and best practices. The Ponemon Institute recently published its Cost of a Data Breach Report 2024, showing an increase in data breach costs in many areas of business.

We are excited to welcome Mathilde Carle as a partner in Morgan Lewis’s Paris office and as a guest contributor to our Tech & Sourcing Spotlight series to discuss intellectual property (IP) protection and other related issues in agreements to design, build, license, host, and support digital solutions, including automation, AI, and software as a service (SaaS) products.

As noted in our recent blog, business process outsourcing (BPO) providers are promising big savings and improved outputs tied to the design and implementation of digital solutions that will monitor, quality check, facilitate, and sometimes perform the applicable business processes.

Data issues—collection, usage, optimization, commercialization, and protection—are at the forefront of more and more transactions in the sports industry.

Artificial intelligence (AI) is reshaping modern society, enabling the automation and modification of routine human activities and, consequently, enhancing efficiency and productivity. Like any technological development, AI presents both benefits and risks. Concerns include potential biases, privacy intrusions, and ethical dilemmas.

While artificial intelligence has not quite yet achieved singularity, the last fortnight brought about a substantial update to the AI regulatory landscape. As of February 2, Chapters I and II of the EU AI Act have entered into force. This includes Article 5, which prohibits certain AI systems whose use may intrude upon an individual’s privacy. This includes certain AI systems relating to emotion recognition in the workplace, subliminal manipulation, and predictive policing. Separately, EU AI Act obligations relating to AI literacy have also gone into effect.