Clifford Chance

Talking Tech

Tech Policy Unit Horizon Scanner

August 2025

Artificial Intelligence | Data Privacy | Cyber Security

2 September 2025

As the global digital policy landscape enters a new phase of regulatory activism, governments from the United Kingdom to Nigeria are recalibrating their approaches to technology, data, and AI. This month’s developments underscore a growing determination among policymakers to balance innovation with accountability.

Against a backdrop of rapid technological change and geopolitical competition, regulators are moving with renewed urgency. Australia has issued a government-wide AI Technical Standard and published a landmark report on multi-agent AI risks. India’s reserve bank has released a responsible AI framework for the financial sector, and Indonesia’s Constitutional Court has clarified Data Protection Officer (DPO) appointment rules, granting greater flexibility to data controllers. Japan is considering introducing administrative fines for data brokers under the Act on the Protection of Personal Information (APPI), and Malaysia has launched a national cloud computing policy to drive digital transformation. The Philippines has forged a cybersecurity and privacy alliance between its data protection authority and police, signalling a more coordinated approach to enforcement.

From the UK’s phased rollout of the Data (Use and Access) Act (DUAA) to the National Cyber Security Centre’s (NCSC) sharpened focus on cyber resilience and Ofcom’s assertive enforcement of online safety, the message in the UK is clear: compliance is no longer optional, and the cost of inaction is rising. The UK has also newly appointed Jade Leung as Keir Starmer's AI Adviser, who will focus on delivering the UK's Plan for Change.

The EU continues to advance its digital and media regulatory agenda. France and Germany have jointly issued “zero trust” security guidelines for large language model systems, addressing prompt injection and privilege escalation risks. The European Media Freedom Act has entered into force, establishing binding rules for editorial independence, transparency, and pluralism. The European Union Agency for Cybersecurity (ENISA) has also updated its Cybersecurity Threat Landscape methodology, aiming for greater automation and situational awareness. These developments reflect a drive for supervisory convergence and resilience across the EU’s digital and financial sectors.

In the United States, the federal government has announced a historic $8.9 billion equity investment in Intel to secure domestic semiconductor leadership, underscoring the strategic importance of technological self-sufficiency. President Trump has signed executive orders to modernise government service design and to expand 401(k) investor access to digital assets, signalling a pro-innovation policy stance. These moves collectively reinforce the region’s focus on national security, digital innovation, and the recalibration of platform regulation.

For organisations and their advisers, the imperative is to stay ahead of the regulatory curve, anticipate enforcement priorities, and engage proactively with evolving standards.

APAC (excluding China)

Australia

Australia issues Artificial Intelligence (AI) Technical Standard for government transparency and accountability

On 31 July 2025, the Digital Transformation Agency released an AI Technical Standard to promote transparency, accountability, and safety in government AI use. It applies to the full AI lifecycle, from design to decommissioning, across diverse delivery models. The AI Technical Standard organises the lifecycle into ‘Discover,’ ‘Operate,’ and ‘Retire’ phases, emphasising ethical risk management, addressing biases, upholding human oversight, and ensuring regulatory compliance. Agencies are encouraged to adopt these guidelines in developing and operating AI systems.

Australia unveils report on risks in multi-agent AI systems

On 29 July 2025, the Department of Industry, Science and Resources (DISR) published a Gradient Institute report detailing risks associated with multi-agent AI systems, which involve interconnected AI agents. The key risks identified include inconsistent outcomes, communication failures, and coordination challenges. The report provides practical risk assessment tools and guidance for early detection of issues, recommending progressive testing for safe deployment.

OAIC announces regulatory priorities for 2025-26

On 29 July 2025, the Office of the Australian Information Commissioner (OAIC) shared its regulatory priorities for 2025-26, focusing on rebalancing power and information disparities, protecting rights amid emerging technologies, and strengthening information governance. Target sectors include rentals, property, credit, data brokers, and areas like ad tech and AI. The OAIC will emphasise privacy protections, particularly regarding facial recognition, biometrics, and surveillance, and aims to ensure timely public access to government information.

India

The RBI sets out responsible AI framework

On 13 August 2025, the Reserve Bank of India (RBI) released a report establishing a framework for responsible and ethical AI in the financial sector. The report centres on seven principles, including trust, fairness, and accountability, and provides 26 actionable recommendations for financial entities, regulators, and the government. It stresses the importance of AI governance, board-level competence, employee training, and data governance in line with the Digital Personal Data Protection Act.

Indonesia

Indonesia’s Constitutional Court clarifies DPO appointment rules

On 30 July 2025, a decision of Indonesia’s Constitutional Court was published clarifying the interpretation of Article 53(1)(b) of the Personal Data Protection Law (PDPL), stating that the criteria for appointing a Data Protection Officer (DPO) should be read as ‘and/or’ rather than cumulative. This ruling significantly affects the obligations of data controllers and processors under the PDPL, providing greater flexibility in meeting DPO appointment requirements.

Japan

PPC Chair emphasises consideration of penalty system in future amendments to the APPI

On 16 August 2025, in an article published in the Nikkei, the newly appointed Chair of the Personal Information Protection Commission (PPC), Mr. Satoru Tezuka, highlighted the potential introduction of a penalty (administrative fine) system under future amendments to the Act on the Protection of Personal Information (APPI). Mr. Tezuka explained that the primary objective of such a system would be to eliminate malicious data brokers, rather than to impose broad punitive measures on businesses.

Japan is currently one of the two G7 members, along with Canada, that do not have a sanction regime. Mr. Tezuka noted that discussions are already underway in Canada and, without similar measures, Japan risks falling behind international practice. At the same time, he acknowledged strong opposition from business groups and emphasised that they would engage in careful communication to build understanding.

Mr. Tezuka also commented more broadly on AI-related regulation. He stated that Japan should avoid overly strict, ex-ante regulatory frameworks that may hinder innovation. Instead, he suggested that a system placing greater weight on ex-post measures, such as sanctions or corrective actions when issues arise, would be more appropriate, striking a balance between data utilisation and the protection of individual rights.

Malaysia

Malaysia announces national cloud computing policy to drive digital transformation

On 13 August 2025, the Ministry of Digital launched the National Cloud Computing Policy (NCCP), effective as of August 2025, to support digital transformation. The policy outlines a strategic roadmap emphasizing data protection, privacy, resilience, digital literacy, and sustainability. While adoption is voluntary for the private sector, the policy aims to bolster local cloud providers and promote best practices.

Philippines

Philippines’ NPC and Police forge cybersecurity and privacy alliance

On 1 August 2025, the National Privacy Commission (NPC) and the Philippine National Police Anti-Cybercrime Group (PNP-ACG) announced that they have signed a Memorandum of Understanding to enhance the protection of citizens’ rights online. The agreement establishes protocols for collaboration, including referral mechanisms, joint investigations, and information sharing. It also features enforcement support and training activities and is effective immediately for three years unless otherwise amended or terminated.

Europe

European Union

France and Germany release joint guidelines on securing LLM systems with “zero trust” architecture  

On 11 August 2025, France’s national cybersecurity agency ANSSI (Agence nationale de la sécurité des systèmes d'information) and Germany’s Federal Office for Information Security, BSI (Bundesamt für Sicherheit in der Informationstechnik), jointly issued a set of six foundational principles aimed at enhancing the security of large language model (LLM) systems through a “zero trust” approach. The zero trust approach is based on the following principles: authentication and authorisation; principle of least privilege whereby permissions are granted as granularly as possible; and no implicit trust. The guidance addresses emerging threats such as prompt injection, data leakage, and privilege escalation in agent-driven LLM environments. The document advocates for robust access restrictions, the use of sandboxing techniques, and ongoing system monitoring. Although it does not specifically address cloud-native risks, the recommendations are applicable to cloud-based LLM deployments, especially those incorporating plugins, retrieval-augmented generation, or multi-agent orchestration. The agencies also underscore the importance of maintaining human oversight in high-stakes decision-making processes and caution against allowing LLM systems to operate in a fully autonomous manner.

European Media Freedom Act enters into application  

On 8 August 2025, the European Media Freedom Act (EMFA) came into force. It sets a binding framework to protect media freedom, independence, and pluralism across the EU. The right for users to customise the media offer on devices and interfaces will only apply from 2027, but all other provisions are now in force. The Act also created the Media Board, which brings together national regulators. It can issue opinions on media market concentrations, on measures that could affect editorial independence, and on foreign media threats to public security. It also monitors how very large online platforms treat editorially responsible media content. Under the EMFA, Member States must now guarantee editorial independence. They must ensure transparent governance of public service media, fair distribution of state advertising, and clear disclosure of media ownership and funding. Audience measurement providers also have to follow rules of transparency and impartiality. However, the effective implementation of EMFA depends on national legal alignment and adequate resourcing of regulatory authorities.  

EU consultations on financial governance and cybersecurity  

In August 2025, two EU consultations were launched, reflecting parallel efforts to strengthen resilience in the financial and digital sectors. The first of these was launched on 7 August 2025, when the European Banking Authority (EBA) opened a consultation on revised internal governance Guidelines under CRD VI. The draft integrates requirements of the Digital Operational Resilience Act (DORA), with the aim of reinforcing governance frameworks, clarifying management duties, and aligning with diversity and remuneration standards. The consultation remains open until 7 November 2025, with a public hearing scheduled for 5 September. Four days later, on 11 August 2025, the NIS Cooperation Group published a draft roadmap on post-quantum cryptography and invited public comment. The consultation seeks input from critical infrastructure operators, industry and academia on how to manage the transition to quantum-resistant solutions. Contributions are due by 29 September 2025 and should address sector-specific challenges and open-source development, while excluding product promotion.  

EIOPA issues opinion on AI governance in insurance  

On 6 August 2025, the European Insurance and Occupational Pensions Authority (EIOPA) published an opinion to national supervisors clarifying how existing insurance-sector legislation applies to the governance and risk management of AI systems. The opinion builds on the AI Act, in force since 2024, which classifies certain insurance uses (such as AI systems for risk assessment and pricing in life and health insurance) as high-risk. These high-risk or prohibited systems fall outside the opinion’s scope. Instead, the focus is on clarifying how sectoral legislation, principally the Solvency II Directive and the Insurance Distribution Directive, already frames governance and risk responsibilities in relation to AI. EIOPA stresses a risk-based and proportionate approach, aiming to balance innovation with consumer protection. Supervisory expectations cover data governance, record-keeping, fairness, cybersecurity, explainability and human oversight. The opinion does not create new legal obligations but seeks to promote supervisory convergence across Member States and provide clarity to market participants. Looking ahead, EIOPA plans to use the framework set out in the opinion to guide more detailed work on specific AI use cases and to issue further guidance as necessary.  

ENISA updates its Cybersecurity Threat Landscape methodology     

On 1 August 2025, the European Union Agency for Cybersecurity (ENISA) released a revision of its Cybersecurity Threat Landscape (CTL) methodology. This update, aligned with ENISA’s mandate under the EU Cybersecurity Act (Regulation (EU) 2019/881), codifies seven distinct phases: direction, collection, processing, analysis and production, dissemination, and feedback. The direction phase sets the scope and audience, focusing on threats to NIS2 sectors and cross-border incidents. Collection involves a validated Intelligence Collection Plan using the Admiralty scale and sources ranging from OSINT to institutional partners like CSIRTs and EUROPOL. Processing integrates taxonomies such as STIX 2.1 and MITRE ATT&CK, and enriches data with geopolitical and sectoral context, including CVE mapping via the EU Vulnerability Database. Analysis and production rely on Structured Analytical Techniques (SATs) and expert judgement to generate assessments in both textual and machine-readable formats. Dissemination is increasingly digital, using push/pull models and interactive platforms like LinkedIn and X. Feedback mechanisms ensure continuous refinement through stakeholder input. ENISA anticipates greater automation in processing and dissemination, aiming to bolster situational awareness among EU cybersecurity stakeholders.  

United Kingdom

UK Data (Use and Access) Act implementation begins

The Data (Use and Access) Act (DUAA) has officially become UK law, marking a significant overhaul of the domestic data protection framework. On 20 August 2025, Stage 1 of the UK Government’s four-phase implementation plan came into force, initiating the transition to the new regime.

The Information Commissioner’s Office (ICO) launched three public consultations on 21–22 August 2025, seeking views on draft guidance concerning:

Separately, the ICO’s governance structure is evolving. On 30 June 2025, Paul Arnold was appointed as the first CEO of the future Information Commission, which will comprise a Chair (John Edwards), a CEO, and non-executive directors, reflecting the DUAA’s institutional reforms.

We have published an article, UK data reform: What you need to know about the Data (Use and Access) Act, that outlines the key changes to UK data laws.

NCSC published new Cyber Assessment Framework

On 6 August 2025, the UK’s NCSC released Version 4.0 of its Cyber Assessment Framework (CAF), aimed at enhancing cyber resilience across essential sectors including energy, healthcare, transport, digital infrastructure, and government.

The updated framework introduces new guidance on:

  • Understanding adversarial tactics and threat actors;
  • Secure development and maintenance of software used in essential services;
  • Enhanced security monitoring and threat hunting practices;
  • Addressing AI-related cyber risks, reflecting growing concerns around emerging technologies.

The CAF continues to support compliance with the Network and Information Systems (NIS) Regulations and anticipates future obligations under the forthcoming Cyber Security and Resilience Bill.

Ofcom investigates 4chan for safety failures

On 13 August 2025, Ofcom issued a provisional notice of contravention to 4chan, an online discussion board, following an investigation opened on 10 June 2025. The notice cites failure to respond to a statutory information request, failure to conduct and retain an illegal content risk assessment, and broader non-compliance with safety duties relating to illegal content.

This reflects Ofcom’s growing assertiveness in enforcing the Online Safety Act, particularly around platforms hosting high-risk or unmoderated content.

Jade Leung appointed as Prime Minister’s AI Adviser

On 15 August 2025, the UK Government announced the appointment of Jade Leung, Chief Technology Officer of the AI Security Institute, as the Prime Minister’s new AI adviser. In this newly created role, Leung will work directly with the Prime Minister and the Secretary of State for Science, Innovation and Technology to position the UK as a global leader in harnessing the benefits of transformative AI.

Her remit includes supporting the delivery of the government’s Plan for Change, with a focus on economic growth and technological resilience. Leung will split her time between Number 10 and the AI Security Institute, reflecting the strategic importance of AI policy across both political and technical domains.

Americas

The United States of America

Trump Administration plans to acquire 9.9% equity stake in Intel to advance U.S. semiconductor leadership

On 22 August 2025, Intel Corporation announced a landmark agreement with the Trump Administration under which the U.S. government will acquire a 9.9% equity stake in Intel through the purchase of 433.3 million primary shares at USD20.47 per share. The USD8.9 billion investment will be funded by previously awarded but unpaid USD5.7 billion grants under the U.S. CHIPS Act and Science Act and the USD3.2 billion award as part of the Secure Enclave program, bringing total federal investment in Intel to USD11.1 billion.

The government’s stake will be passive, with no board representation or governance rights, and includes a five-year warrant for an additional 5% of common shares under specific conditions. The agreement eliminates claw-back and profit-sharing provisions tied to earlier CHIPS Act grants, providing Intel with permanent capital to expand its U.S. manufacturing footprint. Intel reaffirmed its commitment to secure semiconductor production for the Department of Defense and continues its USD100 billion domestic expansion, including high-volume production in Arizona later this year. The transaction underscores the Administration’s strategic focus on national security and technological leadership through domestic semiconductor investment.

Trump signs Executive Order “Improving Our Nation Through Better Design” to modernise government service interfaces

On 21 August 2025, President Trump signed an Executive Order, titled “Improving Our Nation Through Better Design,” launching the “America by Design” initiative to modernise federal service interfaces. The order establishes the National Design Studio (NDS) within the Executive Office of the President and creates the role of Chief Design Officer, tasked with improving the usability and aesthetics of government websites and physical sites. Agencies must produce initial results by 4 July 2026 and ensure government-wide compliance with the 21st Century Integrated Digital Experience Act.

Joe Gebbia will be appointed as the first Chief Design Officer. Gebbia previously led efforts to digitise the federal retirement process and described the federal bureaucracy as a “design desert.” His mandate includes redesigning high-volume government services such as tax filings, Medicare enrolment, Social Security applications, and immigration systems. The NDS will report directly to the White House Chief of Staff and replaces the Obama-era 18F office, which was dissolved earlier this year. 

Supreme Court of the United States allows Mississippi law restricting minors’ access to social media

In a 14 August 2025 order, the U.S. Supreme Court declined to block a Mississippi state law that restricts minors from using social media websites. The law mandates parental consent for minors to create accounts on sites such as Facebook, Instagram, and YouTube, citing concerns over mental health and online safety. However, a trade group representing social media companies argues that the law violates the First Amendment by limiting free speech.

The Court’s decision is provisional, and legal challenges are expected to continue as the case progresses through lower courts. Other states have similar laws and courts have blocked such laws. However, the decision to allow the law to take effect, even provisionally, may signal a shift in judicial attitudes regarding the regulation of online platforms, especially when it comes to protecting minors. This case is expected to proceed through lower courts, where constitutional arguments will be more fully examined, and the outcome could influence how courts handle these laws nationwide and shape the future of digital rights for young users.

Trump signs Executive Order allowing 401(k) investors access to digital assets

On 7 August 2025, President Trump signed an Executive Order titled “Democratizing Access to Alternative Assets for 401(k) Investors,” directing the Department of Labor, the Department of the Treasury, and the Securities and Exchange Commission to change investment rules applicable to defined contribution retirement plans in the United States. The intention is to make defined contribution plan investments in alternative asset classes, including cryptocurrency and other digital assets, easier to achieve and more likely to happen. The move gives alternative asset managers access to the nearly USD12 trillion market for defined contribution plans and aligns with the Trump Administration’s crypto-forward policies.

Middle East

Saudi Arabia

Report on Agentic AI

On 3 August 2025, the Saudi Data and Artificial Intelligence Authority (SDAIA) released a report relating to Agentic AI. The report sets out Agentic AI’s core capabilities: perception, reasoning, learning, action-taking, communication, and autonomous operation. It also explains the best way of integrating this technology across various sectors, such as healthcare, education, and energy.

The report also charts the progression of AI agents from early rule-based systems to sophisticated multi-agent frameworks driven by LLMs. It also surveys global policy trends and regulatory landscapes. In the context of Saudi Arabia, the report evaluates national preparedness under Vision 2030, highlighting flagship initiatives such as the Arabic LLM and smart city developments in NEOM and the Red Sea.

The report identifies several critical challenges, including gaps in causal reasoning, lack of transparency, shortages in skilled personnel, cybersecurity vulnerabilities and cultural sensitivities. To mitigate these, the SDAIA proposes a governance model that integrates data stewardship, ethical AI principles, and human oversight.

The report further outlines a phased roadmap for adopting Agentic AI technologies: beginning with strategic visioning and planning, followed by pilot implementations, broader integration, and ongoing innovation. This roadmap is underpinned by strategic alliances, infrastructure investment, and capacity-building efforts to ensure the responsible, secure, and sustainable deployment of AI systems.

United Arab Emirates

Cyber Risk Management of Abu Dhabi has been published

On 29 July 2025, the Financial Services Regulatory Authority (FSRA) of the Abu Dhabi Global Markets announced amendments to its regulatory framework for authorised persons and recognised bodies concerning cyber risk management. Compliance with these amendments will be required from 31 July 2026.

This implementation follows extensive consultation with industry stakeholders, particularly feedback on Consultation Paper No. 3 of 2025: Proposed Enhancements to Cyber Risk Management, 30 April 2025.

The outcomes of this initiative have been implemented through amendments made to the FSRA Rules, with most of the new content housed in a new Cyber Risk Management section of the General Rulebook, which can be accessed here.

Africa

Nigeria

Nigeria Data Protection Commission (NDPC) launches sector-wide investigations into Nigeria Data Protection Act (NDPA) compliance

On 26 August 2025, the NDPC announced the commencement of a sector-by-sector investigation into suspected non-compliance with the Nigeria Data Protection Act (NDPA). The announcement was made via the Commission’s official LinkedIn channel and press communications.

The NDPC has issued compliance notices to organisations across key sectors including banking, insurance, pensions, and brokerage. Affected entities are required to submit, within 21 days:

  • Evidence of filing NDPA Compliance Audit Returns for 2024;
  • Details of the appointed Data Protection Officer (DPO), including contact information;
  • A summary of technical and organisational measures for data protection; and
  • Proof of registration as a Data Controller or Processor of Major Importance.

The Commission warned that failure to comply may result in enforcement actions, including administrative fines, enforcement orders, and criminal prosecution under the NDPA.
