Welcome to the latest edition of Trowers Tech News.

This month, we examine major developments in data protection reform, AI copyright policy, and the expanding scope of EU cybersecurity regulation. From the latest provisions of the Data (Use and Access) Act to the Government’s long‑awaited findings on AI and copyright, and the European Commission’s draft guidance on the Cyber Resilience Act, organisations face an increasingly complex and fast‑moving regulatory landscape.

We begin with the new DUAA provisions that came into force in February, including the introduction of a recognised legitimate interest basis for processing, enhanced safeguards for children accessing online services, and a streamlined approach to international data transfers. The changes also bring key clarifications on DSAR handling, an extended soft opt‑in for charities, and a statutory definition of research - all signalling a continued shift towards more flexible but closely supervised data governance.

Next, we explore the Government’s latest position on AI and copyright. While legislative reform is on hold, transparency, licensing and enforcement have been identified as priority areas as policymakers navigate the competing interests of rights holders and AI developers. With questions emerging around computer‑generated works and digital replicas, businesses using or developing AI systems should expect prolonged uncertainty and rising compliance expectations.

Finally, we assess the European Commission’s draft guidance on the Cyber Resilience Act, which provides much‑needed clarity on how the new cybersecurity regime will apply to software, hardware and open‑source ecosystems. The guidance addresses scope, lifecycle requirements, substantial modifications, component‑level risk assessments and new vulnerability reporting duties - marking a pivotal step towards full implementation.

Top tech trends: evolving digital regulation

Jessie Jiao, Trainee Solicitor

New provisions under the Data (Use and Access) Act 2025 (DUAA)

On 5 February 2026, a significant number of provisions came into force via the Data (Use and Access) Act 2025 (Commencement No. 6 and Transitional and Saving Provisions) Regulations 2026.

One of the most significant changes is the introduction of a "recognised legitimate interest" as a new lawful basis for processing under section 70. Qualifying interests include processing necessary for national security purposes, the investigation of crime, responding to requests from public bodies, and the safeguarding of vulnerable individuals. Controllers relying on this basis are not required to carry out a balancing test weighing the benefits of processing against the impact on individuals' rights.

The DUAA also introduces enhanced safeguard requirements for online services likely to be accessed by children. Such services must now account for "children's higher protection matters," recognising the vulnerabilities of children and the specific protections their personal data warrants. This obligation reinforces that child safety online is a compliance priority that businesses must take seriously.

On international data transfers, the Act introduces a simplified test under section 85 for transferring personal data to third countries or international organisations, requiring the Secretary of State to assess whether the standard of protection in the recipient country is "not materially lower" than that in the UK.

Further changes include clarifications to data subject access requests (DSARs): a controller may ask the requester for clarification where it can demonstrate that clarification is reasonably required to respond, and where such a clarification is requested the time limit is paused until the information is received. The soft opt-in exemption for electronic marketing is extended to charities to allow regular contact with existing supporters. Additionally, there is a new statutory definition of "research", along with confirmation that broad consent can be given for data processing in certain research contexts.

Looking ahead, the ICO has published good practice guidance on data protection complaints handling. Organisations must provide a formal complaints mechanism, acknowledge receipt within 30 days, and deal with complaints without undue delay. With new data protection enforcement frameworks, businesses should start the process of reviewing and updating their data protection policies.


Anna Horsthuis, Senior Associate, Alice Stripe, Senior Associate and Vaughan Somerville, Associate

AI and copyright: reform on hold, but the stakes keep rising

The UK Government released its long-awaited report and impact assessment on copyright and AI, as required under the Data (Use and Access) Act 2025. After receiving over 11,500 responses from rights holders, AI developers, publishers, and legal professionals, the reports represent the most substantial policy statement on this issue to date.

In short, the Government's previously preferred general text and data mining exception and opt-out option approach has been abandoned following significant opposition. Rather, the Government is taking a step back, collecting further evidence and pursuing further stakeholder engagement before any legislative reform. In place of legislative change, the Government is prioritising three areas:

  1. Transparency - over 90% of respondents supported AI developers disclosing their training data sources, and the Government proposes to develop industry best practice in this area. While supportive of the principle, there were no specific proposals and the Government will consider the granularity of disclosure requirements in light of the cost and time implications for developers, which may impact advancement.
  2. Licensing - there is an increasing market for AI training data, but with most negotiations private, the Government proposes not to intervene in the licensing market at this stage, instead monitoring market-led approaches and global developments.
  3. Enforcement - while the UK has a strong IP enforcement framework, AI creates new practical challenges, particularly around transparency and enforcement difficulties leading to costly litigation. The Government will continue to work with the courts, law enforcement and stakeholders to ensure enforcement is fit for purpose.

AI developers should plan for continued legal uncertainty and be aware of the EU AI Act requirements and US market developments, which are already shaping global practice. With transparency and licensing taking centre stage, all businesses using AI, whether for document summarisation or retrieval-augmented generation, should audit their copyright exposure at both the input and output stages.

In addition, the report signals emerging issues beyond training data, including the potential removal of copyright protection for computer-generated works without a human author, and the possibility of a new personality right to address non-consensual digital replicas of voices and likenesses. Whilst no immediate legislation is proposed on these points either, they signal the broader direction of policy development.

Where to next? Only time will tell, as the Government has committed to a period of evidence-gathering, stakeholder engagement, and close monitoring of international developments (EU AI Act implementation and ongoing litigation) before considering any legislative reform.

Alina Kazmi, Trainee Solicitor

Open source, cloud, legacy products: does the Cyber Resilience Act apply to you?

On 3 March 2026, the European Commission published its first draft guidance on the EU Cyber Resilience Act (CRA). This is a pivotal moment for manufacturers, developers and distributors of hardware and software products across the EU market, providing the clearest signal yet of how mandatory cybersecurity requirements will apply in practice.

The guidance resolves several long-standing grey areas on software scope. Software made available by download or remote access is in scope, while demo and tutorial code is not. A genuine data connection is required; using electricity alone is insufficient.

On open source, responsibility turns on who controls a project through governance rather than who holds commit rights. Free software can trigger full manufacturer obligations where it is monetised.

Updates that introduce new threat vectors may constitute a substantial modification, resetting CRA obligations entirely and making the modifier the manufacturer. The five-year minimum support period is not a universal default and must reflect realistic product lifecycles, with each software version requiring its own declared period.

Product classification depends on core functionality as a whole rather than individual components, and third-party and open-source components must be actively risk assessed. Remote data processing falls within scope only where the product functionally depends on it and the manufacturer controls the software. Vulnerability reporting obligations include a 24-hour early warning and a 72-hour full notification requirement.

Key dates to note:

  • 11 June 2026: conformity assessment body notification rules apply
  • 11 September 2026: vulnerability and incident reporting obligations begin
  • 11 December 2027: full CRA obligations apply

For businesses in regulated sectors such as automotive or medical devices, the guidance also touches on interactions with other EU legislation and sector-specific scope exclusions. The consultation closes on 31 March 2026. Businesses should review the draft against their existing CRA programmes, reassess scoping and product classifications, refine support-period strategies and establish clear criteria for identifying substantial modifications.