
February 2025 Newsletter

A message from Jen Kitson, Managing Director and General Counsel (Private Sector)


Welcome to the first 2025 quarterly newsletter!

This time we focus on: (1) Smart Litigation: how Kennedy Cater can help manage your litigation/disputes effectively; (2) five steps to implement a compliant data-driven strategy for fast growing companies; (3) the newly prohibited specific AI practices under Article 5 of the EU’s AI Act which now applies to any company deploying AI systems in the EU (regardless of their country of origin); and (4) a “hot off the press” summary of the key updates since the EU’s Digital Operational Resilience Act (DORA) came into effect on 17th January 2025, which is important not only to financial services firms but also the ICT outsourcers who service them.

Should you wish to find out more about any of these topics please do not hesitate to reach out to me or your usual Kennedy Cater team member!

Jen

Smart Litigation: how Kennedy Cater can help manage your litigation/disputes effectively

Litigation is unpleasant. Our adversarial court system in the UK is one of the oldest and most rigorous justice systems in the world but it often isn’t much fun for the litigants. Fighting in the UK courts (and it can feel like combat at times) is expensive, complex, time-consuming and, all too often, disappointing for both sides. We are here to help.

Our expanded offering of Litigation Management Services helps our clients navigate the troubled waters of legal disputes. Led by Charlie Temperley, our new Head of Litigation Services, Charlie and the wider team can assist clients with all manner of dispute resolution. Charlie joins us from one of the largest litigation funders in the UK bringing skills and expertise from his time as a commercial litigator at top law firms and his unusual perspective of litigation as an investment.

Managing litigation and other legal disputes effectively requires not just expert legal knowledge but also a commercial attitude and an uncompromisingly objective perspective. Our Litigation Management Services supplement work by the law firm and barristers on the case to drive better results for clients.

We offer four core services to achieve this:

1.  Legal Procurement: Helping you instruct the right legal team for your case at the right price. If necessary, maximising alignment between you and the legal team by negotiating appropriate contingent fee agreements.
2.  Strategy Advice: Providing you with advice about all aspects of your dispute, not just the legal merits. This includes interpreting or supplementing advice from the legal team and ensuring that you are supported to make strategic and tactical decisions commercially.
3.  Spend Management: Supporting you in discussions with your legal team about budgeting, forecasting and invoicing. Scrutinising invoices from the legal team to help you ensure that good billing practices are maintained.
4.  Case Economics: Working with you and your legal team to improve understanding of the value, outcome scenarios, uncertainties and costs of the case. Ensuring that the case economics are not lost in discussions about the legal merits or procedure.
We understand litigation with all its complexity and challenges. All disputes come with uncertainties, but litigating smarter, not harder, is the best way to meet that challenge. We can help our clients to understand, mitigate and manage their litigation exposure like an expert.

5 steps to implement a compliant data-driven strategy for fast-growing companies

Future-proof data strategies for your company are more important than ever in the current context of development of technological tools, solutions and capabilities. Companies recognise that data is an essential asset allowing them to benefit from significant advantages such as gaining a competitive edge, reducing operational costs, increasing business growth or improving working conditions. However, many struggle to implement a data-driven strategy that embraces both flexibility and expandability while promoting innovation and compliance. Such strategies are key tools in allowing you to work with data solutions that evolve with the ever-changing landscape in terms of data legislation and regulation.
Improper data management can also have legal repercussions. Regulatory and legislative initiatives are sprouting in multiple jurisdictions, making it difficult for growing and evolving companies to keep up with the pace and the regulatory layering. Confidentiality, privacy, intellectual property and artificial intelligence (to name a few) are concerns that are (and should be) at the forefront of the C-suite/Board agenda. CEOs, CIOs, CTOs and General Counsels must address the compliance challenge in a flexible manner and find the right balance between limiting their organisation’s exposure to costly consequences (e.g., fines under GDPR) and fostering innovation to remain current and keep (or gain) a competitive edge.
1. Discovery Phase and Closing the Existing Gap: The audit is your starting point. With self-audit, you are at the discovery phase of what your organisation already does (and does not). It is the ideal starting point for you to identify all data you are using or wish to use and classify it into different categories depending on their nature and the use you make out of them. The cross-classification between data nature and data use will allow you to then identify and map for each category and subcategory, the restrictions which apply to the contemplated use for each data category. Here you are merely looking at identifying the legislation and regulations which apply: Is the data confidential? Is it the result of a processing by a vendor with specific SaaS solutions? Is it personal data? Is it integrated into an AI-supported system? This audit will also help you close the gap between what your organisation does and what it should do.
2. Organising and Structuring a Legal Baseline Framework: a global overview: Once done with the audit (keeping in mind this is iterative work which you will need to review periodically), it is time to dig deeper into which restrictions apply, and which do not. As such, your organisation will have in the blink of an eye an exhaustive view of each category of data and contemplated use, what it may do and need to do. A framework, with criteria and standards of use and restrictions applicable in the regions and jurisdictions in which you operate, will give you global and local visibility regarding use restrictions and possibilities. When your company operates in various jurisdictions, it is likely that some of the possibilities granted in one jurisdiction may not be permitted in another. The way you operate in a specific country for a specific industry does not necessarily allow you to do so everywhere. And this should be taken into consideration for a thorough view of your possibilities and obligations when it comes to data use and protection.
3. Document Your Compliance by Establishing Clear Processes and Response Mechanisms: After having established this legal baseline framework, you will need to document how you cascade and communicate within your organisation the obligations and conditions applicable to each department making use of such data. Human Resources, Product Development, Innovation Center, Centers of Excellence, IT Security, etc.: each department handles data differently and not all obligations and conditions apply to each use, category or even department. Further, internal education is not the only aspect of the processes you will need to handle. All companies work with various contractors, suppliers and vendors which also process or use some of that data. Establish processes with key stakeholders within your organisation and develop a specific plan with your vendors and suppliers to ensure compliance is addressed. This may include renegotiating existing contracts and updating policies that vendors must comply with, such as your code of conduct or other privacy-related documents.
4. Develop a Culture of Data Ownership Within Your Organisation and Implement Training: Developing a culture of data ownership within your organisation is crucial to the success of a compliant and effective data-driven strategy. The human factor is undeniable and, following a clear allocation of responsibilities within your organisation, training key stakeholders and conducting regular follow-ups and reviews is fundamental to demonstrating that compliance programs are implemented carefully, helping everyone understand the ins and outs of what can and cannot be done. This will go together with a response process. Communication goes both ways and while you cascade obligations and restrictions to specific departments, you must also develop a dialogue between each department and your organisation. What happens in the case of a misuse? How does your organisation respond when it comes to data breaches impacting the confidentiality of personal data or trade secrets? Etc. While those processes do not by themselves prevent all risks, they allow you to respond confidently and swiftly in case of a crisis and increase the understanding and the relationship between all departments and stakeholders, promoting synergy and innovation capabilities.
5. Follow Up Regularly with Iterative and Cross-Disciplinary Cycles of Updates and Reviews: When you work on legal baseline frameworks and compliance mechanisms such as dialogue processes within your organisation and with third-parties, you stop isolating the legal restrictions and obligations from a centralised model and you start generating iterative initiatives which benefit each other. Accountability at all levels of your organisation, paired with a proper implementation of safeguards, whether contractual, technical, or operational for instance, all participate in the success of your compliance strategy and help you minimize cross-functional risks while also uncovering hidden vulnerabilities within your organisation.

In this article, we have seen why you must establish a well-structured and detailed data-driven strategy that embeds a thorough compliance program in all cycles of your business development. This minimizes risks, promotes innovation and provides the tools to confidently navigate an evolving regulatory and legislative landscape in data use. This data management approach will enable sustainable growth in the digital economy.

Whether you need to get support in one of the phases above or for each of them, at Kennedy Cater we specialize in supporting growing organisations and helping them tackle the issues triggered by the new challenges of an ever-growing regulation, while enabling their business confidently.

Want to know more? Reach out to Kennedy Cater for more information on how we may support you in your business development.

EU AI Act: The first prohibitions take effect – what businesses need to know

The European Union’s AI Act, the world’s first comprehensive legal framework for artificial intelligence, is now on the path to full enactment. The first binding provisions have now taken effect, targeting AI systems deemed to pose unacceptable risks.

It is important to note that the AI Act has extraterritorial effect and will cover organisations supplying AI systems, or AI generated output, in the EU.

Outright Prohibitions

As of February 2nd 2025, the EU AI Act bans the following AI applications outright:
•  Biometric Categorisation Based on Sensitive Attributes: AI systems that classify individuals by sensitive characteristics such as race, political beliefs, or religious affiliation are prohibited due to their potential for discrimination and misuse.
•  Real-Time Remote Biometric Identification in Public Spaces: Law enforcement agencies are restricted from using live facial recognition in public spaces, except in specific, narrowly defined circumstances such as targeted crime prevention.
•  Emotion Recognition in Workplaces and Educational Institutions: AI systems that claim to detect human emotions for monitoring employees or students are banned due to concerns over accuracy, ethics, and privacy.
•  Social Scoring by Governments: The use of AI to evaluate and rank individuals based on their behaviours or characteristics is strictly prohibited, preventing potential societal manipulation and discrimination.
•  Manipulative or Exploitative AI: AI systems that employ subliminal techniques or exploit vulnerabilities—such as targeting children or individuals with disabilities—are banned to prevent coercive or deceptive practices.
The European Commission has released guidelines on prohibited artificial intelligence practices available here. Concurrently to the outright prohibitions, the provisions related to AI literacy for providers and deployers of AI systems also came into force in February, meaning that businesses must ensure a sufficient and appropriate level of understanding of AI for their staff (and other persons using AI systems on their behalf) to be able to make informed use of AI systems understanding not only the opportunities but also the risks of potential harm. We expect a voluntary code of conduct to be issued by the AI Office by 2 May 2025.

Timeline for Enactment of Further Provisions

While AI literacy and the outright prohibitions take immediate effect, other requirements will be implemented in a phased manner:
•  Mid-2025: High-risk AI systems (such as those used in healthcare, law enforcement, and critical infrastructure) must begin compliance preparations, including mandatory risk assessments and transparency obligations.
•  2026: Compliance deadlines for high-risk AI systems take full effect. Providers must demonstrate conformity with regulatory standards through documentation, human oversight mechanisms, and bias mitigation strategies.
•  2027: Broader obligations, including registration of general-purpose AI models in the EU database and transparency requirements for AI-driven chatbots and deepfakes, become enforceable.
•  2028: Full implementation of all remaining provisions, including governance structures for AI compliance and continued adaptation of enforcement measures.

Fines

From August 2025, the AI Act permits EU member states to impose substantial penalties (akin to those applicable to GDPR breaches) for non-compliance. That means, in some cases fines of up to EUR 35 million or 7% of global annual turnover (whichever is higher).

What Businesses Should Do Now

Organisations using AI should immediately review their systems to assess applicability of the AI Act and (if in scope) ensure compliance with the outright bans. Those operating high-risk AI applications must begin assessing potential obligations under the Act to avoid future non-compliance risks. Companies should also prepare for evolving enforcement measures and regulatory guidance as the AI Act transitions into full effect.

For tailored advice on how the EU AI Act may impact your business, please reach out to the Kennedy Cater team.

Key updates since the coming into force of the EU’s Digital Operational Resilience Act (DORA)

With the coming into effect of the EU’s Digital Operational Resilience Act (DORA) on 17 January 2025 (which has the overarching goal of enhancing the financial sector's operational resilience) there is a flurry of activity from both financial services firms outsourcing to ‘ICT Providers’ (Outsourcers) and from the IT outsourced providers themselves (Providers).
Following on from our previous article on DORA which can be found here, there have recently been a couple of key updates:
1.  The European Commission and the European Insurance and Occupational Pensions Authority (EIOPA) have shared guidance clarifying the definition and scope of ICT services under DORA, which will assist Outsourcers grappling with DORA implementation on how to categorise services involving ‘ICT components’ and applies to all Outsourcers in-scope of DORA. The guidance clarifies that where Outsourcers receive services from Providers, they must perform a two-part assessment to assess the service they receive. They must
i.  Establish if the service meets DORA’s definition of an ICT service; and
ii.  Check whether the relevant service is a regulated financial service anywhere in the world.
Providers assessed by Outsourcers as meeting both tests are out of scope of DORA (though potentially still in-scope of the EBA Guidelines on Outsourcing).

Outsourcers must then determine if the service meets an ‘independence test’ such that it is unrelated to or independent of their regulated financial services. If the services are judged to be provided on a standalone basis, they should be classified as ICT services under DORA, (although again the EBA Guidelines on Outsourcing may also apply).

Outsourcers will now need to review previous classifications they have made, update their DORA-required register of Providers in light of the new guidance and revisit their list of outsourced contracts to ensure they are DORA (and EBA as applicable) compliant (to ensure they contain the mandatory contractual requirements).
2. On 21 January 2025, the European Commission rejected the draft Regulatory Technical Standards (RTS) on subcontracting under DORA, claiming that the European Supervisory Authorities (ESAs) have exceeded their legal mandate set out in DORA. The main text of DORA is supplemented by technical detail in a body of secondary legislation, such as the draft RTS, which was submitted by the three ESAs for approval, outlining specific technical requirements related to the management and oversight of subcontracting arrangements.

The issue centred on Article 5, which requires financial entities to identify and maintain an up-to-date record of the entire chain of subcontractors. This blanket requirement contrasted with other sections of the draft RTS, which limited this obligation only to subcontractors responsible for material parts of the relevant ICT services. For those involved in remediating contracts to comply with DORA, Article 5 has caused concerns that even subcontractors providing minor parts of the services could be subject to this requirement. This approach was regarded by many as disproportionately onerous, creating practical challenges for financial entities seeking to comply.

The ESAs now have six weeks to resubmit the draft Subcontracting RTS as per the Commission’s proposed amendments, which the Commission has indicated it will now accept. Should the Parliament and the Council not object within the one month from the date of the Commission’s acceptance, the draft RTS will be adopted and published in the Official Journal. The publication process could however be expedited if both the Parliament and the Council confirm that they do not intend to object to the RTS. Conversely, if the draft RTS is rejected, it will be returned to the ESAs for further review.

The rejection of the draft RTS has caused uncertainty for Outsourcers and Providers, as until the RTS is finalised, there is a lack of clarity with respect to auditing requirements and the extent of the subcontracting chain. Consequently, contracts cannot be drafted with certainty, leaving both Outsourcers and Providers awaiting clarification. Indications are that regulators may adopt a “best efforts” approach to contractual arrangements during this interim period.
In the meantime, Outsourcers should:
1.  Complete their DORA registers with respect to their contracts with Providers: Regulators will ask for the registers containing this information in March/April this year;
2.  Continue to make DORA-compliant changes to their contracts with their Providers; and
3.  Keep an eye on regulatory developments which may impact implementation including further technical standards (such as the above referenced RTS).
Should you require any advice on the impact of DORA on your business and contractual negotiations please get in contact.
Jon Brassey, Senior Consultant