Happy New Year. It’s New Year’s Eve, which means a rare quiet week in legal, but that’s often when the real shifts are easier to see. As we head into 2026, regulators across the UK and EU are done setting the rules and are starting to use them. As always, our focus is what legal trends mean for keeping you ahead, demonstrating value, and accelerating your impact in 2026. Scroll down for a snackable Risk Radar, our end-of-year poll and some NYE links. 🎉
— Philip
BRIEFING ROOM
Legislators are done setting the rules - 2026 is about using them

It’s been a quiet news week, but something more important is happening in the background. Across the UK and EU, regulators are moving from building regimes to actively supervising and enforcing them. The common thread for 2026 is power becoming operational.
🇬🇧 Start with the ICO. By June 2026, the UK Data (Use and Access) Act 2025 completes its phasing in, giving the ICO a fuller enforcement toolkit. That includes interview notices to individuals and the ability to force organisations to commission independent reports at their own cost. This is an operating model shift. The ICO is moving away from education-led nudging towards a more standardised, investigations-first approach.
Ofcom shows the same pattern. The Online Safety Act has materially expanded its role, giving it fining powers of up to £18m or 10% of global turnover and, in extreme cases, the ability to seek ISP blocking. Its December bulletin is understated, but this is also an operating model shift. Ofcom is moving away from being a complaints-led media regulator and towards something closer to a financial supervisor, expecting evidence of effective systems and controls on an ongoing basis rather than reactive fixes.
The CMA completes the UK picture. In 2026, it enters its first full year of direct consumer enforcement under the Digital Markets, Competition and Consumers Act 2024. It can now enforce without first going to court, impose turnover-based fines, and order compensation. Early cases on drip pricing and misleading urgency show consumer protection risk shifting from court-led litigation towards direct regulatory enforcement.
Why it matters: supervision-focused regulation pushes risk upstream. When regulators assess systems, controls and outcomes - rather than just responding to complaints - the highest-risk decisions are made at the design stage, not after launch. 💡 This is your clear reason to be in product and growth meetings early, testing pricing, UX and governance choices before they ship, rather than defending them later in response to a regulator’s information request or a consumer litigation threat.
🇪🇺 At EU level, the same dynamic is playing out.
DG-CONNECT has become the Commission’s digital engine room, responsible for turning the Digital Services Act (DSA) and AI Act from statutes into supervised regimes. In 2026, DSA investigations are expected to produce decisions that define what “systemic risk” and “effective mitigation” actually mean in practice. The AI Act enters its most operational phase, with guidance and supervisory coordination taking centre stage, despite political noise about simplification. Alongside this, DG-COMP’s Digital Markets Act enforcement machine is maturing, with less tolerance for “wait and see” compliance and more expectation that obligations are built into products by design.
Why it matters: across regulators, the shift is the same. The rules are largely written. The tools are in place. 2026 is about supervision, enforcement, and outcomes. For in-house teams, that means less time debating abstract compliance and more exposure to real interventions, real costs, and real scrutiny of how products actually work. We’ll be with you all the way.
RISK RADAR
🍟 New UK rules on less healthy food & drink advertising. From Monday, the ASA will enforce new restrictions on advertising “identifiable less healthy food and drink products” on pre-watershed TV/video-on-demand and paid online media. Food and drink SMEs (under 250 employees) are exempt. “Less healthy” is a technical classification and maps directly onto the familiar HFSS regime for foods high in fat, salt and sugar.
Why it matters: Combined with the ASA’s ongoing roll-out of AI-assisted monitoring, non-compliant placements - even programmatic or long-tail inventory - are more likely to be caught proactively. Legal teams should be ready to advise on placement decisions, targeting logic and monitoring controls early, not just defend against retrospective “flags”.
🛡️ UK Cyber Security Bill moves into Parliament. The UK Cyber Security & Resilience Bill gets its second reading in Parliament on Tuesday. The draft law expands the UK’s existing cyber regime, widening the scope of organisations in play, tightening incident reporting requirements, and giving regulators (including the ICO and sector regulators like Ofcom) clearer investigation and enforcement powers. Yes, another regulator power-up.
Why it matters: Broader operational resilience, governance and preparedness are moving up the agenda for board-level risk. CTOs will want clarity on scope, reporting thresholds and timing, and whether today’s incident response would survive regulatory scrutiny rather than a post-mortem.
🗂️ Regulators invite feedback on how enforcement actually works
Both the ICO and Ofcom have live consultations heading into January 2026 that go beyond policy and into operating mechanics. The ICO is consulting on how it will investigate, escalate and enforce under its expanded powers, while Ofcom is consulting on the Online Safety fees regime that will fund ongoing supervision. Together, they give a rare window into how these regulators expect to run their new regimes in practice, not just what the rules say on paper.
Why it matters: this is one of the few moments where legal teams can influence how regulation is applied, not just react to it. For in-house lawyers, it’s an opportunity to feed real-world experience into processes that will shape investigations, costs and engagement for years. Even a short response can help surface friction points before the shutters come down.
HIRING BOARD
🇬🇧 John Lewis, 6+ pqe, commercial, London
⚽️ The FA, 4+ pqe, commercial, London
🇩🇪 DeepL, 2+ pqe, AI regulatory and privacy, Berlin or London
IN THE CALENDAR
🇪🇺 Tomorrow, 1 January - Bulgaria joins the euro; Cyprus assumes the rotating EU Council presidency
🍔 13 January - UK ASA webinar on less healthy food and drink ad restrictions
🇳🇱 14 April 2026 - Legal Geek Europe, Amsterdam
FROM THE SIDEBAR
💰 The FCA ranks its biggest fines of the year
🥂 Should auld acquaintance be forgot (my favourite New Year’s scene)
ABOUT THE EDITOR

I work with start-ups and scale-ups as a fractional GC, covering commercial, regulatory and AI governance. Fixed days per month, fixed fee. Typical work includes contract strategy, regulatory triage, and board-level risk decisions.
- Philip
Too much legal content is dull and jargon-filled. Profiles in Legal is for lawyers who want to think clearly, sound credible in the room and get promoted.
This newsletter is for general information only and does not constitute legal advice. Seek professional advice for specific situations.
