Round-up of knowledge
Welcome to Commercially Connected shorts, our weekly bitesize newsletter summarising the latest updates in UK and EU commercial law.
This week we look at:
- Technology: EU Technological Sovereignty Package
- Cyber: The Resilience Landscape – An Update to Practical Implementation
- AI UK: Ofcom’s strategic approach to AI for the year ahead
- AI EU: When is AI “High-Risk” under the EU AI Act?
On 3 June 2026 the European Commission presented the Technological Sovereignty Package to reduce Europe's dependence on non-EU technology providers. It will be most relevant to cloud providers, semiconductor manufacturers, energy operators, and public-sector entities.
The package comprises four pillars:
- the Cloud and AI Development Act introduces a tiered cloud sovereignty framework with four assurance levels for public data. It seeks to expand EU cloud capacity for AI workloads and establish clear criteria for sovereignty claims by providers
- the Chips Act 2.0 proposes to strengthen EU semiconductor design, production, and packaging capacity. It also seeks to streamline permitting and align chip production with key demand drivers, including data centres and AI infrastructure
- an Open Source Strategy which aims to build open source development in Europe, support start-ups, and improve the long-term maintenance and security of open source products
- a Strategic Roadmap for Digitalisation and AI in Energy which looks at accelerating the deployment of digital and AI solutions in the energy sector, improving security and enhancing data centre sustainability
The proposals will now be examined by the European Parliament and the Council. The package introduces the first formal EU-level definition of digital sovereignty, redefining market access and procurement. It is expected to benefit EU-based tech, cloud, and industrial players by expanding domestic capacity in chips, cloud, and AI. This is likely to reduce reliance on non-EU suppliers and create new opportunities across the value chain. The tiered cloud framework may require businesses to classify data by sensitivity level. For highly critical areas, such as defence or public administration, EU-based cloud capacity may be required. US hyperscalers are not excluded completely from the EU market as providers. Except at the highest assurance level, they could continue to be considered sovereign services.
To prepare for these changes, businesses should:
- review all external technology providers they rely on and map out where dependencies exist
- assess cloud infrastructure against the four-tier sovereignty classification and identify where stricter requirements apply
- evaluate semiconductor supply chain exposure and explore alignment with new resilience requirements
With thanks to Nils Müller, Maarten Stassen, Caroline Lyannaz, Olaf van Haperen and Paola Paccani
The UK government is tightening cyber resilience expectations through the proposed Cyber Security and Resilience Bill and the NCSC's Cyber Assessment Framework (‘CAF’) 4.0 (which sets outcome-focused security standards). The changes expand the scope of organisations caught by the regime, introduce stricter incident reporting obligations, strengthen supply chain accountability, and place greater emphasis on board-level governance, operational resilience and cyber maturity.
Businesses should move beyond “tick-box” compliance and adopt an integrated approach covering cyber security, data protection, AI governance, outsourcing and incident response. Supply chain scrutiny is also expected to increase, even for organisations not directly in scope.
With cyber resilience rapidly becoming a commercial and regulatory differentiator, organisations that prepare early will:
- be better placed to meet evolving UK and international requirements
- respond effectively to incidents, and satisfy growing customer and regulator expectations
For a deeper dive on the Bill and our step-by-step approach to preparation, see: Cyber Resilience Landscape – An Update to Practical Implementation
With thanks to our Privacy team.
On 4 June 2026, Ofcom published its strategic approach to AI for 2026-27. This sets out how it plans to support AI adoption across the communications sectors it regulates (telecoms, online safety, broadcasting, spectrum and digital infrastructure) while responding to the risks AI can create. The message is broadly pro-innovation, with a clear reminder that Ofcom expects its oversight and existing regulatory obligations to continue to manage situations where AI affects outcomes for consumers or markets, or creates security risks.
What is Ofcom planning over the next year?
- Tackling AI-enabled harms such as deepfakes, fraud, misinformation and cyber threats, including further work on watermarking, attribution and online safety enforcement
- Testing how AI can support its own research, policymaking and internal processes
- Working more closely with SMEs to understand where regulatory uncertainty may be holding back AI adoption
- Continuing to track international AI developments, including the EU AI Act, and staying active in domestic and international regulatory forums
- Monitoring new AI technologies, products and services and making clear that providers using in-scope AI tools must meet their obligations under the Online Safety Act (which is in phased implementation)
- Seeking input on how AI is being used in cybersecurity and whether existing telecoms and network security rules may unintentionally slow adoption.
The report also includes some helpful use-case commentary on agentic AI, highlighting the direction of travel and the opportunities and risks to be aware of. This is insightful for any business developing or deploying agentic AI for matters such as software development, managing harmful content, managing supply chains, dynamic pricing and troubleshooting. Whilst these use cases demonstrate efficiencies (time/cost), they are balanced against the familiar risks of AI use (such as lack of transparency in process, risk of error cascade, lack of human in the loop to challenge decisions or processes, cyber-attacks, and consumer scepticism).
For businesses in Ofcom-regulated sectors, the direction of travel is clear. Ofcom wants to support AI adoption, but it is not creating a separate compliance lane for AI. Instead, it expects existing rules on online safety, consumer protection, security and resilience to apply to AI-enabled products and services in the usual way. Businesses deploying AI should therefore focus on practical governance: identifying where AI changes risk profiles, checking whether existing controls remain fit for purpose, and being ready to explain how AI tools are being used, tested and monitored in practice. Businesses developing more autonomous or customer-facing AI tools should also expect closer scrutiny as Ofcom’s work on agentic AI and AI-related harms develops.
The European Commission’s draft guidelines on “high-risk” AI under the EU AI Act clarify that classification of a system as “high risk” depends largely on an AI system’s intended purpose, how it is marketed and the context in which it is used. Businesses should note that human oversight alone will not avoid a high-risk designation, and some seemingly supportive AI tools in HR, education and customer decision-making may still fall within scope (see Annex III use cases). The guidance also confirms that changing or repurposing AI systems can shift compliance obligations across the supply chain.
Organisations should review AI governance, product positioning and documentation now to assess compliance exposure. For more detail, see When is AI “High-Risk” under the EU AI Act? Key Takeaways from the Commission’s Draft Guidelines
With thanks to Robbert Santifort, Ilham Ezzamouri and Emile Leffring