UK Trends and Developments Contributed by: Alison Beal, Joel Harrison and Michelle Kirschner, Gibson, Dunn & Crutcher LLP
A focus of the proposed Bill is supply chain risk management. The Policy Statement indicates that secondary legislation will clarify operators’ and service providers’ duties to assess and manage cyber risks across their supply chains. These obligations are expected to require “appropriate and proportionate” measures – such as contractual security clauses and continuity planning – to prevent vulnerabilities in third parties from undermining the resilience of essential services. Accordingly, if implemented as set out in the Policy Statement, specific contractual requirements will need to be addressed in outsourcing arrangements in the future.

While the Policy Statement indicates that the Bill will include material amendments to the NIS Regulations to align more closely with lessons from the EU’s NIS2 regime, it will not necessarily align completely with the NIS2 Directive. UK-based technology and service providers providing covered services in the EU will need to comply with obligations arising from the NIS2 Directive in addition to the UK regime.

Artificial Intelligence in Technology and Outsourcing Transactions

AI has moved from concept to core capability, redefining how services are delivered in practically every industry sector. In outsourcing and technology transactions, AI is no longer a peripheral capability – it is central to the supplier’s offering, and increasingly a key differentiator in the RFI/RFP process.

As AI systems mature, negotiations increasingly revolve around ownership, use rights and accountability. Customers often seek to prevent the training of the supplier’s and third-party models on their data, while suppliers aim to protect and reuse proprietary algorithms and training methodologies. Clauses now commonly address how fine-tuned or retrained models may be reused or commercialised after contract termination.

The UK does not have overarching AI legislation (unlike the EU) and relies on existing legal frameworks to regulate the use of AI. This principles-based, sectoral stance towards AI differs from the EU AI Act, which provides a more prescriptive framework that
classifies systems by risk level and imposes compliance obligations accordingly.

Because the EU regime applies extraterritorially, UK suppliers offering AI systems in the EU must ensure parallel compliance. Many are therefore adopting hybrid governance models aligned with both UK and EU frameworks to maintain credibility with customers and regulators alike, and to avoid the interoperability issues that can arise with bifurcated development processes.

AI systems introduce new categories of risk and amplify others such as bias, error, opacity and dependency on external data. Contracts are evolving to address these through warranties on the quality and provenance of training data, indemnities for misuse, IP infringement or bias, obligations in relation to transparency, explainability and model auditability, and continuous monitoring and validation clauses.

Data protection remains pivotal. The use of personal data in training and automated decision-making engages UK GDPR principles on fairness and transparency. Clients now expect detailed disclosure of data-use practices and mitigation of bias, while providers seek to preserve IP protection and confidentiality. Ethical governance (for example, responsible AI and human oversight) is increasingly reflected in contracts or supplier codes of conduct.

AI tools are also transforming the transaction process itself. Generative AI systems are now used in due diligence, contract analysis and drafting, providing efficiency gains but raising concerns about data leakage and output reliability. Many firms are developing internal frameworks for secure and responsible AI adoption, balancing productivity with confidentiality and risk management.

Cross-Border Data Transfers

The regulation of data, particularly personal data, continues to have a significant impact on delivery models for data-driven technology and outsourcing agreements.
Different countries are pursuing distinct strategies for regulating data that reflect their national
CHAMBERS.COM