UK CMA consults on Apple and Google app store payment rules

The UK Competition and Markets Authority has opened consultations on new requirements for Apple and Google under the country’s digital markets competition regime.

Proposed steering requirements would allow app developers to direct UK users to payment options outside Apple’s App Store and Google’s Play Store. The CMA said Apple currently bans steering in the UK, while Google restricts it.

According to the regulator, allowing developers to communicate with customers about off-platform options could increase competition, reduce payment costs and support innovation across mobile services.

Consultation proposals also cover principles to ensure that any steering fees charged by Apple and Google are fair and reasonable. The CMA said such fees should be based on evidence and should be lower than current app store charges.

Alongside the steering proposals, officials are seeking views on a potential requirement for Apple to provide developers with access to near-field communication functionality on iOS.

Broader NFC access could allow UK fintechs and developers to support contactless payments from within their own apps. It could also support future payment methods, including account-to-account payments, digital currencies and stablecoins, as well as non-financial uses such as digital ID and car keys.

Responses to the steering conduct requirement are due by 28 July 2026, while views on the potential NFC requirement are due by 21 July 2026. The CMA will decide later this year whether to impose new obligations.

Why does it matter?

The consultations show the UK’s digital markets regime moving into targeted conduct rules for major mobile platforms. If adopted, the measures could weaken Apple and Google’s control over in-app payments and give developers more freedom to offer alternative purchasing channels. The NFC proposal also widens the debate beyond app store commissions, addressing Apple’s control over device functionality that can shape competition in mobile payments, digital identity and other services.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!  

New UK regime targets systemic stablecoin issuers

The Bank of England and the Financial Conduct Authority have set out how they will jointly regulate stablecoin issuers whose activities could pose risks to UK financial stability.

The joint approach forms part of the UK’s emerging stablecoin regime. Under the planned framework, the FCA will regulate UK-issued qualifying stablecoins, while issuers recognised as systemic by HM Treasury will also be subject to Bank of England oversight.

The authorities said the two-part regime is intended to provide clarity for firms while supporting innovation, consumer protection, market integrity and financial stability.

Stablecoin issuers may become systemic if their coins are widely used in payments and could create risks for the UK financial system. In those cases, the Bank would supervise prudential and financial-stability risks, while the FCA would continue to oversee consumer protection, competition and market integrity issues.

The framework includes transition arrangements for firms moving from FCA-only supervision to joint regulation. The Bank and FCA said this should help issuers scale without facing conflicting or duplicative requirements.

The approach also allows for issuers to be recognised as ‘systemic at launch’ where they are not yet operating at systemic scale but are likely to do so. Such firms could enter a phased supervisory pathway while meeting both FCA and Bank requirements.

The Bank is separately consulting on draft rules for sterling-denominated systemic stablecoin issuers. It intends to finalise its Code of Practice by the end of 2026, with regulated stablecoins expected to operate in the UK from 2027.

Why does it matter?

The UK framework is important because it creates a pathway for stablecoins to move from crypto-market products towards regulated payment instruments. By scaling supervision as issuers grow, the UK aims to support innovation without allowing systemically important stablecoins to develop outside financial stability oversight. The model could influence how other jurisdictions regulate digital money, especially where stablecoins are expected to support retail payments, wholesale settlement or cross-border transactions.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!

UK CMA consults on Apple App Store steering rules

The UK Competition and Markets Authority has opened a consultation on a proposed conduct requirement that would allow app developers to steer users outside Apple’s App Store to complete digital purchases.

The proposal applies to Apple’s Mobile Platform, which the CMA designated as having Strategic Market Status in October 2025. The consultation is part of the UK’s digital markets competition regime and closes on 28 July 2026.

The CMA said Apple’s App Store is a key gateway for developers distributing native apps in the UK. Its proposal focuses on apps that sell digital goods and services, where developers are generally restricted from directing users to alternative offers or purchases outside Apple’s in-app payment system.

Under the proposed steering conduct requirement, Apple would have to allow developers to communicate with UK users and include redirection mechanisms, such as links or buttons, that lead to external websites for purchases.

Apple could still impose restrictions where they are strictly necessary and objectively justified, including to address malware, fraud, scams, unlawful content or content harmful to children.

The proposal would also regulate how external purchasing options are presented. Apple could use a single interstitial screen to inform users that they are leaving its in-app purchase system, but the screen would need to use neutral language and must not discourage users from completing transactions elsewhere.

The CMA is also proposing that any fee Apple charges on steered transactions must be fair and reasonable. It would also prohibit Apple from discriminating against developers that use redirection mechanisms, including through app review, search ranking, platform functionality or access to interoperability features.

The CMA said effective steering could give developers more control over pricing, billing, refunds and customer support, while giving users more choice and potentially lower prices.

Why does it matter?

The consultation shows the UK’s digital markets regime moving from platform designation to targeted behavioural rules. If adopted, the requirement could weaken Apple’s control over in-app transactions for digital goods and services in the UK and give developers more room to offer alternative payment channels. It also tests how the CMA will balance competition, consumer choice, security, privacy and platform investment under the new Strategic Market Status framework.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Google proposes a balanced approach to AI governance in the US

Google has published a policy paper proposing a two-track approach to AI governance in the United States, separating oversight of frontier AI models from rules for widely deployed AI applications.

The paper argues that AI policy should avoid what Google describes as a false choice between over-regulation and no regulation. Instead, the company calls for a pragmatic, evidence-based framework that treats the most advanced AI systems differently from everyday AI tools such as chatbots.

For frontier AI, Google proposes the creation of a Frontier AI Regulatory Organisation, or FARO. The industry-funded body would operate under federal oversight and develop standards for safety, security, incident reporting and transparency.

Google says FARO could set scientific benchmarks for frontier capabilities, particularly in areas such as cybersecurity and chemical, biological, radiological and nuclear risks. It could also oversee independent audits and require frontier AI companies to publish and follow safety frameworks before releasing highly capable models.

For widely deployed AI applications, Google argues that the federal government should rely mainly on existing legal frameworks, with targeted updates where needed. The paper says policy should focus on real-world harms and outputs rather than micromanaging AI development.

The company identifies several priority areas, including workforce preparedness, child safety, information integrity, copyright, privacy and energy infrastructure for data centres.

Google supports measures such as AI interaction guidelines for children, disclosures that chatbots are not sentient, rules for self-harm-related queries, watermarking and provenance standards for generative AI, privacy-enhancing technologies and workforce reskilling.

The paper presents the model as a way to address national security and consumer protection risks while preserving US leadership in AI development.

Why does it matter?

Google’s paper is a significant industry intervention in the US AI policy debate. Its two-track model reflects a broader governance trend: frontier AI is increasingly being treated as a national security and safety issue, while everyday AI applications are being handled through consumer protection, child safety, privacy, copyright and labour policy. The proposal could influence federal discussions, but it also reflects Google’s own regulatory preferences, including industry-funded oversight, confidential audit reports and reliance on existing law for many AI applications.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!  

EU targets AWS and Azure under the DMA

The European Commission has informed Amazon and Microsoft of its preliminary view that their cloud computing services, Amazon Web Services and Microsoft Azure, should be designated as gatekeepers under the Digital Markets Act.

The move could extend the DMA’s reach into cloud infrastructure, a sector the Commission describes as critical to Europe’s digital economy and AI development.

The Commission opened market investigations into AWS and Azure in November 2025. It has now been provisionally concluded that both services act as important gateways between businesses and customers in the EU, despite not meeting the DMA’s standard quantitative thresholds.

According to the Commission, AWS and Azure benefit from large and established user bases, high switching costs, loyalty effects, broad cloud ecosystems and long-standing market positions. It also said their AI tool portfolios and partnerships are becoming increasingly important for cloud customers.

Amazon and Microsoft now have the opportunity to examine the investigation files and respond to the preliminary findings. If the Commission confirms its assessment, AWS and Azure would be designated as gatekeepers, and the companies would have six months to comply with DMA obligations.

The Commission said fair and competitive cloud markets are important for secure, sustainable and interoperable cloud services in Europe. It also linked the case to Europe’s wider technological sovereignty objectives, as cloud infrastructure underpins AI systems, enterprise software and public services.

Why does it matter?

The case shows how the EU competition policy is moving deeper into the infrastructure behind the AI economy. Cloud platforms are no longer just business services; they shape access to compute, data, AI tools, software ecosystems and switching options for companies and public institutions. If AWS and Azure are designated as DMA gatekeepers, the decision could affect cloud interoperability, customer lock-in and the balance of power between US hyperscalers and European cloud providers.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

EU approves tariff package under US trade agreement framework

The Council of the European Union has formally adopted two regulations implementing tariff commitments under the EU-US Joint Statement of 21 August 2025.

The adoption completes the EU legislative process for the tariff package, which aims to support a stable and predictable transatlantic trade relationship while preserving safeguards for European economic interests.

The regulations remove remaining EU customs duties on US industrial goods and introduce preferential market access for selected US seafood and non-sensitive agricultural products through tariff-rate quotas and reduced tariffs.

The package also extends the suspension of duties on lobster imports, including processed lobster, from all countries under most-favoured-nation rules.

The regulations include strengthened safeguards and suspension mechanisms. These would allow the Commission to respond to significant import surges that cause or threaten serious injury to the EU operators, and to suspend tariff preferences if the US does not respect its commitments or disrupts balanced trade relations.

The regulations will enter into force the day after publication in the Official Journal. The main regulation will apply until the end of 2029, while the lobster regulation will apply retroactively from 1 August 2025 and expire on 31 July 2030 unless further action is taken.

The Council said EU-US trade in goods and services surpassed €1.7 trillion in 2025, underlining the scale of the transatlantic economic relationship.

Why does it matter?

The decision gives legal effect to the EU side of the tariff commitments in the 2025 EU-US Joint Statement. It shows how transatlantic trade policy is being managed through tariff reductions paired with safeguard tools, allowing the EU to preserve market access while retaining the ability to respond to disruption or non-compliance. For DW, the relevance is indirect but still useful: EU-US trade stability affects supply chains, industrial competitiveness and the broader economic environment in which digital and technology sectors operate.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!

Apple expands app distribution options in Brazil

Apple will introduce changes to iOS in Brazil following an agreement with the country’s competition regulator, Conselho Administrativo de Defesa Econômica.

The changes, beginning with iOS 26.5, will give developers new options to distribute apps through alternative app marketplaces, operate those marketplaces and process payments for digital goods and services outside Apple’s In-App Purchase system.

Apple said the changes reflect a recent agreement with CADE and are intended to create new options for developers in Brazil. The agreement follows competition scrutiny of Apple’s App Store rules in the country.

The company warned that alternative app distribution and payment options may create new risks, including malware, fraud, scams and privacy and security concerns. It said it has worked with CADE on measures designed to reduce those risks, including app notarisation, marketplace authorisation and protections for children.

Apple also said all current members of the Apple Developer Program must agree to updated licence terms by 6 July 2026 to access the new options in Brazil. The company has made online appointments available for developers seeking more information.

Why does it matter?

The changes show how competition enforcement is reshaping closed app ecosystems beyond the EU. Brazil’s intervention adds pressure on Apple to allow alternative distribution and payment models while preserving security and privacy safeguards. The case also highlights a recurring policy tension: regulators want more competition and developer choice, while Apple argues that opening iOS can increase risks for users.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

The future of agentic AI: A cross-regulatory perspective from the UK

Published in March 2026, ‘The Future of Agentic AI‘ is a foresight paper from the Digital Regulation Cooperation Forum (DRCF), the joint body bringing together the Competition and Markets Authority (CMA), the Financial Conduct Authority (FCA), the Information Commissioner’s Office (ICO) and Ofcom.

Drawn on a public call for views conducted through the DRCF Thematic Innovation Hub in autumn 2025 and a series of cross-regulatory workshops, it maps how agentic AI simultaneously activates the remits of all four regulators, and identifies the areas where cross-regulatory coherence will be most difficult to maintain as the technology advances.

The DRCF emphasises that regulation should function as an enabler of innovation rather than a barrier. All four regulators affirm that existing UK frameworks, across data protection, consumer protection, financial regulation and online safety, already apply to agentic AI.

Much of the analytical weight, therefore, lies not in proposing new rules but in mapping how the simultaneous application of those frameworks to a single agentic deployment creates coordination challenges that a sector-by-sector regulatory model was not designed to manage.

The document does not constitute regulatory policy and is explicitly framed as a contribution to the stakeholder debate.

Agentic AI: definition and current state of development

 Person, Security

Agentic AI is defined as systems of AI agents that behave and interact autonomously to achieve their objectives, where each individual agent is an increasingly autonomous AI capable of directly affecting real-world environments. The key distinction from standard generative AI lies in what agents do beyond generating outputs: they assess goals and decompose them into subtasks, retrieve real-time data from external services, execute actions such as making payments or sending communications, and retain memory of past interactions.

Information retrieval alone does not make a system an agent. The critical feature is the autonomous plan-act loop through which multi-step tasks are completed, often by invoking external tools, with limited or no human intervention at each step.

A five-level autonomy spectrum structures the analysis of the current and near-future agent landscape. At the base sits the ‘tool’, a reactive system with no initiative or memory. Above it is the ‘assistant’, capable of planning a few steps and using approved tools while deferring to the user for execution.

The ‘operator’ handles bounded workflows end-to-end once authorised. The ‘collaborator’ and ‘autonomous actor’ tiers, capable of initiating and coordinating multi-step work with minimal human approval, remain largely theoretical at the time of publication.

Most practical deployments today sit at the assistant or operator tiers: customer-support copilots that triage tickets, workflow agents that automate expense claims, or fraud detection systems in financial services. Agentic AI is not exclusively software-based. Embodied agents in robotics and the Internet of Things (IoT) represent an important adjacent development, with LLM-enabled humanoid robots already deployed in some industrial settings.

Emerging opportunities across the economy

 Blackboard, Text, Symbol

For individual users, the core opportunity lies in a ‘delegation layer’ between people and the digital services they rely on: agents that can translate natural-language intent into executable sequences of steps across tools, services and platforms, reducing friction and cognitive load. Specific consumer benefits highlighted include reduced search costs through conversational product comparison, improved deal quality through continuous price monitoring and automatic coupon application, and support for switching and cancellation journeys.

Particular potential is identified for users with disabilities or limited digital literacy, for whom conversational interfaces may substantially lower barriers to digital participation, touching directly on the future of work and labour market inclusion.

For businesses, a large-scale study of a generative AI assistant in customer support found improvements of around 14 to 15% in issues resolved per hour, with the greatest gains among less experienced workers.

Illustrations of current commercial deployment include Allianz’s agentic system for automating food spoilage claims, which uses seven specialised agents, and the UK Government Digital Service’s trial of Microsoft 365 Copilot across 20,000 staff, which reported time savings of 26 minutes per person per day.

For regulators, the CMA has already deployed agentic AI to detect consumer harms such as drip pricing. The DRCF discusses how agentic supervision tools could enable compliance monitoring at a scale and speed that would be impossible for human inspectors alone, pointing to a future in which regulators themselves are among the primary users of the technologies they oversee.

Amplified and novel risks

 Pen, Adult, Male, Man, Person, Text, Furniture, Table

Agentic AI does not merely introduce new hazards; it amplifies existing ones through the combination of autonomy, multi-step execution and access to sensitive data. The most structurally significant risk is accountability fragmentation, which the DRCF describes as the ‘many hands problem’: when a deployment involves a model provider, a system provider and a downstream deployer, each contributing distinct elements to an outcome, attributing liability for harm becomes substantially more complex than in conventional software.

Model providers have a role in monitoring and emergency controls, system providers in adapting those tools to the context, and downstream deployers in maintaining oversight during operation. Importantly, the foresight paper makes clear that ‘my agent did it’ is not a defence any UK regulator will accept as organisational responsibility for legal compliance remains unchanged regardless of the agent autonomy.

Data protection risks are particularly acute. Agentic systems frequently require broad access to personal and operational data, which may be shared across multiple agents and integrated with external tools in ways that make it difficult to maintain the data minimisation principle under the UK GDPR.

Action bundling, the tendency of agents to execute sequences of steps that would normally represent separate consumer decisions simultaneously and at speed, raises questions about whether consent remains meaningful.

Cascading errors, where a flaw in one agent propagates across interconnected systems with amplified effect, are identified as a governance challenge with potentially systemic consequences touching on critical infrastructure. The Moffatt v. Air Canada case, in which an automated system provided incorrect information and the airline was held accountable, is cited by respondents to the call for views as an illustration of how accountability challenges in automated deployments are already reaching the courts.

Cybersecurity risks are materially increased by agentic capabilities. Agents designed to ingest and act on content from diverse external sources are particularly vulnerable to prompt injection attacks, in which malicious instructions are embedded in the content the agent processes, raising direct cybersecurity concerns.

Agents may also operate under non-human identities (NHIs) without the session-based oversight that applies to conventional user authentication, creating surfaces for privilege escalation and data exfiltration. A documented attack in which agentic AI was used to perform 80 to 90% of the attack lifecycle illustrates how the same capabilities that make agents useful can be weaponised at speeds and scales beyond human capacity to manage.

Hyper-personalisation adds a further risk dimension. Agents with persistent memory and detailed user profiles can generate highly persuasive communications, and the same techniques can be turned to personalised fraud, as demonstrated in documented AI-driven influence campaigns. Where agents are optimised to advance the commercial objectives of deployers through undisclosed advertising arrangements or data-extractive digital business models, they may channel users toward platform-preferred outcomes while presenting themselves as neutral intermediaries.

Foresight scenarios and their regulatory implications

 Face, Head, Person, Photography, Portrait, Adult, Female, Woman, Skin

A methodologically distinctive feature of the foresight paper is its use of scenario analysis to stress-test the cross-regulatory implications of different agentic AI futures. Building on the ICO’s Agentic AI Tech Futures Report, the DRCF constructed a two-by-two matrix of four plausible futures defined by two critical uncertainties: the capability level of agentic systems and the degree of their adoption in the economy.

Subject-matter experts from all four regulators examined each scenario for regulatory synergies and friction points in a cross-regulatory workshop.

The first scenario, ‘scarce, simple agents’, describes low capability and low adoption, in which agents remain narrow tools used in controlled professional contexts with close human oversight. The regulatory challenges here are primarily about maintaining proportionality without over-regulating an immature technology.

The second scenario, ‘just good enough to be everywhere’, combines low capability with high adoption: agents are widely deployed despite significant limitations, creating systemic consumer harm at scale and widespread accountability confusion. Of the four scenarios, this is considered the most acute near-term risk.

The third scenario, ‘agents in waiting’, describes high capability but low adoption, in which powerful agents are held back by regulatory uncertainty, liability concerns or lack of consumer trust. The regulatory challenge shifts from harm prevention to enabling conditions: excessive caution risks suppressing valuable innovation.

The fourth scenario, ‘ubiquitous agents’, represents high capability combined with high adoption, a fully agentic future in which agents mediate most consumer-market interactions and manage enterprise workflows autonomously. Winner-takes-most market concentration, spontaneous algorithmic collusion, systemic accountability gaps and agent-to-agent communication operating beyond human-readable oversight are identified as the primary governance challenges in this scenario.

The cross-regulatory workshop exercise enabled the four regulators to map not only sector-specific risks within each scenario but also the points where their remits intersect or conflict. The DRCF presents this methodology as a model for ongoing interdisciplinary horizon scanning that other jurisdictions could adapt to stress-test their own frameworks before tensions manifest in real-world deployments.

The cross-regulatory challenge

 Art, Graphics, Adult, Male, Man, Person, Head

Using the example of a large UK retailer deploying an autonomous customer assistant, the DRCF demonstrates how a single agentic deployment can simultaneously raise data protection issues for the ICO through automated decision-making on credit or loyalty discounts, financial regulation concerns for the FCA if the assistant recommends or arranges financial products, online safety duties for Ofcom if the agent retrieves and synthesises information from third-party websites in ways that may constitute a regulated search service under the Online Safety Act 2023, and competition regulation and consumer protection matters for the CMA if the agent behaviour steers users away from competitors or constitutes algorithmic collusion.

No single regulator holds the full picture, yet each may need to act.

Each regulator sets out its current approach. The ICO launched a public consultation on updated automated decision-making and profiling guidance on 31 March 2026, responding to the reforms introduced by the Data (Use and Access) Act 2025, section 80 of which came into force on 5 February 2026.

That provision replaced Article 22 of the UK GDPR with new Articles 22A to 22D, substituting the previous near-prohibition on solely automated decision-making with a more permissive, safeguards-based framework. The consultation closed on 29 May 2026, with final guidance expected in summer 2026.

The ICO has also been formally commissioned under the Statutory Instrument 2026/425 to produce a statutory code of practice on AI and automated decision-making, which will carry evidential weight in enforcement proceedings and is expected to address agentic systems directly.

The FCA applies its outcomes-focused Consumer Duty to firms using agentic AI in financial services, with its AI Live Testing platform providing a supervised environment for firms to experiment with agentic use cases. Ofcom is assessing how agentic AI affects telecoms markets and whether agent-enabled services fall within the scope of its online safety regime.

The CMA draws on the Digital Markets, Competition and Consumers Act (DMCCA) to address strategic market status, self-preferencing and exclusionary conduct in agentic AI contexts, and has published guidance for businesses on complying with consumer law when using AI agents.

Governance, accountability and human oversight

 Pen, Chart

Observability, defined as the ability of deployers to understand what is happening within a system by examining its outputs, including logs of interactions, reasoning steps, action traces and performance metrics, is identified as a foundational governance requirement. Legal obligations under data protection law, consumer law, competition law, financial regulation and online safety requirements apply regardless of the degree of automation involved.

Nominal human oversight, where a person is present but has no genuine capacity to intervene, does not satisfy the human-in-the-loop requirement under UK data protection law when automated decisions have legal or similarly significant effects on individuals. Permissions controls that specify which data sources an agent may access are presented as both a data governance and a data minimisation tool, with the additional benefit of reducing consent fatigue: the risk that users who are repeatedly prompted to approve the agent actions begin doing so without meaningful deliberation.

Responsibility in multi-agent systems remains one of the most unresolved points in the analysis. As agents interact with each other and blend datasets without human involvement, identifying who controls which data and who is responsible for a given compliance failure under the UK GDPR becomes progressively harder.

Respondents to the call for views proposed that regulators require firms to adopt AI supply chain governance frameworks addressing component integrity, compatibility, and risk propagation. The DRCF raises the concept of ‘transparency agents’, systems designed specifically to monitor inter-agent transactions and maintain audit trails, noting that governing agentic AI may itself require agentic tools.

Consumer rights, market dynamics and algorithmic collusion

 Lighting, Architecture, Building, Wall

The Consumer Rights Act 2015 and the consumer protection provisions of the DMCCA apply fully to agentic AI providers. Drawing on the CMA’s research on agentic AI and consumers, published on 9 March 2026, the core risk identified is that systems optimised for the deployer’s commercial objectives through undisclosed advertising arrangements or data-extractive business models may influence consumer protection outcomes in ways users cannot anticipate or contest.

‘Choice outsourcing’ is identified as an emerging structural risk: when consumers delegate comparison and transaction decisions to agents that, in turn, respond to platform incentives, competition shifts from the product layer to the agent layer, with firms competing to be favoured by assistants rather than to offer the best price or quality.

Digital inequality receives dedicated analysis across two distinct risk groups. Users with lower media literacy and limited device access may struggle to recognise AI-generated responses, navigate privacy controls or correct agent errors. Users with higher digital literacy may nonetheless find their critical assessment skills weakened by the reduced visibility into multi-agent decision-making.

As agentic AI becomes embedded in everyday systems, the DRCF cautions that users may increasingly feel that non-adoption means being shut out of services entirely, a form of structural compulsion that existing consumer protection frameworks were not designed to address.

Algorithmic collusion is among the most technically specific risk areas addressed. Experimental evidence suggests that LLM-based agents may spontaneously converge on supra-competitive prices in price-setting, bidding and financial market simulations without explicit instruction, maintaining those prices even as conditions change.

Research also demonstrates that AI systems can develop covert communication strategies, including hiding messages within ordinary text, and may evolve faster non-natural-language communication protocols as alternatives to human-readable exchange.

All existing collusion evidence comes from controlled experimental conditions rather than from real-world markets, but the DRCF treats the findings as sufficient to warrant caution in deploying agents in pricing roles. The CMA’s paper on AI and collusion, published on 4 March 2026, provides the most detailed UK regulatory analysis of these risks to date.

Open communication protocols such as the Model Context Protocol (MCP) and Agent2Agent (A2A) are discussed as tools for supporting interoperability and reducing vendor lock-in, although their competitive implications remain to be addressed.

Further developments

 Computer, Electronics, Tablet Computer, Computer Hardware, Hardware, Monitor, Screen

Since the foresight paper was published in March 2026, the regulatory programme it outlines has moved forward on several fronts. Most notably, on 3 June 2026 the DRCF launched a call for input on consumer interest and AI, open until 3 July 2026. Structured in two phases, the call gathers the consumer evidence that the four regulators need to apply their existing rules more effectively.

Phase one examines consumer attitudes: how much risk consumers will tolerate from generative and agentic AI in exchange for convenience and cost savings, how well they understand the technology, and whether disclosures and consent mechanisms have a meaningful effect. Phase two asks what tools, frameworks and obligations can best deliver good consumer outcomes.

The call is significant as it represents the first concrete step toward building an empirical evidence base for enforcement rather than anticipatory guidance. Findings will feed directly into the autumn regulatory agenda of all four member bodies.

The ICO’s consultation on the updated automated decision-making and profiling guidance closed on 29 May 2026, with final guidance expected later in 2026. The FCA’s Mills Review, which examined how advanced AI models could reshape retail financial services by 2030, is on track to deliver recommendations to the FCA Board in summer 2026, with an external publication to follow. Cohort 2 of the FCA’s AI Live

Testing programme has launched, building on findings from the first cohort. Ofcom is expected to publish its 2026 to 2027 strategic approach to AI later in the year, covering agentic AI’s implications for telecoms markets and online safety.

The UK regulatory landscape is also developing in an international context. Spain’s data protection authority, the AEPD, published a detailed technical guide on AI agent architecture in February 2026, addressing prompt injection vulnerabilities and automated decisions under Article 22 of the GDPR, one of the most granular analyses produced by a European data protection authority to date.

In March 2026, an EU Parliament committee voted in favour of amendments pushing EU AI Act high-risk compliance deadlines to December 2027 and August 2028, reflecting continued implementation pressure at the EU level.

Together, these developments illustrate that the governance issues raised by the DRCF are being worked through simultaneously across multiple jurisdictions, with regulatory divergence as real a risk as convergence.

Implications for the broader digital governance landscape

 Person, Security

The DRCF’s multi-regulator framing reflects a structural reality that most national governance frameworks have not yet fully absorbed: agentic AI is not a sector-specific technology but a general-purpose capability that simultaneously activates legal obligations across multiple regulatory domains.

Countries that have assigned AI oversight to a single lead authority may find that agentic AI creates accountability gaps at the boundaries between those domains that a single-regulator model cannot address.

A fundamental difference between the UK approach and the EU AI Act is worth noting. The EU AI Act employs a risk-based classification system applied at the level of AI systems and their use cases, imposing pre-market obligations on high-risk systems before deployment.

The UK’s approach applies existing sector-specific rules to AI through the regulator most relevant to a given harm, without a central AI authority or horizontal AI statute. Both approaches acknowledge that deploying an AI agent does not transfer legal accountability to the agent; accountability remains concentrated on the deployer.

Where the two frameworks diverge is in their approach to ex ante versus ex post intervention. The UK model relies more heavily on enforcement after harm has occurred, supplemented by guidance and safe-space testing.

The EU model attempts to prevent certain harms before deployment. The ‘just good enough to be everywhere’ scenario, in which low-capability agents cause consumer harm at scale, implicitly raises the question of whether the post-hoc enforcement model is sufficiently robust for the near-term agentic AI risks the DRCF itself identifies as the most pressing.

On standards and interoperability, the governance of agent communication protocols is emerging as a question of digital standards and competition policy as much as a technical one. If open protocols such as the Model Context Protocol (MCP) and Agent2Agent (A2A) become widely adopted, they could reduce the ecosystem advantages that currently favour large incumbent platform operators.

If dominant firms instead establish proprietary standards, the market concentration risks in the ‘ubiquitous agents’ scenario could materialise more rapidly.

A related concept raised in the foresight paper is ‘know your agent’ protocols, analogous to ‘financial services ‘know-your-customer frameworks’ in financial services, as a tool for verifying agent identity, intent and permissions in commercial settings. Potential links are noted to the digital identity reforms currently under development in the UK. How these standards issues are addressed will significantly shape the competitive landscape of agentic AI markets over the next several years.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Apple delays Siri AI rollout on iOS and iPadOS in EU, citing DMA requirements

Apple has announced that its new Siri AI features will not be available to users in the European Union on iOS 27 and iPadOS 27 when the software is released later this year, citing concerns related to compliance with the EU’s Digital Markets Act (DMA).

According to the company, discussions with European regulators have not resulted in an agreement on how the new AI features could be introduced while maintaining what Apple describes as necessary privacy and security protections.

Apple said the features will remain available to EU users on macOS 27 and visionOS 27. However, users in the bloc will not have access to Siri AI on iPhone, iPad, or Apple Watch, as the watchOS functionality depends on a paired iPhone with Siri AI support.

The company stated that the DMA’s interoperability requirements would require broader access for competing virtual assistants to device functionality and user data than Apple considers appropriate from a privacy and security perspective.

Apple also said it proposed a solution called Trusted System Agent, which it described as an intermediary framework intended to provide third-party virtual assistants with access to device capabilities while maintaining additional security protections. According to the company, it also proposed a phased rollout of Siri AI in the EU while this framework was being developed.

The company said the European Commission did not accept its proposals and that there is currently no timeline for the availability of Siri AI on iOS and iPadOS in the EU.

The announcement highlights ongoing discussions between major technology companies and the EU regulators on implementing the Digital Markets Act. The DMA seeks to increase competition in digital markets by requiring designated gatekeepers to provide greater interoperability and access to certain platform services.

The European Commission has previously stated that the objective of the regulation is to promote contestability and fairness in digital markets while providing users and businesses with greater choice.

Apple’s decision means that some AI features announced at the company’s Worldwide Developers Conference (WWDC26) will not initially be available to EU users on mobile devices. These include new AI-powered assistance capabilities, expanded visual intelligence features, and AI tools integrated across iOS and iPadOS.

The company said it will continue discussions with EU regulators regarding a possible future launch of the features in the European Union.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

EU orders Meta to restore access for AI assistants

The European Commission has imposed interim measures requiring Meta to restore access to WhatsApp for rival general-purpose AI assistants while an EU antitrust investigation continues.

The measures require Meta to reinstate access to the WhatsApp Business Solution for third-party AI assistant providers under the same terms that applied before 15 October 2025. Meta must comply within five working days and maintain access until the Commission adopts a final decision.

The Commission opened the investigation in December 2025 after Meta changed the terms of its WhatsApp Business Solution to restrict AI providers from using the service when AI was the primary service offered. In February 2026, the Commission sent Meta a Statement of Objections setting out its preliminary view that the conduct could breach the EU antitrust rules.

According to the Commission, Meta appears at first sight to hold a dominant position in the EEA-wide market for consumer communication applications through WhatsApp. It also said Meta may have abused that position by preventing competing general-purpose AI assistants from accessing and interacting with users on WhatsApp.

Meta revised its policy in March 2026 to allow third-party AI assistants back onto WhatsApp, but introduced a fee that the Commission said was, at first sight, equivalent in practice to the previous ban. The Commission warned that the conduct could harm competition at a critical stage in the development of the market for general-purpose AI assistants.

The substantive investigation remains ongoing, and the interim measures do not prejudge the Commission’s final decision. The Commission said it may impose fines or daily penalty payments if Meta fails to comply.

Why does it matter?

The case shows how the EU competition enforcement is moving into the emerging market for general-purpose AI assistants. WhatsApp is not only a messaging service, but also a major access point for businesses and users. If dominant platforms can limit rival AI assistants’ access to such channels, competition in AI services could be shaped before the market fully matures. The interim measures also signal that the Commission is willing to act quickly where it believes platform conduct may create serious and irreparable harm to competition.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!