UK authorities issue guidance on frontier AI cyber risks in finance

The Bank of England, the Financial Conduct Authority (FCA), and HM Treasury published a joint statement on cybersecurity and operational resilience risks linked to frontier AI models.

According to the statement, current frontier AI models can perform certain cyber-related tasks at high speed and scale, potentially increasing operational and security risks if misused.

UK authorities said regulated firms should strengthen governance, vulnerability management, third-party risk oversight, and recovery capabilities. The statement also referred to the use of automated and AI-supported defensive measures in cybersecurity operations.

The guidance highlighted risks associated with third-party services, open-source software, and legacy systems. According to the statement, boards and senior management should maintain awareness of frontier AI-related operational and cyber risks.

The authorities said they will continue monitoring frontier AI developments and engage with industry through the Cross Market Operational Resilience Group (CMORG). The statement also references guidance published by the UK National Cyber Security Centre (NCSC) on vulnerability management and AI-related cyber risks.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Global experts gather for CPDP 2026

The CPDP Conference 2026 has released its detailed programme, outlining a multi-day agenda of panels, workshops and cultural sessions focused on AI, data protection and digital governance. The conference will run from 19 to 22 May 2026, bringing together global experts across policy, academia and industry.

Across the programme, a wide range of panels and debates will explore key themes including AI regulation, digital governance, workplace data rights and platform power. Alongside panels and discussions, short films and workshops will present conference topics in different formats.

Workshops are scheduled throughout each day, with structured breaks including coffee sessions and lunch intervals offering networking moments for participants. Topics range from AI in healthcare and advertising to digital conflict, governance under pressure and privacy-preserving technologies.

The programme also includes specialised tracks and cultural sessions, such as film screenings and artistic discussions on algorithmic systems, alongside academic panels and policy debates. The event will conclude after a final series of workshops and sessions on 22 May in Brussels, Belgium.


UK proposes stronger streaming rules under new Ofcom standards

Ofcom has proposed new content and accessibility standards for major streaming platforms operating in the UK, expanding regulatory oversight across the rapidly growing on-demand media sector. The draft framework follows powers introduced through the Media Act and would align streaming services more closely with traditional broadcast television standards.

The proposed rules would apply to major platforms including Netflix, Amazon and Disney. Ofcom said audiences increasingly expect consistent protections regardless of whether content is viewed through conventional television or streaming services.

The draft Code includes requirements covering harmful or offensive material, fairness and privacy protections, and due impartiality and accuracy for news content. Additional safeguards for minors would also apply, alongside stronger expectations around contextual warnings and viewer information.

Ofcom also proposed new accessibility obligations for streaming providers. Under the draft rules, platforms would need to subtitle 80% of catalogue content, provide audio description for 10%, and provide signing for 5%. The regulator said that more than 18 million people with hearing or sight conditions could benefit from improved accessibility standards across streaming platforms.

Why does it matter?

The proposals signal a major shift in how digital media platforms are regulated in the UK, extending broadcast-style obligations into streaming ecosystems for the first time. The measures could influence global debates around platform accountability, online safety, accessibility standards, and regulatory convergence between traditional media and digital services.


ICO warns organisations about growing AI cyber threats

The UK Information Commissioner’s Office has warned that AI is enabling faster, more advanced and harder-to-detect cyberattacks, urging organisations to strengthen their defences against emerging threats.

In a blog post, the regulator highlighted risks such as AI-generated phishing emails, deepfake social engineering, automated vulnerability scanning, AI-powered malware, credential attacks, data poisoning and indirect prompt injection. The ICO said cybersecurity must be treated as a shared responsibility, with organisations expected to take proactive steps to protect the personal data they hold.

The ICO said strong foundational security measures remain essential, but should be reinforced with layered defences to counter AI-powered threats. It pointed to practical steps such as patching systems, restricting access through multi-factor authentication, applying least-privilege principles and managing supplier risks.

The recommendations also include monitoring systems for unusual activity, carrying out vulnerability scanning and penetration testing, and maintaining regularly tested incident response plans. The ICO said AI can also support cyber defence, but should operate within a clear framework of human oversight and accountability.

Organisations are further advised to minimise data collection, conduct regular data audits and train staff to recognise AI-powered social engineering attacks. The ICO said AI tools processing high-risk personal data should be supported by data protection impact assessments and appropriate safeguards.

Why does it matter?

The ICO’s warning links AI-powered cyber threats directly to data protection obligations. As attackers use AI to scale phishing, exploit vulnerabilities and impersonate trusted contacts, organisations are expected not only to improve technical security, but also to limit the personal data they hold, strengthen governance and prepare for faster-moving incidents.


CMA opens Strategic Market Status investigation into Microsoft business software

The UK Competition and Markets Authority has opened a Strategic Market Status investigation into Microsoft’s business software ecosystem, marking another major step in the country’s digital competition regime.

The investigation will examine Microsoft’s position across workplace software products widely used throughout the UK economy, including productivity software, personal computer and server operating systems, database management systems, security software and its growing AI assistant ecosystem, including Copilot. The CMA said more than 15 million commercial users across the UK rely on Microsoft’s software ecosystem.

Regulators will assess whether Microsoft has Strategic Market Status in business software and whether its position may limit customer choice. The CMA said it will examine concerns linked to product bundling, interoperability limits and default settings that could make it harder for businesses and public-sector organisations to switch providers or combine Microsoft tools with competing products.

The authority will also examine how competing AI services can integrate with Microsoft’s business software as workplace tools increasingly incorporate AI and agentic AI functions. The CMA said customers should be able to access software and AI services from a range of suppliers rather than being locked into a single ecosystem.

Cloud competition concerns are also linked to the probe. An SMS designation would allow the CMA to consider targeted interventions related to Microsoft’s software licensing practices, which were previously identified as reducing competition in cloud services.

The CMA will gather evidence from Microsoft, customers, rivals, challenger technology firms and other stakeholders before deciding whether to designate Microsoft with Strategic Market Status. The regulator said the investigation does not assume wrongdoing and that any future interventions would depend on the evidence and relevant legal tests.

Why does it matter?

The investigation shows how digital competition oversight is moving deeper into enterprise software, cloud infrastructure and AI-enabled workplace tools. As products such as Copilot become embedded in systems used by businesses and public services, regulators are increasingly treating interoperability, bundling and switching costs as strategic competition issues rather than narrow technical questions.


Norway and Romania expand EEA cooperation with anti-disinformation funding

Romania and Norway have signed a new EEA and Norway Grants agreement that introduces dedicated cooperation measures against disinformation, reflecting growing European concerns over information manipulation, democratic resilience and geopolitical instability.

Norwegian Foreign Minister Espen Barth Eide signed the agreement in Bucharest alongside Romania’s Minister for European Investments and Projects, Dragoș Pîslaru. The agreement forms part of the wider 2021-2028 EEA and Norway Grants framework, which supports social, economic and institutional development across Europe.

The new cooperation programme will fund initiatives aimed at strengthening resilience against disinformation through partnerships involving public institutions, specialist communities and civil society organisations in both countries.

The agreement also supports broader programmes covering justice and police cooperation, green transition projects, energy efficiency, and measures designed to strengthen the rights and living conditions of Roma communities.

Romania will receive €596.3 million under the current funding cycle, making it the second-largest beneficiary after Poland. Norway, Iceland and Liechtenstein together provide €3.268 billion through the EEA and Norway Grants programme, with Norway contributing approximately 97% of the overall funding.

Why does it matter?

The agreement shows how disinformation is becoming part of broader European cooperation on democratic resilience and institutional capacity, not only a media or platform issue. By funding partnerships between public institutions, expert communities and civil society, the programme links information integrity with governance, security and social cohesion at a time of heightened geopolitical pressure in Europe.


Poland launches campaign to boost business cybersecurity awareness

Poland’s Ministry of Digital Affairs has launched a campaign to encourage entrepreneurs and management teams to take a more active role in protecting their companies from cyber threats.

The campaign, titled ‘Build your company’s digital security click by click’, is aimed at businesses and senior decision-makers. The ministry says its main goal is to encourage firms to address cybersecurity at both organisational and operational levels.

The campaign stresses that cybersecurity is no longer solely the responsibility of IT departments but is a key part of responsible business management. The ministry points to growing risks such as phishing and ransomware as digital technology becomes central to company operations.

According to the ministry, effective cybersecurity depends on three pillars: knowledge, processes and people. The campaign encourages firms to analyse risks, develop incident response procedures, train employees regularly and use official guidance available through cyber.gov.pl.

A separate focus is placed on medium-sized and large companies subject to requirements under Poland’s national cybersecurity system. The ministry says firms in key sectors should understand obligations related to risk management, incident reporting and the protection of information systems.

The campaign also calls on company leaders to integrate cybersecurity into business strategy, including through security policies, investment in skills and the development of a culture of responsibility across organisations.

Why does it matter?

The campaign reflects a broader shift in cybersecurity policy from technical protection towards organisational responsibility. By targeting business leaders, Poland is emphasising that cyber resilience depends not only on tools, but also on governance, staff training, incident response and compliance with national cybersecurity obligations.


G7 working group advances cybersecurity approach for AI systems

The German Federal Office for Information Security published guidance developed by the G7 Cybersecurity Working Group outlining elements for a Software Bill of Materials for AI. The document aims to support both public and private sector stakeholders in improving transparency in AI systems.

The guidance builds on a shared G7 vision introduced in 2025 and focuses on strengthening cybersecurity throughout the AI supply chain. It sets out baseline components that should be included in an AI SBOM to better track and understand system dependencies.

The document outlines seven baseline building blocks that should form part of an AI Software Bill of Materials (SBOM for AI), designed to improve visibility into how AI systems are built and how their components interact across the supply chain.

At the foundation is a Metadata cluster, which records information about the SBOM itself, including who created it, which tools and formats were used, when it was generated, and how software dependencies relate to one another.

The framework then moves to System Level Properties, covering the AI system as a whole. This includes the system’s components, producers, data flows, intended application areas, and the processing of information between internal and external services.

A dedicated Models cluster focuses on the AI models embedded within the system, documenting details such as model identifiers, versions, architectures, training methods, limitations, licenses, and dependencies. The goal is to make the origins and characteristics of models easier to trace and assess.

The document also introduces a Dataset Properties cluster to improve transparency into the data used throughout the AI lifecycle. It captures dataset provenance, content, statistical properties, sensitivity levels, licensing, and the tools used to create or modify datasets.

Beyond software and data, the framework includes an Infrastructure cluster that maps the software and hardware dependencies required to run AI systems, including links to hardware bills of materials where relevant.

Cybersecurity considerations are grouped under Security Properties, which document implemented safeguards such as encryption, access controls, adversarial robustness measures, compliance frameworks, and vulnerability references.

Finally, the framework proposes a Key Performance Indicators cluster that includes metrics related to both security and operational performance, including robustness, uptime, latency, and incident response indicators.

According to the paper, the objective is to provide practical direction that organisations can adopt to enhance visibility and manage risks linked to AI technologies. The framework is intended to support more secure development and deployment practices.


IPC New South Wales’ Generative AI guidance targets privacy risks in Australia

The Information and Privacy Commission New South Wales has issued guidance for public sector agencies in Australia on managing privacy risks associated with the use of generative AI tools.

The guide states that the Privacy and Personal Information Protection Act 1998 applies to the handling of personal information through generative AI tools. It is intended to help agencies understand and comply with privacy obligations when adopting tools such as ChatGPT, Gemini, Claude, Perplexity, and Copilot.

Generative AI can support workplace tasks such as drafting, editing, document analysis, research, translation, transcription, and process automation. However, the IPC warns that these tools can create privacy risks when prompts, uploaded files, or outputs include personal or health information.

The guide highlights risks including unexpected use or disclosure of personal information, cross-border data transfers, unauthorised disclosure, data breaches, extended retention of personal information, generation of new personal information, inaccurate or discriminatory outputs, and loss of transparency or data subject control.

Some generative AI providers may collect customer data, including prompts, uploaded files, and outputs, to train or improve their models, according to the IPC. Agencies should assess whether personal or health information uploaded to a generative AI service may be processed offshore or used for purposes beyond the original collection purpose.

Recommended measures include privacy impact assessments, updates to privacy management plans and data breach response policies, clear public notices, consent where required, acceptable use policies for staff, training, pre-deployment testing, third-party vendor assessments, and data residency in Australia where possible.

Human review is also presented as an important safeguard, especially where generative AI outputs inform decisions affecting individuals’ access to services, opportunities, or benefits. The IPC urges agencies to avoid a ‘set and forget’ approach and continuously monitor generative AI use, governance, culture, and emerging privacy risks.


China expands AI education strategy through global learning platform

China has launched a global AI education service platform to expand cross-border access to digital learning resources and support the integration of AI into education.

The initiative was announced during the 2026 World Digital Education Conference in Hangzhou and forms part of a broader upgrade to Smart Education of China, a digital education platform now accessible in around 220 countries and regions.

Chinese authorities said the upgraded platform will support cross-border sharing of educational resources and expand international services. New features include a lifelong learning hub and a Chinese language learning community.

The conference also saw the release of a report outlining China’s policy progress and practical experience in smart education. An AI education initiative was also unveiled, calling for better use of AI to support well-rounded and sustainable human development.

The initiative also urged stronger efforts to bridge the global digital divide by using smart education platforms to share high-quality resources and digital tools.

Why does it matter?

The launch shows how AI education is becoming part of digital infrastructure strategy, not only classroom reform. By linking AI tools, online learning resources and international access through a state-backed platform, China is positioning digital education as an area of both domestic development and global cooperation. It also points to wider competition over who builds the platforms, standards and learning ecosystems that will shape AI literacy and future workforce skills.
