Technology Sector Lookahead 2026

Introduction

In this Lookahead, we look at some of the hot topics for this sector in 2026 which include:


AI - IP Ownership and Infringement

As indicated in our recent Insight AI and Intellectual Property: Ownership, Infringement and Reform, 2025 left many questions unanswered. 2026 should see some interesting developments including clarification of the government’s position in relation to the rights of copyright owners. The government’s view in its consultation appeared to favour a general text and data mining (TDM) exception, but a recent progress report indicated little support for this from respondents to the consultation. The full report should be published by 18 March 2026. 

The long-awaited decision in Getty left key copyright questions unanswered, but did confirm that use of trade marks in outputs may amount to trade mark infringement (see our Insight World Intellectual Property Review quotes Dewdney William Drew on the Getty Images vs Stability AI decision). The key copyright question of whether an LLM is itself an infringing copy will now be looked at by the Court of Appeal and its decision is eagerly awaited. We also expect to receive the Supreme Court’s view as to whether AI-implemented inventions should be considered computer programs and the correct approach to considering the patentability of such inventions.


AI - Legislative Developments

2025 was a year that continued to see a divergence of approach between the UK and EU, as highlighted in our recent Insight AI Regulation and Ethics: Governance, Oversight and Legal Risk. In the UK, despite some government indications, no AI-specific legislation materialised. It seems likely that the combination of voluntary regulation and application of existing laws to novel AI scenarios will continue in 2026.

In the key area of AI product liability, we look forward to the Law Commission’s formal public consultation on reform proposals in the second half of 2026 (see below).  We expect the ICO and other key regulators to continue to be very active in the AI space. Although some provisions of the EU AI Act are already in effect, most of the remaining provisions were due to come into effect on 2 August 2026 and others on 2 August 2027. The proposed Digital Omnibus on AI Regulation may lead to an extension of these timelines.


AI – Use in Advertising

The use of artificial intelligence in advertising has accelerated rapidly, with AI-generated content now featuring prominently in campaigns across every sector. This presents both significant opportunities and complex challenges. 2026 marks a pivotal moment in the regulatory landscape, as legislators and regulators in the UK and EU respond to the rapid adoption of AI with new transparency obligations, disclosure requirements, and enforcement priorities. For advertisers and brands, understanding these developments is essential to navigating the year ahead. For more detail, please see our Insight.  


Corporate Activity Overview

The UK IT services sector remained resilient but uneven in 2025, as organisations moved AI from pilots to real use, tightened cybersecurity, and adopted hybrid and sovereign cloud to control costs and meet regulatory demands. Deal volumes within the IT services space were broadly in line with 2024, the majority being private equity-backed, with buyers targeting capability-led AI, cloud security and data engineering capabilities, often adding sector expertise or partnering where full acquisitions were less practical. Particular hot spots appeared in regulated and mission critical sectors such as financial services, healthcare, government, energy and telecoms. Throughout this period, our international team of transactional and sector experts have guided clients through the opportunities and challenges presented. Some of our highlights this year include:

Looking forward, the 2026 outlook for UK IT services M&A is likely to be defined by capability-led consolidation and a sharper focus on enhancing technical prowess. We expect to see buyers prioritising acquisitions that add depth in AI, data engineering and cybersecurity, and deal flow to continue to track spend in the sectors referred to above. The impact of upcoming cyber security and supply chain regulation is presently unknown but will increase the cost of evidencing compliance and reporting complexity.

International expansion will remain a core strategy for some market participants, to gain access to new customers and markets and/or additional service delivery capabilities, for example in the Americas and Central and Eastern Europe to support blended cost, time zone coverage and access to scarce AI and data skills. Cross border integrations will therefore need disciplined attention to data location, data flows, localisation and evolving EU and UK rules on interoperability and switching, including under the EU Data Act.

Another notable shift in this space is the rise of AI “infrastructure like” services. As enterprises move from pilots to production, they are investing in proprietary data sets, model pipelines and governance that demand specialised compute, storage, security and observability. This is fuelling M&A in adjacent managed services, MLOps tools, model evaluation and safety, and in partners capable of operating within regulated environments. We expect to see competition for these assets intensifying.

M&A activity in the IT services segment in the UK is a practical response to clients’ AI, cloud and security driven investment priorities and to UK regulatory scrutiny of cloud and data intensive services. As we look to 2026, we expect capability led consolidation to continue, supported by data privacy, and AI infrastructure themes evident in UK 2024–2025 deal data.

We expect cyber security M&A to stay busy into 2026, with continuing consolidation, combining headline platform buys with active bolt-on activity, and an ongoing shift towards larger platform plays, as buyers combine cloud, exposure management and identity capabilities to meet enterprise demand for integrated defences.

We expect deals to be negotiated with a sharper focus on cyber risk, including deeper, more technical due diligence, fuller disclosure of past incidents and vulnerabilities, and more explicit warranty protection around technology, data protection and intellectual property. The threat landscape is also evolving, with AI improving detection on the one hand and enabling more sophisticated attacks on the other, and we may see buyers focussing due diligence more on this area.


Corporate - Economic Crime and Corporate Transparency Act 2023 (ECCTA)

The Economic Crime and Corporate Transparency Act 2023 (ECCTA) contains wide-ranging reforms to the way companies and limited partnerships in the UK are formed, managed and operated, and is a key legislative effort by the Government to enhance the prevention of financial crime in the UK. Since ECCTA received Royal Assent in 2023, its implementation has been taking place in a gradual manner.

ECCTA is far-reaching and impacts all UK companies, whatever the sector they operate in. In November 2025, the new identity verification (IDV) regime came into force. IDV introduces mandatory identity verification procedures whereby all new directors, members of LLPs and PSCs will need to verify their identity before taking up their positions. In respect of all existing directors, members and PSCs, there is a transitional period so that:

  • all existing directors and members of LLPs must have their identity verified before the company's next confirmation statement date following 18 November 2025; and
  • all PSCs must have their identity verified within 14 days of the start of their next birthday month (e.g. if a PSC's birthday is 19 December, they must complete their IDV check by 14 December).

PSCs who are also directors of the same company must notify Companies House of their personal IDV code with the company's next confirmation statement, and separately in respect of their position as PSC, in each case respecting the time limits noted above.

From 18 November 2025, companies are also no longer required to maintain a local register of directors, register of directors’ residential addresses, register of secretaries and PSC register. Instead, companies must provide this information directly to Companies House, where it will be held centrally. New appointments and changes to information relating to existing appointments (for example, a director moves house) must be notified to Companies House within 14 days of the change.

Further implementation of ECCTA provisions is expected in 2026, though exact dates are yet to be announced. It is expected that by the end of 2026, Companies House will (amongst other things) make identity verification of the presenters a compulsory part of filing any document; require identity verification of nominated officers of RLEs, corporate directors and individuals, who file information on behalf of a company at Companies House; and facilitate greater cross-checking of information and data between Companies House and other public and private sector bodies.


Cyber security, business resilience and continuity

Cyber security, cyber resilience and related business continuity have been issues for UK public services and businesses through 2025. While the digital revolution has brought advantages for businesses and the economy, vulnerabilities and risks have been highlighted. It seems likely that 2026 will bring additional cyber threats and businesses will need to adapt to become more resilient to increased cyber attacks as well as a changing regulatory landscape.

The UK has a complex cybersecurity legal framework, which includes laws on data protection, the security of network and information systems, sector-specific requirements and regulations relating to national security. In Spring 2025, the UK government published a high-level policy statement outlining proposals to update the UK’s cybersecurity framework in order to minimise risk and provide improved resilience in years to come (see our Insight UK Cybersecurity and Resilience Policy Statement April 2025 - Impacts for Managed Services Providers and Data Centres for more on the proposals). Further to the statement, the government's proposed Cyber Security and Resilience (Network and Information Systems) Bill 2025 (the “Bill”) was introduced in November 2025 and is expected to make its way through Parliament in 2026. 

The Bill introduces changes to the existing Network and Information Systems Regulations 2018, including bringing new services (data centres, critical supply chains and managed services) into scope, enabling regulators to designate "critical suppliers" and updating the incident reporting regime. There will also be improved powers for the Secretary of State, including to make regulations to update the UK’s regulatory framework and to issue directions to regulators and regulated entities, where it is necessary and proportionate for national security. The UK’s Information Commissioner broadly supports the new Bill and improvements to the UK's cyber defences through regulation, although it is acknowledged that much of the practical detail, for example, around reporting, will need to be defined through secondary legislation.

While regulations relating to ransomware and related payments were not included as part of the Bill's proposals, we anticipate new legislative proposals in 2026 in this area following the government’s response to feedback on its recent ransomware consultation. 

While this regulation does not affect public sector bodies, the Government has published a Cyber Action Plan to improve the resilience of public services. This will be relevant for suppliers to relevant public services to assist the public sector in addressing their cyber challenges.

The Product Security and Telecommunications Infrastructure Act 2022 introduced regulation of consumer connected devices in the UK, and we anticipate that the Government will seek to extend regulation, in time, to B2B connected devices.

In the EU, new obligations under the Cyber Resilience Act 2024 come into force in 2026 and 2027 relating to hardware and software products with digital elements sold in the EU, aiming to make them secure by design and with obligations on manufacturers to provide security updates and support during the lifetime of products. Additionally, the EU’s Digital Omnibus simplification package is likely to simplify digital and AI regulation and streamline cybersecurity incident reporting. In January 2026, the European Commission put forward proposals for an updated EU Cybersecurity Act and amended NIS 2 Directive to address cyber risks in supply chains, which include possible prohibition of high risk suppliers and designation of third countries that may pose cybersecurity concerns. The Regulation will also enable EU regulators to create cyber security certification schemes which will seek to secure ICT products, services and processes.


Cybersecurity - Improving supply chain resilience and the NCSC

In 2026 we anticipate that businesses will look to adapt and improve supply chain arrangements to minimise risk and improve resilience in the face of cyber threats. The UK’s National Cyber Security Centre (NCSC) has recently published a Cyber Essentials Supply Chain Playbook aimed at helping businesses to protect themselves from cyberattacks and build the cyber resilience of UK supply chains by championing the Cyber Essentials scheme and making the scheme a standard requirement for suppliers. The playbook champions improved policy, including auditing of processes, assessment of risks, detailing expectations of suppliers, strengthening of contractual clauses and improving the procurement process.


Cyber attacks, data breaches, class actions and insurance 

Cyber attacks not only lead to business interruption but can also result in data breaches. Cyber insurance is one of the tools that businesses use in managing risks. We anticipate that more businesses will incorporate insurance in their cyber security risk management processes in 2026.

In the US and more recently in the UK, we have seen increasing numbers of class actions brought by groups of litigants affected by data breaches resulting from cyber attacks. Improving risk management processes to reduce the risk of data breaches and prevent legal action can help save businesses money as well as minimise damage to reputation.  


Technology patents and the UPC

2025 brought continuing development and expansion of case law from the Unified Patent Court (UPC) alongside further expanding use of its courts. This included the development of a long-arm jurisdiction following the decision in BSH v Electrolux.

Following the further development of the jurisprudence of the UPC and strategies deployed by the associated litigants will remain a key source of know-how when planning any enforcement / defensive strategies for 2026. This includes for states outside of the UPC, but which might potentially fall within its long-arm jurisdiction (such as the UK).

It is also anticipated that the interim licence will continue to be a source of IP news through 2026, and an important topic to follow for anyone involved in standards work. It will also be interesting to see whether the developing interim licence declaration jurisprudence in the UK leads to more standards-related litigation being brought in the Patents Court in London, particularly from new technological areas.


Product Liability – Law Commission Review

The Law Commission has launched a review of the UK’s product liability framework, assessing whether the current framework for civil liability of defective products in the UK is fit for purpose, especially in relation to recent developments in digital technologies such as artificial intelligence (AI). This follows the European Union’s update to its policies, with Directive 2024/2853 coming into force on 9 December 2024.

The current framework is based on the Consumer Protection Act 1987 (the Act). It perhaps goes without saying that, since then, the products that consumers purchase and the way they are produced and used have changed drastically, particularly in terms of technological advancements including the emergence of digital technology such as online platforms and smart devices which, of late, further integrate AI into their systems. Accordingly, products can now “evolve” in a manner that was unlikely to have been contemplated at the time of the Act.

This concern is reflected in the Terms of Reference of the Review, which outline its scope and considerations, querying whether the definition of “product” requires updating to account for emerging technologies. Similarly, the review will also consider whether the definition of “producer” needs to be reformed for these developments. The review also recognises developing issues facing claimants due to technological advances under the Act, including whether the current longstop date for bringing a claim should be extended from ten years of the product being supplied, noting that a product may change significantly in and beyond that period owing to iterative software updates.

It is clear from these Terms of Reference that the UK is following in the EU’s footsteps of updating product liability in line with technological advancements. The public consultation in relation to this is planned for the second half of 2026 and guidance is likely to follow.


Conclusion

In this article, we have picked out only a few of the challenges and opportunities that businesses in the Technology sector will face in the year ahead. We remain ready to assist all of our clients in this sector to achieve their strategic goals.
