The Council of the EU and the European Parliament have reached an agreement on delays and amendments to the EU AI Act, as part of the EU’s ongoing digital simplification programme. Most notably, compliance obligations for stand-alone high-risk AI systems will now come into effect on 2 December 2027 rather than August 2026, as originally planned. Despite the attention surrounding…

On April 29, 2026, the New York State Department of Financial Services (“DFS”) issued its first cybersecurity enforcement action of 2026—a Consent Order against Delta Dental Insurance Company and Delta Dental of New York, Inc. (the “Companies”) imposing a $2,250,000 civil monetary penalty for violations of the Part 500 Cybersecurity Regulation. The action is notable as the Department’s first—and to…

In some ways, the dominant mode of legal service delivery resembles the old VHS or DVD model, whereby everyone rented movies by walking or driving to their local video store. For most legal services, a client identifies a need, contacts outside counsel, and receives a tailored product in response to a discrete request. The model reflects the nature of most…

Debevoise & Plimpton’s Data Strategy & Security (DSS) team is pleased to contribute to the Legal 500 Country Comparative Guides: Data Protection & Cybersecurity with a new “Hot Topic” chapter examining key cyber trends and critical legal considerations for incident response. In this chapter, the team explores how the cyber threat landscape evolved through 2025 and what organizations should expect…

Cybersecurity incidents have become an ever-growing threat to companies as attacks become more sophisticated, particularly in the face of AI-enabled threat actors. When a cyberattack occurs, while the immediate focus is typically on containing the impact and restoring systems, it is equally as important for businesses subject to the EU/UK Market Abuse Regulation (“MAR”) to consider their disclosure obligations.  A…