This year, it’s one hundred years since one of Ernest Hemingway’s characters asked, “how did you go bankrupt?” The answer: “two ways” – “gradually and then suddenly.” This exchange from one of Hemingway’s classic novels sums up how change can creep up on us. And then suddenly, without warning, everything changes overnight.

As 2026 beds in, the regulatory pace is quickening, not slowing. From AI governance and consumer enforcement to data portability and online safety, senior management and general counsel need to work hand-in-hand to stay ahead of the game.

This article distils some of the key takeaways from Lewis Silkin’s 2026 Commercial, Technology & Regulatory Handbook into actionable priorities for leadership teams. Without doubt, there will be changes which will come unexpectedly – that’s the nature of living in a complex world – but there is plenty which such teams can prepare for now, before ‘gradually’ turns into ‘suddenly.’

Be ready for enhanced CMA consumer enforcement

The internet has inspirational – often anonymous – quotes for every situation. “You can’t put a price tag on standards and legacy,” says one. As it happens, you can: failing your customers can now be a significantly costlier mistake than in previous years. The Competition and Markets Authority now has enhanced enforcement powers: financial penalties for breaking consumer law can be up to ten percent of your business’ global annual turnover or £10 million, whichever is the higher.

As well as drip pricing and pricing claims, the CMA has said that this is the year when it’s particularly interested in aggressive sales tactics, fake reviews, unfair or unbalanced consumer terms, and objectively false claims. It’s also likely to focus on sectors involving essential consumer spend, such as food, drink, travel, entertainment and clothing. Act now to audit your consumer facing journeys and review terms before the CMA comes knocking.

Prioritise AI governance and reap the trust dividend

2026 is a big year for the EU AI Act. Despite suggestions of it being watered down and timescales being put back, full enforcement of most of the Act is due to start on 2 August 2026, just as everyone rushes off on holiday. Act now so you don’t come back from your summer break to worried faces – and potential fines of up to seven percent of your business’ global annual turnover or €35 million, whichever is the higher.

As for the UK, in 2026, don’t expect anything momentous from Westminster. The upshot? The centre of gravity for risk management will continue to be increasingly contractual. GCs be warned!

Whatever your legal and contractual regime, getting AI right is all about trust. And, ultimately, trust is the glue which helps to keep customers, clients and employees happy.

Don’t forget the EU Data Act

In 2019, a year after the General Data Protection Regulation came into force, 93% of those surveyed by Ipsos had heard of the GDPR. As laws go, it’s an A-list superstar with a Hollywood-Walk-of-Fame swagger to it. But the GDPR isn’t the last word in data. The EU has long looked at other types of data, such as non-personal, industrial, and Internet of Things (IoT) data. It might not have the A-list glamour of personal data, but such data is the uncelebrated C-list workhorse of the economy. Enter the EU Data Act which continues to impact businesses this year, particularly “around termination rights and transferring data to competitors.” 

Access the Handbook and checklists on what to do next

Staying safe in an online world

The Online Safety Act 2023 made the UK one of the first countries to regulate social media platforms. One Whitehall source told the BBC in July 2025, “if it does what it says it does, it should be really big”. There’s no doubt that there’s a lot of ambition on online safety – in more and more countries. During 2026 there will be further compliance obligations in the UK for relevant businesses on highly-effective age assurance (HEAA) processes and reviewing risk assessments to comply with Ofcom recommendations. Be aware of the new super-complaints regime too. The good news? A proactive, risk-based approach to online safety, which treats compliance as a floor rather than a ceiling, can strengthen brand reputation and user loyalty. 

Make ‘gradually’ your advantage, or inherit ‘suddenly’ as your problem.

Change rarely feels sudden if you do the groundwork. The disciplines outlined here – trust centred AI, credible consumer standards, fair data mobility, and proactive online safety – are the quiet, gradual investments that compound. Leaders who treat 2026 as the year of disciplined preparation will find that when ‘suddenly’ arrives, it’ll looks a lot like business as usual.

Read more: Lewis Silkin’s 2026 Commercial, Technology & Regulatory Handbook

An essential resource for legal counsel and C-suite decision makers to help navigate all things commercial, tech and regulatory in a fast-changing world.

Authors