Legal Practice Notes

This Practice Note offers practical guidance on the security duties that apply to communications providers in the UK. It covers the Telecommunications ( Security) Act 2021 ( T( S) A 2021), secondary legislation such as the Electronic Communications ( Security Measures) Regulations 2022 (the Security Regulations), SI 2022/933, and the Telecommunications Security Code of Practice. It also outlines Ofcom’s role in supervising and enforcing these obligations. For a broader overview of the UK regulatory landscape, see Practice Note: The UK regulatory framework for telecommunications. Background and legislative framework T( S) A 2021 establishes the mechanism for the UK’s telecoms security regime. Using powers under that Act, the government may make regulations imposing targeted security requirements on providers of public electronic communications networks ( ECNs) and public electronic communications services ( ECSs). In essence, those duties require providers to: reduce the likelihood of security...

New starter guide This new starter guide introduces the technology, media and telecoms ( TMT) practice area and the kinds of transactions lawyers in this field routinely handle. It is aimed at trainee solicitors and anyone unfamiliar with any of the topics within TMT. What technology lawyers do What media lawyers do What telecoms lawyers do Key TMT topics Q& As Further reading materials Essential external links for TMT lawyers Key resources tab This guide helps you make the most of Lexis Nexis® TMT materials by showing how to locate them, sign up for email alerts, access Q& As and send a query to the Lexis Ask team. If a point is not covered here, use the Topics tab on the TMT homepage, or the Topics dropdown on any page, to explore further practice area...

This Practice Note sets out the principal legal and commercial considerations for a purchaser contemplating the acquisition of a software business. It concentrates in particular on technology and intellectual property ( IP) matters, together with broader points that commonly arise on any business purchase. Dedicated and detailed treatment is given to due diligence. The analysis is primarily from the buyer’s viewpoint, while signposting issues that may concern the seller where appropriate. See also Practice Note: Corporate transactions for technology lawyers for deeper coverage of topics relevant to the IT dimensions of corporate deals. Matters of data protection fall outside the ambit of this Practice Note, but should still be taken into account as needed. For guidance on data protection considerations that might arise in a corporate acquisition (including in relation to IT systems), refer specifically to Practice Note: The impact of the UK GDPR on...

This Practice Note explains and outlines the legal and regulatory framework that applies to mobile satellite services ( MSS) in the UK at present. The principal categories of communications satellite service are as follows: the MSS the fixed satellite service the broadcast satellite service Broadly, in general, both within the UK and internationally, the regimes for these services are alike when it comes to securing spectrum access (even though they may operate in distinct spectrum bands) as well as when applying for a launch and operations licence. However, they can materially diverge regarding the need for associated terrestrial licences and in particular certain elements of the International Telecommunication Union ( ITU) filing processes and relevant obligations under the ITU Radio Regulations. An MSS network may additionally need spectrum for communications between an Earth station and a satellite, and vice versa (feeder links), required for...

STOP PRESS: On 19 June 2025, the Data ( Use and Access) Bill obtained Royal Assent, becoming the Data ( Use and Access) Act 2025 ( DUAA 2025), with parts taking effect that same day. Provisions addressing matters such as dealing with data subject access requests and granting powers to make further regulations commenced immediately on 19 June 2025. Other measures, covering notices from the Information Commissioner and certain facets of law enforcement processing, began on 19 August 2025 (two months after Royal Assent). The bulk of DUAA 2025’s measures still require additional regulations, in the form of statutory instruments, before they can commence. Parts 5 and 6 update elements of UK data protection and e Privacy law, including the United Kingdom General Data Protection Regulation, Assimilated Regulation ( EU) 2016/679 ( UK GDPR), the Data Protection Act 2018 and the Privacy and...

Many UK industries are overseen by their own regulator—some (though not all) also possess concurrent competition powers, giving them authority to enforce competition law within their particular sector, alongside their routine supervisory functions. The framework for supervising distinct industries in the UK is intricate because of the interaction between a regulator’s sector‑specific rules and the application of competition law, and the need to balance both sets of powers coherently in practice. This regime developed after the privatisation of various sectors and through the steady refinement of regulation over time, reflecting incremental changes rather than a single redesign within the UK context. Every regulated area is governed by its own specific and comprehensive framework, in considerable detail. Accordingly, although many issues and procedures are shared across most regulated sectors, the particulars frequently diverge in material and sometimes fundamental ways in practice....

Public procurement—general principles UK public bodies’ purchase of goods, services or works is governed by EU‑derived regulations, notably: Public Contracts Regulations 2015 ( PCR 2015) for central and local government and public bodies Utilities Contracts Regulations 2016 for utility operators Concession Contracts Regulations 2016 where suppliers are paid by exploiting the works or services Framework agreements under PCR 2015 provide an efficient, flexible route to buy common or off‑the‑shelf needs and, save exceptionally, are limited to four years. The Crown Commercial Service ( CCS)—an executive agency of the Cabinet Office—aligns policy, advice and direct buying, using collective purchasing to deliver value. Its compliant frameworks include G‑ Cloud 13 (cloud hosting, software and support; now extended to 8 November 2024). CCS reported £3.8bn in benefits for 2022/23. Where needs are highly bespoke or ill‑suited to CCS frameworks, authorities may run their own procurement, typically using Cabinet Office/ Government Legal...

PSTIA 2022 PSTIA 2022 is a two-part statute shaped over several years, drawing chiefly on the government’s 2018 Code of Practice for consumer internet of things security (the Code) and the Electronic Communications Code (see below). It was introduced with two declared policy goals: to enhance digital connectivity and stimulate UK economic growth by removing barriers to deploying essential infrastructure to strengthen the security of consumer connectable or Internet of Things ( Io T) products This Practice Note focuses primarily on PSTIA 2022, Pt 1 ( PSTIA 2022, ss 1–56), which addresses product safety alongside Io T security. PSTIA 2022, Pt 2 relates to telecommunications infrastructure and is touched on only briefly here to set the legislation in context. The Act applies to ‘relevant connectable products’ (see below), also described as Io T products or devices. While Io T has no formal legal...

Prize promotions are undertaken for a range of purposes, from building brand recognition and publicising new products to attracting additional subscribers/customers. As these activities are typically consumer-facing, promoters must follow a set of established rules and obligations. If they do not, they risk breaching the law and becoming liable for penalties. This Practice Note delivers a practical ‘how to’ on running a prize promotion, summarising the key rules to observe when planning and executing the promotion, alongside the legal issues and considerations that may arise. For fuller guidance, see Practice Note: Prize promotions. For sample terms and conditions, see Precedents: Prize promotion terms and conditions—short form Prize promotion terms and conditions—long form Prize promotions terms and conditions—holiday prize clause Prize promotion terms and conditions—copyright ownership clause See also: Prize...

IT procurement This Practice Note examines IT procurement (also known as information technology procurement, tech procurement or technology procurement), outlining the main stages in the IT procurement process, key contract documentation, the principal legal and commercial issues, and some particular cloud computing and open source software ( OSS) considerations. The emphasis is on customer concerns, while also flagging some supplier-side considerations where relevant to IT procurement. Matters unique to public sector IT procurement are not covered here; for these, see: Public sector technology sourcing—overview, and Practice Notes: Public procurement—private sector considerations and Freedom of information and public contracts......

ARCHIVED: This has been archived and is not maintained. This Practice Note explains the legal framework governing premium rate services ( PRS) in the UK, and includes guidance on the 15th Code of Practice (the Code) issued by the Phone-paid Services Authority ( PSA) when it acted as the regulator for the PRS industry at the time. Information, entertainment and other similar services delivered via electronic communications networks ( ECNs), with charges typically recovered through a user’s electronic communications services ( ECSs) bill, are treated as PRS and are regulated by Ofcom and were previously overseen by the PSA. Up to February 2025, the PSA regulated PRS as Ofcom’s agent, with the governing principles set out in the Code. Following a market review, Ofcom assumed direct responsibility for PRS regulation from the PSA. The Code has been superseded by the Regulation of Premium Rate...

ARCHIVED: This Practice Note is archived and is not being maintained. How has Brexit affected the supply of services? Brexit influences service provision wherever delivery crosses between the UK and the EU, as fresh trading rules between the UK and EU have applied since 1 January 2021. Careful attention should be paid to service contracts, particularly where they touch on intellectual property, data protection and competition law considerations, the position on access to EEA staff, and adjustments to the VAT framework. Sector-specific factors will also arise. In practice, impacts turn on cross-border elements, reflecting the new UK- EU trading arrangements that took effect on 1 January 2021. Review is therefore advisable for affected services. Contracts for the supply of services The rules governing the supply of services in business-to-business dealings stem from UK law; accordingly, a contract for purely domestic services (ie services exchanged by two...

Commercial Q& As— Brexit collection Commercial Brexit Q& As How far do contract references to UK and EU law change under the European Union ( Withdrawal) Act 2018? Post‑ Brexit, must UK courts and tribunals follow Court of Justice of the European Union decisions? From 1 January 2021, which factors set the correct customs duty rate on imported goods? What do the UKCA and UKNI marks mean, and when are they required? What is an authorised economic operator (trusted trader), and when should a business seek this status? From 1 January 2021, what are commodity and procedure codes, and where can I find them? If no amending SI alters the Commercial Agents ( Council Directive) Regulations 1993 (the Commercial Agents Regulations), SI 1993/3053, after IP completion day, what is the effect of Regulation 1(3)(b) allowing agents in member...

Regulation ( EU) 2019/1150 on promoting fairness and transparency for business users of online intermediation services and corporate website users of online search engines Often called the EU Platform-to-business Regulation ( EU P2B Regulation), Regulation ( EU) 2019/1150 took effect on 31 July 2019. It was created to integrate the online platform economy into the EU Digital Single Market strategy and to recognise the pivotal part played by online intermediation services (platforms) in enabling access to cross-border markets throughout the EU. While the UK remained an EU Member State, the EU P2B Regulation applied directly and continued to do so until the Brexit implementation period ended at 11 pm on 31 December 2020. From that moment, Retained Regulation ( EU) 2019/1150—referred to domestically as the UK Platform-to-business Regulation ( UK P2B Regulation)—became part of the body of retained EU law ( REUL) in the UK under the...

An individual can deliver their services in several distinct forms indeed. The predominant model is an employment relationship, broadly requiring the employer to run PAYE on sums paid to the employee, comply with real time information ( RTI) reporting duties, pay employer National Insurance contributions ( NICs), and observe a wide range of relevant employment law obligations. The employee is typically paid earnings only after income tax and employee NICs. A notable minority in the UK operate as self-employed, often providing their services straight to their customers and clients. These individuals must personally report and settle their own income tax and NICs liabilities independently. It is, in the end, a (sometimes intricate) factual assessment in every case whether a worker is self-employed or not. For further detail on how this is assessed, see Practice Note: Establishing employment status—from a tax and NICs...

STOP PRESS: On 19 June 2025, the Data ( Use and Access) Bill secured Royal Assent, becoming the Data ( Use and Access) Act 2025 ( DUAA 2025) and partially commencing on that date. Certain parts of DUAA 2025, addressing matters such as replies to data subject access requests and the conferral of powers to make additional regulations, took effect immediately on 19 June 2025. Other elements, dealing with notices from the Information Commissioner and particular aspects of law enforcement processing, commenced on 19 August 2025 (two months after Royal Assent). Most of DUAA 2025’s measures require further regulations (as statutory instruments) to be made before they take effect. Parts 5 and 6 of DUAA 2025 amend elements of data protection and e Privacy law in the UK, including the United Kingdom General Data Protection Regulation, Assimilated Regulation ( EU) 2016/679 ( UK GDPR), the Data...

What is outsourcing? Outsourcing refers broadly to arrangements where one party ( A) supplies services to another ( B) that B could otherwise deliver internally, for instance via its own staff. In these scenarios, A delivers the services and B consumes them within their respective businesses. B may choose to outsource to A for several commercial, non-tax reasons, including lowering operating expenditure, tapping into A’s specialist know‑how or independence, or allowing B to concentrate on expanding and developing its core activities. For example, banks and insurance firms often hand over back‑office operations to dedicated specialist service providers. Tax can also be a material consideration when assessing whether an outsourcing deal is cost effective. Such structures may leave B with tax liabilities on the services that are higher or lower than if the work were done in‑house, though they may equally be tax neutral,...

This Practice Note This Practice Note explores the principal provisions found in a standard outsourcing contract, including transition and transformation, service scope, service level measures, pricing structures, intellectual property, TUPE in outsourcing, benchmarking, data protection, customer obligations, governance, step-in, limits on liability, termination and exit. It also considers the impact of the UK GDPR on outsourcing arrangements... Outsourcing involves engaging a third party supplier to run certain business processes, functions or responsibilities that were previously performed by the customer in a first generation outsourcing, or by another third party supplier in a second or subsequent generation outsourcing. This Practice Note outlines the key terms relevant to most outsourcing arrangements (including information technology ( IT) and business process ( BPO) outsourcing)... Transition and transformation Service description Service levels Charges Intellectual property Employment and TUPE Data protection and the UK GDPR ...

It is crucial for any organisation to have suitable safeguards in place so it can keep trading if faced with disruption or catastrophe. This supports continued operations during and after any such event. In most outsourcing deals, the client hands over responsibility for running material elements of its operations to a third-party provider to manage on its behalf. That handover extends to accountability for maintaining continuity and restoring the business. This is the role of the business continuity and disaster recovery ( BCDR) terms within an outsourcing contract, and accordingly the parties embed appropriate BCDR commitments in the agreement. This Practice Note looks at the following legal and commercial dimensions of BCDR in outsourcing: What is business continuity and disaster recovery? Drafting the BCDR provisions BCDR governance Financial services Civil Contingencies Act 2004 ( CCA 2004) For...

In brief UK data protection legislation is designed to make sure information about living people (falling within the meaning of ‘personal data’) is treated fairly and responsibly. To achieve this, UK data protection law places extensive duties on anyone ‘processing’ personal data, as well as on those controlling such activities in practice. ‘ Processing’ is interpreted widely, covering almost any operation on data, such as collecting, storing, deleting, disclosing, or otherwise using it. A central safeguard within UK data protection law is, in particular, the framework of obligations imposed on ‘controllers’—generally the parties determining the purposes and means of processing—and on ‘processors’, being those who handle personal data for a controller in line with the controller’s instructions. Among other requirements, UK data protection law typically obliges controllers and processors to enter into contracts containing specified minimum terms and to ensure that any...