Commercially Connected Shorts


People Capabilities In this section you can find Services Banking and Finance Banking and Finance overview Asset & Lease Finance Capital Markets Corporate Debt Leveraged Finance Project, Energy and Infrastructure Finance Real Estate Finance Restructuring and Insolvency Securitization and Structured Finance Trade and Export Finance Competition, Trade and Foreign Investment Competition, Trade and Foreign Investment overview International Sanctions and Export Controls Construction and Engineering Corporate and M&A Corporate and M&A overview Capital Markets Corporate Governance International Corporate Reorganizations Joint Ventures Mergers and Acquisitions Private Equity Venture Capital Corporate Crime Corporate Crime overview International Sanctions and Export Controls Regulatory Investigations and Enforcement Data Privacy, Security and Technology Data Privacy, Security and Technology overview Cybersecurity Data Privacy Information Law Employment, Labor and Pensions Employment, Labor and Pensions overview Corporate Transactions Diversity, Pay and Discrimination Employee Benefits and Executive Compensation Employment Employment Litigation Financial Services Regulation Insurance Intellectual Property Litigation and Dispute Resolution Litigation and Dispute Resolution overview Commercial Litigation Construction Disputes Energy Disputes Financial Services Disputes and Investigations Fraud Procurement Disputes Real Estate Disputes Regulatory Investigations and Enforcement Private Client Private Client overview Family offices services Real Estate and Planning Real Estate and Planning overview Corporate Real Estate Real Estate Disputes Real Estate Finance Strategic Contracts Strategic Contracts overview Contract Modernization Outsourcing Strategic Partnerships Tax Industries Consumer Consumer overview Luxury Retail and Wholesale Energy Energy overview Hydrogen Financial Services Financial Services overview Corporate and Investment Banking Private Capital Retail Banking and Consumer Finance Governments and Infrastructure Industrials Industrials overview Automotive Manufacturing and Industrial Engineering Life Sciences and Healthcare Real Estate Real Estate overview Real Estate Investment Technology & Digital Resources Insights Client tools Events and training Business topics About About us Firm leadership Purpose and values Responsible business Community Diversity and inclusion Environmental sustainability Pro bono Reports Alumni News Careers Global careers Applications Why us? Lawyers and partners Business professionals Students and recent graduates Offices Czech Republic Visit global site Select a local version of the site Angola Asia Austria Belgium Bulgaria Czech Republic Estonia Finland France Germany Hungary Iraq Ireland Italy Jordan Latvia Lithuania Luxembourg Mauritius Mozambique Netherlands Poland Portugal Qatar Romania Saudi Arabia Slovakia South Africa Spain Sweden Switzerland Tunisia United Arab Emirates United Kingdom United States Rest of the world en Select language English Commercially Connected Shorts - 22 April 2026 Home Resources Insights Home Resources Insights Commercially Connected Shorts - 22 April 2026 Commercially Connected Shorts - 22 April 2026 April 22, 2026 AustriaBelgiumBulgariaCzech RepublicEstoniaFinlandFranceGermanyHungaryIrelandItalyLatviaLithuaniaLuxembourgNetherlandsPolandPortugalSlovakiaSpainSwedenUnited Kingdom AustriaBelgiumBulgariaCzech RepublicEstoniaFinlandFranceGermanyHungaryIrelandItalyLatviaLithuaniaLuxembourgNetherlandsPolandPortugalSlovakiaSpainSwedenUnited Kingdom Austria Welcome to Commercially Connected shorts, our weekly bitesize newsletter summarising the latest updates in UK and EU commercial law. This week we look at: Are you within scope of Martyn’s Law – The Terrorism Protection of Premises Act 2025? Cyber: Is your organisation sufficiently cyber secure? Trade: Commission updates rules on technology transfer agreements Tech: EU Digital Fitness Check – implications for multinational businesses Are you within scope of Martyn’s Law – The Terrorism Protection of Premises Act 2025? On 15 April 2026, the Home Office published statutory guidance on the legal duties under section 27 of the Terrorism (Protection of Premises) Act 2025 (Martyn’s Law). The Act applies UK-wide and is designed to improve preparedness and protective security at certain publicly accessible premises and events. Importantly, the regime operates on the assumption that an attack could occur anywhere - it is not based on assessing likelihood at a particular venue. The guidance includes information on the legal requirements under the Act and steps that must be taken to meet these ahead of the Act’s substantive requirements being commenced (likely Spring 2027). Premises are in scope if they: include a building accessible to the public (including part or a group of buildings) are wholly or mainly used for a Schedule 1 use (for example shops, hospitality, leisure, venues, transport hubs, healthcare, education, public authorities) can reasonably expect 200+ individuals (including staff) at the same time from time to time are not excluded under Schedule 2 (premises used by either House of Parliament, and parks, gardens, or sports grounds that meet Schedule 2 conditions) There is a tiered regime for qualifying premises: “standard tier” applies where 200 to 799 individuals can reasonably be expected at the same time from time to time, and “enhanced tier” applies where the figure is 800 or more. Special rules mean that places of worship and childcare, primary, secondary and further education remain in the standard tier even if the 800+ threshold is reached. “Qualifying events” - generally those with 800 or more people at some point, public access, and entry checks such as tickets or membership - can bring locations into scope even where they would not be qualifying premises. This includes “other land” without buildings. However, events at already enhanced tier premises are not treated as qualifying events. The “responsible person” is defined by the Act and is generally the party who controls the premises: for qualifying premises, this is whoever controls the premises for the principal Schedule 1 use; for qualifying events, this is whoever controls the premises for the purposes of the event. All in-scope premises and qualifying events must have appropriate public protection procedures (so far as reasonably practicable): evacuation, invacuation (bringing people inside to a place of safety), lockdown and communication, taking account of the premises or event and its immediate vicinity. Enhanced tier premises and qualifying events have additional duties: appropriate public protection measures (monitoring, movement, physical safety and security, and security of information), keeping measures under review, designating a senior individual (where the responsible person is an organisation), and producing and submitting a compliance document to the regulator, keeping it updated (including within 30 days of revisions). The Security Industry Authority (SIA) is the regulator with inspection and information-gathering powers. It has a graduated enforcement toolkit including compliance notices, restriction notices, penalty notices, and - in serious cases - prosecution. Maximum civil penalties are up to £10,000 for most standard tier contraventions. For enhanced tier premises and qualifying events, penalties can reach up to £18 million or 5% of qualifying worldwide revenue (whichever is higher), plus potential daily penalties. With these responsibilities, the SIA has launched a consultation on its role as regulator with a view to publishing further guidance on its functions. The guidance emphasises that organisations do not need to buy third-party products or services to comply, and that the Act does not override other legal regimes (for example fire safety, health and safety, licensing and Equality Act duties) which must still be complied with. It also contains useful examples to help organisations assess their scope. The new Martyn’s Law framework will impose baseline counter-terrorism preparedness duties on many public-facing businesses and event organisers across the UK, with significantly tougher requirements (and potential penalties) for larger venues and qualifying events. Businesses should use the statutory guidance now to confirm whether any sites or events fall within scope, identify the “responsible person”, and document proportionate procedures for evacuation, invacuation, lockdown and communication, aligned with existing safety and licensing processes. Larger venues and organisers that may be “enhanced tier” should also start planning the required protective measures, governance (including a designated senior individual) and the compliance documentation that will need to be maintained and submitted to the SIA once the regime is commenced. Is your organisation sufficiently cyber secure? On 15 April 2026, the Department for Science, Innovation and Technology published an open letter to businesses regarding AI cyber threats. In it the government signals a clear escalation in cyber risk as AI tools make sophisticated attacks cheaper, faster and more accessible to criminals. The letter highlights: AI is materially changing the cyber threat landscape. Frontier AI models can now identify vulnerabilities and generate exploit code at speed and scale, lowering the skill barrier for cyber-attacks and accelerating risk for all businesses Capabilities are progressing faster than expected. Testing suggests frontier AI cyber capabilities are doubling roughly every four months, increasing the likelihood and sophistication of attacks in the near term Businesses of all sizes are targets. AI enabled attackers will focus on organisations with weaker defences, not just government or critical infrastructure Basic cyber hygiene remains the first line of defence. Measures such as board level oversight, Cyber Essentials certification, strong password policies, patching and backups remain highly effective against the majority of attacks, including AI enabled ones Government support and guidance are available. Businesses are encouraged to follow National Cyber Security Centre guidance, sign up to its free Early Warning Service and use the Cyber Governance Code of Practice and Cyber Action Toolkit as appropriate The Cyber Security and Resilience Bill will strengthen protection for critical services, and the forthcoming National Cyber Action Plan will look at national security. In the meantime, organisations should respond now by treating cyber security as core governance rather than an IT issue. Recommendations include: brief the board review incident response and insurance arrangements achieve Cyber Essentials certification (and flow requirements through supply chains) align internal practices with National Cyber Security Centre guidance Early action will materially reduce risk and disruption as AI enabled cyber threats continue to accelerate. Commission updates rules on technology transfer agreements On 16 April 2026, the European Commission adopted the revised Technology Transfer Block Exemption Regulation (TTBER) and updated Guidelines on the application of Article 101 TFEU to technology transfer agreements, following its 2025 review and consultation process. Technology transfer agreements allow a company to license its technology rights—like patents or copyrights—to another firm for production purposes. The TTBER provides exemptions for technology transfer agreements from EU anti-competitive rules if specific conditions are met. The Guidelines offer businesses advice on interpreting the TTBER and assessing agreements not covered by the exemption. The revised TTBER introduces targeted clarifications to definitions and to the ‘hardcore restrictions’ (i.e., the most serious competition law infringements that prevent exemption), and extends the grace period for exceeding market share thresholds from one to three years during the life of an agreement. The Guidelines have been expanded to include additional guidance on technology pools, licensing negotiation groups, and the licensing of certain types of data. The new TTBER and Guidelines were published in the Official Journal on 21 April and enter into force on 1 May 2026 and businesses should now check if their technology licensing agreements comply with these revised EU competition laws. EU Digital Fitness Check consultation – implications for multinational businesses The European Commission is assessing how EU digital rules work in practice and where they overlap across data protection, cybersecurity and AI. As part of its Digital Fitness Check consultation, we submitted a response setting out the main friction points for multinational businesses. In our latest insight, we highlight key concerns which include inconsistent national interpretation of NIS2, cross-border incident reporting conflicts, and duplicated obligations across overlapping regimes. The direction of travel is not deregulation, but clearer and more workable implementation. For businesses, this is an opportunity to identify duplication, stress-test reporting pathways and clarify internal ownership ahead of any follow-on simplification measures. In particular, businesses should consider the following actions: Map overlap across different regimes: identify where the same systems, datasets, products or processes fall within more than one EU regime Test cross-border interaction: examine how obligations interact across Member States, especially where national implementation diverges Check scope and reporting triggers: assess whether differences in national rules affect scope, notification thresholds or supervisory touchpoints Review incident response processes: test whether overlapping regimes impose different timelines, thresholds or disclosure requirements Clarify internal ownership: check whether data, cybersecurity and AI responsibilities are split across teams dealing with the same activity The objective is not to redesign compliance frameworks but to identify existing duplication, uncertainty or operational tension. For more on the key practical challenges and regulatory direction see: EU Digital Fitness Check consultation – implications for multinational businesses With thanks to Maarten Stassen, Nils Müller, Olaf van Haperen, Robbert Santifort, Caroline Lyannaz and Joanna Kulewska. The materials on the Eversheds Sutherland website are for general information purposes only and do not constitute legal advice. While reasonable care is taken to ensure accuracy, the materials may not reflect the most current legal developments. Eversheds Sutherland disclaims liability for actions taken based on the materials. Always consult a qualified lawyer for specific legal matters. To view the full disclaimer, see our Terms and Conditions or Disclaimer section in the footer. Insights series Commercially Connected Services Cybersecurity Strategic Contracts Key contacts Sara C. Ellis Professional Support Lawyer United Kingdom Angela Kindness Principal Associate United Kingdom Latest Insights legal updates Consumer Lens - Session 1 \| The Rise of European Class Actions podcasts and webcasts Tax NOLs in Cross-Border Structures Webinar legal updates EU Pay Transparency Directive legal updates Trade secrets and the Digital Omnibus: key risks and safeguards Latest News client news Next stop, public ownership: Eversheds Sutherland advises DfT on GTR transition firm news Eversheds Sutherland strengthens restructuring offering with senior partner appointment firm news Eversheds Sutherland strengthens Commercial Advisory practice with technology partner hire client news Eversheds Sutherland advises Schroders Greencoat on acquisition of Dutch biomethane platform Latest Events virtual \| June 02, 2026 Spanish employment law training virtual \| June 09, 2026 UK employment law training virtual \| June 16, 2026 Nordic (Denmark, Finland, Norway and Sweden) employment law training virtual \| June 23, 2026 Introduction to Swiss employment law Tabs Label legal updates May 29, 2026 Consumer Lens - Session 1 \| The Rise of European Class Actions podcasts and webcasts May 29, 2026 Tax NOLs in Cross-Border Structures Webinar legal updates May 28, 2026 EU Pay Transparency Directive legal updates May 27, 2026 Trade secrets and the Digital Omnibus: key risks and safeguards Legal notices Terms & conditions Privacy notice Cookies LinkedIn Facebook YouTube Connect Contact us Client login Staff login Subscribe About us About Eversheds Sutherland Purpose and values Responsible business Alumni Insights Client tools Events and training Business topics Careers Offices © Eversheds Sutherland 2026. All rights reserved. Eversheds Sutherland is a provider of legal and other services operating through various separate and distinct legal entities. For further information about these entities and Eversheds Sutherlands' structure please see the Legal Notice page of this website. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed or affiliated firms and the members of Eversheds Sutherland (Europe) Limited and Eversheds Sutherland (Africa) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global entity. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client. For further information about these Eversheds Sutherland Entities and Eversheds Sutherlands’ structure please see the Legal Notices page of this website. For information on Konexo please also see the Legal Notices page of this website.

Welcome to Commercially Connected shorts, our weekly bitesize newsletter summarising the latest updates in UK and EU commercial law.

This week we look at:

Are you within scope of Martyn’s Law – The Terrorism Protection of Premises Act 2025?
Cyber: Is your organisation sufficiently cyber secure?
Trade: Commission updates rules on technology transfer agreements
Tech: EU Digital Fitness Check – implications for multinational businesses

Are you within scope of Martyn’s Law – The Terrorism Protection of Premises Act 2025?

On 15 April 2026, the Home Office published statutory guidance on the legal duties under section 27 of the Terrorism (Protection of Premises) Act 2025 (Martyn’s Law). The Act applies UK-wide and is designed to improve preparedness and protective security at certain publicly accessible premises and events. Importantly, the regime operates on the assumption that an attack could occur anywhere - it is not based on assessing likelihood at a particular venue.

The guidance includes information on the legal requirements under the Act and steps that must be taken to meet these ahead of the Act’s substantive requirements being commenced (likely Spring 2027).

Premises are in scope if they:

include a building accessible to the public (including part or a group of buildings)
are wholly or mainly used for a Schedule 1 use (for example shops, hospitality, leisure, venues, transport hubs, healthcare, education, public authorities)
can reasonably expect 200+ individuals (including staff) at the same time from time to time
are not excluded under Schedule 2 (premises used by either House of Parliament, and parks, gardens, or sports grounds that meet Schedule 2 conditions)

There is a tiered regime for qualifying premises: “standard tier” applies where 200 to 799 individuals can reasonably be expected at the same time from time to time, and “enhanced tier” applies where the figure is 800 or more. Special rules mean that places of worship and childcare, primary, secondary and further education remain in the standard tier even if the 800+ threshold is reached.

“Qualifying events” - generally those with 800 or more people at some point, public access, and entry checks such as tickets or membership - can bring locations into scope even where they would not be qualifying premises. This includes “other land” without buildings. However, events at already enhanced tier premises are not treated as qualifying events.

The “responsible person” is defined by the Act and is generally the party who controls the premises: for qualifying premises, this is whoever controls the premises for the principal Schedule 1 use; for qualifying events, this is whoever controls the premises for the purposes of the event.

All in-scope premises and qualifying events must have appropriate public protection procedures (so far as reasonably practicable): evacuation, invacuation (bringing people inside to a place of safety), lockdown and communication, taking account of the premises or event and its immediate vicinity. Enhanced tier premises and qualifying events have additional duties: appropriate public protection measures (monitoring, movement, physical safety and security, and security of information), keeping measures under review, designating a senior individual (where the responsible person is an organisation), and producing and submitting a compliance document to the regulator, keeping it updated (including within 30 days of revisions).

The Security Industry Authority (SIA) is the regulator with inspection and information-gathering powers. It has a graduated enforcement toolkit including compliance notices, restriction notices, penalty notices, and - in serious cases - prosecution. Maximum civil penalties are up to £10,000 for most standard tier contraventions. For enhanced tier premises and qualifying events, penalties can reach up to £18 million or 5% of qualifying worldwide revenue (whichever is higher), plus potential daily penalties. With these responsibilities, the SIA has launched a consultation on its role as regulator with a view to publishing further guidance on its functions.

The guidance emphasises that organisations do not need to buy third-party products or services to comply, and that the Act does not override other legal regimes (for example fire safety, health and safety, licensing and Equality Act duties) which must still be complied with. It also contains useful examples to help organisations assess their scope.

The new Martyn’s Law framework will impose baseline counter-terrorism preparedness duties on many public-facing businesses and event organisers across the UK, with significantly tougher requirements (and potential penalties) for larger venues and qualifying events. Businesses should use the statutory guidance now to confirm whether any sites or events fall within scope, identify the “responsible person”, and document proportionate procedures for evacuation, invacuation, lockdown and communication, aligned with existing safety and licensing processes. Larger venues and organisers that may be “enhanced tier” should also start planning the required protective measures, governance (including a designated senior individual) and the compliance documentation that will need to be maintained and submitted to the SIA once the regime is commenced.

Is your organisation sufficiently cyber secure?

On 15 April 2026, the Department for Science, Innovation and Technology published an open letter to businesses regarding AI cyber threats. In it the government signals a clear escalation in cyber risk as AI tools make sophisticated attacks cheaper, faster and more accessible to criminals. The letter highlights:

AI is materially changing the cyber threat landscape. Frontier AI models can now identify vulnerabilities and generate exploit code at speed and scale, lowering the skill barrier for cyber-attacks and accelerating risk for all businesses
Capabilities are progressing faster than expected. Testing suggests frontier AI cyber capabilities are doubling roughly every four months, increasing the likelihood and sophistication of attacks in the near term
Businesses of all sizes are targets. AI enabled attackers will focus on organisations with weaker defences, not just government or critical infrastructure
Basic cyber hygiene remains the first line of defence. Measures such as board level oversight, Cyber Essentials certification, strong password policies, patching and backups remain highly effective against the majority of attacks, including AI enabled ones
Government support and guidance are available. Businesses are encouraged to follow National Cyber Security Centre guidance, sign up to its free Early Warning Service and use the Cyber Governance Code of Practice and Cyber Action Toolkit as appropriate

The Cyber Security and Resilience Bill will strengthen protection for critical services, and the forthcoming National Cyber Action Plan will look at national security. In the meantime, organisations should respond now by treating cyber security as core governance rather than an IT issue. Recommendations include:

brief the board
review incident response and insurance arrangements
achieve Cyber Essentials certification (and flow requirements through supply chains)
align internal practices with National Cyber Security Centre guidance

Early action will materially reduce risk and disruption as AI enabled cyber threats continue to accelerate.

Commission updates rules on technology transfer agreements

On 16 April 2026, the European Commission adopted the revised Technology Transfer Block Exemption Regulation (TTBER) and updated Guidelines on the application of Article 101 TFEU to technology transfer agreements, following its 2025 review and consultation process.

Technology transfer agreements allow a company to license its technology rights—like patents or copyrights—to another firm for production purposes. The TTBER provides exemptions for technology transfer agreements from EU anti-competitive rules if specific conditions are met. The Guidelines offer businesses advice on interpreting the TTBER and assessing agreements not covered by the exemption.

The revised TTBER introduces targeted clarifications to definitions and to the ‘hardcore restrictions’ (i.e., the most serious competition law infringements that prevent exemption), and extends the grace period for exceeding market share thresholds from one to three years during the life of an agreement. The Guidelines have been expanded to include additional guidance on technology pools, licensing negotiation groups, and the licensing of certain types of data. The new TTBER and Guidelines were published in the Official Journal on 21 April and enter into force on 1 May 2026 and businesses should now check if their technology licensing agreements comply with these revised EU competition laws.

EU Digital Fitness Check consultation – implications for multinational businesses

The European Commission is assessing how EU digital rules work in practice and where they overlap across data protection, cybersecurity and AI. As part of its Digital Fitness Check consultation, we submitted a response setting out the main friction points for multinational businesses.

In our latest insight, we highlight key concerns which include inconsistent national interpretation of NIS2, cross-border incident reporting conflicts, and duplicated obligations across overlapping regimes.

The direction of travel is not deregulation, but clearer and more workable implementation. For businesses, this is an opportunity to identify duplication, stress-test reporting pathways and clarify internal ownership ahead of any follow-on simplification measures.

In particular, businesses should consider the following actions:

Map overlap across different regimes: identify where the same systems, datasets, products or processes fall within more than one EU regime
Test cross-border interaction: examine how obligations interact across Member States, especially where national implementation diverges
Check scope and reporting triggers: assess whether differences in national rules affect scope, notification thresholds or supervisory touchpoints
Review incident response processes: test whether overlapping regimes impose different timelines, thresholds or disclosure requirements
Clarify internal ownership: check whether data, cybersecurity and AI responsibilities are split across teams dealing with the same activity

The objective is not to redesign compliance frameworks but to identify existing duplication, uncertainty or operational tension.

For more on the key practical challenges and regulatory direction see: EU Digital Fitness Check consultation – implications for multinational businesses

With thanks to Maarten Stassen, Nils Müller, Olaf van Haperen, Robbert Santifort, Caroline Lyannaz and Joanna Kulewska.

The materials on the Eversheds Sutherland website are for general information purposes only and do not constitute legal advice. While reasonable care is taken to ensure accuracy, the materials may not reflect the most current legal developments. Eversheds Sutherland disclaims liability for actions taken based on the materials. Always consult a qualified lawyer for specific legal matters. To view the full disclaimer, see our Terms and Conditions or Disclaimer section in the footer.