In one of the most dramatic and widespread cyber attacks to date, on Friday 12 May 2017, a worldwide ransomware attack known as "WannaCrypt" or "WannaCry" began infecting hundreds of thousands of computers in over 150 countries. Starting in the UK and Spain, critical infrastructure operators around the world including those in the health, transport, finance, telecoms and energy sectors, as well as manufacturers and service providers were affected.

The attack uses the "EternalBlue" exploit which was leaked into the public domain earlier this year. Following the publication of the exploit, in March 2017, Microsoft released a security patch addressing the vulnerability for the latest versions of its Windows operating systems. However, many organisations, including the UK's National Health Service, either did not apply the patch or were running older and unsupported versions of the Windows operating systems (for which no patch was available) and so were still vulnerable. On 13 May 2017, in an attempt to slow the spread of the malware and prevent future variants, Microsoft took the unusual step of releasing security updates for certain of its older and now unsupported versions of Windows (including Windows XP and Windows 8).

The malware works by first encrypting a user's files (so that they are not accessible without a unique cryptographic key), before then providing the user with an on screen prompt which includes: a ransom demand, a countdown timer and a Bitcoin wallet into which to pay the ransom. Even if the ransom is paid, there is no guarantee that the hackers will provide the payor with the unique decryption key. The cyber attacker(s) are thought to have received over $70,000 in Bitcoin payments within the first week of the initial attack.

It is still unclear how the WannaCry malware infected the first machine, but the most likely methods are considered to be either via a phishing email or attachment, or via a Windows system with an exposed and unpatched implementation of the Server Message Block ("SMB") protocol (SMB being the Windows network file sharing protocol and the vector which EternalBlue and WannaCry exploit). Once a computer is infected, in addition to the encryption and blackmail steps referred to above, the malware scans for and spreads from machine to machine via other unpatched implementations of SMB – all with no user interaction required. As with most forms of ransomware attack, WannaCry is not believed to access personal data.

The European Union Agency for Network and Information Security (self-designated as "ENISA") and several European Member States have worked together since the attack began to assess the situation from a European perspective. A dedicated team was set up at ENISA to support the first ever case of cyber cooperation at the European level. The EU Standard Operating Procedures (developed by ENISA and Members States to manage multinational cyber crises) are currently being used to this end.

The incident places the spotlight firmly back on the forthcoming EU Network and Information Security Directive (known as the "Cyber Security Directive") which requires certain "operators of essential services" to adopt risk management practices and report major security incidents on their core services to the appropriate national authority. Member States have until 9 May 2018 to adopt appropriate national legislation to comply with the Directive and such legislation will apply from 10 May 2018. The Directive also intends to provide legal measures to boost the overall level of cybersecurity in the EU, by ensuring:

cooperation among Member States; Member States are adequately equipped to respond to cyber threats for example via a Computer Security Incident Response Team and a national authority; and a culture of cyber security.   

The "WannaCry" attack is "easily the biggest and most complex cyber incident the NCSC has had to manage so far" according to Alex Dewdney, the director for engagement and advice at the National Cyber Security Centre ("NCSC"). He went on to comment that, whilst unwelcome, "if you wanted to mount a national communications programme to make people sit up and take notice, you couldn’t have designed one better than this".

The NCSC was set up to help protect critical services in the UK from cyber attacks, manage major incidents and improve the underlying security of the UK internet through technological improvement and advice to citizens and organisations. In light of the attack, the NCSC has reemphasised the importance of following its guidance (first published last year) on how organisations can help to protect themselves from ransomware attacks. The National Cyber Security Centre guidance can be found here.  

[Back to top] Back

2. EBA publishes guidance on (i) outsourcing to cloud service providers and (ii) ICT Risk Assessment by competent authorities  

On 18 May 2017, the European Banking Authority ("EBA") published its draft recommendations on outsourcing to cloud service providers (the "EBA Recommendations"). Under Article 16 of the Regulation (EU) No 1093/2010, the EBA is required to issue guidelines and recommendations addressed to both national competent authorities (NCAs) and financial institutions, with a view to establishing consistent, efficient and effective supervisory practices and ensuring the "common, uniform and consistent application of the European Union Law".

Stakeholders have previously expressed concern at the high level of uncertainty regarding the "supervisory expectations that apply to outsourcing to cloud service providers" as well as differences in national regulatory and supervisory frameworks for cloud outsourcing (e.g. the duty for outsourcing institutions to adequately inform their competent authority about material (cloud) outsourcing). The EBA Recommendations therefore intend to clarify the EU-wide expectations and enable organisations to harness the benefits of cloud computing whilst ensuring that risks are appropriately identified and managed. The recommendations build on the existing general outsourcing guidance provided in the CEBS Guidelines which have been in place since 2006.

The EBA Recommendations acknowledge that cloud outsourcing services provide a much higher level of standardisation which allows the services to be provided to a large number of different customers on a large scale (when compared with more traditional forms of outsourcing offering more tailored solutions for clients). Whilst cloud services "offer a number of advantages such as economies of scale, flexibility, operational efficiencies, and cost-effectiveness", they also raise challenges in terms of data protection and location, security issues and concentration risk (both in respect of individual institutions as well as at an industry level where large suppliers of cloud services can become a single point of failure where many institutions rely on them).

Key areas covered by the EBA Recommendations include the following:

How to perform materiality assessments prior to any outsourcing. Assessments should take into account: the criticality and inherent risk profile of the activities (with particular reference to ensuring business continuity and meeting obligations to customers); the operational impact of outages (and related legal and reputational risks); the impact disruption of service may have on revenues; and the impact of confidentiality breaches or data integrity failures on the institution and/or its customers. NCAs should expect adequate information from institutions about the outsourcing of material activities to cloud service providers. The EBA sets out a range of information to be provided and highlights that NCAs should be able to request additional information from institutions. Outsourcing institutions should maintain a register of all material and non-material outsourced activities at institution and group level, including information about the approval given by the management body or the committee designated by it. Access and audit rights are key principles of the CEBS Guidelines and are restated in the EBA Recommendations in respect of cloud service providers. Given the likely multi-tenanted nature of the cloud, the draft recommendations allow for practical approaches to be used by outsourcing institutions such as pooled audits performed jointly with other clients, and third party certifications and third party or internal audit reports made available by the cloud service provider, subject to robust oversight being applied by the outsourcing institution. Whilst the CEBS Guidelines already provide guidance on areas such as information confidentiality and system availability, the draft recommendations elaborate further on the need for integrity and traceability, setting out an approach as to how security should be assessed where institutions outsource activities to cloud service providers. The recommendations also aim to ensure supervisory expectations are appropriate in respect of the technical security of cloud computing services – with the recommendation that this should be in line with a proportionality principle, taking account of the need for protection of the particular data and the systems. Appropriate traceability mechanisms aiming to keep records of technical and business operations will also be key to detecting malicious attempts to compromise the security of data and systems. Outsourcing institutions will be expected to carefully assess related risks when entering into and managing outsourcing arrangements undertaken outside the EEA. Risks should be kept within acceptable limits commensurate with the materiality of the outsourced activity. These considerations should run in parallel with restrictions under data protection legislation in respect of the international transfer of personal data outside the European Economic Area. On chain outsourcing, (i.e. where cloud service providers subcontract elements of service provision), the draft recommendations acknowledge the need to clarify the conditions under which subcontracting can take place in the case of outsourcing to the cloud. The cloud service provider should be obliged to notify the outsourcing institution in advance of any significant changes to subcontractors or subcontracted services initially set out in the agreement between the provider and the outsourcing institution. The EBA Recommendations state that a reasonable notification period should be specified to allow the outsourcing institution time to terminate the contract if the proposed subcontracting is not appropriate. Contingency plans and exit strategies, contracts should include termination and exit management provisions, not least to ensure the transfer to another cloud service provider without undue disruption. Outsourcing institutions are expected to have in place appropriate exit plans, to have tested these plans and to have in place key risk indicators that assist in the identification of unacceptable service levels/indicators that trigger the exit plan.  

Whilst the EBA Recommendations appear reasonable and perhaps reflect existing best practice in a number of Member States, they seem relatively light alongside other broader, all-encompassing – and potentially overlapping – policy efforts such as the EU General Data Protection Regulation ("GDPR"). Organisations should therefore consider those overlapping frameworks alongside the EBA Recommendations, for example, to consider whether the outsourcing activities include the processing of personal data, and therefore whether there are additional requirements and/or restrictions arising from applicable data protection legislation as well (such as those in the forthcoming GDPR). The EBA Recommendations are just one of a number of initiatives by regulatory bodies to try to accomodate cloud services where appropriate. The recommendations follow the Financial Conduct Authority's national guidance issued in November of last year for firms outsourcing to the cloud and other third party IT services.

The deadline for responses to the consultation is 18 August 2017 and the EBA is expected to hold a public hearing on the EBA Recommendations on 20 June 2017.

Click here to read the EBA's draft recommendations on outsourcing to cloud service providers.

The EBA Recommendations follow new Guidelines on ICT Risk Assessment by competent authorities or regulators (the "Guidelines") issued by the EBA on 11 May 2017. The Guidelines were produced "in view of the growing importance and increasing complexity of ICT risk within the banking industry and individual institutions". They are intended to take effect from 1 January 2018 and apply in parallel to the current guidance that regulators already follow to determine the operational risk to which banks are exposed. The Guidelines make it clear that financial institutions are expected to be subject to assessment of their operational risk, including in respect of their security, business continuity and data integrity among other areas.

In particular, the Guidelines introduce some common terms to be used by all regulators in the EEA when conducting the assessment. While there are a range of options, to date there has been no broadly adopted global standard for ICT risk terminology in financial services. The EBA's definitions do not solve the problem at a global level, but they at least offer some consistency within the EEA area.

Click here to read the EBA's Guidelines on ICT Risk Assessment. The firm will be issuing a more detailed article on the Guidelines in due course.  

[Back to top] Back

3. Digital Economy Act 2017: The pick 'n' mix assortment of provisions receives Royal Assent

The Digital Economy Act (the "Act") finally received Royal Assent on 27 April 2017 and the final text was published at the beginning of May. First introduced in the House of Commons in July 2016, it has been the subject of much scrutiny and debate by both Houses of Parliament. In the run up to the General Election, the legislation was passed in a final sweep as part of the so-called "wash up" period before the dissolution of Parliament.

It covers a wide assortment of areas falling under the "digital economy" umbrella but at its heart it seeks to "modernise the UK for enterprise" – focusing on improving access to digital communication services (including through improved connectivity and infrastructure), supporting new digital industries and enhancing protections for citizens using those services.

Some of the areas covered by the Act include:

a new direct marketing code to be introduced by the Information Commissioner's Office ("ICO") that will have statutory status, strengthen enforcement action and further protect individuals' rights against so-called nuisance calls and spam emails a range of measures relating to government digital services including those intended to improve the delivery of public services and sharing of personal data between certain public authorities a new Broadband Universal Services Obligation providing end users with a legal right to request a minimum broadband connection (initially set at 10Mbps) increasing penalties for online copyright infringement to equalise the penalties with the laws on physical copyright infringement extending certain powers of Ofcom including in respect of regulating the BBC  

 Much of the Act is not yet in force. With staggered commencement dates and many of the provisions being commenced (and the detail provided) by secondary legislation - it is currently unclear whether (and how) these diverse provisions will fit together, including with other measures being progressed in parallel. For example the potential overlap of the new direct marketing code with the current European reform of the e-privacy framework. And that is without the added layer of complexity that Brexit may bring. In addition, the combination of Brexit and the outcome of the recent General Election may well reduce the Government's bandwidth to pass such secondary legislation - with anything not regarded as "critial path" being progressed less quickly. 

The Digital Economy Act also supports a number of the key concepts set out in the UK Digital Strategy 2017, the government's long-awaited strategy for a post-Brexit digital Britain published in March 2017 (refer to the article below).

Faced with potential political and economic change, it remains to be seen whether the Digital Economy Act 2017 will in fact achieve its aim of building "a more connected and stronger economy", as envisaged by Matt Hancock, Minister of State for Digital and Culture. However one thing is for sure, let us hope it is more successful than its older sibling, the Digital Economy Act 2010 – which was also hurried through the "wash up" process in a similar manner then but many of its provisions were either repealed or never implemented. 

To read the firm's full article on the Digital Economy Act 2017 please click here.

To access the Digital Economy Act 2017 click here.  

[Back to top] Back

4. Secretary of State for Media, Sport and Culture publishes UK Digital Strategy

In March 2017, the Secretary of State for Media, Sport and Culture published its long-awaited strategy for a post-Brexit digital Britain. The UK Digital Strategy aims to support the growth of the UK digital economy. It builds on the framework of the government’s Industrial Strategy green paper published earlier this year - which the House of Commons Science and Technology Committee has since warned does not go far enough in discussing the evolutionary implications that Brexit will have on the UK's industrial strategy. Whilst the impact of the recent General Election is not yet known, the UK Digital Strategy is not seen as particularly controversial and we are likely to expect continuity in respect of the strategy going forward.

The digital strategy is comprised of the following seven strands:

Starting and growing digital businesses: The government will play a key supporting role in the growth of digital businesses, including by creating effective tax structures for businesses and investors, working with independent regulators to encourage innovation-friendly regulation, and supporting emerging technologies such as the Internet of Things ("IoT"), connected and autonomous vehicles, artificial intelligence ("AI") and virtual reality. The government also intends to create five international tech hubs in emerging digital economies around the world. Helping businesses become digital: There will be continued support for initiatives like the Productivity Council which helps local businesses to get online and sell, and to embrace digital functions such as for payroll. Siemens and Southampton University will conduct reviews of industrial digitisation and AI respectively. Online security and safety: The government will support the National Cyber Security Centre (part of GCHQ) as the single point of contact for businesses that provide "critical national infrastructure". The aim is to secure Britain’s technology, data and networks. Broadband filters will be strengthened to combat illegal online content. Digital Government: The government is committed to its own digitisation alongside the new Government Transformation Strategy. Single cross-government platform services will continue to be developed, including by increasing GOV.UK Verify users and adopting new services on the GOV.UK Pay and GOV.UK Notify platforms. Supporting the data economy: The government recognises the data economy as a key contributor to the UK’s growth and future prosperity. It aims to ensure strong data infrastructure, a high level of regulatory compliance, develop a data-literate workforce and increase the number of people with advanced data skills. The government will also help businesses prepare for the implementation of the European General Data Protection Regulation, which will enter into force in May 2018. Access to digital skills: Free basic digital skills training will be provided across the country. A new Digital Skills Partnership will be established to tackle the digital skills gap and help people access jobs in the digital economy at a local level. The UK government will also support business-led programs such as Google’s Summer of Skills digital skills training programs aimed at accelerating digitisation in UK seaside towns. Digital skills will also be embedded in education. Digital infrastructure and connectivity: Digital infrastructure and connectivity will be improved by completing the rollout of superfast broadband and 4G across the country, and creating a universal service obligation for high speed broadband. Over £1 billion will be invested in accelerating the “development and uptake of the next generation of digital infrastructure”, including full fibre networks and 5G.  

To facilitate the development of the government's digital strategy, the Secretary of State for Culture, Media and Sport will convene a forum for government and the technology community to work together to support the growth of the UK digital economy, however the strategy has already been criticised by some in the technology industry for lacking detail and measurable targets.

Click here to access the UK Digital Strategy.

Click here to access the Government's Industrial Strategy green paper.

Click here to access the Government Transformation Strategy.  

[Back to top] Back

5. EU Council publishes Progress Report on draft EU ePrivacy Regulation

On 15 May 2017, the Council of the European Union published its progress report (the "Report") on the first draft of the ePrivacy Regulation (the "Draft Regulation").

The Draft Regulation focuses on the processing of personal data and protection of privacy in electronic communications. Among other areas, it covers direct marketing, cookies and other forms of online tracking; principally seeking to bring e-privacy law up to date with the "evolution of technological and market reality" and align the law with the incoming EU General Data Protection Regulation ("GDPR"). It was published by the European Commission in January of this year and is expected to replace the existing Privacy and Electronic Communications Directive (the "ePrivacy Directive").

The Report's main focus is a summary of comments made by delegations during a line-by-line examination of Articles 1-8 of the Draft Regulation in meetings of the Working Party on Telecommunications and Information Society ("WP TELE") held on 29 March and 3 May 2017. The WP TELE is made up of experts from each EU member state and "handles internal and external policy issues related to information and communication technologies and infrastructure, internet and the creation of the digital single market in Europe".

On the whole, delegations welcomed the Draft Regulation and accompanying impact assessment (which is carried out on initiatives expected to have significant economic, social or environmental impact). However they also warned that the introduction of a regulation (as opposed to a directive) demands a higher level of scrutiny of the text, and consider the proposed date of application of 25 May 2018 (to align with the GDPR coming into force) to therefore be unrealistic. General concerns raised include:

Overlap with other legislation - the need for a more detailed examination of possible overlaps with other legislation (in particular the GDPR and the proposal on the European Electronic Communications Code) National data protection authorities - a lack of evidence that the appointment of national data protection authorities as supervisory authorities would solve the problem of inconsistent implementation and enforcement across the EU Scope – the need for a more detailed explanation of which organisations fall within the extension of scope to over-the-top players and providers of "ancillary services" Confidentiality of electronic communications - deviance from the equivalent provisions in the former ePrivacy Directive was flagged by some as a cause for concern, while others fear that the provisions may be too broad and general Protection of information stored in or emitted by end-users' terminal equipment - further clarification on "cookies", "device tracking" and other exceptions is also sought  

Some of the concerns raised by the WP TELE reiterate those raised by the opinions of the Article 29 Working Party and the European Data Protection Supervisor, (both published in April 2017) – for example the interaction of the regulation with the GDPR and the need for greater explanation on the expansion of the scope.

Future WP TELE meetings will analyse the remainder of the Draft Regulation, with the aim of finalising the first examination by the end of the Maltese Presidency of the Council of the EU in June 2017.

Click here to view the EU Council's Progress Report.

Click here to view the Article 29 Working Party opinion.

Click here to view the European Data Protection Supervisor opinion.  

[Back to top] Back

6. EU-US Privacy Shield first annual review announced following a challenging introduction.  

On 12 July 2016, the European Commission adopted an “adequacy decision” allowing for the transatlantic transfer of personal data from the EU to the US in accordance with the framework and principles of the EU-US Privacy Shield (the "Privacy Shield").

Two privacy advocacy groups have however since filed actions in the European General Court to annul the adequacy decision. On 28 October 2016 the Irish privacy advocacy group, Digital Rights Ireland, filed an "action for annulment" on the basis that the Privacy Shield does not sufficiently protect the privacy rights of EU citizens. If successful, the action would invalidate the European Commission's adequacy decision that approved and adopted the Privacy Shield. The group filed the challenge in the General Court based in Luxembourg, the second highest EU Court after the CJEU. A further challenge was also filed in the General Court by a French civil society group at the end of October 2016. It could take the General Court twelve months or more before a decision is handed down. 

More recently, in April 2017, the EU justice commissioner, Vera Jourovà confirmed the first annual joint review of the Privacy Shield will be conducted by the Commission and the US Department of Commerce in September 2017. Following the review, the Commission will issue a public report to the European Parliament and the Council of the EU. The European Parliament has also adopted a non-legislative resolution which outlines its concerns on the adequacy of the protection afforded by the Privacy Shield and calls on the Commission to conduct a "thorough and in-depth examination of [its] shortcomings".

Whilst over 2000 US companies are currently certified under the Privacy Shield scheme, in light of the above challenges (and the referral of the so-called Model Clauses to the Court of Justice of the European Union), we still await and welcome further clarification regarding the status of international data transfers. In the meantime, whilst some organisations are currently dealing with this uncertainty by taking a hybrid approach and using a combination of different data transfer options, others are likely to just closely follow any developments and alternative mechanisms subsequently suggested.  

[Back to top] Back

7. Outsourcing and as-a-service highs and lows for the first quarter of 2017  

Global technology research and advisory firm Information Services Group ("ISG") recently published its findings on the global outsourcing and "as-a-service" industry for commercial and public sector contracts for the first quarter of 2017.

The findings show that the combined traditional sourcing and as-a-service annual contract value (ACV) award for the commercial market in Europe, the Middle East and Asia (EMEA) reached € 3.5 billion in the first quarter (up more than 19% sequentially year on year) - the as-a-service ACV rising steadily as organisations increasingly embrace digital solutions (increasing by 48% compared to last year) and traditional sourcing also increasing with an ACV award of € 2.5 billion.

Traditional sourcing still far exceeds as-a-service contracts in EMEA. By comparison, in the Americas, traditional and as-a-service sourcing comprise equal shares of the market and in Asia Pacific, as-a-service sourcing is now approximately double the size of the traditional sourcing market.

In contrast to the commercial market, the public sector ACV in EMEA fell in the last twelve months – the € 6.3 billion of ACV awarded was down by almost half compared with the previous year, thought to be due to a slow-down in contracting brought about by political uncertainty across Europe. ISG suggests, however, that the public-sector market should return to its usual € 8 – 10 billion mark. Globally, ACV for the combined commercial and public sector market was € 18.7 billion for the first quarter of 2017 (up 15% from the fourth quarter of 2016).

The UK registered its highest ever ACV in a quarter for traditional sourcing, with € 1.4 billion awarded for the first quarter of 2017 and thought to be due in part to the award of four particularly large outsourcings. This follows three consecutive weak quarters in the sourcing sector attributed to political and technological uncertainty following the UK's vote to leave the EEA in June of last year.

Looking at industry sector breakdown, the figures reveal a more varied picture. The financial services sector saw "robust growth" over the last 12 months (particularly in the as-a-service market with banks and insurers embracing new technologies to take advantage of cost reductions). The business services sector also performed well, with an ACV of just over € 1 billion in the last 12 months and as-a-service accounting for more than half of that figure, indicating rapid adoption of cloud-based solutions. ACV in the manufacturing sector fell by 37% in the last 12 months.

The growth trends seem set to continue as John Keppel, partner and president of ISG, reflected on the "EMEA market showing strength in both traditional sourcing and as-a-service contracting" and suggesting "we expect high single-digit gains in the EMEA market for the rest of 2017.

Click here for the ISG Index – EMEA Combined Sourcing and As-a-Service Market Insights and here for the related ISG press release.  

[Back to top] Back

8.Fintech: Bank of England launches fintech community and FCA publishes discussion paper on distributed ledger technology

In March 2017, the Bank of England FinTech Accelerator launched a new fintech community. The new community has three main objectives:

to share developments, trends and insights to facilitate learning within the Bank and across the sector; to ensure the Bank is engaging with a range of fintech firms; and to increase networking across fintech-related organisations.  

The Accelerator was launched in June 2016 and works in partnership with firms, working with new technology to explore how fintech innovations could be used in central banking. The Accelerator also provides those firms with a chance to demonstrate their solutions for real issues, gain knowledge from Bank experts and obtain a valuable client reference.

Membership of the community is currently limited to "those firms most relevant to the Bank's remit and fintech objectives, and who have contacted the Bank for knowledge sharing purposes". Firms that have completed a proof of concept with the Bank are automatically invited to join the community, for example:

BMLL (who have created a machine learning platform that provides access to historic limited order book data to analyse and check anomalies in data); BitSight (who have created a tool that assesses a firm's cyber resilience based on publically available data); and PWC (the Bank worked with PWC on a project looking at possible applications of block chain and distributed ledger technology).  

The current 18 members also include the British Bankers' Association, BT, the Department for Business, Energy and Industrial Strategy, Deloitte LLP, Thomas Reuters and the Financial Conduct Authority (the "FCA").

The members will meet individually with the Bank two to four times a year to discuss market trends and developments, and will also meet together with the Accelerator to discuss specific topics of interest on a quarterly basis.

In parallel, and in light of recent high levels of innovation and interest in developing financial services further through technology, in April 2017, the FCA published a discussion paper on the potential of distributed ledger technology ("DLT") in financial services. A distributed ledger is a system for recording transactions via a peer-to-peer network, rather than a central database. While the FCA usually takes a "technology neutral" approach (i.e. it does not regulate specific types of technologies, but rather activities and firms), it is particularly interested to receive comments on whether the current regulatory framework limits the potential advantages of DLT products and business models. The FCA has called on users and providers of DLT solutions operating in the sectors that it regulates to submit responses by 17 July 2017, following which the FCA will either provide a Summary of Responses or (if further discussion is required), a Consultation Paper.

Click here to view the Bank of England news release.

Click here to view the FCA discussion paper on distributed ledger technology.  

[Back to top] Back

9. Spring Budget 2017: Technology-related initiatives

On 8 March 2017, Chancellor Phillip Hammond presented the first and last Spring Budget, setting out the UK government's tax, spending and borrowing plans. It remains to be seen whether the Government will follow through with all of these relatively long term plans given the outcome of the General Election.

The main technology-related announcements (some of which are new, some of which expand on announcements made in the Autumn Statement 2016), are set out below:

Disruptive technologies: A new Industrial Strategy Challenge Fund will see £270 million invested to support the development of disruptive technologies such as biotechnology, artificial intelligence, robotic systems and electric vehicles in 2017-2018. Digital infrastructure: By 2020-2021, £740 million of the National Productivity Investment Fund, (which will be invested in priority transport, digital communications and R&D programmes), will be invested to support the next generation of mobile and broadband communications. 5G: £16 million will be spent on a new 5G mobile technology hub that will run trials and demonstrate 5G applications. Read more about the government's 5G strategy in our Communications and Media e-bulletin here. Full-fibre broadband networks: £200 million has been allocated for local projects to leverage private sector investment. Science and innovation: £300 million will be invested to support research talent, including 1000 new PhD places and fellowships focussed on STEM subjects - "to enhance the UK's position as a world leader" in the field. R&D: Changes will be made to the R&D Expenditure Credit to increase certainty and simplicity of claims, and action will be taken by the government to improve awareness of R&D tax credits among SMEs.  

Click here to access the Spring Budget 2017.