Richard Manfredi, Author at Gibson Dunn

Join Gibson Dunn lawyers as they explore the evolution of global whistleblower regimes around the world, including across the United States and Europe, in this recorded webcast. They discuss new initiatives, the protections that have been afforded whistleblowers and companies under these regimes, and how companies can take steps to ensure they are complying with their statutory obligations while mitigating enforcement risk.

MCLE CREDIT INFORMATION:

This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 1.0 credit hour, of which 1.0 credit hour may be applied toward the areas of professional practice requirement. This course is approved for transitional/non-transitional credit.

Attorneys seeking New York credit must obtain an Affirmation Form prior to watching the archived version of this webcast. Please contact CLE@gibsondunn.com to request the MCLE form.

Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 1.0 hour in the General category.

California attorneys may claim “self-study” credit for viewing the archived version of this webcast. No certificate of attendance is required for California “self-study” credit.

PANELISTS:

Michael S. Diamant is a Washington, D.C.–based partner in Gibson Dunn’s White Collar Defense and Investigations group. He leads internal investigations, defends corporations and executives in criminal and regulatory matters (including FCPA work), and advises on compliance program design and privilege strategy in high-stakes environments.

Katharina E. Humphrey is a partner in Gibson Dunn’s Munich office and a member of the firm’s White-Collar Defense and Investigations practice. She advises clients on internal investigations and compliance matters across Europe and beyond, with particular expertise in anti-bribery (including German laws and the U.S. FCPA), sanctions, AML, and the design and evaluation of compliance management systems.

Poonam G. Kumar is a partner in Gibson Dunn’s Los Angeles office and a member of the firm’s White-Collar Defense and Investigations practice. A former Assistant U.S. Attorney with substantial trial and prosecutorial experience, she leads internal and regulatory investigations and defends clients—across industries such as healthcare, financial services, and technology—in high-stakes matters.

Greta B. Williams is co-partner in charge of Gibson Dunn’s Washington, D.C. office and a member of the firm’s Litigation Department, Labor & Employment Practice, and Media, Entertainment & Technology Practice. She has deep experience conducting sensitive workplace investigations and advising clients on a wide range of employment issues.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

From the Derivatives Practice Group: This week, ESMA and ISDA were particularly active, especially regarding carbon markets and loan-originating Alternative Investment Funds (AIFs). Due to the federal government shutdown, regulatory activity continues to stall in the U.S.

New Developments

No New Developments in the U.S.

New Developments Outside the U.S.

ESMA Finds EU Carbon Markets Functioning Smoothly in New Report. On October 22, ESMA published its annual market report on EU carbon markets. Looking at the data for 2024, ESMA has not identified any significant issue in the integrity or transparency of EU carbon markets. Emission allowance auctions and secondary markets trading dynamics remain largely unchanged, with the market organized in a way that facilitates the flow of allowances from financial intermediaries to non-financial firms with compliance obligations. The analysis of trading and derivatives positions in the non-financial sector further highlights that the market accommodates different acquisition strategies, reflecting the different needs and capabilities of participants. [NEW]

ESMA Publishes Implementing Rules on Loan-originating AIFs. On October 21, ESMA published the draft Regulatory Technical Standards (RTS) on open-ended loan-originating AIFs (OE LO AIFs). The draft rules determine the requirements with which LO AIFs must comply to maintain an open-ended structure. Those requirements include a sound liquidity management system, the availability of liquid assets and stress testing, as well as an appropriate redemption policy having regard to the liquidity profile of OE LO AIFs. The RTS also set out a list of factors AIFMs shall consider to determine the redemption policy and assess the liquidity of OE LO AIFs. [NEW]

ESMA Publishes Second Consolidated Report on Sanctions. On October 16, ESMA published its second consolidated report on sanctions and measures imposed in Member States in 2024. Building on this report, ESMA will further foster discussions between national securities markets authorities on the effective and consistent implementation of capital markets rules and continue working towards ensuring that similar breaches lead to similar enforcement outcomes across the EU, irrespective of where they have been initiated.

ESAs’ Joint Committee Publishes Work Program for 2026. On October 16, the Joint Committee of the European Supervisory Authorities (ESAs) presented its 2026 Work Program, outlining key areas of collaboration for the coming year. The Program aims to strengthen the financial system’s digital operational resilience, ensure the continued protection of consumers, and identify risks that could undermine financial stability.

EBA and ESMA Recommend Targeted Revisions to the Investment Firms’ Prudential Framework Investor Protection. On October 15, the European Banking Authority (EBA) and ESMA have issued their technical advice in response to the European Commission’s Call for Advice on the Investment Firms Regulation and Investment Firms Directive. They propose limiting significant changes to the framework, which has proven to be fit-for-purpose, as confirmed by stakeholder feedback during the joint consultation.

New Industry-Led Developments

ISDA and Trade Associations Call on the EC to Delay Application of Third-Country CCP Reporting under EMIR 3.0. On October 21, ISDA and nine other trade associations – the Alternative Investment Management Association, the European Association of Co-operative Banks, the European Association of Corporate Treasurers, the European Banking Federation, the European Fund and Asset Management Association, the European Principal Traders Association, the European Venues and Intermediaries Association, FIA and the Managed Funds Association – wrote to the European Commission (EC) to ask that it provide guidance that counterparties are not required to report information on clearing activity on third-country central counterparties (CCPs) under Article 7d of the European Market Infrastructure Regulation (EMIR 3.0) until the corresponding regulatory technical standards and implementing technical standards are applicable. [NEW]

IOSCO Reviews Implementation of Recommendations for Crypto and Digital Asset Markets. On October 16, IOSCO published its report on its Thematic Review Assessing the Implementation of IOSCO Recommendations for Crypto and Digital Asset Markets. In recognition of the rapid development and growth of crypto-asset markets, IOSCO and other relevant bodies, including the Financial Stability Board, have developed comprehensive policy frameworks for the regulation and oversight of crypto-assets and global stablecoins.

ISDA Publishes New Report that Shows the Importance of Derivatives to Japan’s Asset Management Ambitions. On October 16, ISDA published a report drawing on discussions with 20 senior asset managers based in Japan. The report revealed that reducing barriers in the market would enable them to utilize derivatives more efficiently, which, in turn, could enhance Japan’s competitiveness in the global market.

ISDA Expands Digital Regulatory Reporting Solution to Cover Hong Kong’s Revised Reporting Rules. On October 15, ISDA has expanded its Digital Regulatory Reporting solution to support revised derivatives reporting rules in Hong Kong, enabling in-scope firms to implement the changes cost-effectively and accurately. The amendments from the Hong Kong Monetary Authority and the Securities and Futures Commission came into effect on September 29.

The following Gibson Dunn attorneys assisted in preparing this update: Jeffrey Steiner, Adam Lapidus, Marc Aaron Takagaki, Hayden McGovern, Karin Thrasher, and Alice Wang*.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Derivatives practice group, or the following practice leaders and authors:

Jeffrey L. Steiner, Washington, D.C. (202.887.3632, jsteiner@gibsondunn.com)

Michael D. Bopp, Washington, D.C. (202.955.8256, mbopp@gibsondunn.com)

Michelle M. Kirschner, London (+44 (0)20 7071.4212, mkirschner@gibsondunn.com)

Darius Mehraban, New York (212.351.2428, dmehraban@gibsondunn.com)

Jason J. Cabral, New York (212.351.6267, jcabral@gibsondunn.com)

Adam Lapidus, New York (212.351.3869, alapidus@gibsondunn.com )

Stephanie L. Brooker, Washington, D.C. (202.887.3502, sbrooker@gibsondunn.com)

William R. Hallatt, Hong Kong (+852 2214 3836, whallatt@gibsondunn.com )

David P. Burns, Washington, D.C. (202.887.3786, dburns@gibsondunn.com)

Marc Aaron Takagaki, New York (212.351.4028, mtakagaki@gibsondunn.com )

Hayden K. McGovern, Dallas (214.698.3142, hmcgovern@gibsondunn.com)

Karin Thrasher, Washington, D.C. (202.887.3712, kthrasher@gibsondunn.com)

Alice Yiqian Wang, Washington, D.C. (202.777.9587, awang@gibsondunn.com)

*Alice Wang, a law clerk in the firm’s Washington, D.C. office, is not admitted to practice law.

Final provisions of the DOJ’s audit, recordkeeping, and reporting obligations came into effect on October 6, 2025; accordingly, companies are now expected to have fully implemented and operationalized a DSP compliance program relating to access by countries of concern to U.S. bulk sensitive personal data.

While many of these requirements apply specifically to companies who engage in restricted transactions, notably, reporting requirements for rejected transactions that involve data brokerage apply to all U.S. Persons – making an understanding of the October 6th obligations critical to the compliance efforts of all U.S. companies.

Background

On December 27, 2024, the Department of Justice (DOJ) issued a final rule pursuant to Executive Order 14117 that established a new federal regulatory framework imposing restrictions on transactions that could provide certain persons with access to “bulk sensitive personal data” and “United States government-related data.”[1] This regulatory framework, which came into effect on April 8, 2025, is referred to by DOJ as the Data Security Program (DSP).[2]
The DSP restricts or prohibits certain transactions that could involve access to bulk U.S. sensitive personal data or U.S. government data by covered persons and countries of concern (most notably, China), and imposes diligence, security, audit, and recordkeeping requirements.

Violations of the DSP carry significant potential penalties, including civil penalties up to the greater of $377,700 or twice the value of the transaction and/or criminal penalties up to $1 million and 20 years’ imprisonment for willful violations.

A 90-day de-prioritization of civil enforcement for entities making “good faith” compliance efforts expired on July 8, 2025. DOJ now expects that “individuals and entities should be in full compliance with the DSP and should expect [the DOJ National Security Division] to pursue appropriate enforcement with respect to any violations.”[3]

Requirements as of October 6, 2025

As of October 6, 2025, DSP provisions have come into effect requiring companies engaging in restricted transactions to meet certain ongoing operational compliance obligations, including audit program implementation, reporting and certification requirements, and long-term recordkeeping.

Key requirements for U.S. companies engaged in restricted transactions that are now in effect include:

Audits for restricted transactions: All U.S. Persons that engage in restricted transactions on or after October 6, 2025, must conduct a comprehensive audit, using an independent auditor that is neither a covered person nor from a country of concern.
- The audit must be scoped to cover (1) the restricted transactions; (2) assessment of the data compliance program (discussed in detail below) and its implementation; (3) review of relevant records; and (4) examination of required security controls.
- The audit must be conducted by an independent auditor. This independent auditor “should be objective, fact-based, nonpartisan, and nonideological with regards to both the U.S. person and to the transactions that are subject to the audit.”[4] While DOJ permits U.S. companies to use internal auditors to audit compliance with the DSP, it cautions that many internal audits in the national security, criminal, and other contexts lack the necessary independence of external audits.[5] Even when a U.S. company uses an external auditor, DOJ could reasonably question the objectivity of such an audit if the company uses the same firm to build and audit its compliance program.
- The audit must be completed once for each calendar year in which the U.S. person engages in any restricted transactions and must cover the preceding 12 months, in addition to certain other requirements with respect to the scope and auditor qualifications.[6] For those companies who have engaged in a restricted transaction since the DSP regulations first came into effect in April 2025, this means that an audit must be completed by the end of the 2025 calendar year.
- The audit must be maintained by the company for a period of 10 years, but is not automatically required to be submitted to DOJ.[7]
Recordkeeping: U.S. Persons must also preserve the records associated with any restricted transactions for at least 10 years, including the due diligence conducted to verify restricted transaction data flows, the types and volume of data involved, the transaction parties, the dates of the transaction, the method of data transfer and other details of the transaction and end-use of the data. In addition, records must be retained regarding required compliance measures, including copies of applicable data compliance program policies, audit results, and any relevant licenses or advisory opinions.[8]
Annual reports for companies partially owned by a covered person or country of concern and that engage in restricted cloud computing transactions: As of October 6, 2025, U.S. Person companies that (1) engage in restricted transactions involving cloud computing services, and (2) are 25% or more owned by a country of concern or covered person, must file annual reports with DOJ. This report, among other requirements, must include detailed information on the transacting entity, the restricted transaction, and any relevant documentation created in connection with the transaction.[9]

U.S. Person companies that engage in restricted transactions must have a fully implemented data compliance program, including:

Risk-based procedures for verifying data flows involved in any restricted transaction, and for verifying and logging certain key metrics and data points;
For transactions involving vendors, risk-based procedures for verifying the identity of vendors;
A written policy that describes the data compliance program and that is annually certified by an officer, executive, or other employee responsible for compliance; and
A written policy that describes the implementation of necessary security requirements and that is annually certified by an officer, executive, or other employee responsible for compliance.[10]

In addition to the newly effective requirements for U.S. Persons engaging in restricted transactions, all U.S. Persons are required to report prohibited transactions that they reject and that involve data brokerage. Specifically, any U.S. Person that has received and affirmatively rejected an offer from another person to engage in a prohibited transaction involving data brokerage on or after October 6, 2025, must report that transaction to DOJ within 14 days of the rejection. The report must include information on the rejecting entity and a detailed description of the transaction.[11]

Summary Requirements:

To achieve DSP compliance, companies engaged in restricted transactions should:

Create and implement a data compliance program that includes risk-based procedures to understand data flows and track vendor identities.
Develop written policies that outline the company’s data compliance program and describe implementation of Cybersecurity and Infrastructure Security Agency (CISA) security requirements. These written policies must be certified annually by an officer, executive, or other employee responsible for compliance at the U.S. Entity.[12]
Conduct and document independent audits that examine the company’s restricted transactions, data compliance program, required records, and implementation of CISA security requirements.
Maintain relevant records for 10 years.

Key Best Practices:

Given that the DSP regulatory requirements are now fully in effect, companies potentially subject to the DSP should consider whether their compliance programs adhere to best practices, including:

Understand Organizational Data Flows: Review whether persons associated with countries of concern may have direct or indirect access to covered data. Map data flows and confirm access controls and logs are in place.
Evaluate Vendors, Customers, Employees, and Affiliates: Identify relationships that may involve restricted or prohibited transactions under the DSP.
Implement a DSP Compliance Program: Develop and implement appropriate policies and procedures, including aligning roles and responsibilities, to achieve initial and on-going compliance with the DSP.
Implement Security Measures: U.S. Person entities engaged in restricted transactions must implement CISA-specified cybersecurity measures, which effectively operate to fully restrict access by covered persons.
Train Staff and Document Controls: Ensure internal teams understand DSP obligations and can evidence proactive compliance, especially in policies and incident response protocols.
Review Public Disclosures: SEC registrants should periodically revisit risk factors and cybersecurity governance disclosures in light of DSP requirements and attendant business impact.

Current Enforcement Posture:

As of this writing, DOJ has not publicly announced any DSP-specific enforcement actions, license denials, or advisory opinions. However, on September 24, 2025, DOJ updated its FAQ regarding the process and financial incentives for reporting possible violations of the DSP, which suggests that the rule and its enforcement remain on DOJ’s radar.[13] DOJ may also begin enforcement with non-public inquiries or informal outreach, consistent with how other national security and export-control regimes operate. U.S. Person companies—particularly those undertaking restricted transactions or with significant data exposure to countries of concern—would be prudent to assume that they could be asked for information or documentation related to possible restricted transactions at any time.

Self-Test for DSP Compliance:

Some preliminary questions to help guide analysis of DSP compliance, particularly with respect to the key audit, recordkeeping, and reporting obligations that recently came into effect, include:

Do we know whether we, our vendors, or our data processors provide access to covered data to covered persons?
For companies not engaged in restricted transactions:
- Have we documented the procedures by which we confirmed that the company does not engage in restricted transactions or is at low risk of engaging in restricted transactions?
- Do we have measures in place to periodically affirm that this remains the case, and to monitor for any material changes in risk profile?
- Do we have contractual provisions for suppliers, vendors, or other third parties with access to company data prohibiting the onward transfer or resale of government-related data or bulk U.S. sensitive personal data to countries of concern or covered persons?
- Is there a named officer or governance body accountable for DSP compliance?
For companies engaged in restricted transactions:
- Can we produce documentation of compliance measures, including security measures, implemented since April 8, 2025, or at least October 6, 2025?
- Is there a named officer or governance body accountable for DSP compliance?
- Are our audit, monitoring, and (as appropriate) reporting tools live and tested—not just drafted?
- Can we log and trace covered transactions, access rights, and training efforts?

[1] Exec. Order No. 14117, “Preventing Access to Americans’ Bulk Sensitive Personal Data and U.S. Government-Related Data by Countries of Concern,” 89 Fed. Reg. 15421 (issued Feb. 28, 2024; published Mar. 1, 2024).

[2] See Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern, 90 Fed. Reg. 1636 (Jan. 8, 2025); Pertaining to Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern, 90 Fed. Reg. 16466 (Apr. 18, 2025) (codified at 28 C.F.R. §§ 202 et seq.); see also Dep’t. of Justice, DSP Compliance Guide (Apr. 11, 2025), https://www.justice.gov/opa/media/1396356/dl; Dep’t. of Justice, DSP: Frequently Asked Questions (Sept. 24, 2025), https://justice.gov/nsd/media/1415006/dl; Dep’t. of Justice, DSP: Implementation and Enforcement Policy Through July 8, 2025 (Apr. 11, 2025), https://www.justice.gov/opa/media/1396346/dl?inline.

[3] Dep’t. of Justice, DSP: Implementation and Enforcement Policy Through July 8, 2025, at p. 3 (Apr. 11, 2025), https://www.justice.gov/opa/media/1396346/dl?inline.

[4] Dep’t. of Justice, DSP Compliance Guide (Apr. 11, 2025) at 15, https://www.justice.gov/opa/media/1396356/dl.

[5] Dep’t. of Justice, DSP: Frequently Asked Questions (Sept. 24, 2025) at 35 (Question 85), https://justice.gov/nsd/media/1415006/dl.

[6] Audits for restricted transactions, 28 C.F.R. § 202.1002 (2025), https://www.ecfr.gov/current/title-28/section-202.1002.

[7] Records and recordkeeping requirements, 28 C.F.R. § 202.1101 (2025), https://www.ecfr.gov/current/title-28/section-202.1101.

[8] Records and recordkeeping requirements, 28 C.F.R. § 202.1101 (2025), https://www.ecfr.gov/current/title-28/section-202.1101.

[9] Annual reports, 28 C.F.R. § 202.1103 (2025), https://www.ecfr.gov/current/title-28/section-202.1103.

[10] Due diligence for restricted transactions, 28 C.F.R. § 202.1001 (2025), https://www.ecfr.gov/current/title-28/section-202.1001.

[11] Reports on rejected prohibited transactions, 28 C.F.R. § 202.1104 (2025), https://www.ecfr.gov/current/title-28/section-202.1104.

[12] See Dep’t. of Justice, DSP Compliance Guide (Apr. 11, 2025) at 17, https://www.justice.gov/opa/media/1396356/dl.

[13] Dep’t. of Justice, DSP: Frequently Asked Questions (Sept. 24, 2025) at 39–40 (Question 106), https://justice.gov/nsd/media/1415006/dl.

The following Gibson Dunn lawyers prepared this update: Vivek Mohan, Stephenie Gosnell Handler, Mellissa Campbell Duru, Melissa Farrar, Christine Budasoff, Hugh Danilack, and Sarah Pongrace.

Gibson Dunn lawyers are advising clients across sectors in building and validating their DSP compliance programs. We remain closely engaged with evolving guidance and agency posture and are available to assist in addressing any questions you may have about these developments and your own DSP readiness. Please contact the Gibson Dunn lawyer with whom you usually work, any of the following leaders and members of the firm’s DOJ DSP Task Force or its Privacy, Cybersecurity & Data Innovation, International Trade Advisory & Enforcement, or Securities Regulation & Corporate Governance practice groups, or the authors:

Vivek Mohan – Palo Alto (+1 650.849.5345, vmohan@gibsondunn.com)
Stephenie Gosnell Handler – Washington, D.C. (+1 202.955.8510, shandler@gibsondunn.com)
Mellissa Campbell Duru – Washington, D.C. (+1 202.955.8204, mduru@gibsondunn.com)
Melissa Farrar – Washington, D.C. (+1 202.887.3579, mfarrar@gibsondunn.com)
Christine Budasoff – Washington, D.C. (+1 202.955.8654, cbudasoff@gibsondunn.com)
Hugh N. Danilack – Washington, D.C. (+1 202.777.9536, hdanilack@gibsondunn.com)
Sarah L. Pongrace – New York (+1 212.351.3972, spongrace@gibsondunn.com)

Privacy, Cybersecurity & Data Innovation:
Ashlie Beringer – Palo Alto (+1 650.849.5327, aberinger@gibsondunn.com)
Keith Enright – Palo Alto (+1 650.849.5386, kenright@gibsondunn.com)
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650.849.5203, cgaedt-sheckter@gibsondunn.com)
Svetlana S. Gans – Washington, D.C. (+1 202.955.8657, sgans@gibsondunn.com)
Stephenie Gosnell Handler – Washington, D.C. (+1 202.955.8510, shandler@gibsondunn.com)
Jane C. Horvath – Washington, D.C. (+1 202.955.8505, jhorvath@gibsondunn.com)
Vivek Mohan – Palo Alto (+1 650.849.5345, vmohan@gibsondunn.com)
Hugh N. Danilack – Washington, D.C. (+1 202.777.9536, hdanilack@gibsondunn.com)

International Trade Advisory & Enforcement:
Matthew S. Axelrod – Washington, D.C. (+1 202.955.8517, maxelrod@gibsondunn.com)
Adam M. Smith – Washington, D.C. (+1 202.887.3547, asmith@gibsondunn.com)
David P. Burns – Washington, D.C. (+1 202.887.3786, dburns@gibsondunn.com)
Stephenie Gosnell Handler – Washington, D.C. (+1 202.955.8510, shandler@gibsondunn.com)
Christopher T. Timura – Washington, D.C. (+1 202.887.3690, ctimura@gibsondunn.com)
Michelle A. Weinbaum – Washington, D.C. (+1 202.955.8274, mweinbaum@gibsondunn.com)
Roxana Akbari – Orange County (+1 949.475.4650, rakbari@gibsondunn.com)
Karsten Ball – Washington, D.C. (+1 202.777.9341, kball@gibsondunn.com)
Sarah L. Pongrace – New York (+1 212.351.3972, spongrace@gibsondunn.com)
Anna Searcey – Washington, D.C. (+1 202.887.3655, asearcey@gibsondunn.com)

Securities Regulation & Corporate Governance:
Aaron Briggs – San Francisco (+1 415.393.8297, abriggs@gibsondunn.com)
Mellissa Campbell Duru – Washington, D.C. (+1 202.955.8204, mduru@gibsondunn.com)
Elizabeth Ising – Washington, D.C. (+1 202.955.8287, eising@gibsondunn.com)
Thomas J. Kim – Washington, D.C. (+1 202.887.3550, tkim@gibsondunn.com)
Brian J. Lane – Washington, D.C. (+1 202.887.3646, blane@gibsondunn.com)
Julia Lapitskaya – New York (+1 212.351.2354, jlapitskaya@gibsondunn.com)
Ronald O. Mueller – Washington, D.C. (+1 202.955.8671, rmueller@gibsondunn.com)
Michael A. Titera – Orange County (+1 949.451.4365, mtitera@gibsondunn.com)
Geoffrey E. Walter – Washington, D.C. (+1 202-887-3749, gwalter@gibsondunn.com)
Lori Zyskowski – New York (+1 212.351.2309, lzyskowski@gibsondunn.com)

Gibson Dunn joins the broader legal community in celebrating Pro Bono Week. During this week we recognize the incredible work of our lawyers on behalf of their pro bono clients, while also acknowledging our continued professional obligation to use our unique skillsets to enhance access to justice for the most marginalized members of our communities.

This year, it has been inspiring to see lawyers across the firm answer the call to service by taking on pro bono matters large and small. From impact litigation to nonprofit advice work to one-day clinics, these matters change lives and help everyone — not just the privileged few — access the justice system and exercise their rights. Lawyers across the firm have dedicated more than 184,000 hours to pro bono work this year, putting us on pace for our highest-ever pro bono totals.

Domestic C corporations will now count as domestic shareholders for purposes of the Domestically Controlled REIT Qualification Test.

On October 20, 2025, the IRS and Treasury issued proposed regulations removing the “look-through” rule for a domestic C corporation for purposes of determining whether a real estate investment trust (a REIT)[1] qualifies as a “domestically controlled qualified investment entity” (a DREIT) and the proposed regulations, the “2025 Proposed Regulations”). The 2025 Proposed Regulations would modify certain provisions of the final regulations issued by the IRS and Treasury on April 25, 2024 (the “2024 Final Regulations”), detailed in our previous Client Alert.

Background

Subject to certain exceptions discussed below, section 897 [2] and related sections added to the Code by the Foreign Investment in Real Property Tax Act of 1980 (FIRPTA) require foreign persons that recognize gain from the sale or disposition of a United States real property interest (a USRPI) to file U.S. federal income tax returns reporting that gain and pay U.S. federal income tax on that gain at regular graduated rates, even if the gain is not otherwise effectively connected with the conduct of a U.S. trade or business.

The definition of a USRPI is broad. In addition to including a wide array of interests in U.S. real estate (which itself is defined broadly) and in disregarded entities and certain partnerships that own U.S. real estate, USRPIs include equity interests in domestic corporations that are or have been during a specified look-back period United States real property holding corporations (USRPHCs).[3] Generally, a USRPHC is any corporation, including a REIT, if the value of its USRPIs represents at least 50 percent of the aggregate value of its real estate (both U.S. and non-U.S.) and business assets.[4]

Even though an equity interest in a domestic USRPHC generally is a USRPI, section 897(h)(2) provides that an interest in a DREIT is not a USRPI. Under section 897(h)(4), a REIT is a DREIT if less than 50 percent of the value of its stock is held “directly or indirectly” by “foreign persons” at all times during the shorter of (1) the 5-year period ending on the relevant determination date and (2) the period during which the REIT was in existence (the “Testing Period”). Importantly, gain recognized by a foreign person on the disposition of an interest in a DREIT is not subject to U.S. federal income tax under FIRPTA, even if the DREIT is a USRPHC.[5] Foreign persons seeking to invest in U.S. real estate generally prefer a DREIT structure because they can exit the investment via a sale of DREIT stock without being subject to FIRPTA.

Previous Regulations

Prior to December 2022, informal IRS guidance treated a domestic C corporation as a non-foreign owner of a REIT for purposes of determining DREIT status.[6] However, in December 2022 the IRS and Treasury issued proposed regulations (the “2022 Proposed Regulations”) that included a broad look-through rule for purposes of determining when the stock of a REIT owned by one person was treated as held “indirectly” by another person for DREIT testing purposes (the “Look-Through Rule”).[7] The Look-Through Rule applied to various types of passthrough and quasi-passthrough entities, including REITs, partnerships (other than publicly traded partnerships), S corporations, and RICs.

The Look-Through Rule in the 2022 Proposed Regulations also applied to any non-publicly traded domestic C corporation if foreign persons held directly or indirectly 25 percent or more of the value of the domestic C corporation’s outstanding stock, applying certain look-through rules (a “foreign-owned domestic corporation”).[8] Thus, under the 2022 Proposed Regulations, a foreign-owned domestic corporation was not treated as a domestic owner of a REIT; rather, ownership of the REIT’s stock was imputed to the owners of the foreign-owned domestic corporation to determine if the REIT qualified as a DREIT. The 2022 Proposed Regulations applied to dispositions of interests in REITs that occurred after the date on which the 2022 Proposed Regulations were finalized. However, the preamble indicated that “the IRS may challenge positions” taken by taxpayers that were contrary to the 2022 Proposed Regulations prior to the regulations’ being finalized.[9]

The 2022 Proposed Regulations were finalized by the 2024 Final Regulations on April 25, 2024. The 2024 Final Regulations generally maintained the Look-Through Rule for domestic C corporations, but increased the threshold of foreign ownership that would cause a domestic C corporation to be a foreign-controlled domestic C corporation from 25 percent or more to more than 50 percent.[10] Generally, the Look-Through Rule and other provisions of the 2024 Final Regulations applied to transactions (e.g., sales of REIT shares) occurring on or after April 25, 2024.[11] Importantly, however, the 2024 Final Regulations did not apply the Look-Through Rule to existing REITs until April 24, 2034, provided certain requirements were satisfied (the “Transition Rule”).[12]

2025 Proposed Regulations

The 2025 Proposed Regulations eliminate the Look-Through Rule entirely for domestic C corporations. As a result, a domestic C corporation that owns REIT stock is treated as a non-foreign person in determining whether that REIT is a DREIT, regardless of the domestic C corporation’s ownership. The 2025 Proposed Regulations make conforming changes to Treas. Reg. § 1.897-1(c) to account for the removal of the Look-Through Rule for domestic C corporations, including eliminating the Transition Rule.

Effective Date

The 2025 Proposed Regulations, upon finalization, would apply to all transactions occurring on or after October 19, 2025 and, if a taxpayer chooses, to transactions occurring on or after April 25, 2024 (or before April 25, 2024 as a result of a check-the-box election filed on or after April 25, 2024).[13] The preamble to the 2025 Proposed Regulations provides that taxpayers may rely on the 2025 Proposed Regulations for transactions occurring before the date the 2025 Proposed Regulations are finalized. As a result, taxpayers can effectively elect to treat domestic C corporations as non-foreign owners of REIT stock for purposes of DREIT qualification.

Takeaways

Investment in U.S. real estate will be more attractive to foreign investors due to simpler DREIT administration and reduced legal uncertainty.
Gibson Dunn can assist sponsors and investors in structuring U.S. real estate investments using DREITs.
Sponsors and investors should evaluate whether existing REITs that may have lost or not qualified for DREIT status under the 2024 Final Regulations now qualify under the 2025 Proposed Regulations.
Sponsors and investors should consider evaluating the impact of the 2025 Proposed Regulations to transactions occurring before April 25, 2024.
Sponsors and investors in existing REITs should consider lifting any limitations on the acquisition of new USRPIs put in place to comply with the former Transition Rule.

[1] The rules also apply to certain registered investment companies (RICs). In our discussion, however, we focus on REITs and DREITs because foreign persons are more likely to invest in U.S. real estate through REITs than through RICs.

[2] Unless indicated otherwise, all “section” references are to the Internal Revenue Code of 1986, as amended (the “Code”), and all “Treas. Reg. §” references are to the Treasury regulations promulgated under the Code.

[3] Section 897(c)(4)(B), (c)(1)(A)(ii).

[4] Section 897(c)(2).

[5] Section 897(h)(2).

[6] See, e.g., PLR 200923001. See our previous Client Alert for a discussion of the available guidance before the promulgation of the Proposed Regulations.

[7] Prop. Treas. Reg. § 1.897-1(c)(3)(ii)(B) (2022).

[8] Prop. Treas. Reg. § 1.897-1(c)(3)(v)(B) (2022).

[9] 87 F.R. 80103 (Dec. 29, 2022)

[10] Although the 2022 Proposed Regulations refer to these entities as “foreign-owned domestic corporations,” the 2024 Final Regulations refer to these entities as “foreign-controlled domestic corporations.” 89 F.R. 31621 (April 25, 2024); Treas. Reg. § 1.897-1(c)(3)(v)(B).

[11] Treas. Reg. § 1.897-1(a)(2).

[12] Treas. Reg. § 1.897-1(c)(3)(vi).

[13] Prop. Treas. Reg. § 1.897-1(a)(2).

The following Gibson Dunn lawyers prepared this update: Jennifer Fitzgerald, Emily Leduc Gagné, Evan Gusler, Brian Kniesly, Kate Long, Hayden Theis, Letian Wang*, and Daniel Zygielbaum.

Gibson Dunn lawyers are available to assist in addressing any questions you may have regarding this proposed legislation. To learn more about these issues or discuss how they might impact your business, please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any member of the firm’s Tax, Tax Controversy and Litigation, or Real Estate Investment Trust (REIT) practice groups:

Tax:
Sandy Bhogal – Co-Chair, London (+44 20 7071 4266, sbhogal@gibsondunn.com)
Evan M. Gusler – New York (+1 212.351.2445, egusler@gibsondunn.com)
Brian W. Kniesly – New York (+1 212.351.2379, bkniesly@gibsondunn.com)
Pamela Lawrence Endreny – Co-Chair, New York (+1 212.351.2474, pendreny@gibsondunn.com)
Kate Long – New York (+1 212.351.3813, klong@gibsondunn.com)
Eric B. Sloan – Co-Chair, New York/Washington, D.C. (+1 212.351.2340, esloan@gibsondunn.com)
Lorna Wilson – Los Angeles (+1 213.229.7547, lwilson@gibsondunn.com)
Daniel A. Zygielbaum – Washington, D.C. (+1 202.887.3768, dzygielbaum@gibsondunn.com)

Tax Controversy and Litigation:
Saul Mezei – Washington, D.C. (+1 202.955.8693, smezei@gibsondunn.com)
Sanford W. Stark – Chair, Washington, D.C. (+1 202.887.3650, sstark@gibsondunn.com)
C. Terrell Ussing – Washington, D.C. (+1 202.887.3612, tussing@gibsondunn.com)

Real Estate Investment Trust (REIT):
Eric M. Feuerstein – New York (+1 212.351.2323, efeuerstein@gibsondunn.com)
David Perechocky – New York (+1 212.351.6266, dperechocky@gibsondunn.com)
Jesse Sharf – Los Angeles (+1 310.552.8512, jsharf@gibsondunn.com)

Letian Wang, an associate in the New York office, is not admitted to practice law.

Join our lawyers for a recorded in-depth discussion of recent developments at the U.S. Food and Drug Administration, including the FDA’s crackdown on direct-to-consumer drug advertising and the impact of the Make America Healthy Again initiative, and their implications for the food, drug, device, and cosmetics industries. Our panel of attorneys provide practical insights and strategies for navigating emerging FDA policy, as well as regulatory and enforcement trends.

MCLE CREDIT INFORMATION:

This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 1.5 credit hours, of which 1.5 credit hours may be applied toward the areas of professional practice requirement. This course is approved for transitional/non-transitional credit.

Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 1.5 hours.

Gibson, Dunn & Crutcher LLP is authorized by the Solicitors Regulation Authority to provide in-house CPD training. This program is approved for CPD credit in the amount of 1.5 hours. Regulated by the Solicitors Regulation Authority (Number 324652).

Neither the Connecticut Judicial Branch nor the Commission on Minimum Continuing Legal Education approve or accredit CLE providers or activities. It is the opinion of this provider that this activity qualifies for up to 1.5 hours toward your annual CLE requirement in Connecticut, including 0 hour(s) of ethics/professionalism.

Application for approval is pending with the Colorado, Illinois, Texas, Virginia, and Washington State Bars.

PANELISTS:

Jonathan Phillips is a partner in Gibson Dunn’s Washington, D.C. office and co-chairs the firm’s FDA & Health Care Practice. His practice centers on FDA and health care enforcement, compliance, and litigation — including False Claims Act, Anti-Kickback, and regulatory defense work for pharmaceutical, medical device, and health-services clients. Prior to joining Gibson Dunn Jonathan served as a Trial Attorney in the Civil Division, Fraud Section of the U.S. Department of Justice where his work included handling a variety of health care enforcement cases.

Gustav Eyler is a partner in Gibson Dunn’s Washington, D.C. office and co-chairs the firm’s FDA & Health Care and Consumer Protection Practice Groups. Leveraging years of experience as Director of the U.S. DOJ Consumer Protection Branch — where he led enforcement actions involving drugs, medical devices, food, deceptive marketing, and public health statutes — he defends clients in government investigations and counsels on the design and implementation of compliance programs.

Katlin McKelvie is a partner in Gibson Dunn’s Washington, D.C. office and co-chairs the firm’s FDA & Health Care Practice. With over twenty years of experience in food and drug law, including as Deputy General Counsel at the Department of Health and Human Services (HHS), senior staff on the Senate HELP Committee, and various roles at FDA, she advises clients on regulatory, enforcement, legislative, and compliance strategies across FDA-regulated product categories.

John Partridge is a partner in Gibson Dunn’s Washington, D.C. office and co-chairs the firm’s FDA & Health Care Practice. He specializes in white-collar defense, government and internal investigations, and complex litigation for life sciences and health care clients and brings deep experience defending corporations in enforcement actions under the False Claims Act, Anti-Kickback Statute, FCPA, and the Federal Food, Drug, and Cosmetic Act.

Join partners Branden Berns and Stewart McDowell as we continue our discussion on alternatives to IPOs. This recorded one-hour CLE webcast focuses on reverse mergers and Reg A+ offerings as alternative paths to access the public capital markets. Viewers will gain valuable insight into the benefits of (and considerations for) these transaction structures, which can be attractive alternative transactions that lack some of the disadvantages of a traditional IPO.

Key topics include:

Overview of reverse merger transaction structures and legal frameworks
Identifying the most beneficial transaction for your company
Recent examples

MCLE CREDIT INFORMATION:

Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 1.0 hour.

Gibson, Dunn & Crutcher LLP is authorized by the Solicitors Regulation Authority to provide in-house CPD training. This program is approved for CPD credit in the amount of 1.0 hour. Regulated by the Solicitors Regulation Authority (Number 324652).

Neither the Connecticut Judicial Branch nor the Commission on Minimum Continuing Legal Education approve or accredit CLE providers or activities. It is the opinion of this provider that this activity qualifies for up to 1 hour toward your annual CLE requirement in Connecticut, including 0 hour(s) of ethics/professionalism.

Application for approval is pending with the Colorado, Illinois, Texas, Virginia and Washington State Bars.

PANELISTS:

Branden C. Berns is a partner in the San Francisco office of Gibson Dunn where he practices in the firm’s Transactional Department. He represents leading life sciences companies and investors on a broad range of complex corporate transactions, including mergers and acquisitions, asset sales, spin-offs, joint ventures, PIPEs, as well as a variety of financing transactions, including initial public offerings, secondary equity offerings and venture and growth equity financings. Branden also serves as principal outside counsel for numerous publicly-traded life sciences companies and advises management and boards of directors on corporate law matters, SEC reporting and corporate governance.

Stewart L. McDowell is a partner in the San Francisco and New York offices of Gibson Dunn where she is Co-Chair of the firm’s Capital Markets Practice Group. Stewart represents companies, investors and underwriters in a variety of complex capital markets transactions, including IPOs, convertible and non-convertible debt and preferred equity offerings, PIPEs and liability management transactions. She also represents companies in connection with U.S. and cross-border M&A and strategic investments, SEC reporting, corporate governance and general corporate matters.

The treaty has now reached 60 ratifications, triggering its entry into force. Once it has entered into force, this treaty will impact activities in the high seas and seabeds beyond States’ continental shelves.

On 19 September 2025, the “Conservation and Sustainable Use of Marine Biological Diversity of Areas beyond National Jurisdiction Agreement” (the BBNJ Agreement), adopted by the UN General Assembly in June 2023, reached 60 ratifications. This triggers its entry into force on 17 January 2026. The BBNJ Agreement establishes a binding, international governance framework aimed at safeguarding marine ecosystems and addressing threats posed by climate change, pollution and biodiversity loss. The Agreement is an implementing agreement to the United Nations Convention on the Law of the Sea (UNCLOS), furthering States’ existing commitments thereunder.

Although the BBNJ Agreement does not directly apply to corporate actors, State Parties’ implementation of the treaty may—for example, where a company’s activities are subject to Environmental Impact Assessment (EIAs), and take place in ocean areas which are designated Marine Protected Areas (MPAs).

Objectives Of The BBNJ Agreement

The overarching objective of the BBNJ Agreement is to ensure the conservation and sustainable use of marine biological diversity of “areas beyond national jurisdiction” (ABNJ). This term includes ocean areas beyond countries’ 200-mile exclusive economic zones—referred to as the “high seas”—and the seabed beyond countries’ continental shelves.

The BBNJ Agreement is structured around four main topics: (i) marine genetic resources (MGRs), including the fair and equitable sharing of benefits; EIAs; (ii) geographically targeted measures such as area-based management tools (ABMTs), including MPAs; (iii) EIAs; and (iv) capacity-building and the transfer of marine technology.

Institutional Bodies And A Financial Mechanism

The BBNJ Agreement sets up institutional bodies, including a Conference of the Parties (the COP)—the regular meeting of all State Parties which also serves as the BBNJ Agreement’s principal decision-making organ—as well as various subsidiary bodies, a “Clearing-House Mechanism”, and a secretariat. The first COP is expected to be convened towards the end of 2026.

The BBNJ Agreement also establishes a financial mechanism to support its implementation, which will function under the authority of the COP. The financial mechanism will comprise (i) a “voluntary trust fund”, to facilitate the participation of representatives of developing States in meetings; and (ii) a “special fund” and “Global Environment Facility trust fund” to fund capacity-building projects, support conservation and undertake other activities decided by the COP, among other things.

Key Provisions Of The BBNJ Agreement

(i) MGRs and Benefit-Sharing

The BBNJ Agreement establishes a benefit-sharing mechanism to ensure fair access to MGRs of ABNJ, as well as digital sequence information (DSI). MGR means “any material of marine plant, animal, microbial or other origin containing functional units of heredity of actual or potential value”. While DSI is not defined in the BBNJ Agreement, it refers to digitalized information of an MGR.

The BBNJ Agreement sets out two categories of benefits: (i) monetary, meaning royalties from commercialization of a product, or other types of payments associated with utilization of MGRs and DSI of ABNJ; and (ii) non-monetary, such as data and information.

Monetary benefits must be shared fairly and equitably through the Treaty’s financial mechanism for the conservation and sustainable use of marine biological diversity of ABNJ. For non-monetary benefits, the BBNJ Agreement establishes a notification system related to MGRs, requiring Parties to take the necessary legislative, administrative and policy measures to ensure that information is submitted to the Clearing House Mechanism—including information prior to the collection in situ of MGRs from ABNJ, and information after the collection. Non-monetary benefits are also shared through the transfer of technology and capacity building provisions, discussed further below.

The precise modalities of these benefits will be decided by the COP.

(ii) ABMTs, including MPAs

The BBNJ Agreement creates a global mechanism for Parties to establish ABMTs—including large-scale MPAs on the high seas. This mechanism is designed to facilitate achieving the Kunming-Montreal Global Biodiversity Framework target of protecting 30% of the ocean by 2030 (see our previous reporting, here).

Under the BBNJ Agreement, Parties can individually or collectively propose an MPA by submitting a proposal to the secretariat. This triggers a consultation period, which is open to States—including States that are not signatories to the BBNJ Agreement—as well as global, regional, subregional and sectoral bodies, civil society, the scientific community, the private sector, Indigenous Peoples, and local communities.

Considering information from the stakeholder consultation (which will be made publicly available by the secretariat), the “Scientific and Technical Body”—an expert panel elected by the COP to provide multidisciplinary advice to support the COP’s decisions—reviews the proposal and sends a recommendation to the COP. If the COP decides to establish the MPA, it will then adopt a “Management Plan”, which will include specific measures for Parties to implement (for example, the prohibition of mining activities or large-scale commercial fishing). Any corporate actors operating in MPAs would then be required to perform activities in compliance with the MPA’s Management Plan.

(iii) EIAs

Under the BBNJ Agreement, there are two circumstances where a Party must conduct an EIA—where a planned activity is in ABNJ or within national jurisdiction, and where that activity may cause substantial pollution of, or significant and harmful changes to, the marine environment in ABNJ. The EIA must be conducted before the planned activity under a Party’s jurisdiction or control is authorized.

The BBNJ requires the following steps for the EIA process: (i) screening; (ii) scoping; (iii) impact assessment and evaluation; (iv) prevention, mitigation, and management of potential adverse effects; (v) public notification and consultation; and (vi) preparation and publication of an EIA report.

When an EIA determines that the activity may cause substantial pollution of, or significant and harmful changes to, the marine environment, a State Party conducting the EIA under its national processes must make relevant information available through the Clearing-House Mechanism—an open-access, centralized platform managed by the secretariat.

A State Party can decide to authorize the planned activity only after—taking into account mitigation or management measures—the Party has determined that it has made all reasonable efforts to ensure that the activity can be conducted in a manner consistent with the prevention of significant adverse impacts on the marine environment.

(iv) Capacity-Building and Transfer of Marine Technology

The BBNJ Agreement provides that Parties must, within their capabilities, ensure capacity-building for developing States Parties that need and request it for conservation and sustainable use related to the Agreement. Regarding the transfer of marine technology, State Parties are required to “cooperate to achieve” the transfer of marine technology. Such transfer, if it occurs, is to be done on fair and most favourable terms and on mutually agreed terms and conditions, and with due regard for all rights and legitimate interests of the technology holders.

Dispute Settlement Procedure

Part IX of the BBNJ Agreement provides a mechanism for the settlement of disputes between State Parties arising under the BBNJ Agreement and incorporates the compulsory dispute resolution procedures of Part XV of UNCLOS. Where a State Party to the BBNJ Agreement is not a party to UNCLOS, it has the option to choose, by means of a written declaration, settlement of disputes before the International Tribunal for the Law of Sea, the International Court of Justice, or an Annex VII arbitral tribunal (an ad hoc arbitral tribunal composed of five members established under UNCLOS). Where a dispute concerns a matter of a technical nature, the Parties to the dispute may refer the dispute to an ad hoc expert panel established by them.

Current Status Of Ratification And Implementation

States Parties are at different stages of the ratification process of the BBNJ Agreement. For example, the UK signed the BBNJ Agreement in September 2023 but remains in the process of ratifying the treaty. The Government introduced a “landmark bill” on 10 September 2025, which will provide the legal framework to enable the UK to meet its obligations under the BBNJ Agreement.[1] After the bill is passed in the UK, further secondary legislation will be required for ratification of the BBNJ Agreement.

Meanwhile, the European Union—which ratified the BBNJ Agreement in May 2025—is “already working on a fast implementation” and has launched a EUR 40 million commitment through its “Global Ocean Programme” to support developing nations in building readiness for the BBNJ Agreement’s requirements.[2] France ratified the BBNJ Agreement in February 2025,[3] while Germany is in the process of preparing domestic legislation to do so.[4]

The United States signed the BBNJ Agreement in September 2023 but has yet to ratify it.[5]

Observations

The BBNJ Agreement is a landmark international treaty, which creates a comprehensive legal framework for the conservation of ABNJ. As well as imposing new obligations on Parties to the Agreement, its implementation may also impact companies and private actors from a range of sectors, including in the following ways:

The BBNJ Agreement may affect the trajectory of deep-sea mining. While deep sea mining is not explicitly referenced, the BBNJ Agreement emphasizes the “precautionary principle” approach to human activities on the seabed, as well as in sea water, which may prompt more States to join calls for an outright ban, moratorium or precautionary pause on deep-sea mining (see our previous reporting, here). As we have noted in another previous alert (see here), the rules and regulations governing deep sea mining are yet to be issued by the International Seabed Authority (which operates under UNCLOS), though the BBNJ Agreement provides clarification of the type of EIAs that would need to be conducted.

Companies and private actors planning activities in the high seas such as deep-sea mining, offshore energy, shipping and fishing may be subject to strict EIA requirements under the BBNJ Agreement, including public disclosure, and, potentially, international review of the proposed activities.

Companies and private actors which utilize MGRs in their products—such as the biotechnology, pharmaceutical, cosmetics, and agriculture sectors—may face new requirements for disclosure, as well as benefit-sharing requirements.

The creation of new MPAs could limit the types of operations that may take place in certain ocean areas—or even exclude certain activities altogether.

States may also impose obligations on companies and private actors to transfer technology and assist in capacity-building—particularly companies and private actors with advanced marine technologies—in order to support developing countries’ participation in high seas activities.

In sum, companies and private actors operating in or sourcing from ABNJ should closely monitor the implementation of the BBNJ Agreement and regularly assess their compliance and risk exposure in an evolving regulatory landscape.

[1] See UK Government, Press Release, “UK introduces landmark legislation to protect world’s ocean”, 10 September 2025, available at: https://www.gov.uk/government/news/uk-introduces-landmark-legislation-to-protect-worlds-ocean.

[2] See European Commission, Press Release, “Global ocean conservation treaty enters into force”, 20 September 2025, available at https://ec.europa.eu/commission/presscorner/detail/da/ip_25_2151.

[3] See UN Permanent Mission of France, Ministry of Europe and Foreign Affairs Spokesman Statement, “France’s ratification of the UN agreement on marine biodiversity”, 5 February 2025, available at https://onu.delegfrance.org/france-s-ratification-of-the-un-agreement-on-marine-biodiversity.

[4] See Ecologic Institute, Article “Implementing Legislation for the BBNJ Agreement”, July 2024, available at: https://www.ecologic.eu/19770.

[5] See The US Congress, C. Keating-Bitonti, “The Biodiversity Beyond National Jurisdiction Agreement (High Seas Treaty)”, 19 December 2024, available at: https://www.congress.gov/crs-product/IF12283.

The following Gibson Dunn lawyers prepared this update: Charline Yim, Stephanie Collins, and Leo Métais.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these issues. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s Geopolitical Strategy & International Law or ESG: Risk, Litigation & Reporting practice groups:

Robert Spano – Co-Chair, ESG and Geopolitical Strategy & International Law Groups,
London/Paris (+33 1 56 43 13 00, rspano@gibsondunn.com)

Rahim Moloo – Co-Chair, Geopolitical Strategy & International Law and International Arbitration Groups, New York (+1 212.351.2413, rmoloo@gibsondunn.com)

Patrick W. Pearsall – Co-Chair, Geopolitical Strategy & International Law Group,
Washington, D.C. (+1 202.955.8516, ppearsall@gibsondunn.com)

Lindsey D. Schmidt – New York (+1 212.351.5395, lschmidt@gibsondunn.com)

Charline O. Yim – New York (+1 212.351.2316, cyim@gibsondunn.com)

Ceyda Knoebel – London (+44 20 7071 4243, cknoebel@gibsondunn.com)

Stephanie Collins – London (+44 20 7071 4216, scollins@gibsondunn.com)

*Leo Métais, a trainee solicitor in the London office, is not admitted to practice law.

Our lawyers present a practical discussion of critical attorney-client privilege and work product considerations at every stage of internal and government investigations and internal audits. This recorded session addresses a variety of subjects including:

Establishing and preserving privilege from day one
Defending privilege during engagement with the government and other third parties
Privilege considerations in global investigations

MCLE CREDIT INFORMATION:

Attorneys seeking New York credit must obtain an Affirmation Form prior to watching the archived version of this webcast. Please contact CLE@gibsondunn.com to request the MCLE form.

Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 1.0 hour in the General category.

California attorneys may claim “self-study” credit for viewing the archived version of this webcast. No certificate of attendance is required for California “self-study” credit.

PANELISTS:

Michael S. Diamant is a Washington, D.C.–based partner in Gibson Dunn’s White Collar Defense and Investigations group. He leads internal investigations, defends corporations and executives in criminal and regulatory matters (including FCPA work), and advises on compliance program design and privilege strategy in high-stakes environments.

M. Kendall Day is a Washington, D.C.–based partner in Gibson Dunn’s White Collar Defense and Investigations group. A nationally recognized white-collar practitioner, he focuses on internal investigations, regulatory enforcement defense, and complex compliance counseling. Prior to joining Gibson Dunn, Kendall had a distinguished 15-year career as a white collar prosecutor with the Department of Justice, rising to the highest career position in the Criminal Division as an Acting Deputy Assistant Attorney General.

Melissa Farrar is a Washington, D.C.–based partner in Gibson Dunn’s White Collar Defense and Investigations group. Her practice is concentrated in white-collar defense, internal investigations, and corporate compliance. She advises multinational clients on matters such as the FCPA, False Claims Act, anti-money laundering, export controls, and securities and accounting fraud, and also supports organizations in structuring privilege strategy and compliance program assessments.

George J. Hazel is a Washington, D.C.–based partner in Gibson Dunn’s White Collar Defense and Investigations and Litigation groups. A former federal prosecutor and U.S. District Judge, he brings extensive trial experience across criminal and civil matters, having presided over approximately 50 jury trials in federal court and handled 20 jury trials and 30 bench trials as an attorney in federal and state court.

Benno Schwarz is the partner in charge of Gibson Dunn’s Munich office and co-chairs the firm’s Anti-Corruption & FCPA practice. He brings over 30 years of experience in cross-border white-collar defense, internal and independent investigations, compliance program design, and defense of companies and executives before domestic and international authorities.

If implemented, the changes could materially increase penalties, reduce discounts for voluntary disclosure, and introduce new ways of resolving cases involving breaches, such as settlement options.

The UK Office of Financial Sanctions Implementation (OFSI)—the UK government entity in charge of financial sanctions implementation and enforcement—is considering substantial reforms to its enforcement practices for financial sanctions breaches. If implemented, these changes could materially increase penalties, reduce discounts for voluntary disclosure, and introduce new ways of resolving cases involving breaches, such as settlement options. These proposed changes would move OFSI even closer to the enforcement model used by its U.S. analog—the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC)—with which it has had an increasingly comprehensive partnership since 2022. OFSI—which celebrates its 10th anniversary in 2026—is also drawing inspiration from other more-established UK regulators, such as the Financial Conduct Authority (FCA), with which it is collaborating extensively. OFSI is evolving, and with it are the UK sanctions risks faced by banks and companies within UK enforcement jurisdiction.

Background: OFSI’s Expanding Enforcement Activity

Much like sanctions enforcers throughout the G7, the inflection point for OFSI’s development as a consequential enforcer can be traced to Russia’s invasion of Ukraine in 2022. Since then, OFSI has more than doubled its staff—with a particular focus on licensing and enforcement—to 135 current employees and created a dedicated Compliance Enforcement team in 2024-2025 to better identify and enforce against breaches of license terms. During the 2023-2024 financial year, OFSI opened a record 396 investigations, more than double the previous year’s figure. This trend continued into 2024-2025, during which OFSI opened 394 investigations. This increased activity has brought growing recognition that OFSI’s enforcement procedures, largely unchanged since OFSI’s establishment in 2016, need updating to handle the volume and complexity of current sanctions cases.

The UK enforcement landscape fundamentally shifted in June 2022 when the UK moved to enforce financial sanctions breaches on a strict liability basis, i.e. using the same standard that OFAC uses. This means that OFSI no longer needs to demonstrate that a person knew or suspected they were breaching sanctions to impose a penalty. While OFSI may choose not to pursue such cases, even a de minimis misstep can be a violation. Similarly (and also in line with OFAC practice), OFSI now has the power to publicize breaches even when it chooses not to impose a monetary penalty. These changes, combined with the unprecedented expansion of the UK sanctions list, which now includes over 4,700 designated persons and entities, the increase in scope and sophistication of the UK’s sanctions programs, and the increasingly extraterritorial reach of UK sanctions, leads to a material increase in compliance challenges and enforcement risk for those subject to UK jurisdiction.

OFSI has already demonstrated its willingness to use this expanded toolkit. For the first time in August 2023, OFSI publicized details of sanctions breaches without imposing a monetary penalty. It used this power again in March 2025, indicating that this will likely be common practice for OFSI in cases of non-serious breaches. In August 2024, OFSI issued its first penalty related to the 2022 Russia sanctions, and has indicated that several more Russia-related enforcement actions are in its pipeline. In April 2025, OFSI issued a penalty to a company solely for the failure to respond to an information request, and in September 2025 it reduced voluntary disclosure credit from 50% to 35%, having deemed that a four month delay between detection of breaches and initial notification to OFSI mitigated the positive effects of cooperation.

Proposed Changes to OFSI’s Enforcement Approach

Material changes to OFSI’s enforcement practices are under consideration. As part of the review, OFSI published a consultation paper, on which it invited comment, setting out five main areas of reform. This process of consultation is also similar to how OFAC proceeded when it proposed its current enforcement guidelines.

I. Increased Statutory Maximum Penalties

OFSI has proposed raising the maximum penalties that it can impose. The current statutory maximum is the greater of £1 million or 50% of the breach value. OFSI proposes increasing this to the greater of £2 million or 100% of the breach value.

It is important to note that these changes would not automatically result in higher penalties across the board. OFSI would still assess what penalty is reasonable and proportionate within the new maximum. Indeed, eight of OFSI’s twelve penalties to date have only been 5% or less of the maximum available. However, the higher ceiling would give OFSI more scope to impose substantial penalties in the most serious cases.

OFSI is also seeking feedback on alternative approaches to calculating maximum penalties, such as basing them on a percentage of company turnover or setting a maximum penalty per breach rather than per case. The idea of basing breaches on percentages of turnover resembles the practices of the UK’s Competition and Markets Authority. The European Union has recently also recently adopted this idea, and issued EU-wide legislation requiring Member States to set maximum corporate fines of at least 1–5% of worldwide turnover, or €8–€40 million, depending on the violation’s gravity.

II. Clearer Assessment Framework and Adjusted Discounts

OFSI has proposed publishing a more transparent matrix showing how it combines severity and conduct factors to reach an overall case assessment. This also mirrors the OFAC model which is based on a matrix. The proposed OFSI matrix would guide businesses on likely outcomes: less severe cases would typically receive warning letters, moderately severe cases would be publicly disclosed without penalties, while serious cases would face monetary penalties.

Importantly, OFSI has proposed to increase not only the maximum potential penalty, but also the baseline penalty ranges for serious cases. Currently, serious cases attract baseline penalties of 0-50% of the statutory maximum, while most serious cases range from 50-100%. Under the proposals, serious cases would attract up to 75% of the maximum, and most serious cases would range from 75-100%.

OFSI has also proposed altering how it rewards voluntary disclosure. The current system offers up to 50% discount for serious cases and up to 30% for most serious cases. The proposal would cap the disclosure benefit at 30% for both categories, and would make the discount conditional on more stringent requirements: in order to benefit a respondent would have to demonstrate prompt reporting, the provision of a complete account of the facts, and fully cooperate with OFSI throughout the investigation. Where OFSI considers that the requirements are only partially met, a discount of lower than 30% could still be applied. These changes reflect OFSI’s view that the current 50% discount for a voluntary self-disclosure can sometimes undermine the penalty’s deterrent effect.

III. Streamlined Resolution Through Settlement

Drawing inspiration from the FCA’s approach (and OFAC’s process), OFSI has proposed introducing a formal settlement scheme. Under this model, once OFSI completes its investigation and determines a penalty is warranted, it could offer companies an opportunity to settle the case within 30 business days.

The proposed settlement process would proceed as follows: OFSI would provide a draft penalty notice to a party found to have violated sanctions and would allow without-prejudice discussions about the terms. If OFSI and the party reach agreement within the timeframe, the party under investigation would receive a 20% discount on top of any voluntary disclosure discount already applied. In exchange, the company would accept OFSI’s findings and waive their rights to ministerial review and tribunal appeal.

OFSI has indicated it would not offer settlement in cases involving knowing or intentional breaches, suspected circumvention, or where the company has failed to cooperate in good faith. During settlement discussions, companies may be able to negotiate the wording of the public penalty notice, potentially avoiding explicit admissions of liability (though OFSI has mentioned that such an approach could reduce the significance and deterrent effect of its enforcement notices). This process allowing for the negotiation of language in public notices is also parallel to the OFAC approach.

IV. Early Account Scheme for Expedited Investigations

While the suite of proposed changes could prove seismic, OFSI’s most innovative proposal is the Early Account Scheme (EAS), which would allow investigation subjects to effectively investigate themselves and provide OFSI with a comprehensive factual account. A similar scheme was introduced by the Prudential Regulation Authority, part of the Bank of England, in 2024. This option would be particularly attractive for well-resourced organizations with strong compliance functions.

Under the EAS, a company would conduct an internal investigation (or engage a third party to do so) and provide OFSI with a detailed report covering all suspected breaches, relevant materials, and an assessment against OFSI’s case factors. A senior officer would need to attest that the account is complete and fair. OFSI anticipates this process would typically take six months. The EAS will not be available in all cases. For instance, OFSI may not deem that it is appropriate when cases involve circumvention breaches, particularly serious breaches, or when the company has previously been investigated or penalized. Similarly, OFSI considers it would be very unlikely to permit access to the EAS to a company that had failed to report suspected breaches.

The incentive for using the EAS is significant: if the case proceeds to a penalty and settles, the settlement discount would increase from 20% to 40%. However, OFSI would retain discretion to reduce this discount if it determines the account was incomplete or required substantial additional investigation.

OFSI has made clear it would be highly unlikely to introduce the EAS without also introducing the settlement scheme, as the two mechanisms are designed to work together.

V. Streamlined Process for Information and Licensing Breaches

Recognizing that not all breaches are equal, OFSI has proposed a simplified process for certain categories of less serious offences. These more minor breaches would include failures to respond to information requests, non-compliance with license conditions, and late reporting.

Under this proposal, OFSI would publish indicative penalty amounts: £5,000 for standard failures and £10,000 for aggravated failures (such as repeated non-compliance or recklessly providing false information). These cases would follow a shortened timeline, with just 15 business days for representations at each stage rather than the standard 30 days.

OFSI is also considering whether these penalties should be set out in legislation as fixed penalties, which would provide greater legal certainty but reduce OFSI’s flexibility to adjust amounts based on circumstances.

What Happens Next: The Consultation Process

The consultation on OFSI’s paper closed on October 13, 2025. OFSI will now analyze all input received and publish a government response setting out its next steps. Some proposed changes could be implemented relatively quickly through updated OFSI guidance. However, changes to statutory maximum penalties would require secondary legislation (regulations), while changes to the percentage of breach value in the penalty calculation would require primary legislation (an Act of Parliament).

Practical Implications for Businesses

These proposed changes reflect OFSI’s evolution into a more sophisticated and robust enforcement regulator. In order prepare for the likely changes, businesses could consider several actions:

Review compliance programs. With higher baseline penalties and more stringent disclosure requirements proposed, the cost of compliance failures is likely to increase. This is an opportune moment to conduct gap analyses of sanctions screening, due diligence, and reporting processes. Businesses can also ensure that existing policies specifically cater for UK sanctions risks, as opposed to just U.S. or EU sanctions risks. While the degree of overlap between U.S., EU and UK sanctions remains significant, material differences exist.

Understand voluntary disclosure requirements. If the proposals are adopted, achieving the full voluntary disclosure discount will require not just prompt reporting but complete cooperation throughout an investigation. Businesses should ensure they have processes in place to identify potential breaches quickly and gather relevant information efficiently.

Consider settlement and EAS implications. Well-resourced organizations may find the EAS attractive, but it requires the ability to conduct thorough, independent, internal investigations. Smaller businesses may prefer the standard settlement route. Businesses should understand these options and how they might apply to potential cases.

Prepare for increased enforcement. With 240 active investigations as of April 2025 and a significantly expanded enforcement team, OFSI has made clear that more public enforcement actions are coming. The combination of expanded resources, enhanced tools, and streamlined processes means businesses should expect heightened scrutiny.

The following Gibson Dunn lawyers prepared this update: Irene Polieri, Adam M. Smith, Scott Toussaint, and Josephine Kroneberger*.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding UK enforcement practices and advising on engagement with UK regulators. For additional information about how we may assist you, please contact the Gibson Dunn lawyer with whom you usually work, the authors, or the following leaders and members of the firm’s International Trade Advisory & Enforcement practice groups:

United States:
Adam M. Smith – Co-Chair, Washington, D.C. (+1 202.887.3547, asmith@gibsondunn.com)
Ronald Kirk – Co-Chair, Dallas (+1 214.698.3295, rkirk@gibsondunn.com)
Stephenie Gosnell Handler – Washington, D.C. (+1 202.955.8510, shandler@gibsondunn.com)
Donald Harrison – Washington, D.C. (+1 202.955.8560, dharrison@gibsondunn.com)
Christopher T. Timura – Washington, D.C. (+1 202.887.3690, ctimura@gibsondunn.com)
Matthew S. Axelrod – Washington, D.C. (+1 202.955.8517, maxelrod@gibsondunn.com)
David P. Burns – Washington, D.C. (+1 202.887.3786, dburns@gibsondunn.com)
Nicola T. Hanna – Los Angeles (+1 213.229.7269, nhanna@gibsondunn.com)
Courtney M. Brown – Washington, D.C. (+1 202.955.8685, cmbrown@gibsondunn.com)
Amanda H. Neely – Washington, D.C. (+1 202.777.9566, aneely@gibsondunn.com)
Samantha Sewall – Washington, D.C. (+1 202.887.3509, ssewall@gibsondunn.com)
Michelle A. Weinbaum – Washington, D.C. (+1 202.955.8274, mweinbaum@gibsondunn.com)
Roxana Akbari – Orange County (+1 949.475.4650, rakbari@gibsondunn.com)
Karsten Ball – Washington, D.C. (+1 202.777.9341, kball@gibsondunn.com)
Sarah Burns – Washington, D.C. (+1 202.777.9320, sburns@gibsondunn.com)
Hugh N. Danilack – Washington, D.C. (+1 202.777.9536, hdanilack@gibsondunn.com)
Justin duRivage – Palo Alto (+1 650.849.5323, jdurivage@gibsondunn.com)
Zach Kosbie – Washington, D.C. (+1 202.777.9425, zkosbie@gibsondunn.com)
Chris R. Mullen – Washington, D.C. (+1 202.955.8250, cmullen@gibsondunn.com)
Sarah L. Pongrace – New York (+1 212.351.3972, spongrace@gibsondunn.com)
Anna Searcey – Washington, D.C. (+1 202.887.3655, asearcey@gibsondunn.com)
Erika Suh Holmberg – Washington, D.C. (+1 202.777.9539, eholmberg@gibsondunn.com)
Audi K. Syarief – Washington, D.C. (+1 202.955.8266, asyarief@gibsondunn.com)
Scott R. Toussaint – Washington, D.C. (+1 202.887.3588, stoussaint@gibsondunn.com)
Lindsay Bernsen Wardlaw – Washington, D.C. (+1 202.777.9475, lwardlaw@gibsondunn.com)
Shuo (Josh) Zhang – Washington, D.C. (+1 202.955.8270, szhang@gibsondunn.com)

Asia:
Kelly Austin – Denver/Hong Kong (+1 303.298.5980, kaustin@gibsondunn.com)
David A. Wolber – Hong Kong (+852 2214 3764, dwolber@gibsondunn.com)
Fang Xue – Beijing (+86 10 6502 8687, fxue@gibsondunn.com)
Qi Yue – Beijing (+86 10 6502 8534, qyue@gibsondunn.com)
Dharak Bhavsar – Hong Kong (+852 2214 3755, dbhavsar@gibsondunn.com)
Hui Fang – Hong Kong (+852 2214 3805, hfang@gibsondunn.com)
Arnold Pun – Hong Kong (+852 2214 3838, apun@gibsondunn.com)

Europe:
Attila Borsos – Brussels (+32 2 554 72 10, aborsos@gibsondunn.com)
Patrick Doris – London (+44 207 071 4276, pdoris@gibsondunn.com)
Michelle M. Kirschner – London (+44 20 7071 4212, mkirschner@gibsondunn.com)
Penny Madden KC – London (+44 20 7071 4226, pmadden@gibsondunn.com)
Irene Polieri – London (+44 20 7071 4199, ipolieri@gibsondunn.com)
Benno Schwarz – Munich (+49 89 189 33 110, bschwarz@gibsondunn.com)
Nikita Malevanny – Munich (+49 89 189 33 224, nmalevanny@gibsondunn.com)
Melina Kronester – Munich (+49 89 189 33 225, mkronester@gibsondunn.com)
Vanessa Ludwig – Frankfurt (+49 69 247 411 531, vludwig@gibsondunn.com)

*Josephine Kroneberger, a trainee solicitor in the London office, is not admitted to practice law.

From the Derivatives Practice Group: This week, ESMA and ISDA were particularly active, especially with respect to the derivatives markets in Japan, the UK, and the EU. Due to the federal government shutdown, regulatory activity has stalled in the U.S.

New Developments

White House Withdraws Nomination for CFTC Chair. On September 30, according to various sources, Brian Quintenz confirmed that the White House had withdrawn his nomination for CFTC Chair.

CFTC Staff Issues Advisory on Certain Contract Markets. On September 30, the CFTC issued an advisory to futures commission merchants, introducing brokers, designated contract markets, derivatives clearing organizations, and registered futures associations about certain contract markets regarding preparations with respect to potential market disruption during a lapse in government appropriations. The advisory is a reminder of certain applicable regulatory requirements and does not create new obligations.

CFTC Issues Federal Register Notice Regarding Operations During Lapse in Appropriations. On September 30, the CFTC issued a notice to provide for the continuation, shutdown, and resumption of certain operations in the event of a lapse in appropriations, and to alert all persons regulated by or engaged in proceedings at the Commission of these provisions. The CFTC also published a Plan for Lapse in Appropriations.

CFTC Staff Issues No-Action Letter Regarding Electricity Binary Options. On September 30, the CFTC’s Division of Market Oversight and the Division of Clearing and Risk announced they have taken a no-action position regarding swap data reporting and recordkeeping regulations for binary options in response to a request from Electron Exchange DCM LLC, a designated contract market, and Electron Exchange DCO LLC, a derivatives clearing organization. In the request, Electron Exchange DCM LLC represented that it intends to list cash-settled binary options with underlying commodities relating to electricity and/or power markets. The divisions stated that they will not recommend the CFTC initiate an enforcement action against either entity or their participants for failure to comply with certain swap-related recordkeeping requirements and for failure to report to swap data repositories data associated with binary option transactions executed on or subject to the rules of Electron Exchange DCM LLC and cleared through Electron Exchange DCO LLC, subject to the terms of the no-action letter.

CFTC Announces Participation in World Investor Week 2025. On September 30, the CFTC’s Office of Customer Education and Outreach announced its participation in World Investor Week, a global effort to emphasize the importance of investor education and protection. The CFTC said that, during the week, from October 6-12, it will warn the public about current scam trends and red flags through social media and webinars.

New Developments Outside the U.S.

ESMA Announces 2025 European Common Enforcement Priorities and Results of Fact-finding on Materiality Considerations in Sustainability Reporting. On October 14, ESMA outlined the European Common Enforcement Priorities for the 2025 annual financial reports of listed issuers. This year’s priorities reaffirm ESMA’s commitment to simplification and burden reduction, while maintaining a strong focus on investor protection and market stability. [NEW]

ESMA Proposes Key Reforms to Settlement Discipline, Supporting the Transition to T+1. On October 13, ESMA published its final report recommending significant amendments to the Regulatory Technical Standards on Settlement Discipline. These changes aim to enhance settlement efficiency across the EU, facilitate the transition to a shorter settlement cycle (T+1) by October 11, 2027 and reduce the administrative burden on central securities depositories and market participants. [NEW]

ESMA Consults on CCP Participation Requirements. On October 9, ESMA launched a public consultation on draft Regulatory Technical Standards on the elements to be considered when central counterparties (CCPs) define participation requirements. ESMA encouraged stakeholders to share their views about the elements that a CCP should consider when establishing its admission criteria, and assessing the ability of non-financial counterparties acting as clearing members to meet margin requirements and default fund contributions.

ESMA Publishes Technical Standards on CCP Authorizations, Extensions, and Validations. On October 9, ESMA published its Final Reports on the Regulatory Technical Standards on CCPs’ authorizations, extensions of authorization and model validations, following the review of the European Market Infrastructure Regulation (EMIR 3). According to ESMA, EMIR 3 introduces several measures to make EU clearing services and EU CCPs more efficient and competitive, notably by streamlining and shortening supervisory procedures for initial authorizations, extensions of authorization and validations of changes to models and parameters.

ESMA Organizes First Data Day Focused on Burden Reduction and Digitization. On October 7, ESMA announced that the first ESMA Data Day will be held on December 2, 2025. ESMA said that this flagship event will showcase how smarter data use and digitalization can simplify the regulatory framework and reduce reporting burdens while steering clear of deregulation.

EU Supervisory Authorities Warn Consumers of Risks and Limited Protection for Certain Crypto-assets and Providers. On October 6, the European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) issued a warning to consumers, reminding them that crypto-assets can be risky and that legal protection, if any, may be limited depending on the crypto-assets at issue. The warning was accompanied by a factsheet explaining what the new EU regulation on Markets in Crypto-Assets means for consumers. The ESAs recommended concrete steps consumers can take to make informed decisions before investing in crypto-assets, such as checking if the provider is authorized in the EU.

ESMA Releases 2026 Work Program – Advancing on More Integrated, Accessible, and Competitive Financial Markets in the EU. On October 3, ESMA published its 2026 Annual Work Program. Guided by its multi-annual strategy for 2023–2028 which sets out three strategic priorities and two thematic drivers, ESMA’s 2026 work program focuses on delivering on core policy and supervisory mandates while contributing to ambitious reforms for more integrated, accessible, and innovative EU capital markets.

New Industry-Led Developments

ISDA Submits Supplementary Analysis to ESMA on Reporting Costs. On October 13, ISDA submitted to ESMA an analysis of the costs of regulatory reporting, which proposes where savings can be made most effectively. This document supplements the recent response submitted by ISDA, the Association for Financial Markets in Europe, Futures Industry Association, and the Global FX Division of the Global Financial Markets Association to ESMA’s call for evidence on a comprehensive approach for the simplification of financial transaction reporting. [NEW]

ISDA Publishes Joint Association Letter on Simplification of Application of the EU Taxonomy. On October 13, ISDA, the Association for Financial Markets in Europe, the European Fund and Asset Management Association, the European Association of Co-operative Banks and the European Banking Federation published a policy statement in support of the European Commission’s efforts to simplify the application of the EU taxonomy. The statement emphasizes that reporting companies need legal certainty that the intended amendments and simplifications will apply as planned from January 1, 2026. [NEW]

ISDA Publishes Joint Paper on Removal of SI Regime for Derivatives and Bonds in the EU and UK. On October 13, ISDA and the Association for Financial Markets in Europe published a paper on the practical implications of the recent discontinuation of the systematic internalizer regime for derivatives, bonds and other non-equity financial instruments in the EU, and the expected discontinuation in the UK in the near future. [NEW]

ISDA Publishes Clearing Model Comparison. On October 10, ISDA updated a comparison of available US Treasury (UST) clearing models, as well as models for clearing repos at other central counterparties globally and models for clearing derivatives. This comparison is intended to help market participants understand existing and potential new clearing models for UST cash and repo transactions as they implement the US SEC’s recent rules requiring clearing of such transactions.

ISDA Publishes Report on the Impact of the FRTB on Correlation Trading. On October 7, ISDA published a report on the capitalization of the correlation trading portfolio (CTP) under the Fundamental Review of the Trading Book. According to ISDA, the paper sets out the industry position on best practice as it is applied to the current regulation. It also makes recommendations for improvements that ISDA said would help to clarify regulatory requirements for the CTP to ensure alignment with how banks manage the risk of such products and support a globally consistent approach to the CTP to maintain liquidity in this important market.

ISDA CEO Comments on Path to Greater CFTC-SEC Alignment. On October 2, ISDA CEO Scott O’Malia offered informal comments on a path to greater CFTC-SEC alignment. He highlighted three key areas where greater coordination between the CFTC and SEC is critical and market participants can help to deliver solutions that would increase compliance, cut costs and create a robust collateral infrastructure. These three areas include (1) regulatory reporting, (2) Treasury clearing, and (3) market liquidity and collateral infrastructure.

The following Gibson Dunn attorneys assisted in preparing this update: Jeffrey Steiner, Adam Lapidus, Marc Aaron Takagaki, Hayden McGovern, Karin Thrasher, and Alice Wang*.

Jeffrey L. Steiner, Washington, D.C. (202.887.3632, jsteiner@gibsondunn.com)

Michael D. Bopp, Washington, D.C. (202.955.8256, mbopp@gibsondunn.com)

Michelle M. Kirschner, London (+44 (0)20 7071.4212, mkirschner@gibsondunn.com)

Darius Mehraban, New York (212.351.2428, dmehraban@gibsondunn.com)

Jason J. Cabral, New York (212.351.6267, jcabral@gibsondunn.com)

Adam Lapidus, New York (212.351.3869, alapidus@gibsondunn.com )

Stephanie L. Brooker, Washington, D.C. (202.887.3502, sbrooker@gibsondunn.com)

William R. Hallatt, Hong Kong (+852 2214 3836, whallatt@gibsondunn.com )

David P. Burns, Washington, D.C. (202.887.3786, dburns@gibsondunn.com)

Marc Aaron Takagaki, New York (212.351.4028, mtakagaki@gibsondunn.com )

Hayden K. McGovern, Dallas (214.698.3142, hmcgovern@gibsondunn.com)

Karin Thrasher, Washington, D.C. (202.887.3712, kthrasher@gibsondunn.com)

Alice Yiqian Wang, Washington, D.C. (202.777.9587, awang@gibsondunn.com)

*Alice Wang, a law clerk in the firm’s Washington, D.C. office, is not admitted to practice law.

The Trump Administration’s newly announced tariffs targeting branded drugs, softwood lumber and derivative products, and heavy trucks are based on very different legal grounds than the “emergency” tariffs, imposed pursuant to the International Economic Emergency Powers Act (IEEPA), currently being litigated before the Supreme Court.

The latest “Section 232” actions, as with “Section 301” measures, are based on express, congressionally delegated and judicially affirmed tariff authorities and are thus fundamentally less subject to challenge than the IEEPA tariffs. Their use underscores a reality quickly coming into focus: Even if the emergency IEEPA tariffs are overturned by the Supreme Court, the Administration can achieve very significant tariff increases (although certainly not as broad and categorical) through traditional trade authorities like Section 232 and Section 301, which rest on far firmer legal ground.

The new tariffs announced in general terms in a Truth Social post on September 25, 2025 target several core industries. Specifically, the President threatened to impose 100 percent tariffs on branded or patented pharmaceutical products, 30-50 percent tariffs on certain lumber products such as kitchen cabinets and vanities and 25 percent tariffs on heavy trucks. Each of these measures was initially said to take effect on October 1, and each has been delayed. Given side agreements with various jurisdictions that import these goods into the United States, the ultimate impact of each is uncertain.

Among these measures, only the tariffs on softwood lumber and certain specified “derivatives” (including kitchen cabinets and vanities and upholstered furniture took effect in October, pursuant to an official Section 232 proclamation titled “Adjusting Imports of Timber, Lumber, and Their Derivative Products into the United States,” issued on September 29, 2025. The heavy truck tariffs have been delayed to November 1, 2025—but no formal proclamation or regulatory notice has yet been issued. The pharmaceutical tariffs are likewise postponed, pending negotiations with major drug manufacturers over domestic investment commitments and potential pricing arrangements. Below, we assess the status of the tariffs on pharmaceuticals and softwood lumber in greater detail.

While most of the official proclamations remain forthcoming, the recent Section 232 actions signal a broader strategic shift amid ongoing litigation over whether the President has authority to impose tariffs under the “emergency” authorization provided in IEEPA, a statute that does not include any reference to “tariffs” or “duties” and prior to this year has never been used to impose increased tariffs or duties). Whether the President has this authority is an issue that will be heard by the Supreme Court this fall. However, even if the Supreme Court ultimately invalidates or limits the scope of IEEPA-based tariffs, the administration can pursue more focused trade objectives through traditional statutory authorities, notably Section 232 of the Trade Expansion Act of 1962 and Section 301 of the Trade Act of 1974, which rest on far firmer constitutional ground.

Section 232—How Does It Work and What Do the Courts Say?

Under Section 232 of the Trade Expansion Act of 1962 (19 U.S.C. § 1862), the Commerce Department may initiate an investigation—either on its own or at the President’s direction—to determine whether specific imports “threaten to impair” U.S. national security. The process typically involves an announcement of the investigation, a fact-finding investigation, and a public comment period, which may be abbreviated to expedite action. Commerce concludes its review by submitting a final report to the President with findings and recommended actions. The President then has broad discretion to impose tariffs, quotas, or other import restrictions as is deemed necessary. The statute provides for a Commerce Department decision and recommendation to the President within 270 days, a Presidential decision within 90 days, and the effective implementation of the decision within 15 days. There are, however, no statutory minimum timelines for the process, allowing investigations to move more quickly.

Courts have consistently upheld Section 232 tariff measures. In addition to affirming the statute’s constitutionality, courts have held that it is within the President’s statutory power to impose indefinite measures and to modify tariffs well after the initial proclamation. We note that President Trump’s recent Section 232 actions may well raise issues beyond those in previous Section 232 cases.

Section 301—How Does It Work and What Do the Courts Say?

Under Section 301 of the Trade Act of 1974 (19 U.S.C. § 2411), the U.S. Trade Representative (USTR) may investigate whether a foreign government’s trade practices are unjustifiable, unreasonable, or discriminatory and burden or restrict U.S. commerce. The process typically begins with an announcement and initiation of investigation, followed by public comment and hearings, and culminates in a USTR determination and recommendation to the President. If the statutory requirements are met, the President may direct the USTR to impose tariffs, quotas, or other trade restrictions until the offending measure is eliminated or a satisfactory agreement is reached.
Courts have also upheld Section 301 tariffs and recently affirmed Section 301 tariffs on Chinese goods. That recent case also confirmed the President’s ability to expand existing Section 301 actions to impose escalatory tariffs.

While they lack the immediacy and breadth of a Presidential decision imposed under IEEPA, Section 232 and Section 301 tariffs are nonetheless a nimble instrument for President Trump to exert leverage in deal-making with both foreign governments and companies in affected industries, particularly given the judicially affirmed flexibility to modify such measures under both authorities.

I. DELAYED PHARMA TARIFFS

On September 25, 2025, President Trump announced that “[s]tarting October 1st, 2025, we will be imposing a 100% Tariff on any branded or patented Pharmaceutical Product, unless a Company IS BUILDING their Pharmaceutical Manufacturing Plant in America.”

Branded, patent-protected drugs account for nearly 90 percent of U.S. prescription drug spending, and the United States remains heavily dependent on imports, particularly from the European Union. By contrast, the U.S. relies on lower-cost manufacturing in India and China for generic (non-branded) drugs, which are not the immediate target of the announced 100 percent tariffs. While the Administration has since paused implementation of the 100 percent tariffs to pursue pricing and investment negotiations with major drugmakers, the threat of Section 232 action remains active.

Section 232 Investigation. The threatened tariff stems from a Section 232 investigation on “pharmaceuticals, pharmaceutical ingredients, and derivative products” initiated in April 2025 under the Trade Expansion Act of 1962 (19 U.S.C. § 1862)—a national security authority unrelated to IEEPA-based tariffs and consequently unaffected by any IEEPA litigation. This investigation encompassed finished drugs, active pharmaceutical ingredients (APIs), chemical precursors, and related derivative products. The final scope and structure of any resulting tariffs remain uncertain, including whether they will align with the September 25, 2025 announcement. Typically, Section 232 actions are accompanied by an annex listing the specific items that will be covered; no such annex has yet been released.

Carve-Outs for Key Trading Partners. Based on this administration’s established practice, companies in jurisdictions that have reached trade agreements with the Administration will get more favorable treatment under these new tariffs:

European Union: Under the S.–EU Tariffs and Trade Framework Agreement, pharmaceutical imports from the EU are expected to be capped at a total tariff rate of 15 percent.
Japan: Pharmaceutical imports from Japan may receive similar treatment under the S.–Japan Agreement, particularly in light of the 15 percent cap applied to Japanese products under the recently announced Section 232 softwood-lumber tariffs (see Section II, infra). However, the Agreement itself is less explicit than the agreement between the United States and European Union—it excludes generic (non-branded) pharmaceuticals from reciprocal tariffs but does not specify whether future Section 232 measures would apply to either branded or generic drugs.

Negotiated Outcomes and Ongoing Leverage. The Administration has reportedly paused its tariff rollout while negotiating agreements with leading drugmakers to reduce prices and expand domestic manufacturing.

The White House has reached a deal with Pfizer, under which the company will invest $70 billion in U.S. manufacturing, sell drugs in the United States at “most-favored-nation” (MFN) pricing, and participate in the new TrumpRx.gov initiative—offering certain primary-care drugs at discounts averaging 50 percent (and up to 85 percent)—in exchange for a three-year tariff exemption. The MFN pricing component follows a May Executive Order directing drugmakers to deliver MFN-priced drug to U.S. patients, as discussed by Gibson Dunn lawyers here.
Several other major manufacturers—including Moderna, Eli Lilly, AstraZeneca, GSK, Novartis, and Sanofi—are already constructing or planning new U.S. facilities, which could mitigate the effect of the tariff increase on consumers.
Notably, the 100 percent tariff rate announced in September is not President Trump’s final offer. President Trump threatened to impose tariffs of up to 250 percent on pharmaceutical imports during an August CNBC interview, describing the measure as part of a phased escalation if companies failed to relocate manufacturing to the United States. He could potentially invoke the heightened rate under the Section 232 authority and use it as leverage to pressure pharmaceutical companies to reaching favorable deals or investment commitments.

Adding further pressure to the broader healthcare sector, the Administration also announced a new Section 232 investigation in late September covering personal protective equipment (PPE), medical equipment, and medical devices. The results of that investigation could also—and we assess very likely will—result in meaningful tariff exposure to companies in those sectors.

II. SOFTWOOD LUMBER SECTION 232 TARIFFS: PROCLAMATION DIGESTED

As noted above, on September 29, 2025, President Trump issued a Proclamation titled “Adjusting Imports of Timber, Lumber, and Their Derivative Products into the United States,” accompanied by a White House Fact Sheet. The Proclamation establishes that “imports of softwood timber and lumber, as set forth in Annex I to this proclamation, shall be subject to a 10 percent ad valorem duty rate,” effective October 14, 2025.

The new Section 232 duty, on top of long-standing antidumping and countervailing duties on Canadian lumber imports, adds immediate cost pressure for U.S. homebuilders, construction suppliers, and furniture manufacturers that rely on imported lumber—particularly from Canada, the United States’ dominant softwood lumber supplier.

Scope. The Proclamation imposes a 10 percent global tariff on imports of softwood lumber. It also establishes:

a 25 percent global tariff on certain upholstered furniture, rising to 30 percent on January 1, 2026; and
a 25 percent global tariff on kitchen cabinets and vanities, rising to 50 percent on January 1, 2026.

Exemptions. Products subject to the new Section 232 duties are expressly exempt from tariffs imposed under:

Executive Order 14257 (Apr. 2, 2025), titled “Regulating Imports With a Reciprocal Tariff to Rectify Trade Practices That Contribute to Large and Persistent Annual U.S. Goods Trade Deficits” (imposing worldwide reciprocal tariffs);
Executive Order 14323 (July 30, 2025), titled “Addressing Threats to the United States by the Government of Brazil”; and
Executive Order 14329 (Aug. 6, 2025), titled “Addressing Threats to the United States by the Government of the Russian Federation.”
However, products subject to the Section 232 duties are not exempt from the additional application of IEEPA-based fentanyl-related tariffs on imports from China, Canada, and Mexico.
- This is true even when the products would otherwise be “eligible for special tariff treatment under any of the free trade agreements or preference programs listed in general note 3(c)(i) to the tariff schedule,” such as the United States–Mexico–Canada Agreement.

Stacking. Absent the exemptions noted above, “the tariffs imposed in this proclamation are in addition to any other duties, taxes, fees, exactions, and charges applicable to such imported wood products.” In other words, the Section 232 tariffs apply cumulatively on top of existing duties, unless expressly exempted by the Proclamation.

We note that the exemptions under the Executive Orders listed above are each based on IEEPA authorities and consequently their durability in light of potential Supreme Court rulings is uncertain.

Carve-outs for existing and future trade deals. Similar to the pharma measures, trading partners party to existing or pending trade arrangements will receive meaningful reductions:

The Section 232 tariff on covered wood imports from the United Kingdom will not exceed 10 percent, effectively capping tariff rates on derivative products that could otherwise rise to 50 percent.
The combined Section 232 tariff and most-favored nation tariff on subject wood imports from the European Union and Japan will not exceed 15 percent.
Other partners that negotiate with the United States to address national-security concerns related to wood imports will almost certainly secure alternative tariff arrangements.

III. CONCLUSION

The recent Section 232 developments underscore how traditional trade authorities are re-emerging as tools for advancing the Administration’s trade and industrial policy objectives. Even as litigation tests the limits of IEEPA, these authorities continue to provide a nimble, highly adaptable mechanism for President Trump to exert leverage in negotiations with both foreign governments and private companies in targeted sectors. Gibson Dunn lawyers stand ready to assist clients across industries in assessing exposure and navigating changes as these measures evolve.

The following Gibson Dunn lawyers prepared this update: Hui Fang, Lindsay Wardlaw, Adam M. Smith, Don Harrison, and Samantha Sewall.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these issues. For additional information about how we may assist you, please contact the Gibson Dunn lawyer with whom you usually work, the authors, or the following leaders and members of the firm’s International Trade Advisory & Enforcement practice groups:

Europe

09/23/2025

EDPB | Letter | Administrative Fines

The European Data Protection Board (“EDPB”) confirms that no amendments are needed to its GDPR fine calculation guidelines.

The EDPB published a letter to CCIA Europe confirming that no revisions are required to its Guidelines 4/2022 on the Calculation of Administrative Fines following the Court of Justice’s ruling in C-383/23. In that case, the Court of Justice of the European Union (“CJEU”) clarified that the concept of an “undertaking” under Article 83 GDPR corresponds to the one used in EU competition law, meaning that fines may be based on the total worldwide turnover of a corporate group. The EDPB emphasized that this interpretation is already reflected in its existing guidelines and therefore no amendments are necessary.

For more information: EDPB Website

09/17/2025

EDPS | Opinion | EU-US Data Exchange Agreements

The European Data Protection Supervisor (“EDPS”) urges stronger safeguards and redress mechanisms in upcoming EU-US data-sharing frameworks.

The EDPS issued opinions raising concerns about two planned EU-US data-exchange arrangements – one covering security-screening data and another concerning passenger and border-security information. The EDPS called for strict necessity and proportionality limits, exclusion of migration and asylum databases, and independent oversight to ensure compliance with EU fundamental-rights standards. It also stressed that any agreement must guarantee effective judicial redress in the United States for all individuals, regardless of nationality.

For more information: EDPS Website

09/16/2025

European Commission | Call for Evidence | Digital Omnibus

The European Commission collects feedback to simplify EU rules on data, AI and cybersecurity.

The European Commission has launched a call for evidence, running until 14 October 2025, to gather public and stakeholder feedback on its Digital Omnibus initiative. The initiative aims to streamline existing legislation, reduce regulatory overlaps and lower compliance costs. Areas targeted for simplification include rules on cookies and other tracking technologies, cybersecurity incident-reporting obligations, and the application of the AI Act.

For more information: European Commission Website

09/16/2025

European Union | Data Transfers | PIPC Adequacy Decision

The Personal Information Protection Commission of Korea (“PIPC”) has recognized the European Union’s data protection framework as equivalent.

This complements the European Commission’s 2021 adequacy decision on Korea, establishing a comprehensive, reciprocal framework that covers both the private and public sectors and facilitating seamless and secure data flows between the two jurisdictions.

For more information: European Commission Website

09/16/2025

European Commission | Conference | European Competitiveness

The European Commission hosted a high-level conference to mark the one-year anniversary of Mario Draghi’s report on the future of European competitiveness.

In his keynote speech, former European Central Bank President Mario Draghi reiterated the report’s key priorities, including the need to close the innovation gap in advanced technologies. He emphasized the demand from European businesses for a radical simplification of the GDPR, citing high compliance costs. Additionally, he recommended postponing the enforcement of high-risk AI rules until their impact is better understood.

For more information: European Commission Website

09/12/2025

EDPB | Draft Guidelines | Interplay between the DSA and the GDPR

The European Data Protection Board (“EDPB”) has adopted draft guidelines on the interplay between the Digital Services Act (“DSA”) and the General Data Protection Regulation (“GDPR”).

The guidelines seek to provide guidance on how the GDPR should be applied in the context of obligations under the DSA and address key areas such as recommender systems, protection of minors, advertising transparency, and profiling-based advertising. They also aim to clarify the cross-regulatory cooperation between authorities. The draft guidelines are open for public consultation until 31 October 2025.

For more information: EDPB Website

09/12/2025

European Union | Regulation | Data Act

The EU Regulation 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonized rules on fair access to and use of data (“Data Act”) entered into application.

The Data Act aims to empower consumers and businesses by granting them greater control over the data generated by their connected devices. Among its key objectives, it seeks to ensure that such devices are designed to enable data sharing, provide businesses in specific sectors with access to performance-related data from industrial equipment, and allow consumers to transfer their data and switch between cloud service providers more easily.

For more information: European Commission Website

09/05/2025

European Commission | Draft Adequacy Decision | Brazil

The European Commission published a draft adequacy decision recognizing Brazil’s data-protection regime as providing an equivalent level of protection to the EU.

Once adopted, the decision will enable unrestricted transfers of personal data between the EU and Brazil, complementing the broader EU-Mercosur partnership. Brazil is expected to reciprocate by granting adequacy status to the EU.

For more information: European Commission Website

09/04/2025

CJEU | Judgment | Pseudonymized Data

The Court of Justice of the European Union (“CJEU”) clarifies under what circumstances pseudonymized data may qualify as personal data.

The CJEU ruled in Case C-413/23 P that pseudonymized data can be considered anonymous for recipients who lack the means to re-identify individuals. The Court adopted a relative, recipient-based approach, finding that personal-data status must be assessed from the perspective of each recipient. However, controllers remain fully subject to GDPR transparency obligations and must inform data subjects of potential recipients at the time of data collection.

For more information: Curia Europa

09/04/2025

CJEU | Judgment | Non-Material Damages under the GDPR

The Court of Justice of the European Union (“CJEU”) confirms that emotional harm may constitute compensable damage under Article 82 GDPR.

In Case C-655/23, the CJEU held that non-material damage – such as fear or annoyance – can give rise to compensation under Article 82 GDPR, provided a causal link exists between the infringement and the harm suffered. The ruling reinforces that even intangible harms may trigger liability where a data-protection violation can be established.

For more information: Curia Europa

09/03/2025

General Court | Judgment | EU-US Data Protection Framework

The General Court of the European Union dismissed an action for annulment of the European Commission’s adequacy decision for the EU-US Data Protection Framework (“DPF”).

The challenge, brought by a member of the French Parliament, alleged that the Data Protection Review Court (“DPRC”) established in the US lacks independence and that US intelligence agencies engage in bulk data collection without sufficient safeguards. The General Court rejected these arguments, thereby confirming the continued validity of the adequacy decision.

For more information: Curia Europa

France

09/23/2025

French Supervisory Authority | Sanction | Hidden Surveillance System

On September 18, 2025, the French Supervisory Authority (“CNIL”) fined a department store €100,000 for unlawfully installing hidden cameras in its stockrooms to record employees.

The CNIL sanctioned a department store after it installed disguised cameras with microphones in its stockrooms without conducting a GDPR compliance analysis or involving the Data Protection Officer (“DPO”). The authority found violations of fairness, minimization, and accountability principles. The decision follows European Court of Human Rights (“ECHR”) case law on exceptional surveillance.

For more information: CNIL Website

09/18/2025

French Supervisory Authority | Injunction | Cookie

On September 11, 2025, the French Supervisory Authority (“CNIL”) closed its injunction against a telecom operator regarding cookie consent practices.

In November 2024, the CNIL issued an order, in addition to a €50 million fine, requiring a telecom operator to stop reading the cookies after individuals withdrew their consent, with a compliance deadline of three months. In response, the operator provided evidence within the specified timeframe demonstrating that, once the user consent was withdrawn, no further cookie reading or writing occurred on its website. Under these circumstances, the CNIL decided not to enforce the penalty payment (i.e. not to require the additional fine of €100.000 euros per day of delay) and closed the injunction.

For more information: CNIL Website

09/03/2025

French Supervisory Authority | Sanction | Cookie

On September 1, 2025, the French Supervisory Authority (“CNIL”) fined an email provider €325 million for displaying advertisements between users’ emails and placing cookies without consent.

Following a complaint filed by the organization None Of Your Business (“NOYB”), the CNIL conducted several investigations and considered that the email provider encouraged users to accept personalized advertising cookies when creating accounts, without clearly informing them that this was required to access services, thereby making the consent invalid. In addition, the CNIL considered that the email provider displayed ads between users’ emails without obtaining consent. Along with the fine, the CNIL issued an order requiring the company to implement measures within six months to bring its cookie and email practices into compliance.

For more information: CNIL Website

09/03/2025

French Supervisory Authority | Sanction | Cookie

On September 1, 2025, the French Supervisory Authority (“CNIL”) fined an e-commerce platform €150 million for unlawful cookie practices.

The CNIL considered that the company placed advertising cookies on users’ devices without consent, failed to provide clear and complete information about cookies, and did not respect users’ choices to refuse or withdraw consent.

For more information: CNIL Website

Germany

10/01/2025

Federal Ministry of Health | Implementation | Electronic Health Record

Germany introduces a mandatory, opt-out digital health record giving patients granular control over their data.

As of October 1, 2025, German healthcare providers must use the electronic health record (“ePA”) for all publicly insured patients. Each insured person automatically receives a digital record unless they object. Patients can manage access permissions, restrict document uploads, and delete data directly through a dedicated app. The reform represents a major step in Germany’s healthcare digitalization.

For more information: Federal Ministry of Health Website [DE]

09/25/2025

German Supervisory Authority | Initiative | Data Barometer

The Federal Commissioner for Data Protection and Freedom of Information (“BfDI”) unveiled the “Data Barometer,” a recurring national survey measuring public attitudes toward data protection.

The initiative aims to ground regulatory debate in empirical data rather than perceptions. Early results show that 37 % of respondents view data protection as excessive or bureaucratic, which the BfDI described as a “wake-up call” to rebuild trust through more transparent and user-friendly frameworks.

For more information: BfDI Website [DE]

09/23/2025

Stuttgart Higher Regional Court | Judgment | “Paying with Data”

The Stuttgart Higher Regional Court decided in its ruling 6 UKI 2/25 that providing personal data for digital services does not constitute a “price” under EU or German consumer law.

According to the ruling, only monetary consideration qualifies as a price. As a result, services may be advertised as “free” if data-processing practices are sufficiently transparent. An appeal to the Federal Court of Justice (ZR 198/25) is pending.

For more information: Ruling [DE]

09/18/2025

German Supervisory Authorities | Resolution | Automated Data Analysis by Law Enforcement

The Data Protection Conference (“DSK”), bringing together Germany’s supervisory authorities, calls for clear legal limits on automated law enforcement data analytics.

The DSK adopted a resolution stating that automated data-analysis systems used by law enforcement must be grounded in specific, constitutionally compliant legislation and limited to combating serious offences. The DSK emphasized transparency, auditability, and the need to preserve digital sovereignty, warning against reliance on third-country providers with incompatible data-access regimes.

For more information: DSK Website [DE]

09/18/2025

German Supervisory Authorities | Resolution | Data Transfers for Scientific Research

The Data Protection Conference (“DSK”) provides guidance on international transfers for scientific research for medical purposes.

The guidance outlines applicable legal bases under Articles 6 and 9 GDPR, requirements for Standard Contractual Clauses and Transfer Impact Assessments, and the proper use of “broad consent.” It also highlights controllers’ obligations to inform data subjects about international transfers under Articles 13 and 14 GDPR.

For more information: DSK Website [DE]

Italy

09/18/2025

Italian Supervisory Authority | Order | Facial Recognition

The Italian Supervisory Authority (“Garante”) ordered an airport corporation to suspend the use of its facial recognition solution.

The solution was found to be non-compliant and incompatible with EU data protection rules, as clarified by the European Data Protection Board (“EDPB”) in its Opinion 11/2024 on the use of facial recognition to streamline passenger flow at airports. The Garante specified that other facial recognition solutions referenced in the EDPB Opinion 11/2024 remain permitted.

For more information: Garante Website [IT]

Netherlands

09/01/2025

Rechtbank Noord-Nederland | Judgment | GDPR Livestream

Court rules village livestream unlawfully infringed privacy rights despite blurring and residents’ partial non-objection.

The court confirmed AP’s sanction against a village livestream, finding serious infringements of private life and personal data rights. Even blurred images left individuals identifiable. Less intrusive alternatives existed, requiring compliance with data minimization. The fine was reduced for procedural delay.

For more information: Rechtspraak Website [Dutch]

United Kingdom

09/23/2025

UK Supervisory Authority I Announcement I AI Training

The Information Commissioner’s Office (“ICO”) announced that it will continue to monitor an online platform over newly announced AI training on user data.

On 18 September 2025, an online platform announced it will begin using user data from the EU and UK to train its generative AI models from 3 November 2025, reversing a 2024 commitment to exclude EU/UK data after regulatory backlash. The platform indicated it will rely on legitimate interests with an opt-out mechanism. The ICO emphasized the need to ensure the ongoing compliance of the platform’s approach. Further, supervisory authorities in the Netherlands (“AP”) and Belgium (“APD”) have issued public warnings, expressing concern and urging users to disable permissions if they do not want their data to be used.

For more information: ICO Website, AP Website, APD Website

09/11/2025

UK Supervisory Authority | Guidance | Encryption

The Information Commissioner’s Office (“ICO”) issues new guidance on implementing encryption to protect personal data and reduce breach risks.

The ICO has published guidance on encryption as an appropriate technical and organisational measure to secure personal data. This guidance is not a statutory code of practice; however, the ICO notes it will be taken into account by the ICO in breach assessments and compliance investigations.

For more information: ICO Website

08/28/2025

UK Government | Public Consultation | Telecommunications Security Code of Practice

UK Department for Science, Innovation and Technology has launched a consultation on updates to the 2022 Telecommunications Security Code of Practice.

These proposed updates are intended to help public telecoms providers protect UK telecoms networks and services in light of evolving threats and emerging technologies. Stakeholders may submit responses before the consultation closes on October 22, 2025.

For more information: UK Government Website

The following Gibson Dunn lawyers prepared this update: Ahmed Baladi, Vera Lukic, Kai Gesing, Joel Harrison, Thomas Baculard, Ioana Burtea, Billur Cinar, Hermine Hubert, Christoph Jacob, Yannick Oberacker, and Phoebe Rowson-Stevens.

Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s Privacy, Cybersecurity & Data Innovation practice group:

Privacy, Cybersecurity, and Data Innovation:

United States:
Abbey A. Barrera – San Francisco (+1 415.393.8262, abarrera@gibsondunn.com)
Ashlie Beringer – Palo Alto (+1 650.849.5327, aberinger@gibsondunn.com)
Ryan T. Bergsieker – Denver (+1 303.298.5774, rbergsieker@gibsondunn.com)
Keith Enright – Palo Alto (+1 650.849.5386, kenright@gibsondunn.com)
Gustav W. Eyler – Washington, D.C. (+1 202.955.8610, geyler@gibsondunn.com)
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650.849.5203, cgaedt-sheckter@gibsondunn.com)
Svetlana S. Gans – Washington, D.C. (+1 202.955.8657, sgans@gibsondunn.com)
Lauren R. Goldman – New York (+1 212.351.2375, lgoldman@gibsondunn.com)
Stephenie Gosnell Handler – Washington, D.C. (+1 202.955.8510, shandler@gibsondunn.com)
Natalie J. Hausknecht – Denver (+1 303.298.5783, nhausknecht@gibsondunn.com)
Jane C. Horvath – Washington, D.C. (+1 202.955.8505, jhorvath@gibsondunn.com)
Martie Kutscher Clark – Palo Alto (+1 650.849.5348, mkutscherclark@gibsondunn.com)
Kristin A. Linsley – San Francisco (+1 415.393.8395, klinsley@gibsondunn.com)
Vivek Mohan – Palo Alto (+1 650.849.5345, vmohan@gibsondunn.com)
Ashley Rogers – Palo Alto/Dallas (+1 650.849.5204, arogers@gibsondunn.com)
Sophie C. Rohnke – Dallas (+1 214.698.3344, srohnke@gibsondunn.com)
Eric D. Vandevelde – Los Angeles (+1 213.229.7186, evandevelde@gibsondunn.com)
Frances A. Waldmann – Los Angeles (+1 213.229.7914,fwaldmann@gibsondunn.com)
Debra Wong Yang – Los Angeles (+1 213.229.7472, dwongyang@gibsondunn.com)

Europe:
Ahmed Baladi – Paris (+33 1 56 43 13 00, abaladi@gibsondunn.com)
Patrick Doris – London (+44 20 7071 4276, pdoris@gibsondunn.com)
Kai Gesing – Munich (+49 89 189 33-180, kgesing@gibsondunn.com)
Joel Harrison – London (+44 20 7071 4289, jharrison@gibsondunn.com)
Lore Leitner – London (+44 20 7071 4987, lleitner@gibsondunn.com)
Vera Lukic – Paris (+33 1 56 43 13 00, vlukic@gibsondunn.com)
Lars Petersen – Frankfurt/Riyadh (+49 69 247 411 525, lpetersen@gibsondunn.com)
Christian Riis-Madsen – Brussels (+32 2 554 72 05, criis@gibsondunn.com)
Robert Spano – London/Paris (+44 20 7071 4000, rspano@gibsondunn.com)

Asia:
Connell O’Neill – Hong Kong (+852 2214 3812, coneill@gibsondunn.com)

Our lawyers unpack the evolving landscape of clean energy financing after the passage of the One Big Beautiful Bill Act (OBBBA) in a recorded webcast.

This webcast delivers actionable insights on navigating the changes arising from the OBBBA and on structuring tax credit monetization transactions and managing risk post-OBBBA.

Key topics include:

OBBBA-driven market shifts and developments
Foreign entity of concern (FEOC) restrictions introduced under the OBBBA
Structure of tax credit monetization transactions post-OBBBA

MCLE CREDIT INFORMATION:

This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of .50 credit hour, of which .50 credit hour may be applied toward the areas of professional practice requirement. This course is approved for transitional/non-transitional credit.

Attorneys seeking New York credit must obtain an Affirmation Form prior to watching the archived version of this webcast. Please contact CLE@gibsondunn.com to request the MCLE form.

Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of .50 hour in the General category.

California attorneys may claim “self-study” credit for viewing the archived version of this webcast. No certificate of attendance is required for California “self-study” credit.

PANELISTS:

Matt Donnelly is a partner in the Washington, D.C. office of Gibson Dunn & Crutcher and a member of the firm’s Tax Practice Group. Mr. Donnelly regularly advises clients on tax issues relating to the development, financing, acquisition and disposition of energy projects, with a particular emphasis on federal tax credit eligibility and monetization. He has advised investors and developers in connection with numerous wind energy projects and residential, C&I and utility-scale solar projects, as well as in connection with investments in energy storage, carbon capture technologies and electrochromic glass.

Michael Cannon is a tax partner who dedicates the majority of his practice to energy, infrastructure and project finance tax matters, advising in connection with transactions involving a wide range of energy (both oil and gas, conventional power generation, and renewable energy) and other infrastructure assets. In addition to advising on mergers and acquisitions transactions, Michael has significant experience advising sponsors, tax-equity investors, and tax credit purchasers and sellers in connection with transactions designed monetize tax assets in connection with energy infrastructure investments.

Jennifer Sabin is a partner in the New York office of Gibson, Dunn & Crutcher. She represents clients in a broad range of domestic and international tax matters, including taxable and tax-free mergers and acquisitions (public and private), spin-offs, joint ventures, financings, and restructurings. Her practice also includes formation of, and transactions undertaken by, private equity, hedge funds, and asset managers. In addition, Jennifer advises on various aspects of information reporting, including matters relating to the Foreign Account Tax Compliance Act.

Nicholas Politan is a partner in the New York office of Gibson, Dunn & Crutcher, and Co-Chair of Gibson Dunn’s Energy (Power and Renewables) Practice Group. Nick is also a member of the Finance Practice Group. Nick focuses his practice on domestic and cross-border energy-related transactions, including mergers and acquisitions, financings of all types, project development, construction and operation, and restructurings. He has particular experience in wind power, solar power, battery storage and other renewable technologies. He represents developers, sponsors, strategic investors and lenders in connection with these transactions.

Daniel Alterbaum is a partner in the Mergers and Acquisitions and Private Equity Practice Groups, where he represents buyers, sellers, and investors in a wide variety of transactions in the private equity, fintech, renewable energy and infrastructure sectors. His experience includes joint ventures, acquisitions, divestitures and financings of wind and solar other renewable energy projects and project portfolio. He also represents issuers and investment funds in connection with venture capital, growth equity, and structured preferred equity investments in a variety of sectors.

Josiah Bethards is an associate in the Dallas office of Gibson, Dunn & Crutcher and is a member of the firm’s Tax Practice Group. Mr. Bethards represents clients in a broad range of tax matters, including public and private mergers and acquisitions, dispositions, financing transactions, joint ventures, cross-border transactions, and energy and infrastructure transactions, including tax equity financings and tax credit purchase and sale transactions. Mr. Bethards also has extensive experience advising sponsors and investors on clean energy tax credit qualification matters for a variety of technologies, including wind, solar, storage, clean fuels, nuclear, and carbon capture and sequestration, as well as other emerging technologies.

Gibson Dunn has extensive experience advising multinational companies operating online services on a wide variety of regulatory and law enforcement investigation, enforcement, strategic counseling, litigation, and appellate matters relating to youth online safety, including on privacy and AI-related issues.

The regulatory landscape governing safeguards around children’s online protection is evolving rapidly. While State Attorneys General (State AGs) are using existing statutes to increase enforcement efforts, a large number simultaneously support omnibus youth privacy legislation at the federal level. Meanwhile, many State AGs have opposed a federal Artificial Intelligence (AI) framework if such a law comes at the expense of states’ autonomy in AI oversight.

A. State AG Enforcement of Youth Issues: Regulation by Action & Policy Discourse

State AGs are not waiting for Congress to pass legislation relating to youth[1] online activity. Although State AGs have continuously advocated at the federal level for policy change, they have recently turned a focus towards enforcing existing privacy, consumer protection, child safety, and unfair competition laws. Social media platforms have been targets for such actions in the past, but there also is an increasing focus towards services not solely associated with children—like streaming services—with State AGs now probing companies on issues such as data monetization of minors. Many of these actions leverage general-purpose statutes, revealing a trend of regulation by enforcement in the absence of updated legislation.

1. State AG Investigation and Litigation

State AGs have frequently initiated action under state consumer protection frameworks to address a full range of youth protection issues, including those implicating privacy and artificial intelligence (AI) concerns. While some State AGs are more active than others (New York and Texas have shown a particular interest in this area), this a broad trend across states.

For example, in August, 44 State AGs issued a letter to 13 technology companies, asserting that failure to protect children will result in enforcement actions from the states. The letter raised concerns about the potential for AI chats to expose children to sexualized content. The outreach follows a similar letter in May 2025, issued by a coalition of 28 State AGs, which was prompted by reports of sexually explicit AI. In May, the State AGs sought responses regarding a technology company’s safeguards, content moderation practices, and plans to prevent further misuse of its AI technologies.

In addition, recent representative State AG enforcement and regulatory developments include:

Alabama. On April 29, Alabama’s Attorney General filed a complaint against a social media company under its deceptive trade practices law and for alleged wantonness and negligence pursuant to allegations that the company exploits children on its platform, among other things. The state is positioning the case as part of a broader effort to hold social media platforms accountable for their alleged impact on children’s well-being.

Michigan. On April 30, Michigan’s Attorney General filed a complaint against a streaming platform alleging systemic violations of Michigan consumer protection laws and the Children’s Online Privacy Protection Act (COPPA). The complaint alleges that the streaming service collects and monetizes personal data from children under the age of 13—including voice recordings, geolocation, IP addresses, and browsing histories—without obtaining verifiable parental consent or providing adequate notice. The AG asserts that the streaming platform lacks child-specific user profiles, thereby exposing minors to the same data collection practices as adults, and further alleges that the service facilitates third-party access to children’s data through partnerships with advertisers and data brokers, some of whom have been previously sanctioned by the FTC. Michigan is positioning the case as part of a broader regulatory push to enforce digital privacy standards for minors.

Missouri. In September 2025, the Missouri’s Attorney General’s office announced an age-verification regulation for websites and platforms where one-third or more of content is pornographic or sexually explicit. The regulation is promulgated under the Missouri Merchandising Practices Act, Missouri’s UDAP law which prohibits unfair and deceptive acts or practices. Failure to comply with the age-verification requirements will constitute an “unfair practice” under the Act. Missouri’s approach represents a novel one, as states have otherwise used statutes to impose age-verification requirements. The regulation will go into effect on November 30, 2025.

New Hampshire. In June 2024, the New Hampshire attorney general sued a social media company alleging that the platform’s design and operations harm the mental health of young users in violation of the state’s Consumer Protection Act (New Hampshire’s UDAP law which prohibits unfair and deceptive acts or practices). The Complaint also includes tort theories under strict liability and negligence for the allegedly “addictive features” of the platform. On July 8, 2025, the New Hampshire state Superior Court denied in large part a social media company’s motion to dismiss New Hampshire’s claims. The ruling found the State has standing to pursue consumer protection and public health claims on behalf of its residents, particularly minors, and signals judicial receptiveness to state-led efforts to regulate social media platforms through existing consumer protection frameworks. This decision may embolden other jurisdictions pursuing similar litigation and underscores the growing legal scrutiny of these platforms.

New Jersey. On April 17, New Jersey’s Attorney General filed a civil complaint in New Jersey state court against a communication platform alleging that the company violated the New Jersey Consumer Fraud Act and other state laws by failing to implement adequate safeguards to protect minors from harmful and illegal content on its platform. The complaint asserts that the platform knowingly facilitates access to graphic content—including sexual exploitation, self-harm, and drug-related material—though it markets itself as a safe space for youth. The State alleges that the company’s design choices and content moderation practices contribute to a public health crisis among youth and mislead consumers about the platform’s safety. New Jersey is positioning the case as part of a broader multistate initiative to hold tech companies accountable for the mental health impacts of their platforms on youth.

New York. In September 2025, New York Attorney General James issued proposed rules for compliance with New York’s Stop Addictive Feeds Exploitation (SAFE) for Kids Act.[2] The proposed rules identify “addictive feed” as an online platform, or portion of one, where media is “shared or generated by users” and “concurrently or sequentially, recommended, selected, or prioritized for display” based on either (i) “information persistently associated with the user or the user’s device” or (ii) the user’s previous online behavior including interactions with media generated on that platform or a different platform. The proposed rules make it unlawful for any covered operator (defined by the rules to mean a platform where monthly active users spend at least 20% of their time on an “addictive feed”) to provide an “addictive feed” to minors without parental consent. Absent parental consent, the rules also prohibit notifications to users between 12 a.m. and 6 a.m. (nighttime notifications) from covered operators.

Texas. In early 2025, Texas initiated broad investigative actions across numerous AI and platform operators, asserting precedent as “the largest data privacy and security initiative of any State AG office.” Specifically, the AG launched an investigation into 15 technology companies for potential violations of the state’s SCOPE Act[3] (Securing Children Online Through Parental Empowerment), which mandates parental consent for minors’ data collection and prohibits the sale of such data without authorization, and has already served as the basis of an action in late 2024 two months after the law’s effective date.

2. State AG Reporting: Shaping Tech Policy

Not only are State AGs bringing enforcement actions against tech companies, they are shaping the discourse around existing and emerging technologies accessible to youth. In September 2023, the National Association of Attorneys General (NAAG) sent a letter to Congress regarding Artificial Intelligence and the Exploitation of Children, calling on Congress to establish an expert commission “to study the means and methods” of AI “used to exploit children”, and to “propose solutions to deter and address such exploitation in an effort to protect America’s children.” NAAG highlighted protecting children “from the dangers of AI.” The following year, NAAG sent a letter to Congress on Requiring a Surgeon General’s Warning Label on Social Media Platforms, calling on lawmakers to pass legislation requiring a U.S. surgeon general warning on all algorithm-driven social media platforms.

Several State AGs also have released reports relating to emerging technology, including AI, as it relates to youth. For example, in February 2025, the Minnesota AG released a report examining design features purporting to cause harm to young people and providing policy recommendations to the state legislature.

These letters and reports signal State AGs are moving beyond case-by-case enforcement into agenda-setting, using research and public statements to advance their priorities.

B. State AG Support for Youth Privacy Legislation at the Federal Level:
COPPA 2.0 and KOSA

State AGs have also expressed support for two federal legislative efforts aimed at youth online privacy and safety: (i) updating the existing framework in the Children’s Online Privacy Protection Act (COPPA); and (ii) proposing a new, supplemental youth protections regime under the Kids Online Safety Act (KOSA). Both signal efforts to reduce the patchwork of state-by-state approaches, while giving robust enforcement authority to State AGs.

1. Children’s Online Privacy Protection Act

In March 2024, NAAG sent a letter to the FTC on behalf of a bipartisan coalition of 43 State AGs urging the federal government to update and strengthen the COPPA Rule—enforceable by both the FTC and State AGs—which governs how companies collect and process the data of children under the age of 13. The State AGs advocated to broaden the definitions of personal data to include for example, biometric identifiers and avatars generated from a child’s image and likeness. On January 16, 2025, the FTC voted 5-0 to approve updates to the COPPA Rule which was last updated over a decade ago, in 2013.[4]

On April 22, 2025, the FTC published the final amendments to the COPPA Rule in the Federal Register. The published amendments became effective on June 23, 2025, and operators will have until April 22, 2026 to come into full compliance (except for FTC-approved COPPA safe harbor programs, which must comply with certain amendments that specify earlier compliance dates). Violations of the updated COPPA Rule carry civil penalties up to $53,088 per violation for 2025.[5]

2. Kids Online Safety Act

In November 2024, a coalition of 32 State AGs penned an open letter to Congress to pass KOSA, which was first introduced in February 2022, and which purports to enhance online safety for minors beyond COPPA. First, KOSA would apply to youth ages 16 and under, as compared to COPPA which is applicable to youth ages 13 and under. Second, KOSA would require social media and other technology providers to take measures to reduce harms to minors, including mental health issues, addiction-like behaviors, sexual exploitation, and exposure to harmful content by imposing a duty of care, requiring highest privacy settings by default, and requiring the provision of parental oversight tools.

The coalition highlighted what it perceives to be improvements to prior drafts of KOSA, including the powers of State AGs to enforce KOSA’s duty of care provision. Since the letter, KOSA has again been redrafted to remove state AG enforcement authority over the duty of care provision following concerns raised by advocacy groups that states could censor certain types of information. State AG provisions, which give powers over specific provisions of the bill related to safeguards, disclosures, and transparency requirements, remain generally intact. As of this date, KOSA has not been enacted.

C. State AG Opposition to AI Legislation at the Federal Level

Despite supporting federal legislation relating to children’s privacy, State AGs have taken a different approach with respect to AI legislation. Even though State AGs have asserted that artificial intelligence poses new challenges and potential avenues of exploitation—such as the proliferation of non-consensual sexual imagery of minors—State AGs have pushed back against federal AI laws that would preempt state laws or strip the State AGs of their enforcement authority.

Federal efforts to prevent a state-by-state patchwork of AI laws failed in July 2025 when the Senate rejected a proposed 10-year moratorium on state-level AI laws by a vote of 99-1. The proposed moratorium, introduced as part of the One Big Beautiful Bill Act, would have broadly prevented states from imposing regulations on artificial intelligence. 40 State AGs signed a letter opposing the moratorium. The State AGs warned that “a broad moratorium on all state action while Congress fails to act in this area” would be “irresponsible” and “deprives consumers of reasonable protections.” They also noted that State-level enforcement is likely the future of AI governance, given Congress’s inaction. Likewise, a group of 260 state legislators representing all 50 states urged Congress to reject the moratorium. Now that the moratorium has failed, there has been renewed energy at the state level to regulate AI.

Despite their opposition to the moratorium and other federal legislation that would preempt state law, State AGs have staked out a position that they would support federal legislation that allows them to continue to enforce state laws. A bipartisan coalition of 23 State AGs submitted a comment to the National Telecommunications Information Administration urging the agency to ensure that the State AGs “have concurrent enforcement authority in any Federal regulatory regime governing AI.” While the fate of any federal AI legislation is hard to predict, it’s clear that many State AGs will not support it if they view it as infringing on their ability to oversee and govern this field—including issues like deepfakes, algorithmic targeting, and synthetic child abuse imagery.

Looking Forward

Businesses should stay apprised of the evolving environment where federal legislative momentum on privacy (COPPA 2.0/KOSA) coexists with AGs seeking to maintain state autonomy in AI governance. With State AGs aggressively enforcing both areas, businesses face the risk of multi‑jurisdictional investigations and litigation under prescriptive laws at the federal and state levels, and under generalist statutes like state consumer protection laws.

Additionally, any eventual AI preemption mandate could reshape enforcement capabilities, and might provoke new litigation or multi-state lobbying efforts.

Understanding this bipartisan push and dual federal‑state regulatory front is essential for anticipating legal risks and developing holistic compliance strategies.

Gibson Dunn’s State AG Task Force assists clients in responding to subpoenas and civil investigative demands, interfacing with state or local grand juries, representing clients in civil and criminal proceedings, and taking cases to trial.

[1] “Youth” or “child” means individuals under age 18 unless otherwise noted.

[2] 2024 N.Y. Laws ch. 120.

[3] Tex. H.B. 18, 88th Leg., R.S. (2023).

[4] For a comprehensive review of updates to the COPPA Rule, see our client alert FTC Updates to the COPPA Rule Impose New Compliance Obligations for Online Services That Collect Data from Children.

[5] See Adjustments to Civil Penalty Amounts, 90 Fed. Reg. 5580 (Jan. 17, 2025) (to be codified at 16 C.F.R. pt. 1). The FTC annually adjusts the civil penalty amount applicable to COPPA violations based on inflation, pursuant to the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015. See Press Release, Fed. Trade Comm’n, FTC Publishes Inflation-Adjusted Civil Penalty Amounts for 2024 (Jan. 11, 2024), https://www.ftc.gov/news-events/news/press-releases/2024/01/ftc-publishes-inflation-adjusted-civil-penalty-amounts-2024. Accordingly, civil penalty violation amounts will rise in future years.

The following Gibson Dunn lawyers prepared this update: Ashlie Beringer, Theodore J. Boutrous, Keith Enright, Nicola T. Hanna, Natalie J. Hausknecht, Poonam G. Kumar, Vivek Mohan, Connor S. Sullivan, Eric D. Vandevelde, Sara K. Weed, James L. Zelenay Jr., Jacob Arber, Zoey Clark, Kate Googins, Alexus Payton Leach, Michael DJ Landell, and Billy Malmed.

Gibson Dunn lawyers are closely monitoring developments and are available to discuss these issues as applied to your particular business. If you have questions, please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any of the following leaders and members of the firm’s State Attorneys General (AG) Task Force, who are here to assist with any AG matters:

State Attorneys General (AG) Task Force:

Artificial Intelligence:
Keith Enright – Palo Alto (+1 650.849.5386, kenright@gibsondunn.com)
Eric D. Vandevelde – Los Angeles (+1 213.229.7186, evandevelde@gibsondunn.com)

Antitrust & Competition:
Eric J. Stock – New York (+1 212.351.2301, estock@gibsondunn.com)

Climate Change & Environmental:
Rachel Levick – Washington, D.C. (+1 202.887.3574, rlevick@gibsondunn.com)

Consumer Litigation & Products Liability:
Christopher Chorba – Los Angeles (+1 213.229.7396, cchorba@gibsondunn.com)

Consumer Protection:
Gustav W. Eyler – Washington, D.C. (+1 202.955.8610, geyler@gibsondunn.com)
Natalie J. Hausknecht – Denver (+1 303.298.5783, nhausknecht@gibsondunn.com)
Ashley Rogers – Palo Alto/Dallas (+1 214.698.3316, arogers@gibsondunn.com)

DEI & ESG:
Stuart F. Delery – Washington, D.C. (+1 202.955.8515,sdelery@gibsondunn.com)
Mylan L. Denerstein – New York (+1 212.351.3850, mdenerstein@gibsondunn.com)

False Claims Act & Government Fraud:
Winston Y. Chan – San Francisco (+1 415.393.8362, wchan@gibsondunn.com)
Jonathan M. Phillips – Washington, D.C. (+1 202.887.3546, jphillips@gibsondunn.com)
Jake M. Shields – Washington, D.C. (+1 202.955.8201, jmshields@gibsondunn.com)
James L. Zelenay Jr. – Los Angeles (+1 213.229.7449, jzelenay@gibsondunn.com)

Labor & Employment:
Jason C. Schwartz – Washington, D.C. (+1 202.955.8242, jschwartz@gibsondunn.com)
Katherine V.A. Smith – Los Angeles (+1 213.229.7107, ksmith@gibsondunn.com)

Privacy & Cybersecurity:
Ryan T. Bergsieker – Denver (+1 303.298.5774, rbergsieker@gibsondunn.com)
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650.849.5203, cgaedt-sheckter@gibsondunn.com)
Vivek Mohan – Palo Alto (+1 650.849.5345, vmohan@gibsondunn.com)

Securities Enforcement:
Osman Nawaz – New York (+1 212.351.3940, onawaz@gibsondunn.com)
Tina Samanta – New York (+1 212.351.2469, tsamanta@gibsondunn.com)
David Woodcock – Dallas (+1 214.698.3211, dwoodcock@gibsondunn.com)
Lauren Cook Jackson – Washington, D.C. (+1 202.955.8293, ljackson@gibsondunn.com)

Tech & Innovation:
Ashlie Beringer – Palo Alto (+1 650.849.5327, aberinger@gibsondunn.com)

White Collar & Litigation:
Collin Cox – Houston (+1 346.718.6604,ccox@gibsondunn.com)
Trey Cox – Dallas (+1 214.698.3256,tcox@gibsondunn.com)
Nicola T. Hanna – Los Angeles (+1 213.229.7269, nhanna@gibsondunn.com)
Allyson N. Ho – Dallas (+1 214.698.3233,aho@gibsondunn.com)
Poonam G. Kumar – Los Angeles (+1 213.229.7554, pkumar@gibsondunn.com)

This edition of Gibson Dunn’s Federal Circuit Update for September summarizes the current status of petitions pending before the Supreme Court and recent Federal Circuit decisions concerning the definition of a prevailing party for purposes of 35 U.S.C. § 285, the patentability of functionally unrelated claim language, burden of proof for infringement, and untimely venue objections.

Federal Circuit News

Supreme Court:

The Supreme Court granted one petition originating in the Federal Circuit.

Trump v. V.O.S. Selections, Inc. (US Nos. 24-1287, 25-250): As we summarized in our August 2025 update, the en banc Federal Circuit held that the International Emergency Economic Powers Act (IEEPA) did not give the President the authority to impose the tariffs he ordered, and the Government’s reading of the term “regulate . . . importation” contained in the statute was too broad. Briefing before the Supreme Court will be completed by October 30, 2025, and argument has been set for November 5, 2025. So far, six amicus briefs have been filed in support of the President, one amicus brief has been filed in support of neither party, and two amicus briefs have been filed in support of the Federal Circuit’s holding.

Noteworthy Petitions for a Writ of Certiorari:

There were a few potentially impactful petitions filed before the Supreme Court in September 2025:

MSN Pharmaceuticals, Inc. v. Novartis Pharmaceuticals Corp. (US No. 25-225): The question presented is: “Whether, in a patent-infringement suit, a court may consider after-arising technology to hold that the patent is invalid under § 112(a) of the Patent Act.” After respondent waived its right to file a response, the Court requested a response, which is due November 7, 2025. Six amicus briefs have been filed.

Lynk Labs, Inc. v. Samsung Electronics Co. (US No. 25-308): The question presented is: “Whether patent applications that became publicly accessible only after the challenged patent’s critical date are ‘prior art . . . printed publications’ within the meaning of 35 U.S.C. §311(b).” The response brief is due November 17, 2025.

EcoFactor, Inc. v. Google, LLC (US No. 25-341): The questions presented are: (1) “Whether the Federal Circuit violated the Seventh Amendment by overturning the jury’s damages award . . . substituting its judgment for the jury’s on a question of fact.” (2) “Whether the Federal Circuit is permitted to apply a different, more stringent standard for the admission of expert testimony . . . [under] Federal Rule of Evidence 702.” (3) “Whether the Federal Circuit violated EcoFactor’s due process rights under the Fifth Amendment by deciding the appeal on a contract interpretation issue that was not raised in the district court, was not briefed by the parties on appeal, and was outside the scope of the en banc proceeding.” Google waived its right to file a response. The Court will consider this petition at its October 17, 2025 conference.

We provide an update below of the petitions pending before the Supreme Court, which were summarized in our August 2025 update:

In Gesture Technology Partners, LLC v. Unified Patents, LLC (US No. 24-1281), after one of the respondents waived its right to respond, the Court requested a response. The response was filed on September 26, 2025. The Court will consider this petition at its November 7, 2025 conference. The Court will consider this petition at its November 7, 2025 conference.

The Court denied the petitions in Lowe v. ShieldMark, Inc. (US No. 25-169), J. Reynolds Vapor Co. v. Altria Client Services LLC (US No. 25-158), D R Burton Healthcare, LLC v. Trudell Medical International Inc. (US No. 25-17), and Purdue Pharma L.P. v. Accord Healthcare, Inc. (US No. 24-1132).

Other Federal Circuit News:

Notice of Proposed Amendments to Federal Circuit Rules of Practice. The Federal Circuit has published proposed amendments to the Federal Circuit Rules of Practice available here: https://www.cafc.uscourts.gov/notice-of-proposed-amendments-to-the-federal-circuit-rules-of-practice-4/. Here is a summary of some of the proposed amendments:

Various rules have been updated to modify or clarify Federal Circuit procedures, including but not limited to, submission of documents by electronic filers, the hours of operation of the Federal Circuit’s night box, personally identifiable information, and page limits for appendix to briefs.
Rule 46 regarding attorneys has been amended to add a subsection on law student practice.
Practice Notes to Rule 50 has been amended to discuss the use of the cases pending list that a former court employee may not participate in or assist with.

Public comments must be received on or before October 16, 2025.

Upcoming Oral Argument Calendar

The list of upcoming arguments at the Federal Circuit is available on the court’s website.

Key Case Summaries (September 2025)

Future Link Systems, LLC v. Realtek Semiconductor Corp., No. 23-1056, 23-1057 (Fed. Cir. Sept. 9, 2025): Future Link sued Realtek in two separate suits over patents related to improvements of electronic circuitry and integrated circuits with power-saving features. Several months into the litigation, Future Link entered into a licensing agreement that covered Realtek’s products. Future Link then voluntarily dismissed both cases without prejudice. Realtek sought attorneys’ fees asserting Future Link had filed objectively baseless suits. The district court denied the motion for attorneys’ fees; however, it awarded sanctions by ordering that the dismissals be with prejudice.

The Federal Circuit (Stoll, J., joined by Reyna and Bryson, JJ.) vacated-in-part, affirmed-in-part, and remanded. The Court held that Realtek was the prevailing party because the district court “awarded sanctions” to Realtek and “converted the voluntary dismissal to a dismissal with prejudice.” The Court explained that this conclusion applied even if “[p]erhaps the district court did not intend to make Realtek a prevailing party.” The Court accordingly vacated the district court’s § 285 decision and remanded for the district court to consider whether this case is exceptional and whether fees are appropriate.

Bayer Pharma Atkiengesellschaft v. Mylan Pharmaceuticals Inc. et al., No. 23-2434 (Fed. Cir. Sept. 23, 2025): Mylan petitioned for inter partes review (IPR) of Bayer’s patent claiming methods of reducing the risk of cardiovascular events in patients with coronary artery disease and/or peripheral artery disease by administering “clinically proven effective” amounts of rivaroxaban and aspirin. The Board concluded that “clinically proven effective” was non-limiting, and in the alternative, the claims were anticipated. Bayer appealed the Board’s final written decision, including the Board’s construction of “clinically proven effective.”

The Federal Circuit (Moore, C.J., joined by Cunningham and Scarsi (district judge sitting by designation), JJ.) affirmed-in-part, vacated-in-part, and remanded for further proceedings. The Court stated that it did not need to decide whether or not “clinically proven effective” was limiting, because it concluded that even if it were limiting, the term was functionally unrelated to the claimed method and therefore failed to make the claims patentable. As the Court explained, an “otherwise anticipated method of treatment was not made patentable simply by adding a limitation of ‘informing the patient’ about the benefits of the anticipated method.” Similarly, the Court “found it equally troubling that one could claw back from the public domain an anticipated method of treatment merely by adding a limitation that the method subsequently performed well in a clinical trial.” The Court therefore concluded that “clinically proven effective” was a functionally unrelated limitation that did not make the challenged claims patentable. The Court accordingly did not reach whether “clinically proven effective” was anticipated.

Finesse Wireless LLC v. AT&T Mobility LLC, No. 24-1039 (Fed. Cir. Sept. 24, 2025): Finesse owns patents related to methods for mitigating interference in radios. Following a jury trial, the jury found that AT&T and Nokia (defendants) infringed awarded Finesse over $166 million in damages. The district court then denied the defendants’ motion for judgment as a matter of law (JMOL) of noninfringement and motion for a new trial on damages.

The Federal Circuit (Moore, C.J., joined by Linn and Cunningham, JJ.) reversed the district court’s denial of judgment of a matter of law and vacated the damages award, holding that substantial evidence did not support the jury’s finding of infringement. In particular, for one of the patents, the Court concluded that Finesse’s technical expert offered self-contradictory testimony on which signals in the accused radios corresponded to the two claimed signals, which was insufficient to support a finding that the accused radios practiced the asserted claims. The Court held that “[w]hen the party with the burden of proof, such as Finesse, rests its case on an expert’s self-contradictory testimony, we may conclude the evidence is insufficient to satisfy that standard.”

Focus Products Group International, LLC v. Katri Sales Co., Inc., Nos. 23-1446, 23-1450, 23-2148, 23-2149 (Fed. Cir. Sept. 30, 2025): Focus sued Katri for infringement of patents related to hookless shower curtains. The district court denied Katri’s motion to transfer venue because it was not timely raised. It then granted summary judgment of infringement and awarded damages and attorneys’ fees to Focus.

The Federal Circuit (Chen, J., joined by Moore, C.J. and Clevenger, J.) affirmed-in-part, reversed-in-part, vacated-in-part, and remanded. TC Heartland was published on May 22, 2017, but Katri waited until September 18, 2017 to raise any venue objections. The Court therefore held that the district court did not abuse its discretion in holding that Katri forfeited its venue objection and denying its motion to transfer venue.

The following Gibson Dunn lawyers assisted in preparing this update: Blaine Evanson, Jaysen Chung, Audrey Yang, Evan Kratzer, and Michelle Zhu.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding developments at the Federal Circuit. Please contact the Gibson Dunn lawyer with whom you usually work, any leader or member of the firm’s Appellate and Constitutional Law or Intellectual Property practice groups, or the following authors:

Blaine H. Evanson – Orange County (+1 949.451.3805, bevanson@gibsondunn.com)
Audrey Yang – Dallas (+1 214.698.3215, ayang@gibsondunn.com)

Appellate and Constitutional Law:
Thomas H. Dupree Jr. – Washington, D.C. (+1 202.955.8547, tdupree@gibsondunn.com)
Allyson N. Ho – Dallas (+1 214.698.3233, aho@gibsondunn.com)
Julian W. Poon – Los Angeles (+ 213.229.7758, jpoon@gibsondunn.com)

Intellectual Property:
Kate Dominguez – New York (+1 212.351.2338, kdominguez@gibsondunn.com)
Josh Krevitt – New York (+1 212.351.4000, jkrevitt@gibsondunn.com)
Jane M. Love, Ph.D. – New York (+1 212.351.3922, jlove@gibsondunn.com)

This update provides a summary of the DOL Opinion and key takeaways for plan sponsors and fiduciaries in implementing this DOL guidance.

The Employee Benefits Security Administration (EBSA) of the U.S. Department of Labor (DOL) recently issued Advisory Opinion 2025-04A (the Opinion), explaining that an investment management product with a guaranteed lifetime income option can meet the requirements for a qualified default investment alternative for defined contribution plans under the Employee Retirement Income Security Act of 1974 (ERISA). The Opinion also addresses how fiduciaries can comply with their duties under ERISA when selecting and monitoring insurers to provide these products.

I. Background on QDIAs

Most defined contribution plans allow participants to elect how to invest their accounts from among investment options made available by the plan fiduciary. In the absence of an investment election, a participant’s account will be invested in the plan’s qualified default investment option (QDIA) in accordance with 29 CFR § 2550.404c-5 (the QDIA regulation). When a plan complies with the QDIA regulation, plan fiduciaries remain responsible for the prudent selection and monitoring of the QDIA, but they are not liable for any loss that occurs as a result of an investment in the QDIA.

To qualify as a QDIA, an investment must fit within one of the five categories that the DOL has determined are appropriate to achieve meaningful retirement savings. In the Opinion, the DOL discusses the following three categories: “paragraph (e)(4)(i) describes an investment product with a mix of investments that takes into account the individual’s age or retirement date (e.g., a target date fund); paragraph (e)(4)(ii) describes an investment product with a mix of investments that takes into account the characteristics of the group of participants as a whole, rather than each individual (e.g., a balanced fund); and paragraph (e)(4)(iii) describes an investment management service that allocates contributions among existing plan options to provide an asset mix that takes into account the individual’s age or retirement date (e.g., a professionally-managed account).”

II. The AllianceBernstein Lifetime Income Strategy Program

The Opinion responds to a request from AllianceBernstein L.P. for clarification regarding whether its Lifetime Income Strategy (LIS) program satisfies the requirements to be a QDIA under ERISA. The LIS program as described by the Opinion is an investment option for participant-directed defined contribution plans, such as 401(k) plans, that uses investments in the plan’s lineup to create a portfolio unique to each participant (e.g., a professionally-managed account). Beginning when a participant reaches age 50 and ending two years before a participant’s designated retirement age, the LIS program allocates funds to a Secure Income Portfolio (SIP) that provides guaranteed lifetime income through a variable annuity contract. Participants may select the amount to be allocated into the SIP. If a participant does not make a selection, the plan sponsor selects a default allocation percentage. Participants can transfer their account balance from the LIS program to other plan options and can withdraw amounts from the SIP at any time.

According to the opinion, selected insurers submit bids for the guaranteed lifetime income allocations on a quarterly basis. Insurers are selected to be included in the LIS program based on their ability to pay claims and to provide quarterly guaranteed rates based on a fixed insurance fee. AllianceBernstein consults with an independent insurance research expert to assess the reasonableness of the guarantees and to confirm each insurer’s ability to meet their obligations.

III. DOL Guidance on Guaranteed Lifetime Income Products

The DOL concluded that investment management services like the LIS that incorporate lifetime income products and features may qualify as QDIAs, so long as they satisfy the transferability requirements and other provisions of the QDIA regulation. The Opinion confirmed that the DOL did not intend the language in the QDIA regulation to preclude the use of lifetime income products as QDIAs. Accordingly, the DOL determined that the LIS program, if operating as AllianceBernstein described, would satisfy the requirements of the QDIA regulation.

The DOL also addressed more generally how a fiduciary can comply with the fiduciary responsibilities set forth in ERISA § 404(a)(1)(B) when selecting and monitoring an insurance company to provide lifetime income products. The DOL explained that fiduciaries may qualify for two safe harbors—under either 29 CFR § 2550.404a-4 or ERISA § 404(e)—when selecting annuity providers for defined contribution plans. The Opinion further states that if a fiduciary complies with the conditions of one of these safe harbors in selecting and monitoring insurance companies selected to provide lifetime income products, it will satisfy its fiduciary obligations under ERISA.

IV. Takeaways

While the Opinion allows plan fiduciaries to consider providing guaranteed lifetime income options in defined contribution plans, it does not alter a plan fiduciary’s responsibility to prudently select and monitor investment options and plan service providers, including in designating the plan’s QDIA. The DOL made clear that whether a fiduciary has satisfied its duties under ERISA in selecting the LIS program, or any other investment alternative, continues to depend on the facts and circumstances with respect to each such investment. Furthermore, the DOL offered no opinion on the reasonableness of the fees associated with AllianceBernstein’s LIS program, stating only that a plan fiduciary must balance the fees and costs of the income protection offered by guaranteed lifetime income benefits against the payout rates and level of risk associated with the assets covered by the guarantees.

The Opinion follows President Trump’s Executive Order 14330, “Democratizing Access to Alternative Assets for 401(k) Investors,” which directed the DOL to reexamine its guidance regarding fiduciary duties under ERISA in connection with making asset allocation funds that include alternative asset investments available to participants. In an accompanying press release, the DOL stated that it intends to issue a notice of proposed rulemaking that clarifies the duties that a fiduciary owes to plan participants under ERISA when deciding whether to make available to plan participants an asset allocation fund that includes investments in alternative assets.

V. Practical Considerations for Plan Sponsors and Fiduciaries

The Opinion, like all Advisory Opinions, applies only to the particular facts presented. While the Opinion may have some persuasive impact on legal challenges, it is not dispositive.

QDIA selections have been increasingly targeted in recent litigation. This can be an attractive area of focus for plaintiffs because QDIA selection requires a plan fiduciary to consider the interests of a diverse group of participants who may not have otherwise indicated their investment preferences. Because such decisions at times can be fact specific, plaintiffs often seek to rely on sparse and conclusory allegations when challenging QDIA selections and other plan investment option decisions in an effort to survive initial pleading challenges and gain access to burdensome and expensive discovery. Where even tenuous claims survive to discovery and class certification, plan sponsors and administrators may feel compelled to pursue settlement over protracted plan litigation.

Broadening the range of potential financial products that can be considered to serve as a plan’s QDIA may create additional opportunities for plaintiffs to pursue even weak claims in the hope of surviving a threshold pleadings challenge. With the benefit of hindsight to second-guess plan administrator decisions, for example, lifetime income options could be criticized as underperforming and/or overly expensive during a bull market period. Alternatively, in a volatile market, failing to incorporate a lifetime income option could be criticized in retrospect as not taking an appropriately conservative approach to the default investment of passive plan participants’ balances. While a challenged plan administrator may have compelling responses to such claims, they may turn on the ability readily to demonstrate the administrator’s diligence in making prudent QDIA selection decisions. Accordingly, the inclusion of lifetime income options, or any other alternative asset investment, must be part of a carefully considered, appropriately balanced, and well documented strategy by plan fiduciaries.

Plan sponsors and fiduciaries should continue to monitor developments in this area, including any proposed regulations.

The following Gibson Dunn lawyers prepared this update: Karl Nelson, Ashley Johnson, Jennafer Tryck, and Rachel Iida.

Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s ERISA Litigation, Labor & Employment, or Executive Compensation & Employee Benefits practice groups:

ERISA Litigation:
Karl G. Nelson – Dallas (+1 214.698.3203, knelson@gibsondunn.com)
Ashley E. Johnson – Dallas (+1 214.698.3111, ajohnson@gibsondunn.com)
Heather L. Richardson – Los Angeles (+1 213.229.7409, hrichardson@gibsondunn.com)
Jennafer M. Tryck – Orange County (+1 949.451.4089, jtryck@gibsondunn.com)

Labor & Employment:
Jason C. Schwartz – Washington, D.C. (+1 202.955.8242, jschwartz@gibsondunn.com)
Katherine V.A. Smith – Los Angeles (+1 213.229.7107, ksmith@gibsondunn.com)

Executive Compensation & Employee Benefits:
Michael J. Collins – Washington, D.C. (+1 202.887.3551, mcollins@gibsondunn.com)
Sean C. Feller – Los Angeles (+1 310.551.8746, sfeller@gibsondunn.com)
Krista Hanvey – Dallas (+1 214.698.3425, khanvey@gibsondunn.com)

A quarterly update of high-quality education opportunities for Boards of Directors.

Gibson Dunn’s summary of director education opportunities has been updated as of October 2025. A copy is available at this link. Boards of Directors of public and private companies find this a useful resource as they look for high quality education opportunities.

This quarter’s update to the summary of director education opportunities includes a number of new opportunities as well as updates to the programs offered by organizations that have been included in our prior updates.

Read More

The following Gibson Dunn lawyers prepared this update: Hillary Holmes, Lori Zyskowski, Elizabeth Ising, Ronald Mueller, Jason Ferrari, Caroline Bakewell, and Deborah Gillis-Harry*.

Please view this and additional information on Gibson Dunn’s Securities Regulation and Corporate Governance Monitor.

Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these developments. To learn more, please contact the Gibson Dunn lawyer with whom you usually work in the firm’s Securities Regulation and Corporate Governance practice group, or the following:

Hillary H. Holmes – Houston (+1 346.718.6602, hholmes@gibsondunn.com)
Elizabeth Ising – Washington, D.C. (+1 202.955.8287, eising@gibsondunn.com)
Thomas J. Kim – Washington, D.C. (+1 202.887.3550, tkim@gibsondunn.com)
Ronald O. Mueller – Washington, D.C. (+1 202.955.8671, rmueller@gibsondunn.com)
Lori Zyskowski – New York (+1 212.351.2309, lzyskowski@gibsondunn.com)

*Deborah Gillis-Harry, a recent law graduate in the Houston office, is not admitted to practice law.

The FCA’s consultation represents a significant step towards modernising the UK’s asset management regulatory framework to accommodate DLT and tokenisation.

The Financial Conduct Authority (FCA) has published Consultation Paper CP25/28, setting out proposals and a roadmap to accelerate the adoption of fund tokenisation in the UK asset management sector. The consultation aims to provide regulatory clarity, operational flexibility, and a future vision for the use of distributed ledger technology (DLT) in authorised funds, with the objective of enhancing operational efficiency, consumer protection, and the UK’s global competitiveness in digital asset management.

This consultation marks a pivotal moment for the UK’s asset management industry, signalling a shift from exploratory pilots to the mainstreaming of tokenisation. The FCA’s approach demonstrates a willingness to balance innovation with robust regulatory oversight, positioning the UK as a potential global leader in digital asset management. By providing a clear regulatory pathway, the FCA is not only responding to industry demand for clarity but also proactively shaping the future landscape of investment products and services.

Key Proposals

Guidance for Tokenised Funds under the Blueprint Model. The FCA proposes guidance to clarify how authorised fund managers can operate tokenised fund registers using DLT, including both private-permissioned and public blockchain networks. The guidance addresses how managers can meet regulatory obligations for consumer protection and market integrity, including the ability to make unilateral updates to the register, manage smart contracts, and ensure eligibility verification and KYC compliance.
Introduction of Direct Dealing (D2F) Model. The FCA proposes an optional, alternative dealing model – Direct to Fund (D2F) – allowing unit deals to take place directly between investors and the fund or its depositary, rather than through the authorised fund manager (AFM) as principal. This model is intended to reduce operational overheads, eliminate interim exposure to the AFM, and remove the need for client money safeguards, thereby simplifying fund operations and supporting the transition to tokenised funds.
Roadmap for Fund Tokenisation. The consultation sets out a staged roadmap for fund tokenisation, including:
- Phase 1: Tokenisation of fund units and registers using DLT (current position).
- Phase 2: Tokenisation of underlying assets, enabling direct holdings of tokenised assets by investors.
- Phase 3: Tokenisation of cash flows, allowing for highly customisable, client-specific investment solutions.
The roadmap also addresses the use of tokenised money market fund (tMMF) units as collateral, the integration of digital cash instruments and stablecoins for settlement, and the potential for fully on-chain fund operations.
Supporting Future Tokenisation Models. The FCA explores future regulatory changes to accommodate advanced tokenisation models, such as composable finance, on-chain portfolio management, and the use of smart contracts for embedded compliance. The paper discusses the need for evolving standards in digital identity, investor protection, and market integrity as the industry moves towards more personalised, retail-scale portfolio management.

Taken together, these proposals reflect a forward-thinking regulatory philosophy. The FCA is not only addressing current operational and legal barriers but is also anticipating the next wave of innovation—where tokenisation could fundamentally reshape the relationship between investors, asset managers, and underlying assets. The staged roadmap provides a pragmatic yet ambitious framework, allowing the industry to innovate incrementally while maintaining regulatory guardrails.

Regulatory and Operational Considerations

The proposals apply to UCITS management companies, UK AIFMs managing authorised funds, and depositaries of authorised funds, with broader relevance to portfolio managers, fintech firms, stablecoin issuers, and custodians.
The FCA confirms a technology-neutral, outcomes-based approach, allowing the use of both private and public DLT networks, provided regulatory outcomes are met.
The consultation addresses operational resilience, data privacy, anti-money laundering (AML) responsibilities, and the management of network risks, including contingency planning for DLT outages.
Amendments to the Collective Investment Schemes sourcebook (COLL) are proposed to facilitate the use of DLT in fund registers and to implement the D2F model, including the introduction of Issues and Cancellations Accounts (IACs) for direct settlement between funds and investors.

From a strategic perspective, the FCA’s technology-neutral stance is particularly noteworthy. By focusing on outcomes rather than prescribing specific technologies, the regulator is enabling a diverse range of market participants to experiment and compete. This approach is likely to foster innovation, attract international players, and support the development of a vibrant digital asset ecosystem in the UK. However, it also places the onus on firms to ensure that their chosen technological solutions are robust, secure, and compliant with regulatory expectations.

Cost-Benefit Analysis

The FCA estimates that the adoption of the D2F model could deliver a net present value benefit of £27m–£57m over ten years, primarily through reduced fund administration costs and lower fees for investors. The costs are expected to be minimal and largely limited to familiarisation with the new framework. The proposals are designed to be optional, allowing firms to adopt the new models where commercially appropriate.

While the projected cost savings are significant, the true value of these reforms may lie in their potential to catalyse broader market transformation. By lowering operational barriers and reducing friction in fund administration, the FCA is creating an environment where new entrants and innovative business models can thrive. This could lead to greater competition, more diverse product offerings, and ultimately better outcomes for investors. However, firms will need to carefully assess the operational and technological investments required to realise these benefits, particularly as the industry transitions from pilot projects to full-scale implementation.

Consumer Protection and Market Integrity

The FCA’s proposals are intended to maintain high standards of consumer protection and market integrity, including for vulnerable consumers. The consultation highlights the potential for tokenisation to broaden access to investment products, increase competition, and deliver cost savings to consumers, while also recognising new risks associated with DLT, such as cybersecurity and liquidity management in stress scenarios.

As tokenisation matures, the challenge for regulators and industry participants will be to ensure that innovation does not come at the expense of consumer trust or market stability. The FCA’s focus on operational resilience, data privacy, and AML controls is well-placed, but ongoing vigilance will be required as new risks emerge—particularly as more retail investors engage with tokenised products. The evolution of digital identity standards, smart contract auditing, and contingency planning for DLT outages will be critical to maintaining confidence in the system.

Next Steps

Comments on Chapters 2–4 are requested by 21 November 2025, and on Chapter 5 by 12 December 2025.
The FCA will review feedback and publish final regulatory requirements in a Policy Statement, expected in the first half of 2026.
The FCA will continue to engage with industry and international regulators to support the development of global standards and best practices for fund tokenisation.

Looking ahead, the FCA’s collaborative approach—working with industry, consumer groups, and international bodies—will be essential to shaping a regulatory framework that is both innovative and resilient. The UK’s ability to influence global standards and attract investment will depend on the successful implementation of these proposals and the industry’s willingness to embrace change.

In conclusion, the FCA’s consultation represents a significant step towards modernising the UK’s asset management regulatory framework to accommodate DLT and tokenisation. The proposals are designed to provide regulatory certainty, operational flexibility, and a clear pathway for innovation, supporting the UK’s ambition to be a global leader in digital asset management while safeguarding consumer interests and market stability.

For asset managers, depositaries, fintechs, and other stakeholders, this is a moment to reflect not only on compliance but on strategic positioning for the future. Those who engage early and help shape the emerging standards will be best placed to capture the opportunities presented by tokenisation. As the regulatory landscape evolves, firms should consider how to leverage DLT to deliver more efficient, transparent, and personalised investment solutions—while remaining vigilant to new risks and responsibilities. The FCA’s consultation is not just a regulatory update; it is an invitation to help define the next era of asset management in the UK and beyond.

The following Gibson Dunn lawyer prepared this update: Michelle Kirschner.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. If you wish to discuss any of the matters set out above, please contact the author or any member of Gibson Dunn’s Fintech & Digital Assets or Financial Regulatory teams:

Michelle M. Kirschner – London (+44 20 7071 4212, mkirschner@gibsondunn.com)

Gibson Dunn is available to advise clients as they navigate the evolving Iran sanctions landscape, including by developing compliance assessments, tailored internal procedures, license applications, government engagement strategies, and transactional due diligence.

After a decade of multilateral sanctions relief under the 2015 Iran Nuclear Deal (the Joint Comprehensive Plan of Action – JCPOA), broad UN sanctions against Iran were reimposed on September 28, 2025. While this action was broadcast long in advance given Iran’s public non-compliance with its commitments under the JCPOA – it is nonetheless a sea change in risk for companies. While many firms had long since ended their engagements with Iran after the United States departed the Iran Nuclear Deal in 2018 and President Trump ordered a maximum pressure campaign on Iran, the reimposition of the UN’s sanctions represents a substantial increase in sanctions restrictions, imposes newly-meaningful risks of enforcement from regulators around the world, and counsels businesses to closely review their direct and indirect exposures to Iran-related trade.

Because UN sanctions are implemented by member states, the most significant change brought about by the snapback will be seen in the domestic imposition of the renewed restrictions. In this regard, the European Union and the United Kingdom have moved to the forefront of altering their sanctions regulations. Both jurisdictions acted swiftly to implement the new sanctions – some with immediate effect and others with very limited wind-down allowances. The combination of UN, UK, EU, and U.S. measures and the increasing appetite for enforcement of sanctions violations not just in the U.S. but also across the UK and the EU’s member states, creates a complex and highly restrictive environment which poses regulatory peril.

1. UN Sanctions: Historic Tools

The reimposed UN sanctions restore measures pursuant to six UN Security Council Resolutions adopted between 2006 and 2010: Resolutions 1696 (2006), 1737 (2006), 1747 (2007), 1803 (2008), 1835 (2008), and 1929 (2010). These resolutions addressed threats posed by Iran’s nuclear, ballistic missile, conventional arms, and regionally destabilizing activities via its support for terror proxy groups.

The reimposed UN measures include export controls, mainly targeting military and nuclear-related goods, software, and technology, financial and trade restrictions related to nuclear and missile programs, restrictions on banking activities and investment controls targeting Iran’s proliferation-sensitive sectors, powers to seize weapons and other prohibited cargo being transferred by Iran to state and non-state actors, as well as asset freeze measures targeting individuals and entities.

2. EU Response: Sweeping Reinstatement of Trade and Financial Restrictions

The European Union restored its entire pre-JCPOA nuclear-related sanctions regime, including an embargo on Iranian oil exports and substantial restrictions on the Iranian financial sector. This marks a significant shift in the EU sanctions policy on Iran. Until the snapback, the EU had committed to complying with the JCPOA and, via its Blocking Statute (which prohibits EU actors from complying with the U.S. embargo on Iran), encouraged its businesses to at least contemplate Iran-related activities.

a. Key Measures Restored under EU Nuclear-related Sanctions

The EU has moved rapidly to reimpose pre-JCPOA sanctions—comprising of UN measures which had previously been transposed into EU law, as well as EU autonomous measures—reintroducing them verbatim. The result is one of the most restrictive sanctions regimes the EU has maintained in the past decade.

I. Asset Freeze Measures

The EU implemented UN-mandated designations reimposed through Council Implementing Regulation (EU) 2025/1982, as well as autonomous EU designations restored via Council Implementing Regulation (EU) 2025/1980.

The EU designated several Iranian banks and entities in key sectors of the Iranian economy including Bank Melli, the Central Bank of Iran, the National Iranian Oil Company and various subsidiaries, the National Iranian Tanker Company, Naftiran Intertrade Company, the Ministry of Energy, the Ministry of Petroleum, among many others.

II. Trade Sanctions

The EU reimposed sweeping trade, financial, investment, and transport restrictions via amendments to Regulation (EU) No 267/2012 implemented by Council Regulation (EU) 2025/1975. These measures include, among others:

A prohibition on the import, purchase and transfer of Iranian crude oil, natural gas, petrochemical products, and petroleum products, as well as related services, and a prohibition on swapping Iranian natural gas;
A prohibition on the sale, supply, transfer and export of dual-use items, key equipment used in the energy sector and the petrochemical industry, key naval equipment or technology for shipbuilding, maintenance or refit (including items used in the construction of oil tankers);
A prohibition on the sale, supply, transfer and export of Enterprise Resource Planning software, designed specifically for use in nuclear, military, gas, oil, navy, aviation, financial and construction industries;
A prohibition on the sale, supply, transfer or export of graphite and raw or semi-finished metals;
A ban on all trade in gold, precious metals, and diamonds;
A prohibition on granting any financial loan or credit to, acquire or extend a participation in, or create a joint venture with, certain Iranian persons or entities, e.g. those involved in the exploration or production of crude oil and natural gas, the refining of fuels or the liquefaction of natural gas;
Correspondent banking prohibitions;
A prohibition on the transfer of funds between EU financial and credit institutions and Iran-domiciled financial and credit institutions and bureaux de change domiciled in Iran, including their branches and subsidiaries, and similar institutions non-Iran domiciled but controlled by the above (note: transfer restrictions are complex, and subject to various notification or authorization requirements);
Stringent conditions on the transfer of funds to and from any Iranian person;
A prohibition on the sale or purchase public or public-guaranteed bonds issued after September 30, 2025 by the Iranian government and other Iranian financial institutions, and those acting on behalf or at the direction of the latter;
Measures to prevent access to EU airports of Iranian cargo flights, and to prohibit the maintenance and service of Iranian cargo aircraft or vessels carrying prohibited items.

Certain restrictions are subject to short-lived wind-down periods (expiring on January 1, 2026) for pre-existing contracts. Note, in EU sanctions regulations the term “contract” refers to a binding commitment which contains all agreed terms including the parties, price, quantities, delivery dates, modalities of execution, etc. Mere framework agreements are typically not considered “contracts.” Purchase orders are not “ancillary contracts.”

While it has already acted in excess of what the UN snapback required, the EU has signaled a willingness to increase the pressure on Iran even further if the situation demands it (e.g. in response to any continued global destabilizing activities orchestrated by Iran).

III. Implications for the EU Blocking Statute

Despite restoring the EU nuclear-related sanctions regime on Iran, the EU did not make any amendments to the EU Blocking Statute laid down in Regulation (EC) 2271/96. This means that certain extraterritorial sanctions of the U.S. on Iran inconsistent with the EU’s own sanctions remain formally prohibited to be complied with by EU operators.

Nevertheless, the restored EU sanctions regime has significantly diminished the practical significance of the EU Blocking Statute as the regime now contains numerous measures that mimic U.S. rules. While there have been a very small number of cases of enforcement of the EU Blocking Statute, the newly reimposed sanctions will likely make the Statute mostly symbolic of the EU’s commitment to an independent Iran sanctions policy (while it remains significant insofar as U.S. sanctions on Cuba are concerned). Even if there is a violation – which will be hard to demonstrate given that the EU’s restrictions are now broadly parallel with the United States’ – enforcement appetite for pursuing such cases will likely be very limited.

3. UK Response: Rapid Implementation and New Designations

The United Kingdom also moved quickly to operationalize the snapback and signal London’s policy-shift towards Iran – moving to an even more aggressive footing than the snapback required. In line with its obligations as a UN Member State, the United Kingdom reimposed sanctions on 121 individuals and entities involved in Iran’s nuclear and ballistic missiles program, and amended its Iran (Sanctions) (Nuclear) (EU Exit) Regulations 2019 accordingly. The UK government also unilaterally designated 71 individuals and entities not subject to UN restrictions. The United Kingdom sanctioned a number of Iranian banks and targeted Iran’s most profitable sectors by designating entities such as Naftiran Intertrade Company, the National Iranian Oil Company and various subsidiaries, the National Iranian Tanker Company, the North Drilling Company, Mazandaran Cement Company, the Iran Aluminum Company, among many others. Even government ministries – the Ministry of Energy and the Ministry of Petroleum were designated.

By virtue of being designated, funds and assets of the sanctioned persons that come within UK jurisdiction are frozen, and those subject to UK jurisdiction are generally prohibited from dealing with funds or assets of sanctioned parties and their majority owned or controlled subsidiaries, unless authorized or exempt.

Recognizing that businesses need time to exit existing arrangements, the UK Office of Financial Sanctions Implementation (OFSI) has issued four general licenses allowing certain limited wind-down activities. These licenses are short-lived by design:

General License (GL) INT/2025/7345464 – UK-based Iranian banks: Permits wind-down or divestment of transactions involving Bank Melli, Bank Saderat Iran, Bank Tejarat, and Persia International Bank Plc. This GL expires on November 12, 2025 at 23:59. A six-year recordkeeping requirement applies.

GL INT/2025/7345664 – Iranian banks worldwide: Covers a broader set of Iranian financial institutions including Arian Bank, Bank Mellat, Bank Refah Kargaran, and others. This GL expires October 28, 2025 at 23:59. A six-year recordkeeping requirement applies.

GL INT/2025/7345264 – UK-based firms: Permits wind-down of transactions involving Iran Insurance Company and National Iranian Oil Company International Affairs Ltd. This GL expires on October 28, 2025 at 23:59. A six-year recordkeeping requirement applies.

GL INT/2025/7363752 – Shah Deniz Project: Allows non-designated parties and UK institutions to continue supporting the Shah Deniz Unincorporated Joint Venture under strict conditions. No direct payments to Naftiran Intertrade Company are permitted; any Naftiran Intertrade Company-related payments must be routed through offset or special purpose arrangements. This GL expires on October 28, 2025 at 23:59. A six-year recordkeeping requirement applies.

The UK government has indicated that it intends to introduce legislation to impose even further measures in line with its partners. Such new measures are expected to target finance, energy, shipping, software, and other significant industries which are advancing Iran’s nuclear program.

4. U.S. Position: Comprehensive Sanctions and Maximum Pressure Campaign

Unlike the United Kingdom and European Union, the United States has imposed comprehensive sanctions on Iran continuously for decades (including while the United States was still a party to the JCPOA). Indeed, beyond welcoming the recent snapback, earlier this year the current Trump administration restored its “maximum pressure” campaign against Iran.

As part of its efforts to tighten the screws on Tehran, the U.S. government has announced numerous waves of Iran-related sanctions over the past months. In July 2025, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated networks smuggling Iranian oil disguised as Iraqi oil, targeting over 145 individuals, entities, and vessels—the largest Iran sanctions package since 2018. In October 2025, OFAC sanctioned a further 50 additional individuals, entities, and vessels that facilitate Iranian oil and liquefied petroleum gas sales and shipments from Iran. U.S. Secretary of the Treasury Scott Bessent made the goal clear: “[D]egrading Iran’s cash flow by dismantling key elements of Iran’s energy export machine.” OFAC has also recently pursued numerous Iran-related actions, including very aggressive enforcement against companies for violations by foreign employees of U.S. companies. Much such enforcement is likely to come.

5. Suggested Actions for Global Businesses

The reintroduction of EU and UK sanctions on Iran, coupled with the heightened focus of the current U.S. administration on Iran-related trade, create immediate compliance risks for companies globally. Businesses should consider revisiting their exposure assessments (including by reviewing supply chains, banking and payment channels and due diligence on existing counterparties with potential ties to Iran), re-screen counterparties against updated sanctions lists and reconsider licensing needs.

The following Gibson Dunn lawyers prepared this update: Irene Polieri, Nikita Malevanny, Adam M. Smith, Scott Toussaint, and Josephine Kroneberger*.

*Josephine Kroneberger, a trainee solicitor in the London office, is not admitted to practice law.