UK Updates on Consumer Law, Payment Practices, and Software Vendor Regulations

Summary:

The article outlines updates on the Digital Markets, Competition and Consumers Act 2024, UK payment practices, and a code of practice for software vendors, focusing on compliance and regulatory guidance in the UK.

Original Article:

This week we look at:

Digital Markets, Competition and Consumers Act 2024: CMA approach to enforcement of new consumer law regime

Updated guidance on UK payment practices and performance reporting

UK Government response to call for views on code of practice for software vendors and report on open source software best practice and supply chain risk management

Digital Markets, Competition and Consumers Act 2024: CMA approach to enforcement of new consumer law regime

On 6 April 2025, the Digital Markets, Competition and Consumers Act 2024 (Commencement No. 2) Regulations 2025 will bring into force the consumer law enforcement and unfair commercial practices elements of the Digital Markets, Competition and Consumers Act 2024 (DMCC). See our Consumer law team’s briefing for more details.

On 10 March 2025, in a speech to the techUK Policy Conference, the Chief Executive of the Competition and Markets Authority (CMA) announced that in early April 2025 the CMA will publish details of its DMCC enforcement priorities for the next 12 months.

It will also publish updated guidance on unfair commercial practices, which it says will be streamlined to make it “as clear and accessible as possible”.

However, following some confusion as to how to apply the new DMCC provisions on drip pricing, that guidance will initially only cover the well understood aspects of drip pricing, which the Chief Executive referred to as “the prohibition of genuinely unexpected and untrailed mandatory charges added on at the end of a purchasing journey”. The CMA intends to run a further consultation in the summer on the parts of the drip pricing guidance that have created more uncertainty for businesses (including fixed-term periodic contracts), with final form guidance to be published in the autumn. Until then, the CMA will only take enforcement action against drip pricing that is in clear breach of the rules covered in the April guidance.

In relation to fake reviews, for the first 3 months of the new regime the CMA intends to focus on supporting businesses to comply with the new rules, rather than enforcement. This will give businesses time to roll out compliance measures.

CMA enforcement action in relation to other DMCC breaches will initially focus on the most serious breaches, such as “aggressive sales practices that prey on vulnerability; providing information to consumers that is objectively false; contract terms that are very obviously imbalanced and unfair”.

This steer on enforcement of the new regime will be of interest to all businesses selling to consumers. These businesses should also carefully review the revised guidance when it is published in April, and consider responding to the further consultation on drip pricing guidance in order to ensure that this is as relevant and helpful as possible.

Updated guidance on UK payment practices and performance reporting

On 5 March 2025 the Department for Business and Trade updated its guidance on the statutory duty for large companies and LLPs to report on their payment practices.

The updates reflect:

the changes to the reporting regime introduced by The Reporting on Payment Practices and Performance (Amendment) Regulations 2024, which came into force on 5 April 2024, extending the regime to 6 April 2031 and expanding the categories of information that have to be reported on. For financial years beginning on or after 1 January 2025, businesses are required to report on the value of payments made and not made within the relevant payment period, as well as the percentage of payments made

changes to the thresholds for defining medium-sized companies introduced by the Companies (Accounts and Reports) (Amendment and Transitional Provision) Regulations 2024, which will remove some companies from the scope of the regime from 6 April 2025

new reporting requirements that apply for financial years beginning on or after 1 April 2025 for companies using qualifying construction contracts, introduced under The Reporting on Payment Practices and Performance (Amendment) Regulations 2025

The policy aim of the regime is to tackle late payment culture, which has a particularly detrimental impact on small businesses. Businesses in scope of the regime should review the guidance and ensure that they are compliant with the changes to the law.

UK Government response to call for views on code of practice for software vendors and report on open source software best practice and supply chain risk management

On 3 March 2025 the Department for Science, Innovation and Technology (DSIT) published the Government’s response to its call for views on the draft code of practice for software vendors (Code).

The Code has been prepared as part of the armoury against widespread cyber threats and disruption. Given that software is the foundation for all digital tech, the Code aims to put software security and resilience at the heart of the software supply chain. It sets out principles of secure software design, development, deployment and maintenance, as well as good communication with customers to enhance risk management.

The Code is voluntary, and was produced with input from the National Cyber Security Centre (NCSC), as well as experts from industry and academia. The call for views ran in summer 2024. This revealed strong support for the Code, with some suggestions for improvements and refinement.

The Government now intends:

to make minor changes to the Code before publishing a final version later this year

for DSIT and the NCSC to refine technical controls (that set out minimum actions for software vendors) and implementation guidance that will accompany the final form Code. The Government will also look into developing guidance for the customer side of the software supply chain to help organisations factor software security and resilience into procurements and contract negotiations

for DSIT and the NCSC to develop an assurance regime so that software vendors can confirm compliance with the Code

to continue to map the Code against other standards, regulation and guidance (including international) to ensure there are no contradictions

All software vendors should be monitoring progress of the Code and should prepare for compliance.

Whilst the Code is aimed at organisations developing, distributing and maintaining software for profit, DSIT has published a separate report on open source software (OSS) best practices and supply chain risk management.

The report recommends the following as best practice for all organisations:

have an internal OSS policy against which the quality and trustworthiness of OSS can be evaluated. This policy may include a list of acceptable OSS licences, an approved OSS list, criteria for evaluating OSS, and different evaluation and approval processes for using OSS, with the process potentially depending on the criticality of the OSS being considered

have a Software Bill of Materials to track all OSS components used in a software product, as well as dependencies and licences

continuously monitor the software supply chain using a software composition analysis tool to identify vulnerabilities and licensing issues

actively engage with the OSS community to ensure high quality OSS components and a sustainable OSS ecosystem, amongst other things

All organisations should evaluate their use of OSS and whether their current software development, deployment and procurement policies follow best practice in relation to OSS components.

Eversheds Sutherland’s global AI regulatory update

Global AI Regulatory Update – March 2025: in this edition of our global AI bulletin, we look at:
