Round-up of knowledge
Welcome to Commercially Connected shorts, our weekly bitesize newsletter summarising the latest updates in UK and EU commercial law.
This week we look at:
- EU: Omnibus IV – simplifying business and product compliance
- ESG: your chance to influence due diligence guidelines under CSDDD
- Privacy: manufacturers called to improve transparency and data minimisation on smart devices
- AI: EU transparency code of practice ready for signatories
EU updates on Omnibus IV
On 9 June 2026, the European Parliament and Council of the EU reached political agreement on a package to simplify business compliance rules for “small mid-cap” enterprises and digitalise EU product compliance rules – part of Omnibus IV.
Key measures include:
- a new “small mid-cap” (SMC) category for companies with under 1,000 employees and up to €200m turnover or €172m assets. Note the thresholds have increased from the Commission’s initial proposal. SMCs will benefit from existing SME regulatory easements across areas such as GDPR record-keeping, prospectus rules, and certain sectoral regimes, reducing compliance burdens as they scale up
- a “digital by default” approach to product documentation such as declarations of conformity
- digital instructions (albeit paper remains for accessibility and safety)
- mandatory electronic communication between businesses and authorities, supporting a paper‑free, interoperable single market and “once-only” data sharing
- new “common specifications” allowing the Commission (for a limited period) to set fallback technical requirements where harmonised standards are absent or insufficient
The rules will now be formally put to a vote by the Council and Parliament.
The SMC introduction seeks to reduce the “cliff-edge” increase in regulatory obligations when businesses grow beyond SME status, making it easier for scale-ups to expand, access capital markets and manage compliance costs more proportionately.
Product-wise, the digital reforms should reduce administrative burden and costs by encouraging more digital formats and engagement. Common specifications will improve regulatory certainty where standards are lacking. Businesses placing products on the EU market will need to adapt systems for digital compliance and data exchange, but should benefit from faster processes and greater consistency across Member States.
CSDDD consultation: shaping the rules on value chain accountability
On 12 June 2026, the European Commission launched a public consultation to inform forthcoming guidelines on implementing the Corporate Sustainability Due Diligence Directive (CSDDD).
The Directive requires large EU and certain non‑EU companies to identify, prevent, mitigate and end adverse human rights and environmental impacts across their operations, subsidiaries and value chains.
The forthcoming guidelines will provide practical direction for:
- companies on complying with due diligence obligations
- Member State authorities on enforcement
- stakeholders (including NGOs and workers) on exercising rights
The consultation seeks input from businesses, supply chain participants, regulators, investors and civil society to shape proportionate and workable guidance. The guidance will shape how due diligence obligations are applied in practice. Businesses should engage now to influence expectations and prepare for more detailed compliance standards affecting risk management, supply chains and contractual arrangements.
ICO publishes updated IoT data protection guidance
On 11 June 2026, the ICO issued final updated guidance on how the UK GDPR and Privacy and Electronic Communications Regulations apply to consumer Internet of Things (IoT) products and services. The updated guidance follows research showing only 14% of UK consumers understand how smart devices – including smart speakers, connected TVs, fitness trackers, smart doorbells, home hubs and domestic appliances – collect and use personal data, despite near‑universal ownership.
Alongside the guidance, the ICO published a statement aimed at the general public, setting out recommended steps to take to protect their privacy when using smart devices.
The guidance applies to manufacturers, app developers, operating system providers, cloud providers, and others in the IoT supply chain. It does not apply to smart meters, connected and autonomous vehicles, or IoT products used in enterprise and industrial settings.
Manufacturers and developers are reminded that IoT devices will often process personal data, including potentially special category personal data, and must comply with core data protection principles when doing so.
The ICO’s expectations for manufacturers and developers include:
- clear allocation of controller and processor roles across IoT ecosystems from the earliest stages of development
- baking data protection by design and default into the connected device lifecycle, including carrying out data protection impact assessments, where relevant
- determining an appropriate lawful basis, with valid consent where required
- implementing layered, user-friendly transparency information across device interfaces
- applying robust security measures and data minimisation
- enabling users to exercise rights, including where multiple users interact with a device
Businesses designing or supplying IoT solutions are reminded to review data flows, user interfaces and accountability frameworks to mitigate regulatory risk and enforcement exposure, and to use the examples from the guidance to help refine their approach. Businesses may also reasonably expect an uptick in requests from individuals, such as subject access requests, complaints and erasure requests, as a result of the ICO’s statement.
The ICO plans to continue its work in this area by engaging with connected TV manufacturers this year, to assess whether they are complying with the law and offering consumers meaningful choice over how their data is used.
With thanks to Lizzie Charlton
EU introduces final transparency Code
On 10 June 2026, the European Commission published its final voluntary Code of Practice setting out how AI providers and deployers can meet upcoming transparency obligations under the EU AI Act. Organisations that sign up to the Code can demonstrate compliance with the EU AI Act requirements.
Key messages:
- the “ask” is for clear labelling of deepfakes and AI-generated or AI-manipulated content on matters of public interest
- users must be informed when interacting with AI systems (e.g. chatbots)
- providers should implement machine-readable marking to enable detection of AI content
- deployers must label content where there is no human editorial control
- the Code will be complemented by guidance
Our Jannick Thonemann (Principal Associate) comments: “In practical terms, the Code clarifies how providers and deployers must handle AI-generated content. Providers are expected to enable technical detection of AI outputs, while deployers must clearly label deepfakes and certain AI-generated content, especially where it influences public debate. Although voluntary, the Code will serve as the main benchmark for compliance. We consider this a decisive shift from principle to enforceable operational standards, particularly through the introduction of standardised AI labels.”
For more on this see our Flash Update on LinkedIn from our ES Netherlands team.