From mega-investments in AI to high-stakes cybercrime and geopolitical tech tussles, this week shows how innovation, regulation, and risk collide on the global stage. Nvidia doubles down on its AI dominance with a record-breaking bet, teenage hackers face trial after a multimillion-pound strike on London transport, and US investors line up for a controversial takeover of TikTok.

In this edition:

💸 Nvidia Invests in…Itself?

🕵️ Scattered Spider: Teens Charged in £39m TfL Cyber Strike

📱 TikTok Ticked Off: US Investors Step In

Nvidia Invests in…Itself?

Nvidia will invest up to $100bn (£73bn) in OpenAI, the company behind ChatGPT. The partnership will focus on building next-generation AI infrastructure, with Nvidia supplying the high-performance chips required to train and run advanced systems at scale.

The deal highlights Nvidia’s continued dominance in the semiconductor sector and its central role in powering generative AI. Already the world’s most valuable company, Nvidia has recently committed $5bn to Intel and £2bn to the UK’s AI sector. The collaboration with OpenAI represents its largest step yet in shaping the future of artificial intelligence.

In many ways, the investment is Nvidia investing in itself. By embedding its hardware at the heart of OpenAI’s systems, the company is creating sustained demand for its own products. As OpenAI expands, Nvidia secures a long-term role as the indispensable supplier driving that growth – strengthening both revenue streams and market control.

OpenAI, which now reports more than 700 million weekly active users, is working with a network of collaborators including Microsoft, Oracle, SoftBank and Stargate to expand access to advanced AI infrastructure. The Nvidia investment strengthens this ecosystem and positions both firms at the forefront of the global AI race.

The announcement comes amid mounting competition from China, where DeepSeek-R1 has emerged as a strong challenger. Nvidia also faces political and regulatory pressure: China has accused the company of anti-monopoly breaches and restricted chip sales, while in the US, it must comply with export levies on Chinese revenues.

🔴 Data Protection and Privacy

The Nvidia–OpenAI partnership involves processing vast amounts of personal data to train AI systems. In the UK and EU, this constitutes personal data under the UK GDPR and EU GDPR. Such processing requires a valid lawful basis, transparency, purpose limitation, and appropriate safeguards. Failure to comply could trigger enforcement action from regulators such as the ICO, the European Data Protection Board, or other authorities, potentially resulting in fines, corrective measures, or reputational harm.

🟡 Geopolitical and Export Control Risks

Nvidia’s investment exposes it to complex international regulatory requirements, including export controls and anti-monopoly rules. Restrictions on AI chip sales to countries such as China could result in breaches of trade laws if not carefully managed. Additionally, allegations of anti-competitive behaviour could lead to investigations or sanctions, which may disrupt business operations and delay technology deployment.

🟢 Regulatory Alignment and Market Advantage

The partnership positions both firms to lead in AI infrastructure, aligning with emerging regulatory expectations around responsible AI deployment. Compliance with privacy, cybersecurity, and trade laws – combined with transparency in AI usage and robust data governance – can enhance market credibility. Strategically, adherence to these frameworks may create a competitive advantage while demonstrating proactive risk management in a highly scrutinised industry.

Scattered Spider: Teens Charged in £39m TfL Cyber Strike

Two teenagers have been charged in connection with a cyber attack on Transport for London (TfL) that prosecutors say caused £39 million in losses and disrupted livelihoods.

Thalha Jubair (19) and Owen Flowers (18) appeared before Westminster Magistrates’ Court following arrests by the National Crime Agency (NCA) and City of London Police.

The alleged attack, described in court as “serious, extensive, sustained and highly sophisticated,” reportedly compromised TfL customer data, including Oyster card refund details and bank information. Prosecutors added that the breach posed “significant risk” to the UK economy and London residents.

Both defendants face charges under the Computer Misuse Act for conspiring to carry out unauthorised acts against TfL. Jubair also faces a further charge under the Regulation of Investigatory Powers Act for failing to disclose his device passwords.

Flowers, who was initially arrested in September 2024, is additionally accused of conspiring to infiltrate US healthcare networks, including SSM Health Care Corporation, and attempting to target Sutter Health.

Investigators believe the attack was carried out by the criminal hacking group Scattered Spider, linked to breaches at Jaguar Land Rover and Marks & Spencer. The NCA, working alongside UK policing and the FBI, has described the case as part of a wider crackdown on English-speaking cybercrime groups.

The CPS confirmed there was “sufficient evidence” to bring the case to trial, with prosecutors emphasising the public interest in pursuing proceedings. The defendants were remanded pending further hearings.

🔴 Computer Misuse and Fraud Liability

The two charged face charges under the Computer Misuse Act and related fraud offences for allegedly targeting TfL and US healthcare networks. In the UK, unauthorised access to computer systems and data carries criminal liability, including imprisonment and fines. If convicted, both defendants could face significant custodial sentences, while TfL and affected individuals may pursue civil claims for damages arising from data breaches and financial losses.

🟡 Reputational and Operational Risks for Organisations

The attack highlights the risk organisations face from sophisticated cybercrime. Failure to maintain adequate cyber security can lead to regulatory scrutiny under the UK GDPR, the Network and Information Systems (NIS) Regulations, and industry-specific obligations. Operational disruption, financial loss, and reputational damage can follow, particularly if personal or sensitive customer data is compromised. Companies must ensure robust incident response, security protocols, and staff training to mitigate these risks.

🟢 Regulatory Enforcement and Cyber Resilience

UK regulators, including the ICO and NCA, are increasingly focused on cyber threats to critical national infrastructure. Organisations that implement proactive security measures, threat monitoring, and rapid breach reporting can reduce enforcement risk and demonstrate compliance with legal obligations. Building cyber resilience not only aligns with regulatory expectations but also strengthens public trust and operational continuity in an increasingly digital economy.

TikTok Ticked Off: US Investors Step In

Rupert Murdoch and his son Lachlan are reported to be among a group of US investors preparing a bid for TikTok’s American operations. Other figures linked to the proposal include Oracle chair Larry Ellison and Dell founder Michael Dell.

The potential acquisition follows legislation passed in April 2024 requiring ByteDance, TikTok’s Chinese parent, to divest its US arm or face a nationwide ban. Lawmakers cited security concerns, warning that Beijing could access the personal data of TikTok’s 170 million American users. Enforcement of the law has been delayed while negotiations continue.

Any Murdoch involvement is expected to come through Fox Corp rather than personal investment. Lachlan Murdoch recently assumed control of the family’s media businesses, Fox Corp and News Corp, after a long-running succession battle, while Rupert Murdoch remains chairman emeritus of News Corp. Their media interests, including Fox News and the Wall Street Journal, would give them significant influence in both media and social media if the deal proceeds.

The White House has suggested that an agreement is close, with Oracle likely to oversee data storage and security for US users. The American government has emphasised that control of the platform’s algorithm must remain in domestic hands.

China has not confirmed the deal but has indicated a willingness to support commercial negotiations, provided they comply with Chinese law and balance the interests of all parties. ByteDance has not commented publicly on the reported bid.

The outcome of these talks will shape both TikTok’s future in the US and wider debates over data sovereignty.

🔴 UK Data Protection Pressure

Even if TikTok’s US arm changes hands, millions of UK users’ data remain subject to the UK GDPR and the Data Protection Act 2018. Any transfer of data linked to UK users must meet strict legal safeguards. Weak oversight of cross-border flows or inadequate privacy controls could trigger ICO investigations, fines, or corrective measures, while also harming user trust.

🟡 Media Power and Market Influence

The potential involvement of the Murdochs and other high-profile investors could create overlapping risks of media influence and competition concerns. Control over TikTok’s algorithm and content promotion could intersect with UK-facing media operations, raising questions for the Competition and Markets Authority and watchdogs over unfair market leverage or bias in content visibility. Transparency in governance and clear separation between ownership and editorial influence will be critical to mitigate these risks.

🟢 Regulatory Alignment as a Competitive Asset

Carefully designed governance could turn compliance into a strategic advantage. Demonstrating strong privacy controls, algorithmic transparency, and accessible user redress mechanisms could not only satisfy UK regulators but also bolster public confidence. TikTok could emerge as a model for reconciling foreign ownership with domestic privacy and competition expectations, giving it a long-term edge in UK and EU markets.