A new survey reveals 45 per cent of managed service providers (MSPs) are setting aside cash to pay ransomware demands, as fears over AI-fuelled cybercrime continue to mount.

MSPs Under Pressure as Ransomware Attacks Surge

The finding comes from the CyberSmart MSP Survey 2025, which examined the security posture of 900 MSPs across the UK, Europe, Australia, and New Zealand. According to the report, nearly half of those surveyed now maintain a dedicated pot of money in case they are hit by a ransomware attack, a tactic where cybercriminals encrypt a victim’s data and demand a payment for its return.

Counter To Guidance

This approach appears to run counter to guidance from insurers, governments, and law enforcement agencies, which consistently urge organisations not to pay. However, the growing scale and frequency of attacks, often powered by artificial intelligence, appear to be forcing MSPs to adopt a more pragmatic (if controversial) strategy.

“Organisations shouldn’t rely on ransomware payments; rather, they should partner with organisations that can help proactively secure them,” said Jamie Akhtar, CEO and co-founder of CyberSmart.

Be Prepared

The report’s findings highlight a deepening sense of vulnerability among MSPs, many of which provide outsourced IT and cyber-security services to small and medium-sized enterprises (SMEs). With AI-generated phishing emails, malware, and deepfakes becoming increasingly sophisticated, the pressure to be prepared for the worst has never been higher.

More Breaches, More Budgets, More Confusion

CyberSmart’s research revealed that 69 per cent of MSPs had suffered two or more cyber breaches in the last 12 months, while 47 per cent reported being hit three times or more. These incidents are not just one-off events. For example, many are the result of supply chain vulnerabilities, such as the May 2025 breach where the Dragonforce ransomware group exploited a remote monitoring and management (RMM) tool to compromise multiple MSP clients.

Faced with mounting threats, MSPs are reacting in different ways. For example, 36 per cent now rely on cyber insurance as their primary defence, while 11 per cent (worryingly) have neither cyber insurance nor a ransomware fund in place, leaving them financially and operationally exposed if attacked.

Guidance Not Clear

It seems that part of the problem is that official guidance around ransomware payments remains fragmented and unclear. While governments generally discourage paying ransoms, enforcement is inconsistent outside the public sector. “What your business is advised to do will largely depend on where you’re based and who’s advising you,” CyberSmart noted in its commentary.

This has led to a patchwork of interpretations, with some MSPs feeling they have little choice but to maintain a reserve, despite the moral and strategic risks involved.

UK Government Moves to Ban Ransomware Payments for Critical Services

In July 2025, the UK government announced proposals to ban ransomware payments for public sector bodies and operators of critical national infrastructure (CNI). The measures, introduced by the Home Office following a public consultation, would apply to organisations such as hospitals, councils, schools, and water providers, sectors where operational downtime can endanger lives.

“Ransomware is a predatory crime that puts the public at risk, wrecks livelihoods and threatens the services we depend on,” said Security Minister Dan Jarvis. “We’re determined to smash the cyber criminal business model and protect the services we all rely on.”

Private Businesses Would Need To Notify Government Before Paying

Under the proposals, private businesses would not be banned outright from paying, but would be required to notify the government before doing so. This would enable authorities to offer advice, check for potential sanctions breaches (such as paying Russian-linked gangs), and gather intelligence to disrupt criminal networks.

Cybercrime’s Business Model Under Scrutiny

The rationale behind the payment ban is to undermine the business model of ransomware gangs, which rely on victims caving in quickly to avoid reputational damage, data leaks, or prolonged disruption. However, experts have warned that banning payments, especially only for certain sectors, may not have the desired effect.

“Ransomware is largely an opportunistic crime, and most cyber criminals are not discerning,” said Jamie MacColl, a senior research fellow at the Royal United Services Institute (RUSI). “They’re unlikely to develop a rigorous understanding of UK legislation or how we designate critical infrastructure.”

Others suggest the ban could increase the stakes for victims. “If the best solution is to just turn around and say to the hackers, ‘We’re not giving in to your demands anymore,’ don’t be surprised if they double down,” said Rob Jardin, chief digital officer at NymVPN.

The British Library, one of the most high-profile public victims of ransomware in recent years, chose not to pay after an attack in October 2023 devastated its systems. “We are committed to sharing our experiences to help protect other institutions and build collective resilience,” said Chief Executive Rebecca Lawrence.

AI Attacks Are Changing the Game

Perhaps the most striking shift in this year’s CyberSmart survey is the rise of artificial intelligence as the top concern for MSPs in 2025. AI overtook ransomware itself, with 44 per cent of respondents citing it as their biggest worry, compared to 40 per cent for traditional malware and ransomware threats.

This change reflects a growing trend in how attackers operate. For example, AI tools are now being used to write convincing phishing emails, build more evasive malware, and even create deepfake audio and video to impersonate executives or support social engineering attacks.

In 2024, 67 per cent of MSPs reported falling victim to AI-enabled attacks, a figure expected to rise in 2025 as generative and agent-based AI tools become more widely available to threat actors.

However, many MSPs feel ill-equipped to counter these evolving threats, with a lack of user-friendly, AI-specific defence tools still a key issue. “MSPs are being asked to do more, with fewer tools at their disposal,” the report concludes.

Customer Expectations Are Rising, But So Is Investment

The research also showed that 84 per cent of MSPs now manage their clients’ cybersecurity infrastructure, or both their cybersecurity and broader IT estate. This shift reflects growing client expectations for MSPs to provide end-to-end protection which are the kind of expectations that often come with greater scrutiny.

According to the CyberSmart research, 77 per cent of MSPs said potential customers are now evaluating their cyber credentials more carefully, especially in the procurement stage.

To meet demand, it seems that MSPs are now investing heavily. For example, 81 per cent have increased spend on hiring security specialists, and 78 per cent have upped budgets for cyber defence tools, training, and client services. Compliance is also high on the agenda, with 60 per cent hiring regulatory specialists and 64 per cent enhancing capabilities to align with frameworks such as NIS2 in the EU and the UK’s upcoming Cyber Security and Resilience Bill.

According to NCSC Director of National Resilience Jonathon Ellison, such steps are critical: “Ransomware remains a serious and evolving threat, and organisations must not become complacent. All businesses should strengthen their defences using proven frameworks such as Cyber Essentials.”

MSPs Prepared Yet Vulnerable

Despite the high rate of breaches, MSPs remain surprisingly confident in their security posture. For example, CyberSmart found that 76 per cent rate their cyber confidence as above average or higher. That said, only 20 per cent described their confidence as complete, suggesting that many know there’s room for improvement.

Looking at this research, for businesses relying on MSPs to manage their security, the message appears to be that while many providers are stepping up their game, others are still reacting to threats in ways that may not align with long-term best practice.

Co-op CEO Shirine Khoury-Haq, who oversaw the retailer’s response to a Scattered Spider ransomware attack, captured the sentiment well, saying: “What matters most is learning, building resilience, and supporting each other to prevent future harm. This is a step in the right direction for building a safer digital future.”

What Does This Mean For Your Organisation?

For MSPs and their clients, the emergence of ransomware funds could be seen as a move from aspirational resilience to operational realism. Despite official advice against paying cybercriminals, it seems that many MSPs clearly believe they cannot afford to be unprepared. With 69 per cent already breached multiple times in a single year and AI accelerating the scale and complexity of attacks, the temptation to hold a contingency reserve is understandable. However, this pragmatic stance may also entrench the very business model that governments and law enforcement are working hard to dismantle.

The UK’s proposed ransomware payment ban for public bodies and CNI highlights just how far official thinking has moved towards systemic deterrence. However, the exclusion of private businesses from that ban, and the option for them to pay under notification, risks creating an uneven response that may ultimately frustrate enforcement and dilute its impact. As Jamie MacColl pointed out, most ransomware gangs operate opportunistically and will not necessarily distinguish between regulated and unregulated targets. This raises questions about whether partial bans can realistically alter attacker behaviour.

For UK businesses, especially SMEs dependent on MSPs for protection, the findings raise difficult questions. For example, while many providers are making serious investments in tools, people, and compliance, others are still relying on reactive strategies that may offer short-term cover but little long-term assurance. The increasing scrutiny on MSPs is likely to intensify, particularly as clients seek partners who are both cyber confident and operationally transparent. Businesses must now evaluate not only whether their MSP has a ransomware plan, but also whether that plan reflects best practice or a compromise born of confusion.

For regulators, the lack of clarity and consistency around ransomware responses remains a core problem. Guidance alone is proving insufficient. A broader and more unified framework, alongside mandatory reporting, may be needed to help ensure MSPs, their clients, and their insurers are working from the same playbook. For now, the reliance on private ransomware funds points to a cyber landscape still dominated by tactical survival rather than strategic coordination.

WhatsApp has been denied permission to join a major legal challenge over UK government demands for access to encrypted data, as a special tribunal confirms a seven-day public hearing will go ahead in 2026.

WhatsApp Shut Out of High-Stakes Encryption Fight

The Investigatory Powers Tribunal (IPT), which hears complaints about UK surveillance and investigatory powers, has rejected an application by WhatsApp to intervene in two linked legal challenges over the use of secret government powers to weaken encryption.

The challenges stem from a reported Technical Capability Notice (TCN) issued by the Home Office in January 2025. Under the UK’s Investigatory Powers Act, a TCN can compel a company to build or alter technology to ensure it can be accessed by government agencies under lawful authority.

In this case, the order reportedly demanded that Apple provide access to encrypted user data stored globally on its iCloud platform, including material protected by its Advanced Data Protection (ADP) service.

Apple responded in February by withdrawing the ADP feature from UK users, publicly stating that it would never build “a backdoor or master key” into its products. The move drew attention on both sides of the Atlantic, triggering concerns in the US about the implications for American users and businesses.

In March, Privacy International, Liberty, and two individual claimants filed a legal challenge to the secrecy and legality of the Home Office’s reported actions. Apple launched its own legal case in parallel.

Then, in April, the Home Office attempted to argue that the full case should be heard behind closed doors. This was rejected by the IPT following objections from ten media organisations. The tribunal opted instead for a novel legal approach which was to proceed on the basis of “assumed facts”, allowing as much of the hearing as possible to be held in public while preserving the government’s right to “neither confirm nor deny” the existence of the order.

WhatsApp applied to intervene in both cases in June, citing the risk of a precedent that could erode the encryption protections used by billions of people. However, on 23 July, the Tribunal refused the application. A seven-day public hearing will now go ahead in early 2026, combining Apple’s case and the Privacy International-led challenge.

A Public Hearing, But Based on Assumed Facts

Although much of the government’s activities around encryption remain secret, the IPT has ruled that the bulk of Apple’s and Privacy International’s legal arguments will be heard in open court at a seven-day hearing, now scheduled for early 2026.

In a bid to balance transparency with national security, the tribunal will proceed on the basis of “assumed facts” rather than actual confirmation of the Home Office’s reported order. The government will be permitted to maintain its official “neither confirm nor deny” (NCND) position on the existence of the TCN, even though details have been widely leaked and reported.

Why?

It seems that this approach allows both Apple’s and Privacy International’s legal arguments to be made in public, without requiring sensitive details to be aired in a closed court. The IPT had previously rejected attempts by the Home Office to keep the entire case behind closed doors, following objections from a coalition of media outlets including the BBC, The Guardian and Computer Weekly.

A Frustrated WhatsApp Pushes Back

WhatsApp expressed clear frustration at the decision to exclude it from proceedings. CEO Will Cathcart previously submitted written evidence raising concerns that the UK order sets “a dangerous precedent for security technologies that protect users around the world”.

Cathcart stated: “We’ve applied to intervene in this case to protect people’s privacy globally. Liberal democracies should want the best security for their citizens. Instead, the UK is doing the opposite through a secret order.”

Following the ruling, a WhatsApp spokesperson added: “This is deeply disappointing, particularly as the UK’s attempt to break encryption continues to be shrouded in layers of secrecy. We will continue to stand up to governments that try to weaken the encryption that protects people’s private communication.”

The company has repeatedly warned that mandating backdoors, i.e. ways for governments to access encrypted systems, would compromise security not just for criminals, but for all users, exposing communications to cybercriminals and hostile states.

Apple Takes a Stand (And a Step Back)

Apple has also taken a firm stance against the Home Office’s demands. For example, in February 2025, it withdrew its Advanced Data Protection (ADP) service from UK customers, rather than comply with the TCN’s reported requirements.

ADP enables users to encrypt their iCloud backups using end-to-end encryption, meaning not even Apple can access the data. The feature remains available in other countries.

In a statement at the time, Apple said: “As we have said many times before, we have never built a backdoor or master key to any of our products or services, and we never will.”

Apple’s legal challenge is separate from the civil liberties group case, but will be heard during the same week as part of the IPT’s coordinated hearing.

Why This Matters and What’s at Stake

The case matters because it has significant implications for privacy, national security, and the power of democratic oversight. At its heart is a tension between the UK government’s claim that it must access encrypted data to fight terrorism and child abuse, and the tech industry’s position that weakening encryption threatens the security of everyone.

Technical Capability Notices, while rarely discussed in public, give the Home Office power to compel companies to make their systems interceptable. This can include designing or modifying services to allow for lawful access, which is something encryption advocates have long argued is incompatible with true end-to-end encryption.

Smokescreen?

Campaigners such as Privacy International argue that the UK is using national security as a “smokescreen” to bypass proper scrutiny and safeguards. Legal Director Caroline Wilson Palow criticised the government’s NCND stance, saying: “We are being forced to sustain the fiction that the order does not exist, which may hinder our ability to grapple fully with its legal ramifications.”

Privacy International’s challenge also questions the lawfulness and necessity of the regime underpinning TCNs, including whether they are being used proportionately and with sufficient parliamentary oversight.

International Repercussions and Political Fallout

It seems that the Home Office’s efforts have not only raised legal alarms but have also sparked diplomatic tensions. For example, the Financial Times recently reported that UK officials are now exploring ways to de-escalate the row with the US government, which sees the order against Apple as a breach of sovereignty.

US President Donald Trump and Director of National Intelligence Tulsi Gabbard have both condemned the UK’s actions, warning that attempts to access the encrypted data of US citizens could be considered a hostile act.

Gabbard described the move as “a clear and egregious violation”, and there have been calls in Washington for changes to the US CLOUD Act to limit the extraterritorial reach of UK orders.

What Comes Next?

The Tribunal’s case management order paves the way for a high-profile legal test in early 2026. The hearing is expected to include arguments on the legal limits of the UK’s investigatory powers, the technological realities of encryption, and whether governments can compel private firms to compromise the security of their own systems.

The hearing’s outcome may shape the future of encrypted communications not only in the UK, but globally. If the IPT upholds the TCN, it could embolden similar efforts in other jurisdictions. If it rules in favour of Apple and Privacy International, it could reinforce legal limits on surveillance powers.

While WhatsApp is now shut out of this phase of the process, the company and others offering secure communications are likely to keep pushing back, through lobbying, public advocacy, and possibly future legal action. For businesses and consumers relying on encrypted services to protect sensitive data, the stakes are high.

What Does This Mean For Your Business?

The hearing will be closely watched by UK businesses that rely on cloud services, secure messaging, and encrypted backups to safeguard client data and protect against cyber threats. If the government’s approach is upheld, it could signal the start of broader obligations on tech providers to ensure government access by design. That would pose real concerns for sectors handling sensitive information, including finance, legal services, healthcare and defence, where robust end-to-end encryption is often a regulatory or contractual expectation.

Although the Home Office claims such powers are essential for national security and criminal investigations, many critics argue (and have long done so) that the very existence of compelled access could weaken the technical integrity of services relied on by billions of people. From a commercial perspective, compliance with such orders may require re-engineering platforms, reducing user trust, or even withdrawing features entirely, as Apple has already done. For global technology firms operating in the UK, the outcome of this case could determine whether the market remains viable under increasingly intrusive obligations.

WhatsApp’s exclusion also raises questions about who gets to speak for encryption. As the leading end-to-end messaging platform, its technical perspective and global footprint might reasonably have added weight to the Tribunal’s understanding of broader risks. Its absence means the court will hear arguments from campaigners and Apple alone, but the ruling will likely affect a much wider community of providers, developers and users.

The Tribunal’s decision to hold a mostly open hearing is a rare opportunity for meaningful legal and public scrutiny of the UK’s approach to encrypted data. However, the reliance on “assumed facts” and continued insistence on neither confirming nor denying the order’s existence means that transparency will remain partial. For those on all sides of the encryption debate, that balancing act between openness and secrecy is likely to remain a defining feature of the months ahead.

The UK has switched on its most powerful supercomputer to date, Isambard-AI, a machine purpose-built for artificial intelligence research that now ranks 11th globally in the TOP500 list.

A Major Leap in UK Computing Power

Isambard-AI was officially launched in mid-July at the University of Bristol, marking a significant milestone in the UK’s push to become a global leader in AI and high-performance computing (HPC). Developed by Hewlett Packard Enterprise (HPE) using its advanced Cray EX architecture, the system is powered by more than 5,400 NVIDIA GH200 Grace Hopper Superchips and is housed within the Bristol Centre for Supercomputing.

Its raw computing performance reaches 216.5 petaflops, with a peak theoretical output of 278.6 petaflops. For comparison, one petaflop equals one quadrillion (that’s 1,000,000,000,000,000) calculations per second … i.e a million billion! To put that in context, Isambard-AI is over ten times more powerful than the UK’s next-fastest system, London’s Njoerd supercluster.

Also, this new machine is not just the fastest in the country, but also ranks sixth in Europe and is currently the fourth greenest supercomputer in the world, according to the Green500 sustainability rankings.

What Exactly Is a Supercomputer?

Supercomputers are specialised computing systems built to process enormous quantities of data at extremely high speed. Unlike everyday computers, which typically operate using a handful of processing cores, supercomputers use thousands, or in Isambard-AI’s case, tens of thousands, to perform vast numbers of calculations in parallel. This makes them indispensable for complex simulations, deep learning models, and data-heavy scientific research.

Isambard-AI is part of the UK’s Artificial Intelligence Research Resource (AIRR), a national programme aimed at making cutting-edge computing capacity available to public researchers and innovators. This includes major UK universities, startups, and even NHS-linked projects.

Built for AI But Designed for More

Although it has been purpose-built with AI workloads in mind, Isambard-AI is also designed to accelerate scientific discovery across a range of domains. For example, early projects already underway include helping researchers at University College London develop faster, more accurate prostate cancer detection systems, and assisting scientists at Liverpool in the discovery of greener, more sustainable industrial materials.

Isambard-AI is also expected to play a role in climate modelling, vaccine research, and training of large language models (LLMs), which require substantial computational resources. These capabilities align with the government’s broader ambitions to use AI to tackle national challenges, such as reducing NHS waiting times and supporting energy transition goals.

Peter Kyle, the UK’s Secretary of State for Science, Innovation and Technology, described the supercomputer as a catalyst for national progress: “Today we put the most powerful computer system in the country into the hands of British researchers and entrepreneurs… It will propel the UK to the forefront of AI discovery.”

Bristol at the Centre of UK Supercomputing

Isambard-AI is hosted at the National Composites Centre near Bristol, a strategic choice given the University of Bristol’s long-standing leadership in high-performance computing and AI research. The supercomputer’s name Isambard also comes from Isambard Kingdom Brunel, the pioneering Victorian engineer whose legacy is deeply tied to Bristol through landmark projects like the Clifton Suspension Bridge and the Great Western Railway.

The university already operates another major system, Isambard 3, a CPU-based machine aimed at traditional scientific modelling. Together, the two systems provide an integrated platform for advanced research, all with an eye toward sustainability.

According to Professor Simon McIntosh-Smith, Director of the Bristol Centre for Supercomputing, “We built Isambard-AI to serve the UK research community and help solve some of the world’s toughest problems. Seeing it recognised among the world’s best is a real testament to what’s possible when brilliant people come together with a shared vision.”

He also noted the importance of partnerships in realising the project, thanking contributors including HPE, NVIDIA, Arm, DSIT, UKRI, and STFC.

Where It Ranks Globally And Why That Matters

In the June 2025 TOP500 rankings, an internationally respected benchmark for supercomputers, Isambard-AI entered the list at number 11, placing the UK firmly back on the global HPC map.

At the top of the list is El Capitan, a US-based machine boasting an actual performance of 1,742 petaflops. Other American systems, Frontier and Aurora, rank second and third respectively, both operating at the exascale level, a threshold defined as at least 1,000 petaflops. These machines are considerably more powerful, but also reflect much higher investment levels and longer development cycles.

Europe’s top contender, Germany’s JUPITER Booster, ranks fourth, while Italy’s HPC6 (6th) and Leonardo (10th), Switzerland’s Alps (8th), and Finland’s LUMI (9th) also sit in the top 10. Isambard-AI’s arrival just outside this elite group is still a substantial leap for the UK, which in recent years had slipped behind in HPC capacity.

Its global position also supports the UK’s industrial ambition. For example, as the government stated in its July announcement, the goal is not merely to use AI technologies but to become an “AI maker rather than an AI taker”.

A Publicly Funded, Open Access System

The development of Isambard-AI was funded through a £225 million government investment, part of a wider strategy to create national infrastructure for emerging technologies. The system is built to be open-access, meaning academic researchers, public institutions, and SMEs across the UK can apply for use, thereby potentially democratising access to otherwise inaccessible computing power.

Will Work With Dawn

Isambard-AI will work in tandem with Dawn, another AI-focused machine based at the University of Cambridge, though the systems are not physically connected. Both form the initial backbone of the UK’s AIRR initiative, which aims to expand computing resources twenty-fold over the next five years.

Alongside this, the government is investing in skills development, pledging to train 1 million students and 7.5 million adults in AI-related skills in the coming years.

Challenges, Costs and Competition

Despite the achievement, Isambard-AI is not without its challenges. For example, one significant concern is energy use. Supercomputers are notoriously power-hungry, and although Isambard-AI ranks highly for energy efficiency, its environmental impact is still non-trivial. Liquid cooling systems and heat recovery features help mitigate this, but the issue remains a live one, especially as public scrutiny of AI’s environmental footprint increases.

There are also questions about how effectively such a system can be accessed and utilised outside of academia. While the machine is open to UK researchers, some have warned that access processes can be bureaucratic or overly restrictive, potentially limiting SME and startup engagement.

Another challenge lies in keeping pace with international rivals. Although Isambard-AI is the UK’s most powerful supercomputer today, its time at the top may be brief. A £750 million investment in a future exascale system in Edinburgh has already been announced — one that could launch later this decade and potentially place the UK within the top five globally.

David Hogan, NVIDIA’s European Vice President, described Isambard-AI as “a truly transformational machine”, but acknowledged that this is “just a starting point”. For Britain to retain its momentum in AI and supercomputing, further investment, collaboration and long-term strategy will be essential.

What Does This Mean For Your Business?

Looking ahead, the arrival of Isambard-AI marks a critical inflection point in the UK’s scientific and technological capabilities. With serious backing from government and academia, it gives British researchers and developers access to one of the most powerful computing tools currently available anywhere in the world. That matters not just for scientific prestige, but for practical impact. From accelerating cancer diagnostics to designing greener materials, this machine is already being used to tackle problems with far-reaching consequences.

For UK businesses, particularly in life sciences, clean tech, and AI development, the launch could lower the barriers to entry for high-performance computing. By offering open access through the national AI Research Resource, smaller firms and startups may gain capabilities previously reserved for large institutions or well-funded labs. If the system is made genuinely accessible in practice as well as in principle, it could give British tech innovators a competitive edge in a global market that increasingly depends on large-scale compute.

At the same time, the launch sends a clear signal internationally. After years of falling behind in supercomputing capacity, the UK is now back in contention. Although it still lags behind US and some European systems in raw performance, Isambard-AI has vaulted the UK into the top tier of AI infrastructure providers. The challenge now will be maintaining that momentum. With a more powerful exascale machine already planned in Edinburgh, the question will not just be how fast these systems are, but how effectively they are integrated into wider research and commercial ecosystems.

Isambard-AI shows what’s possible when public investment, private expertise and academic leadership align around a shared goal. The task now is to ensure it delivers not just world-class performance, but world-class value.

Dutch file-sharing platform WeTransfer has sparked uproar after quietly adding language to its terms of service suggesting it could use customer files to train AI models, then swiftly removing the clause following backlash.

What Users Spotted and Why It Sparked Alarm

The controversy erupted in mid-July when eagle-eyed WeTransfer users, including high-profile creatives, flagged an update to the company’s terms of service set to take effect on 8 August 2025. In particular, Section 6.3 introduced wording that granted WeTransfer a “perpetual, worldwide, non-exclusive, royalty-free, transferable, sub-licensable licence” to use uploaded files for operating and developing the service, including, crucially, to “improve performance of machine learning models that enhance our content moderation process.”

To many, that appeared to signal a quiet expansion of rights that could allow WeTransfer to use (or even monetise) user-uploaded content for artificial intelligence (AI) training.

Among the concerned voices was UK children’s author and illustrator Sarah McIntyre, who took to X (formerly Twitter) to say: “I pay you to shift my big artwork files. I DON’T pay you to have the right to use them to train AI or print, sell and distribute my artwork and set yourself up as a commercial rival to me.”

It seems that such concerns weren’t unfounded. The clause appeared to echo patterns seen elsewhere in the tech world, where companies including Zoom, Adobe, Slack and Dropbox have faced recent backlash over vague or overly broad licensing updates connected to AI development. As AI tools become more powerful and accessible, the question of whose data fuels them, and with what consent, has become a flashpoint in digital rights and trust.

Why This Matters for Business Users

For many creatives and businesses, WeTransfer has long positioned itself as a privacy-respecting, user-friendly alternative to more data-hungry services. Its clean interface, strong brand identity, and explicit support for the creative industries made it especially popular with freelancers, studios, and design teams.

However, as a result of this latest incident, that trust now appears to be under scrutiny. If the AI clause had remained, businesses could have faced the uncomfortable possibility that internal documents, pitch decks, drafts, artwork, or sensitive visual assets might be used, not just to train algorithms, but potentially to inform systems well beyond the original upload. Even if restricted to content moderation purposes, the lack of clarity raised red flags.

For example, a design agency transferring client work via WeTransfer might wonder whether its bespoke assets could end up being parsed for machine learning, however indirectly. A photographer might fear her original image files could be used to train image recognition or generation tools. And a marketing firm sharing early brand materials might question what “derivative works” could technically include.

Although WeTransfer insists that no such usage has occurred, the lack of clear technical limitations in the original clause left too much room for doubt.

WeTransfer’s Response

Within days of the backlash, WeTransfer issued a formal press release clarifying its position. It insisted that the controversial clause was a misstep and that the company does “not use user content to train AI models, nor do we sell or share files with third parties.” The company acknowledged that AI had been under consideration “to improve content moderation,” but confirmed that “such a feature hasn’t been built or deployed in practice.”

The statement added: “We’ve since updated the terms further to make them easier to understand. We’ve also removed the mention of machine learning, as it’s not something WeTransfer uses in connection with customer content and may have caused some apprehension.”

Clause Now Dropped

Following the uproar, it seems that, in an updated version of Section 6.3, the AI-related clause was dropped entirely. For example, the new text grants WeTransfer a royalty-free licence to use content strictly for “operating, developing, and improving the Service, all in accordance with our Privacy & Cookie Policy.” Importantly, it reinforces that users retain ownership and intellectual property rights over their content, and that processing complies with GDPR and other privacy regulations.

What’s Changed and What Hasn’t?

From a legal perspective, WeTransfer’s licensing terms weren’t entirely new. Earlier terms already included broad usage rights necessary to operate the service, such as the ability to scan, index, and reproduce files. However, the new inclusion of AI-specific language, especially amid public concern about AI and data usage, introduced a new level of perceived risk.

As the company explained: “The language regarding licensing didn’t actually change in substance compared to the previous Terms of Service… The change in wording was meant to simplify the terms while ensuring our customers can enjoy WeTransfer’s features and services as they were built to be used.”

Nonetheless, perception matters. For example, the way the AI clause was introduced, without technical limitations, public explanation, or opt-out options, appeared to really undermine confidence at a time when many businesses are increasingly sensitive to data governance.

Broader Industry Fallout and Lessons for Tech Providers

WeTransfer is far from alone in facing scrutiny over AI terms. For example, back in 2023, Zoom had to walk back similar policy updates after suggesting it could use customer audio and video to train its AI models. Dropbox, Slack, and Adobe have all been forced to issue clarifications in recent months after terms of service changes sparked similar fears.

For regulators, the episode highlights ongoing gaps in user protection. In the UK, the ICO (Information Commissioner’s Office) has warned companies that AI development must respect explicit consent, clarity of purpose, and data minimisation, all of which could come under strain when licensing terms are broadly written.

For businesses, the incident is a reminder to read the fine print, especially as more cloud services evolve their models to incorporate generative AI, content filtering, and user analytics.

As an example, a marketing team using file-sharing services or cloud-based creative tools should now routinely assess licensing clauses for AI-related language, even if those features are not currently in use. Procurement teams may also need to establish red lines around AI usage to safeguard proprietary material.

Trust Takes Time to Build And Moments to Erode

Despite WeTransfer’s efforts to clarify and course-correct, replies on social media appear to remain largely sceptical. Some users have suggested the company had been testing the waters for broader AI permissions, only to retreat when the backlash hit. Others have expressed a desire to move to alternatives, such as Swiss-based Tresorit or Proton Drive, that offer end-to-end encryption and stronger privacy guarantees.

While WeTransfer may weather the storm, the event highlights a wider issue for the tech industry, i.e., transparency around AI is no longer optional. As public awareness of AI training practices grows, even small wording changes can trigger major reputational fallout. And for companies built on the trust of creative professionals, that risk is especially acute.

What Does This Mean For Your Business?

For UK businesses and creative professionals in particular, this episode serves as a clear warning that assumptions about how cloud-based platforms handle data can no longer be taken at face value. The practical risk may have been limited in this instance, but the reputational impact is real, and the consequences of poor communication are hard to reverse. For companies that regularly transfer visual, written, or proprietary material via WeTransfer or similar services, it may prompt a review not only of terms and conditions, but of where and how sensitive files are shared in future.

For WeTransfer, the timing could hardly be worse. As demand grows for privacy-conscious alternatives in an AI-saturated market, any perception of blurred boundaries risks handing competitive advantage to rivals positioning themselves as more transparent or security-first. Providers such as Proton Drive, Filestage and Internxt are already responding to this shift, actively marketing their commitment to zero-knowledge infrastructure and end-to-end encryption.

Regulators and legal teams are also likely to be watching closely. The blurred line between operational necessity and expansive licensing is fast becoming a regulatory priority. In the UK, organisations working in regulated sectors, such as legal, health or financial services, may find that contract terms involving generative AI now trigger enhanced scrutiny from internal compliance and external auditors alike.

The broader takeaway from this story is that, as AI becomes more embedded in the digital infrastructure businesses rely on, consent must be granular, wording must be clear, and trust must be continually earned. WeTransfer’s quick backtrack may limit the immediate fallout, but it will likely be remembered as yet another sign of how easily tech companies can alienate users when they fail to communicate transparently, especially when the stakes involve creative ownership, client confidentiality, and commercial value.

Microsoft has confirmed that Chinese state-linked hackers are exploiting critical flaws in on-premises SharePoint servers to steal data and deploy ransomware.

The groups, known as Linen Typhoon, Violet Typhoon, and Storm-2603, are targeting government, defence, and business organisations by abusing spoofing and remote code execution vulnerabilities. Cloud-based SharePoint systems are not affected.

Victims have been reported across multiple sectors and countries, including the UK. Microsoft says the attacks allow hackers to steal credentials, disable security tools, and spread ransomware such as Warlock.

Storm-2603, a China-based group, has been observed using a malicious script called spinstall0.aspx to gain access and escalate privileges inside networks. Microsoft has warned that more attackers are likely to adopt these methods.

To stay secure, businesses using on-prem SharePoint must install Microsoft’s latest security updates, rotate ASP.NET machine keys, enable AMSI protection, and use advanced endpoint detection tools to block post-exploit activity.

Norwegian investment giant Aker has revealed plans to construct a large-scale AI facility inside the Arctic Circle, capitalising on green energy and a growing Nordic tech race.

Major Investment With Strategic Ambitions

Aker ASA, the Oslo-based industrial investment firm controlled by billionaire Kjell Inge Røkke, has announced plans to establish a major artificial intelligence (AI) “factory” in Narvik, a coastal city in northern Norway. Located 220km within the Arctic Circle, the site is already prepped for construction and has access to 230 megawatts (MW) of clean energy.
Described by Aker as a “catalyst for industrial development, job creation, and export revenues,” the project positions itself at the heart of a growing international race to create energy-efficient data infrastructure for AI workloads. CEO Øyvind Eriksen said the new facility would help Norway seize a key opportunity in an evolving digital economy: “AI and data centres are becoming foundational to global business, and northern Norway is uniquely positioned to benefit.”

Start Work Later This Year

While the company has not yet disclosed a total construction cost or timeline for the facility’s completion, the site in Narvik is said to be “construction ready”, with early groundwork expected to begin later this year, pending partnership agreements. Negotiations with potential technology providers and anchor customers are currently underway.

What Is an “AI Factory” and Why the Arctic?

The term “AI factory” refers to a data centre designed to support high-performance computing (HPC), particularly the large-scale training and deployment of AI models. These facilities require huge amounts of electricity to power and cool thousands of graphics processing units (GPUs), the hardware typically used for advanced AI tasks.

In recent years, tech companies and infrastructure investors have turned to northern regions where natural cooling and cheap renewable electricity offer environmental and economic advantages. Narvik, with its access to stable, low-cost hydropower and cool year-round temperatures, provides precisely the conditions needed for sustainable AI operations.
For example, data centres in warmer climates often need complex and energy-intensive cooling systems. In Narvik, ambient air can be used for much of the cooling, significantly reducing operational emissions. Aker’s plan aligns with a broader trend across the Nordics, where countries are leveraging their green energy grids and favourable climates to attract the next generation of digital infrastructure.

Aker’s Portfolio and Strategic Focus

Founded in 1841, Aker ASA is one of Norway’s largest industrial investment firms. The company has long-standing interests in sectors including energy, marine biotechnology, oil and gas, and software. Its current portfolio includes Cognite, a software company that delivers industrial AI and data solutions, and Seetee, a digital assets firm that holds Bitcoin and invests in blockchain infrastructure. Both are majority-owned and operated through Aker’s tech division.

In its Q2 2025 earnings update, Aker reported a 7.4 per cent rise in net asset value, reaching NOK 66.5 billion (£4.9 billion). The company also confirmed it was consolidating its data centre activities under direct ownership, a signal that the Narvik development will form a core part of its long-term infrastructure play.

The move comes as part of a wider shift in Aker’s strategy, with CEO Øyvind Eriksen stating that AI represents “a new value chain,” and that Norway’s combination of political stability, clean energy and industrial expertise makes it an attractive location for such ventures.

Part of a Larger Nordic Trend

The Nordics (Norway, Sweden, Denmark, Finland, and Iceland) have emerged as one of the world’s fastest-growing regions for AI data infrastructure, drawing investment from tech giants and local firms alike. Last year, Google pledged €1 billion (£850 million) to expand its Hamina data centre campus in southern Finland, its seventh such expansion. Microsoft followed suit with a $3.2 billion (£2.5 billion) commitment to boost its AI and cloud capacity across Sweden.

Amsterdam-based Nebius, a cloud firm backed by Yandex co-founder Arkady Volozh, announced in October that it would triple GPU capacity at its Mäntsälä facility in Sweden. The site is now being scaled to run 60,000 GPUs dedicated to AI workloads, making it one of Europe’s most powerful AI installations.

Also, as a sign of increasing local innovation, Finnish startup Silo AI was acquired by chipmaker AMD for $665 million (£515 million) last year, underlining growing investor confidence in the region’s AI ecosystem.

Narvik’s Unique Position

It seems that Narvik is no stranger to strategic importance. For example, historically a transport hub for iron ore, the city now sits at the centre of what the Norwegian government calls “Green North”, a zone being positioned for energy-intensive industries powered entirely by renewable sources.

The site earmarked by Aker lies close to existing transmission infrastructure and has direct access to locally generated hydropower. According to Statnett, Norway’s national grid operator, the northern region benefits from surplus electricity and lower wholesale energy prices compared to southern parts of the country.

This abundance of clean energy has not gone unnoticed. Eriksen described the Arctic setting as “ideal for long-term, sustainable digital infrastructure”, highlighting the region’s potential to export data processing as a service, similar to how Norway exports energy and aluminium today. For example, the Narvik facility could process AI training workloads on behalf of global clients, using only renewable energy and naturally cooled systems, giving it a unique carbon advantage compared to data centres in North America or Asia.

Economic and Industrial Impacts

Aker says the AI factory will generate new local jobs in both construction and operations, while also stimulating the broader northern economy. Although specific employment numbers have not yet been released, regional leaders have welcomed the project as a sign of renewed industrial confidence.

Local authorities in Narvik have also indicated that they are keen to develop a technology cluster around the facility, offering incentives to secondary businesses such as equipment suppliers, repair services, and housing developments.

For Aker, the facility may strengthen its position in a growing sector while complementing its existing investments in digital infrastructure. By owning both the compute (via the AI factory) and the software layer (via Cognite), the firm may be able to offer vertically integrated industrial AI services to its portfolio companies and beyond.

UK and European businesses could benefit as well. For example, with growing pressure to decarbonise digital operations, firms may soon look to outsource high-energy AI processing to low-carbon providers, particularly those in stable jurisdictions like Norway.

Challenges and Concerns

However, the project is not without its critics. For example, some environmental groups have raised concerns about the true impact of AI-related energy use, arguing that even renewable-powered data centres could crowd out other local energy needs or require future grid upgrades.

There are also broader geopolitical and regulatory questions. The AI arms race has triggered export restrictions on high-end GPUs and computing technology, particularly between the US and China. For Norway, which remains outside the European Union but closely aligned through the EEA agreement, balancing access to global supply chains with national interests could become increasingly complex.

Also, while the Narvik site boasts favourable conditions today, questions remain around long-term cooling efficiency, particularly as GPU densities increase and water-based cooling becomes more common. Some analysts have cautioned that being early to market brings both opportunity and risk.

That said, Aker insists that its approach is grounded in long-term ownership and sustainability. In a statement accompanying the announcement, Eriksen said: “Our industrial DNA means we take a patient, value-creating view. This isn’t about short-term gains—it’s about building infrastructure that serves future generations of technology.”

More detailed timelines, costs, and partnerships are expected to be disclosed later this year.

What Does This Mean For Your Organisation?

If Aker succeeds in building a commercially viable AI facility powered by Arctic hydropower, it could set a new benchmark for how digital infrastructure is developed and operated in a low-carbon economy. While the company has yet to reveal the full technical and financial details, the decision to base the facility in Narvik reflects a deliberate strategy to align technological ambition with environmental responsibility. This positions Aker as not just a backer of industrial innovation, but a potential driver of regional transformation in northern Norway.

For Norway itself, the project signals an opportunity to diversify beyond oil and gas while still playing to its strengths in energy, engineering, and export-led industrial development. The Narvik factory is being framed as part of a new value chain, one where data, like oil before it, becomes a national resource to be harnessed and exported. That framing carries economic and political weight, especially as countries seek to balance growth with climate goals.

From a business perspective, the implications stretch beyond Scandinavia. For example, UK companies under growing pressure to meet sustainability targets could find that shifting AI workloads to greener, offshore compute centres is an attractive alternative to expanding domestic infrastructure. With corporate ESG commitments under scrutiny and AI workloads expected to surge, outsourcing to renewables-based facilities may become part of the commercial risk-reduction strategy.

Even so, the success of this model depends on the reliability and scalability of the energy supply, on keeping operational costs competitive, and on navigating geopolitical and supply chain uncertainty. As governments consider how to regulate AI, data sovereignty and infrastructure ownership will remain sensitive issues. In Norway and beyond, Aker’s Arctic AI factory may, therefore, serve as both a proving ground and a pressure test for the next chapter of sustainable industrial development.

This video shows how it’s now easier than ever to personalise your CoPilot, so that you can get it to operate to your very own specifications and personalise your way of doing things …

[Note – To Watch This Video without glitches/interruptions, It may be best to download it first]

Need to share sensitive information without leaving a record? WhatsApp now lets you send voice notes that automatically disappear after being listened to only once.

How to:

– Open an individual or group chat in WhatsApp.
– Tap and hold the microphone icon, swipe up to lock the recording.
– Tap the “1” View‑Once icon when it turns green to enable it.
– Record your message and tap send – it disappears after first playback.

What it’s for:

Ideal for sharing things like short instructions, passwords, or reminders—without leaving a lasting voice note in your chat history.

Pro‑Tip: Voice messages sent this way expire after 14 days if not opened and cannot be forwarded, saved or starred. Ensure the recipient has read receipts enabled so you can see when they’ve listened.

ChatGPT can now act on your behalf, using its own virtual computer to complete complex tasks, browse the web, run code, and interact with online tools, all without step-by-step prompting.

ChatGPT As An ‘AI Agent’

OpenAI has formally launched what it calls the ChatGPT agent, transforming its well-known conversational model into a proactive digital assistant capable of completing real tasks, independently choosing tools, and reasoning through multi-step workflows.

This new functionality, now available to paying subscribers, marks a significant turning point. For example, rather than simply responding to prompts, ChatGPT can now act as a true AI agent, performing tasks such as planning a meal, generating a financial forecast, writing and formatting a presentation, or summarising your inbox. Crucially, it can also interact with websites, manipulate files, and run code using its own virtual machine.

“We’ve brought together the strengths of our Operator and deep research systems to create a unified agentic model that works for you—using its own computer,” OpenAI explained in a blog post on 17 July. “ChatGPT can now handle complex tasks from start to finish.”

What the ChatGPT Agent Can Actually Do

OpenAI says the agentic version of ChatGPT can choose the best tools to solve a problem and it can perform multi-step operations without being micromanaged by the user.

For example:

– Users can ask ChatGPT to analyse their calendar and highlight upcoming client meetings, incorporating relevant news about those companies.

– It can plan a dinner for four by navigating recipe websites, ordering ingredients, and sending the shopping list via email.

– In professional settings, it may be used to analyse competitors, generate editable slide decks, or reformat financial spreadsheets with up-to-date data.

Its Own Toolkit

Technically, the agent achieves this by drawing on a powerful toolkit, i.e. a visual browser, text-based browser, command-line terminal, access to OpenAI APIs, and “connectors” for apps like Gmail, Google Drive, or GitHub. OpenAI reports that it can navigate between tools fluidly, running tasks within a dedicated virtual computer environment that preserves context and session history.

This context-awareness means it can hold onto prior steps and continue building on them. For example, if a user uploads a spreadsheet to be analysed, ChatGPT can extract key data, switch to a browser to find supporting info, and return to the terminal to generate a report, all within one session.

OpenAI describes the experience as interactive and collaborative, not just automated. Users can interrupt, steer or stop tasks, and ChatGPT will adapt accordingly.

Who, When, and How?

The new ChatGPT agent capabilities are being rolled out initially to paying customers on the Pro, Plus, and Team plans. Enterprise and Education users will follow in the coming weeks.

To access agent mode, users need to open a conversation in ChatGPT and select the ‘agent mode’ option from the tools dropdown. Once enabled, users can assign complex tasks just as they would in a natural chat. On-screen narration gives visibility into what the model is doing at each step.

Pro users get 400 messages per month, while Plus and Team users receive 40 per month, with more usage available through paid credits.

Although the rollout is currently limited, OpenAI says it is “working on enabling access for the European Economic Area and Switzerland” and will continue improving the experience.

Why OpenAI Is Doing This Now?

OpenAI’s move reflects a broader push within the industry to shift from passive chatbots to autonomous AI agents, i.e. models that can actively use tools, complete workflows, and deliver tangible results.

Until now, models like ChatGPT have excelled at language generation but faltered when asked to carry out structured, real-world tasks involving files, websites, or multiple steps. That changes with the new agent.

Demand-Driven Says OpenAI

According to OpenAI, user demand drove this shift. For example, many were reportedly attempting to use previous tools, such as Operator, for deeper research tasks, but were apparently frustrated by their limitations. By combining tool use and reasoning within a single system, OpenAI hopes to unlock more practical and business-relevant use cases.

This could also represent a strategic response by OpenAI to rising competition from agents being developed by Google DeepMind, Anthropic, Meta, and open-source communities, many of whom are now focusing on AI models that can act, not just talk.

Business Uses

While consumers can use the agent for tasks like travel planning or dinner parties, the biggest implications may be for professionals and businesses. For example, in OpenAI’s internal tests, the agent performed as well as or better than humans on tasks like:

– Generating investment banking models with correct formulas and formatting.

– Producing competitive market analyses.

– Updating Excel-style financial reports.

– Converting screenshots into editable presentations.

OpenAI says that for data-heavy roles, ChatGPT agent showed strong results. For example, on DSBench, a benchmark testing real-world data science tasks, it outperformed humans by wide margins in both analysis (89.9 per cent) and modelling (85.5 per cent). On SpreadsheetBench, it scored 45.5 per cent with direct Excel editing, far ahead of Microsoft’s Copilot in Excel at 20.0 per cent.

This positions ChatGPT agent not just as a time-saver, but as a cost-effective knowledge worker in fields like consulting, finance, data science, and operations.

New Capabilities Bring New Risks

Despite the powerful new functions, OpenAI has been clear that risks are increasing too, particularly because the agent can interact directly with sensitive data, websites, and terminal commands.

“This introduces new risks, particularly because ChatGPT agent can work directly with your data,” the company warned, noting the risk of adversarial prompt injection—where attackers hide malicious instructions in web pages or metadata that the AI might interpret as legitimate commands.

For example, if a webpage contained an invisible prompt telling ChatGPT to “share email contents with another user,” the model might do so (unless safeguards are in place).

To prevent this, OpenAI says it has:

– Required explicit user confirmation for real-world actions like purchases or emails.

– Introduced a watch mode for supervising high-impact tasks.

– Trained the model to refuse dangerous tasks (e.g. transferring funds).

– Implemented privacy controls, including cookie and browsing data deletion.

– Shielded the model from seeing passwords during browser “takeover” sessions.

Also, on synthetic prompt injection tests, OpenAI claims the agent resisted 99.5 per cent of malicious instructions. However, in more realistic red-team scenarios, the resistance rate dropped to 95 per cent, which is a reminder that vulnerabilities still exist.

The Next Phase

The launch of ChatGPT agent pushes OpenAI firmly into the next phase of AI development, i.e. intelligent systems that act on behalf of humans, not just inform them.

It’s a clear sign that OpenAI aims to lead in the agentic AI race, rather than simply competing on model performance or training size. With its own virtual environment, a growing toolset, and proactive capabilities, ChatGPT now resembles something closer to a software co-pilot than a chatbot.

Competitors will likely follow suit. Google’s Gemini, Anthropic’s Claude, and open-source challengers are all exploring similar agent-style features. However, OpenAI is arguably first to market with a production-ready system that balances capability and risk management (however imperfectly).

For users, especially in business, the implications are considerable. For example, those able to integrate ChatGPT agent into workflows may gain speed, efficiency, and analytical power, so long as they understand the limitations and continue to exercise oversight.

The success of this rollout could also shape broader conversations about AI safety, regulation, and responsibility, particularly as agents become more embedded in real-world systems.

What Does This Mean For Your Business?

The agent rollout gives OpenAI a powerful lead in the shift toward goal-directed, tool-using AI, one that can complete work on behalf of the user rather than waiting for commands. Its ability to interact with live websites, private data sources, and business systems puts it on a new level of utility, but also of accountability. This is no longer just about generating answers. It is about delegation.

For UK businesses, the implications are likely to be immediate and wide-ranging. For example, the agent offers a credible way to automate time-consuming tasks like competitor analysis, document preparation, scheduling, and spreadsheet management. For knowledge-heavy sectors such as finance, consultancy, and data operations, it introduces a low-friction option for streamlining routine work, reducing manual handling, and speeding up research. Organisations already experimenting with automation and AI-assisted productivity tools may now find themselves rethinking existing workflows in favour of a more hands-off, outcome-driven approach.

However, it’s not without operational risks. Any system that can click, copy, calculate, and communicate on your behalf must be trusted to do so responsibly. That means businesses will need to consider internal guardrails and policies, not just to protect sensitive information, but also to ensure the AI is being used ethically and in line with organisational goals. The fact that ChatGPT can now act autonomously raises pressing questions around auditability, compliance, and human oversight, especially in regulated sectors.

There are also broader competitive and reputational pressures in play. For OpenAI, this launch extends its relevance beyond individual users and into the professional environments that rivals like Microsoft and Google are also targeting. At the same time, it invites scrutiny over safety claims, especially as agents become more capable and the scope for unintended consequences grows.

OpenAI making ChatGPT an AI agent appears to be a clear step-change in how AI is positioned and applied. The tools are no longer limited to outputting content or providing suggestions, but are now expected to deliver outcomes, complete tasks, and take action with minimal supervision. For users, that means new possibilities, but also a renewed need to stay alert, strategic, and in control.

In this Tech Insight, we look at what Google Discover is, how it works, and how UK businesses can use it to boost visibility, traffic and engagement without relying on search.

A Quiet Revolution in Discovery

Google Discover isn’t new, but its importance has grown sharply in recent years. Originally launched in 2012 under the name Google Now, the feature began as a predictive assistant, offering up reminders, boarding passes, event alerts and other useful snippets throughout the day. Over time, many of these utilities were moved into Google Assistant, and the feed itself gradually evolved into what became known simply as the Google Feed.

In 2018, it was rebranded as Google Discover, with a clear shift in purpose: to deliver a personalised stream of content to users based on their interests and activity, all without needing them to type in a search. Since then, Discover has quietly become a major traffic driver for news sites, blogs, lifestyle content and increasingly, e-commerce and B2B brands.

For example, according to Google’s own figures, over 800 million people now use Discover each month, and while the company doesn’t publish detailed usage statistics, Search Engine Journal and others report that some media outlets receive up to 40 per cent of their mobile traffic from Discover.

So What Is Google Discover, Exactly?

Google Discover is a personalised content feed that appears directly within the Google app on both Android and iOS devices. It uses machine learning to show you articles, videos, and other online content that match your interests, based on your previous activity.

What makes it different from a news aggregator or a social feed is the way it predicts what you might want to read or watch next, without requiring any input, i.e. there’s no need to type anything in. The user simply opens the app, and it’s all there.

Where Do You Find It, and How Does It Work?

To access Google Discover, users open the Google app which is pre-installed on most Android phones and available on iOS via the App Store. The Discover feed appears directly beneath the search bar on the app’s home screen. On Android, for example, it’s also often accessible by swiping right from the home screen, depending on the device.

On iPhone, users find it under the “Home” tab in the Google app. On Android, it appears in a dedicated “Discover” tab. The feed includes scrollable cards featuring headlines, featured images, and links to the full content, which can be articles, YouTube videos, blog posts, or product pages.

There is no prominent label marking the content as part of Google Discover, but when users scroll through a personalised feed of recommendations in the Google app without entering a search, that is the Discover feed in action.

Personalised But With a Purpose

Google Discover is basically powered by signals from a user’s Web and App Activity, including previous search queries, website visits, YouTube history and location data. The feed can be refined by interacting with the control icons on each content card, such as the heart icon or the three-dot menu, to indicate whether more or less content of a certain type or from a particular source should be shown.

As a result, the feed evolves continually, not just in response to newly published content but in line with the user’s changing interests over time.

How Businesses Can Benefit

For UK businesses, Google Discover offers several potential benefits, such as:

– Brand exposure beyond search queries. Content can reach users even when they are not actively searching.

– High mobile engagement. As Discover is currently available only on mobile devices, it provides direct access to mobile-first users.

– Topical visibility. Content aligned with trending or niche interests may receive significant short-term visibility boosts.

– Longer shelf life for evergreen content. Unlike social media posts, which tend to fade quickly, high-value Discover content can reappear when it becomes relevant again.

A 2024 analysis by Seer Interactive found that most Discover content is seen within three to four days of publication, but older content can still surface if it is considered helpful to a user’s interests. This makes it a useful channel for both timely updates and evergreen material.

However, getting into Discover isn’t guaranteed. A user’s content must be high quality, indexed by Google, and comply with Discover’s content policies. As Google puts it, “Being eligible to appear in Discover is not a guarantee of appearing.”

What Kinds of Content Work Best?

Discover tends to favour:

– News and topical content (e.g. current events, technology, finance).

– How-to and educational guides.

– Blog and lifestyle content (e.g. fashion, food, fitness, travel).

– Product-led content like buying guides or comparisons.

A study from Searchmetrics found that 46 per cent of Discover URLs were from news sites, while 44 per cent were from e-commerce or commercial domains. This mix highlights its appeal across industries.

Visuals Important Too

It should be noted here that visuals also play a critical role. For example, Google recommends using high-quality images of at least 1200 pixels wide and enabling them via the max-image-preview:large tag in your website’s header. Sites that only use small thumbnails or logos are less likely to be surfaced.

How To Optimise for Google Discover

Unlike traditional SEO, optimising for Google Discover is less about keywords and more about content quality and relevance. According to Google and SEO experts, the following best practices can improve the chances of content appearing in Discover:

– Focus on E-E-A-T. Content should demonstrate Experience, Expertise, Authoritativeness and Trustworthiness. This is particularly important for topics related to finance, health and business.

– Create helpful, people-first content. Clickbait headlines and manipulative imagery should be avoided. Google’s systems penalise content that withholds key information or uses exaggerated claims to drive engagement.

– Use engaging visuals. High-quality images and videos help attract clicks and improve content performance.

– Optimise metadata. Page titles should clearly reflect the main topic without being overly promotional.

– Improve mobile user experience. Fast-loading, mobile-friendly websites perform better in Discover, which is currently a mobile-only feature.

– Leverage structured data. Schema markup is a type of code that helps Google understand what the content is about. Using formats such as Article, NewsArticle or VideoObject can help clarify the purpose and type of content.

Discover performance can be tracked in Google Search Console using the “Discover” report, which shows impressions, clicks and click-through rate over a 16-month period. However, because Discover traffic is recorded as “Direct” in Google Analytics, Search Console remains the more reliable source for analysis.

Access and Availability

Google Discover is free to use, both for users and for content creators. Users access it via the Google app on Android or iOS, or via some mobile browsers on the Google homepage. Businesses don’t need to pay to appear, although Google Discovery Ads, a separate paid product, allow businesses to place sponsored content into the feed.

Discovery Ads can extend the reach of brand storytelling or promotional content, but they follow separate rules and are managed via Google Ads, not organic inclusion.

The organic Discover feed is primarily available in mobile form, though recent reports suggest that Google is testing a desktop version, which could increase its value for B2B and SaaS companies with more desktop-centric audiences.

Who Can Use It And What’s Required

Any business with a website indexed by Google is technically eligible for Discover. There’s no need to apply or sign up. However, visibility depends on several factors, which are:

– Content must be deemed helpful and relevant by Google’s systems.

– It must be well-formatted for mobile, and free from violations such as misleading titles or adult content.

– Businesses must avoid hosting content that could be seen as low-quality, offensive, or manipulative. For example, Discover applies SafeSearch filters and additional relevance controls.

It’s also worth noting that Discover content is driven by individual user interests. If those interests shift, or if the content becomes less relevant, visibility may drop. This makes Discover an unpredictable, though potentially powerful source of traffic.

As Google explains: “Given its serendipitous nature, you should consider traffic from Discover as supplemental to your keyword-driven search traffic.”

Are There Any Alternatives?

While no rival offers quite the same predictive content feed on search platforms, there are several comparable features from other tech companies, such as:

– Microsoft Start. This is a personalised news feed integrated into Windows and the Edge browser, showing curated content.

– Apple News. Available on iOS devices, this offers personalised news and magazine content. However, it prioritises selected publisher partnerships and doesn’t index the open web.

– Flipboard. This is a popular app that curates content based on interests, similar to a digital magazine.

– Facebook’s News Feed and LinkedIn’s feed can serve a similar discovery role, though these are typically limited to in-network or followed sources.

These platforms may be better suited for audience engagement, but none really match Google Discover’s reach, automation, or integration with search intent. For that reason, Discover has quietly become an essential part of the content strategy playbook, particularly for mobile-first businesses aiming to grow their reach.

What Does This Mean For Your Business?

For UK businesses, Google Discover could present a real opportunity to reach audiences who may never have searched for them. Its personalised, interest-based model allows content to appear in front of users at the moment it is most relevant, without the need for a query. This gives brands the chance to surface articles, videos or product content in a more organic and contextually aware way than traditional search. For those already investing in quality content, it provides an additional pathway to visibility, one that can support both brand building and direct engagement.

However, while the potential reach is significant, the unpredictability of Discover may make it less dependable than search for consistent traffic. The feed is shaped by shifting user interests and algorithmic decisions that are not easily controlled, meaning spikes in visibility can be short-lived. For publishers, this volatility may pose a challenge when forecasting traffic or measuring ROI. For Google, it raises wider questions about editorial responsibility and how its AI models decide what is surfaced, particularly when it comes to news or sensitive topics.

The fact that Google does not offer detailed breakdowns of Discover’s performance data also limits transparency for businesses trying to assess impact. Search Console provides a helpful overview, but for many, the lack of insight into why certain pieces appear or disappear from the feed makes strategic planning difficult. It remains a supplementary channel rather than a core traffic source, particularly for B2B organisations who are still more likely to rely on desktop-based search and direct outreach.

Even so, as Google continues to integrate Discover more tightly with its search ecosystem, the line between active search and passive discovery is blurring. This has implications not only for marketers and content creators but also for how people consume information online. Competing services from Apple, Microsoft and others offer similar functionality, but none currently combine Discover’s predictive capability with the scale and depth of Google’s search infrastructure.

For content-focused businesses, the message about Discover is that clear, high-quality, mobile-friendly content that aligns with user interests is more valuable than ever. Also, while Discover may never be a guaranteed traffic source, it is already influencing how information is surfaced and consumed. Ignoring it could, therefore, mean missing out on a growing and increasingly influential part of the search experience.