People using cryptocurrency services in the UK are now required to provide personal and tax identifying details to cryptoasset platforms, following new reporting rules that came into force on 1 January 2026.

What Are The Rules?

From the start of 2026, anyone buying, selling, transferring, or exchanging cryptoassets through a cryptoasset service provider must provide specific identifying information, or risk penalties. The change forms part of the UK’s implementation of the Cryptoasset Reporting Framework, commonly known as CARF, an international standard developed to improve tax transparency around cryptoassets.

Will Link Crypto Activities To Tax Record

According to guidance published by HM Revenue & Customs, the information collected by crypto platforms is to be used to link a person’s crypto activity to their tax record. HMRC says this “makes it easier for us to find out what tax you need to pay”, emphasising that the measure is designed to support enforcement of existing tax rules rather than introduce a new form of crypto taxation.

Applies Whether The Crypto Service Is In The UK Or Not

HMRC says the reporting obligation applies regardless of whether the cryptoasset service provider is based in the UK or overseas. For example, as HMRC’s guidance states on its website, users must provide the required information “to every cryptoasset service provider you use, even if they’re not based in the UK”.

What Information Is Needed?

The details required depend on whether the user is an individual or an organisation. For example, individual users must provide their full name, date of birth, and the address and country where they normally live. They must also supply a tax identification number. For UK residents, this will usually be a National Insurance number or a Unique Taxpayer Reference.

Where a person is not eligible for a tax identification number, for example because their country of residence does not issue one, HMRC says it is not required.

Entity users, such as companies, partnerships, trusts, or charities, must provide their legal business name, main business address, and company registration number if they are a UK company. Non-UK entities must provide a tax identification number and the country that issued it. Some entities are also required to provide details of their controlling person.

Incorrect Details Could Result In A Fine

HMRC is making it clear that users must provide accurate information. It says that giving incorrect details, or failing to provide them at all to a UK cryptoasset service provider, can lead to a penalty of up to £300. Where a non-UK provider is involved, the penalty could be higher.

How Penalties And Tax Enforcement Fit Together

The £300 penalty relates specifically to failures to provide accurate identifying information to cryptoasset service providers. It sits alongside, rather than replaces, HMRC’s existing powers to penalise unpaid tax.

HMRC’s guidance warns that if someone has not paid tax they owe on cryptoassets and the tax authority later identifies this, penalties can be far more significant. For example, in such cases, HMRC says penalties can be “up to 100 per cent of the tax due plus interest”. For offshore matters or offshore transfers, penalties can be higher still.

Voluntary Disclosure Facility (For Previous Years) Available

The department is also operating a disclosure facility for people who have underpaid tax on cryptoassets in earlier years, which allows individuals to correct their tax affairs voluntarily for undeclared gains or unpaid tax prior to April 2024.

Why The Focus On Crypto For Tax Authorities?

Cryptoassets have long posed challenges for tax authorities because of their decentralised and cross-border nature. For example, transactions can take place across multiple platforms, wallets, and jurisdictions, often without the kind of centralised reporting that applies to traditional bank accounts.

CARF

Government policy documents describe cryptoassets as a rapidly expanding area where tax authorities have historically had limited visibility. The Cryptoasset Reporting Framework (CARF) was, therefore, developed to address gaps that remained even after the introduction of the Common Reporting Standard. In simple terms, CARF is designed to prevent people from avoiding tax reporting by shifting assets into crypto. It creates a framework under which cryptoasset service providers collect standardised information about users and their transactions, which can then be shared automatically between tax authorities in participating countries.

How International Data Sharing Will Work

CARF is a multinational framework, meaning its impact goes beyond the UK alone. For example, where a UK resident uses a UK cryptoasset service provider, HMRC will use the reported information to link crypto activity to the individual’s UK tax record. Where a UK resident uses a non-UK provider based in a country that has also implemented CARF, the tax authority in that country will share the information with HMRC.

Similarly, if a non-UK resident uses a UK cryptoasset service provider, HMRC will share the relevant information with the tax authority in the user’s country of residence, provided that country also follows the CARF rules.

The UK government has said that the first international exchanges of data under CARF are expected to take place from 2027, reflecting the time required for jurisdictions and businesses to build reporting systems.

How Crypto Is Taxed In The UK

The new reporting rules do not change how cryptoassets are taxed, but they are expected to make enforcement more effective.

In the UK, cryptoassets are generally subject to Capital Gains Tax when they are disposed of. Disposal can include selling crypto for traditional currency, exchanging one cryptoasset for another, spending crypto on goods or services, or gifting it to someone other than a spouse, civil partner, or charity.

If total gains across all disposals exceed the annual Capital Gains Tax allowance, the gains must be reported to HMRC and tax paid. Losses can be offset against gains, and in some cases carried forward to future tax years.

Where cryptoassets are received through employment, mining, or other income-generating activities, Income Tax and National Insurance contributions may also apply.

With this in mind, HMRC has now updated its Self Assessment tax return to include a dedicated section for cryptoassets, reflecting the growing expectation that taxpayers accurately report crypto-related income and gains.

How Widespread Is Crypto Use In The UK?

The changes come at a time when crypto awareness and usage remain significant in the UK. For example, research published by the Financial Conduct Authority shows that public awareness of cryptoassets remains high. Its most recent consumer research found that more than 90 per cent of adults had heard of cryptoassets, while around 8 per cent of respondents reported owning or using them.

The same research indicates that most users rely on centralised exchanges as their main way of accessing crypto, rather than decentralised protocols or peer-to-peer transactions. This is significant because CARF reporting obligations apply primarily to cryptoasset service providers that act as intermediaries.

For many consumers, the impact of the new rules is likely to be experienced through additional identity checks, requests to confirm tax residency, and prompts to supply or update tax identification details.

What The Rules Mean For Crypto Businesses

The change in the rules essentially sees the burden of compliance falling heavily on cryptoasset service providers, which must collect, verify, and report user information and transaction data.

Government impact assessments suggest that businesses already preparing for international CARF obligations may face relatively modest additional costs to extend reporting to UK resident users. Even so, firms may need to update systems, data validation processes, and reporting workflows to ensure information is accurate and submitted in the required format.

Around 50 UK businesses are estimated to be affected by the domestic reporting extension, though overseas platforms serving UK users are also brought into scope where their home jurisdictions implement CARF.

For example, a crypto exchange that already collects customer data for anti-money laundering purposes may still need to restructure how that data is stored and reported so it aligns with CARF requirements around tax residency and transaction reporting.

The Wider Regulatory Context

The introduction of CARF reporting coincides with broader efforts to regulate the UK crypto sector, although those initiatives are progressing on a separate track. The Financial Conduct Authority is currently consulting on proposals for a comprehensive regulatory regime for cryptoassets, covering areas such as exchange standards, conduct requirements, and crypto lending and borrowing. The consultation is due to close in February 2026.

The FCA has been clear that its goal is not to eliminate risk from crypto markets, but to ensure consumers understand those risks and that firms operate to clear standards. David Geale, the FCA’s executive director for payments and digital finance, has said regulation is coming and that the authority wants a regime that “protects consumers, supports innovation and promotes trust”.

For UK crypto users and businesses, the key distinction is that CARF focuses on tax transparency and data sharing, while the FCA’s work addresses how crypto markets operate and how consumers are protected within them.

Challenges and Criticisms

While HMRC says the new reporting framework is about enforcing existing tax law, the changes have prompted some concerns from parts of the crypto industry and from privacy advocates.

For example, one criticism centres on data protection and security. The rules require cryptoasset service providers to collect and store sensitive personal and tax information, sometimes across multiple jurisdictions. Critics argue this increases the risk of data breaches, particularly where smaller or overseas platforms may not have the same security standards as large UK financial institutions.

There are also questions about proportionality. For example, some industry voices argue the rules apply broadly to all users, including those with relatively small holdings or minimal trading activity, potentially increasing compliance friction for people who do not owe any tax. The requirement to provide tax identifiers to every platform used, even where no taxable gain has been realised, has been cited as a source of unnecessary complexity.

From a business perspective, crypto platforms face operational and cost pressures. Although many already collect customer information for anti-money laundering purposes, aligning systems with CARF reporting standards adds technical and administrative overhead, particularly for firms operating across multiple countries with different implementation timelines.

Others point out that CARF does not fully address decentralised finance. Transactions carried out directly on decentralised protocols, without an intermediary acting as a service provider, may remain harder for tax authorities to observe, raising questions about how evenly the rules will apply across the crypto ecosystem.

HMRC has acknowledged that regulation cannot eliminate all non-compliance, but maintains that broader data collection and international information sharing will significantly narrow the gaps that have historically made cryptoassets difficult to tax.

What Does This Mean For Your Business?

The new reporting rules mark a clear change in how crypto activity is treated by the UK tax system, moving it closer to the level of visibility long associated with traditional financial accounts. For individual users, the message is pretty straightforward. Crypto transactions are no longer operating in a grey area, and HMRC now expects crypto activity to be linked clearly and consistently to a person’s tax record, regardless of where the platform they use is based.

For UK businesses operating in the crypto sector, the changes reinforce the idea that compliance and data governance are now central operational requirements rather than secondary considerations. Firms offering exchange, wallet, or portfolio services are being drawn more firmly into the UK’s tax reporting infrastructure, with real implications for system design, data accuracy, and cross-border coordination. Even businesses that already meet anti-money laundering standards may need to rethink how customer data is structured, verified, and reported over time.

More broadly, the rules reflect a wider change in how governments, regulators, and tax authorities view cryptoassets. For example, what was once treated as a niche or experimental asset class is now being integrated into mainstream regulatory frameworks, with greater expectations placed on platforms, investors, and advisers alike. While concerns remain around privacy, proportionality, and coverage of decentralised activity, HMRC’s position is clear that increased transparency is necessary to close long-standing enforcement gaps.

As CARF data sharing begins to scale internationally from 2027, the practical impact of these rules is likely to become more visible across markets. For users, businesses, and regulators, things are clearly moving towards a tighter alignment between crypto activity and existing tax and compliance systems, with fewer opportunities for crypto to sit outside the scope of routine financial oversight.

In this Tech Insight, we look at why IPv6 is now 30 years old, what it was designed to solve, how it works in practice, and why it continues to matter to the modern internet despite never fully replacing IPv4.

What Is IPv6?

IPv6, or Internet Protocol version 6, is the system used to identify devices on the internet and route data between them. Every device connected to the public internet needs an IP address so information can be sent to the correct destination.

IPv6 is the successor to IPv4 and uses a much larger 128 bit address format, allowing vastly more unique addresses. This expansion was designed to ensure the internet could continue to grow as more people, devices, and services came online.

Why Was A New Internet Addressing System Needed?

The origins of IPv6 lie in a problem identified more than three decades ago. Internet Protocol version 4, introduced in the early 1980s, used 32 bit addresses, allowing for around 4.3 billion unique IP addresses. At a time when the internet was largely confined to universities, research institutions, and government networks, that seemed more than sufficient.

By the early 1990s, however, growth was accelerating much faster than expected. Commercial internet service providers were emerging, personal computers were becoming commonplace, and policymakers and engineers began to worry that the available supply of IPv4 addresses would eventually run out. Without addresses, new devices could not connect to the public internet, creating a real risk of slowing innovation and economic growth.

The responsibility for solving this problem fell to the Internet Engineering Task Force, the open standards organisation that develops the technical foundations of the internet. After several years of debate and experimentation, the IETF published RFC 1883 in December 1995, formally defining Internet Protocol version 6.

What Was Different About IPv6?

The most significant change introduced by IPv6 was the expansion of the address space. For example, IPv6 uses 128 bit addresses, increasing the number of possible addresses to approximately 340 undecillion (36 zeros!). In practical terms, this removed address scarcity as a constraint on future internet growth.

IPv6 also introduced a simplified packet header (the addressing and delivery instructions for data) to improve routing efficiency, removed some legacy features that had accumulated in IPv4, and standardised support for multicast traffic. Address assignment was redesigned through stateless address autoconfiguration, which allowed devices to generate their own addresses automatically when connecting to a network, without relying on manual configuration.

Security

Security considerations were part of the design from the outset. For example, support for IPsec was specified within IPv6, reflecting the growing importance of encryption and authentication on the public internet. Even so, IPv6 was deliberately conservative in that it was designed to change as little as possible beyond what was required to address scaling limits.

Not Backward Compatible

However, it’s worth noting here that IPv6 was not designed to be backward compatible with IPv4, i.e., IPv6 cannot directly communicate with IPv4, a decision that proved controversial because devices using one protocol could not directly communicate with devices using the other without translation mechanisms or running both protocols in parallel.

Why IPv6 Did Not Replace IPv4

At the time IPv6 was standardised, many assumed the internet would gradually migrate from IPv4 to IPv6. However, that transition never occurred in a clean or coordinated way.

Instead, network operators adopted Network Address Translation, known as NAT. NAT allows many devices to share a single public IPv4 address by using private address ranges internally. Homes, offices, and even entire mobile networks could connect large numbers of devices while consuming very few public IPv4 addresses.

This workaround fundamentally changed the incentives around IPv6 adoption. NAT was popular because it was relatively easy to deploy, worked with existing equipment, and avoided the need for large scale network redesign. Over time, IPv4 addresses became scarce but still usable, with regional internet registries overseeing address transfers between organisations.

As a result, IPv6 deployment slowed. Vendors had limited motivation to prioritise IPv6 support, and many organisations saw little short term benefit in migrating. Dual stack operation, where IPv4 and IPv6 run side by side, increased complexity and operational cost.

Where IPv6 Has Actually Been Successful

Judging IPv6 purely by whether it replaced IPv4 misses how the protocol is used today. In fact, IPv6 has carried much of the internet’s growth over the past decade, particularly in environments where scaling pressures are highest.

Mobile networks are a clear example. Many operators now deploy IPv6 as the default protocol for smartphones, using translation technologies only when IPv4 connectivity is required. This approach allows mobile providers to connect millions of devices without relying entirely on increasingly complex NAT systems.

Cloud infrastructure also shows a similar pattern. For example, large providers support IPv6 extensively within their internal networks and data centres. New virtual machines and services are often IPv6 capable by default, even if they still need to interoperate with IPv4 clients.

Data from Google, the Asia Pacific Network Information Centre, and Cloudflare shows that IPv6 adoption remains uneven worldwide, with global usage hovering in the mid 40 per cent range, some countries exceeding 50 per cent adoption, and others still relying heavily on IPv4.

What IPv6 Means for Modern Internet Architecture

Over the past 30 years, the internet has evolved in ways few engineers anticipated in the 1990s. For example, applications increasingly rely on domain names rather than fixed IP addresses, encryption is now the default for web traffic, and protocols such as QUIC reduce reliance on long lived client addressing by operating at higher layers.

These changes have led some to question whether IP addressing matters as much as it once did. In reality, scalable addressing still underpins everything. Data must still be routed efficiently across global networks, and infrastructure still needs predictable, manageable address allocation.

Simplifies Large Scale Network Design

In fact, IPv6 allows networks to be designed more simply at scale because large address blocks can be allocated hierarchically, which reduces routing complexity and makes networks easier to manage, particularly in data centres, content delivery networks, and emerging Internet of Things deployments where device counts can grow rapidly.

Ongoing Challenges

Despite its advantages, IPv6 is not without its drawbacks. For example, running IPv4 and IPv6 side by side increases operational overhead because security teams must monitor and protect two protocols at once, and misconfigured IPv6 can create unexpected exposure if administrators focus only on IPv4 controls.

Also, some older hardware and software either lacks IPv6 support or implements it poorly, which leads organisations in those environments to disable IPv6 entirely to avoid instability, even though doing so can create long term technical debt.

IPv6 migration also requires planning, testing, and staff training, and analysts at Gartner have repeatedly noted that many organisations struggle to justify IPv6 projects without external pressure such as address exhaustion, cloud pricing models, or regulatory expectations.

Why IPv6 Still Matters in 2026

As the global pool of unused IPv4 addresses has become effectively exhausted, supporting new services, devices, and networks increasingly depends on complex translation layers, which are harder to scale and manage over time, while IPv6 provides a way to support continued growth without compounding that complexity indefinitely.

IPv6 was designed as underlying infrastructure rather than a visible end user technology, with its value lying in the capacity and flexibility it provides to support internet expansion as higher level protocols, encryption, and application architectures continue to evolve.

Viewed in that context, IPv6 has not failed, but has quietly fulfilled its original purpose by allowing the internet to keep growing without breaking under the strain of address scarcity and architectural workarounds.

What Does This Mean For Your Business?

IPv6’s 30 year history shows that it was never meant to be a dramatic switchover moment, but a long term safety valve for internet growth, and that role is now clearer than ever. IPv4 continues to function through layers of workarounds, trading markets, and translation systems, while IPv6 quietly carries much of the internet’s newest traffic, particularly where scale and automation matter most. The result is an internet that runs on both protocols at once, not because that was the ideal outcome, but because it proved to be the most practical one.

For UK businesses, this creates a more immediate and pragmatic challenge than a theoretical one. For example, organisations planning cloud migrations, rolling out new digital services, or deploying large numbers of connected devices increasingly need to understand how IPv6 fits into their infrastructure, even if customers never notice it directly. Ignoring IPv6 entirely can introduce hidden risks, from security blind spots to unexpected compatibility issues with cloud platforms and mobile networks that already assume IPv6 support by default.

For network operators, regulators, vendors, and standards bodies, IPv6 remains a reminder that core internet technologies evolve slowly and unevenly, shaped as much by economics and operational reality as by technical design. Thirty years on, IPv6 has neither transformed the internet nor been left behind by it. Instead, it seems to have become part of the underlying fabric that allows the internet to keep expanding, quietly doing the job it was built to do while the debate about its future continues.

The European Commission has renewed its decisions allowing personal data to flow freely between the EU and the UK, confirming that the UK’s data protection framework continues to meet EU standards despite recent legal changes.

Applies To Two Frameworks

The decision, announced on 19 December 2025, extends the EU’s existing data adequacy arrangements with the UK for a further six years, until December 2031. It applies to two parallel frameworks, one under the General Data Protection Regulation and another covering law enforcement data under the Law Enforcement Directive. Together, these decisions determine whether personal data can be transferred from the European Economic Area to the UK without additional safeguards or legal mechanisms.

What Data Adequacy Means In Practice

Under EU law, personal data can only be transferred outside the EU and EEA if the receiving country provides an “adequate” level of protection. Adequacy decisions are adopted by the European Commission and confirm that a third country’s legal and regulatory framework offers protections that are essentially equivalent to those guaranteed under EU law.

For example, when an adequacy decision is in place, organisations can transfer personal data without needing to rely on alternative tools such as standard contractual clauses, binding corporate rules, or case by case risk assessments. For businesses, public bodies, and digital services, this significantly reduces legal complexity, compliance costs, and operational friction.

The UK first received adequacy decisions in 2021, following its departure from the EU. Those decisions were time limited and included a sunset clause, reflecting concerns about future regulatory divergence after Brexit.

Why The Renewal Was Not Automatic

The original UK adequacy decisions were due to expire on 27 December 2025 but, in June 2025, the Commission adopted a technical six month extension to avoid a legal cliff edge while it reassessed the UK’s legal framework. This review was triggered by the passage of the Data (Use and Access) Act, which amended aspects of UK data protection law.

The Act introduced targeted changes, including adjustments to how personal data can be used for research and charitable fundraising, alongside new requirements for organisations to operate clearer data protection complaints procedures. The UK government described the reforms as limited and pragmatic rather than a wholesale departure from GDPR, but they nonetheless required close scrutiny by EU regulators.

During the extension period, the Commission assessed whether the amended UK framework continued to meet the threshold of essential equivalence required under EU law. This assessment covered both general data protection under GDPR and the handling of personal data for policing and criminal justice purposes under the Law Enforcement Directive.

The Role Of EU Oversight Bodies

The renewal decision followed a formal process involving EU institutions and Member States. The European Data Protection Board, which brings together national data protection authorities across the EU, issued an opinion on the UK’s legal framework. Member States then gave their approval through the so-called comitology procedure, which allows national representatives to scrutinise and endorse Commission implementing decisions.

Sufficiently Aligned

The Commission concluded that the UK’s safeguards remain sufficiently aligned with EU standards, including in areas such as individual rights, oversight mechanisms, and restrictions on onward transfers of data to other third countries.

As with the original decisions, the renewed adequacy determinations include safeguards designed to monitor future developments. A review of how the arrangements are functioning is scheduled after four years, with the option to amend, suspend, or revoke adequacy if the UK diverges in ways that undermine data protection.

A Six Year Extension With Built In Limits

The renewed adequacy decisions will now run until 27 December 2031 and include a fresh sunset clause. This essentially means adequacy is not permanent and must be actively reassessed in light of legal, political, and technological changes.

From the Commission’s perspective, this structure balances continuity with control. It provides long-term legal certainty for organisations that depend on EU UK data transfers, while preserving the EU’s ability to intervene if standards fall.

For UK businesses, the extension avoids what many had warned would be a serious disruption. The UK is one of the EU’s largest data partners, with personal data flowing daily for purposes including trade, financial services, health research, cloud computing, advertising, and human resources management.

Economic And Operational Significance

Industry groups and legal experts have repeatedly warned that losing adequacy would impose substantial compliance burdens. Organisations would need to put alternative transfer mechanisms in place, reassess international data flows, and potentially redesign systems and contracts at short notice.

Previous estimates from UK industry bodies have suggested that the administrative cost of relying on standard contractual clauses and transfer risk assessments could run into billions of pounds across the economy. Also, smaller organisations, charities, and public sector bodies would likely be hit hardest.

The Commission explicitly highlighted these practical implications in its announcement. Henna Virkkunen, Executive Vice President for Tech Sovereignty, Security and Democracy, said the renewal “benefits businesses and citizens alike on both sides of the Channel”. She added that it “ensures the free flow of personal data between the EEA and the UK in full compliance with data protection rules while reducing costs and administrative burdens”.

Virkkunen also emphasised continuity for European organisations, stating that the decision allows companies to keep sharing data seamlessly with UK partners, supporting innovation, competitiveness, and trusted digital cooperation.

Law Enforcement And Justice Cooperation

The adequacy decision covering law enforcement data is particularly significant because it underpins data sharing between EU Member States and UK authorities for policing, criminal investigations, and judicial cooperation.

Michael McGrath, Commissioner for Democracy, Justice, the Rule of Law and Consumer Protection, described the United Kingdom as “an important strategic partner for the European Union”. He said the adequacy decisions “form a central pillar of this partnership” by enabling both commercial exchanges and cooperation in the fields of justice and law enforcement.

McGrath added that the renewal reflects the Commission’s assessment that the UK’s legal framework continues to provide robust safeguards for personal data that remain closely aligned with EU standards, including in the context of recent legislative developments.

Ongoing Concerns And Future Scrutiny

It should be noted here, however, that while the renewal provides stability, it does not remove all uncertainty. Privacy advocates and some EU lawmakers have previously raised concerns about the UK’s approach to surveillance, data sharing with third countries, and the potential for future divergence from GDPR principles.

The four year review mechanism is intended to address these risks by allowing the Commission and the European Data Protection Board to reassess adequacy in light of concrete evidence rather than hypothetical concerns. Any significant weakening of protections could still result in suspension or revocation of the decisions.

For now though, it looks as though the Commission’s renewal signals confidence that the UK remains closely aligned with EU data protection standards, while retaining the ability to revisit that judgement if circumstances change.

What Does This Mean For Your Business?

The renewal confirms that the EU continues to see the UK as a trusted destination for personal data, despite political separation and limited legal divergence since Brexit. It removes the immediate risk of disruption to data flows that underpin everyday commercial activity, public services, and cross border cooperation. For now, the legal foundations that allow organisations to move personal data between the EU and UK without additional safeguards remain intact.

For UK businesses, this brings practical certainty. For example, companies operating across borders can continue to rely on existing systems, contracts, and data driven services without having to introduce costly transfer mechanisms or redesign operations at short notice. That stability is particularly important for sectors such as finance, technology, healthcare, research, and professional services, where routine access to EU personal data is fundamental rather than optional.

The decision also has wider implications beyond commerce. Continued adequacy supports cooperation between regulators, law enforcement agencies, and public authorities, ensuring that data sharing for policing, justice, and safeguarding purposes can continue without new legal barriers. At the same time, the inclusion of a sunset clause and a four year review reflects the EU’s ongoing caution, making clear that adequacy depends on sustained alignment rather than historical precedent.

Taken together, the renewal appears to strike a careful balance. In essence, it signals confidence in the UK’s current data protection framework while reinforcing that future reforms will be judged against EU standards. For businesses and other stakeholders, the takeaway message is that the current framework offers breathing space and legal certainty, but long-term stability will depend on how closely the UK continues to track core principles of EU data protection law.

PostNord delivered its final letter in Denmark on 30 December 2025, bringing an end to more than four centuries of nationwide letter delivery after letter volumes collapsed as most communication moved online.

Just Parcels Now

For the first time since organised postal services were established in Denmark in 1624, the country’s historic national operator no longer delivers domestic letters. From 2026, PostNord says it will now operate in Denmark solely as a parcel carrier, thereby reflecting a structural change in how Danes communicate, receive official information, and interact with public and private services.

A Decision Rooted in Long-Term Decline

PostNord’s decision was not driven by a sudden policy shift but by a sustained and dramatic collapse in letter volumes over the past 25 years. For example, according to figures published by the company, the number of letters handled by PostNord Denmark has fallen by more than 90 per cent since 2000, with volumes continuing to decline rapidly year on year.

In its official announcement, PostNord stated: “Danes have become more and more digital, and what was once sent by letter is now received digitally by the vast majority of people.” The company added that letter volumes “have decreased by over 90 per cent since 2000, and the volume of letters continues to decrease rapidly”.

The pace of decline has accelerated in recent years. PostNord executives have noted that letter volumes fell by around 30 per cent in a single year leading up to the decision, underlining how quickly physical mail has been displaced by digital alternatives.

Denmark’s Digital-First Society

Denmark’s status as one of the world’s most digitalised countries helps explain why the move became unavoidable. Most official communications from public authorities are delivered through Digital Post, an electronic mailbox linked to MitID, Denmark’s national digital identity system. MitID is used for everything from online banking and tax returns to healthcare appointments and document signing.

In fact, around 95 per cent of Danes now receive official correspondence digitally, with only a small minority opting out. As a result, physical letters have increasingly become an exception rather than a default channel, mainly used for niche purposes, formal notifications, or correspondence with people who are exempt from digital systems.

PostNord acknowledged this reality directly, stating that “the letter market is no longer profitable” under current conditions, making continued nationwide letter delivery unsustainable.

From Universal Service to Competitive Market

Denmark’s postal landscape has also changed at a regulatory level. For example, until the end of 2023, the country operated a universal postal service model, under which PostNord was required to deliver letters nationwide at regulated prices. This system ended with the introduction of a new Postal Act in 2024.

The updated legislation opened the letter market to full competition and removed VAT exemptions on letters, pushing up postage prices. At the time of PostNord’s announcement, sending a standard letter could cost as much as 29 Danish krone, making physical mail significantly more expensive relative to digital communication.

PostNord’s managing director in Denmark, Kim Pedersen, has said publicly that higher prices further reduced demand, reinforcing a downward spiral that left letter delivery commercially unviable.

What Changed in 2025?

Throughout 2025, PostNord continued to deliver letters as normal while preparing for its exit. Clear deadlines were set to give households and businesses time to adjust. For example:

– Basic letters, including business letters, direct mail, and magazines, had to be handed in by 18 December 2025.

– More specialised services such as registered letters and letters with return receipt remained available until 29 December.

– The final deliveries took place on 30 December 2025.

Refunds

PostNord also confirmed that postal labels purchased in 2024 or 2025 would be eligible for refunds during a limited period in 2026 if unused, stating: “We’ve made sure that all postal labels purchased in 2024 – or to be purchased in 2025 – can be refunded for a limited time in 2026 if you don’t use them in 2025.”

The Disappearance of the Red Postboxes

One of the most visible consequences of the decision was the removal of Denmark’s iconic red postboxes. From 1 June 2025, PostNord began dismantling the country’s remaining 1,500 mailboxes, with all removals completed by the end of the year.

Each postbox was clearly marked in advance with its planned removal date, and boxes could still be used until taken out of service. PostNord also said it was working to ensure that the postboxes would “have a new purpose” once removed, rather than being discarded.

The removal programme symbolised the practical end of everyday letter posting for most Danes and marked a clear shift away from street-level postal infrastructure.

Impact on Jobs and Operations

The move away from letters had significant workforce implications. For example, around 1,500 jobs were affected in Denmark, out of a total PostNord workforce of roughly 4,600 in the country. While PostNord continues to operate in parcels, letter sorting, delivery, and associated logistics roles were no longer required at previous levels.

PostNord has faced financial pressure for several years, with letter delivery becoming increasingly loss-making as volumes fell and fixed costs remained high.

PostNord Still Operating In Sweden

Importantly, the decision applies only to Denmark. PostNord’s letter operations in Sweden continue unchanged, and the company remains active in the letter market there under different regulatory and market conditions.

Who Delivers Letters Now?

From 1 January 2026, the responsibility for letter delivery has shifted to other operators in the open market, most notably DAO, which already delivered letters prior to PostNord’s exit.

DAO has expanded its operations to handle significantly higher volumes, with customers required to drop letters at designated shops or pay for home collection services. According to Danish law, the option to send physical letters must continue to exist, meaning the government is obliged to ensure that alternative providers remain available.

What About International Mail?

International mail remains a bit of a transitional issue. PostNord was appointed by Denmark’s Ministry of Transport to handle international letters until 31 December 2025. However, responsibility for this service from 2026 onwards is expected to be determined through a separate process.

Groups Most Affected

While the vast majority of Danes rely on digital communication, the end of PostNord’s letter service has raised concerns for groups that still depend on physical mail. For example, advocacy organisations for older people have warned that hospital appointments, care decisions, and other important communications can still arrive by letter for those exempt from Digital Post.

PostNord acknowledged that physical letters will continue to be delivered by other operators, but critics have highlighted that alternative services often require digital payment or app-based interaction, which may present barriers for some users.

A Strategic Move to Parcels

At the centre of PostNord’s decision is a clear strategic refocus. As letter volumes collapsed, parcel deliveries surged due to sustained growth in online shopping. PostNord has said its goal from 2026 is “to become the Danes’ preferred parcel courier”.

In its announcement, the company explained: “We want to be the very best where Danes need us – and that’s in parcels.” The shift aligns PostNord with broader trends across Europe, where national postal operators are increasingly repositioning themselves as logistics and e-commerce delivery companies rather than traditional mail carriers.

The First To Go

The Danish case stands out for the scale and finality of the change. While many European postal services have reduced letter frequency or raised prices, Denmark is the first country to formally conclude that nationwide letter delivery is no longer economically or operationally viable in a fully digital society.

The implications of that decision continue to unfold, both within Denmark and across a continent facing similar pressures on long-established postal systems.

What Does This Mean For Your Business?

Denmark’s decision to end nationwide letter delivery marks a clear acknowledgement that physical mail has moved from being an essential public service to a marginal one in highly digital societies. PostNord’s withdrawal was not driven by sentiment or short-term pressures, but by structural changes in how information is created, distributed, and received. Once most official, financial, and personal communication shifted online, the economics of maintaining a universal letter network no longer held up, even for a long-established national operator.

For businesses, the Danish experience underlines how quickly legacy communication channels can become commercially unviable once digital alternatives reach critical mass. Organisations that still rely on physical letters for billing, notifications, or formal correspondence have been forced to adapt, either by moving processes online or by paying significantly higher costs through alternative providers. This transition has been manageable in Denmark largely because digital infrastructure, digital identity systems, and public adoption were already well established before the postal network was scaled back.

There are clear lessons here for UK businesses and public sector bodies. While the UK remains far more reliant on physical post than Denmark, letter volumes continue to decline, and postal operators are under increasing financial strain. The Danish case shows that once digital communication becomes the default for government and commerce, postal services tend to follow demand rather than tradition. UK organisations may, therefore, need to reassess how dependent they remain on physical mail, particularly for time-sensitive or high-volume communications, and whether existing processes are resilient to future changes in postal service provision or pricing.

Also, the Danish experience highlights the importance of managing transitions carefully for those who cannot easily move online. For example, older people, digitally excluded groups, and organisations that still require physical documentation remain stakeholders in any postal system, even as volumes fall. Ensuring that alternatives remain accessible, affordable, and legally compliant has become a policy challenge rather than a purely operational one.

Denmark’s move does not mean the end of letters altogether, but it does demonstrate that nationwide letter delivery is no longer guaranteed in societies where digital communication dominates. For postal operators, governments, businesses, and citizens alike, the shift marks a practical redefinition of what postal services are for in a digital-first economy, and who they are ultimately designed to serve.

SpaceX says it will move roughly half of the Starlink satellite network into lower orbits during 2026, arguing that the change will materially reduce collision risk and speed up the removal of failed spacecraft as low Earth orbit becomes increasingly congested.

Starlink

Starlink is the satellite broadband network operated by SpaceX, and it has grown into the largest satellite constellation ever deployed. The network now consists of more than 9,000 operational satellites in low Earth orbit, providing internet connectivity to residential, government, and enterprise customers worldwide.

Apples To Just One Layer

The newly announced plan targets one specific layer of the constellation. Starlink vice president of engineering Michael Nicolls said (in a post on X) SpaceX intends to lower all Starlink satellites currently operating at around 550 kilometres above Earth down to approximately 480 kilometres. The migration will involve about 4,400 satellites and will be carried out gradually over the course of 2026.

In his public post on the X platform, Nicolls described the move as “a significant reconfiguration of its satellite constellation focused on increasing space safety”, adding that the lowering will be “tightly coordinated with other operators, regulators, and USSPACECOM”.

What Is Changing And Why It Matters

Low Earth orbit, often shortened to LEO, generally covers altitudes from about 160 km to 2,000 km above Earth. Satellites in this region travel at extremely high speeds, completing an orbit in roughly 90 minutes. LEO is attractive for communications services because it allows lower latency than higher orbits, yet it is also where orbital congestion is now growing most rapidly.

The Starlink satellites affected by this change currently operate at around 550 km and SpaceX now plans to lower them by roughly 70 km. While that difference may appear quite modest, it actually has significant implications for how long satellites remain in orbit if they lose control or suffer a failure.

The Sun’s Activity Cycle

Nicolls linked the decision directly to the Sun’s activity cycle. For example, solar activity follows an approximately 11-year pattern, with higher activity expanding the upper atmosphere and increasing drag on satellites. When solar activity declines towards solar minimum, the upper atmosphere becomes less dense, reducing drag and allowing satellites to remain in orbit for much longer at the same altitude.

“As solar minimum approaches, atmospheric density decreases which means the ballistic decay time at any given altitude increases,” Nicolls wrote on X. “Lowering will mean a >80% reduction in ballistic decay time in solar minimum, or 4+ years reduced to a few months.”

Ballistic decay time refers to how long an uncontrolled satellite takes to naturally lose altitude and re-enter Earth’s atmosphere. For example, a shorter decay time means failed satellites spend less time posing a collision risk to other spacecraft.

Recent Incidents

The announcement follows a rare Starlink satellite incident reported in late 2025. SpaceX said one of its satellites experienced a failure that involved venting propellant, tumbling out of control, and releasing a small amount of debris.

During the incident, the satellite rapidly lost altitude and communications were cut off. SpaceX said the debris consisted of “trackable low relative velocity objects” and that the spacecraft was expected to re-enter the atmosphere within weeks.

Although SpaceX has not said that a collision caused the failure, the incident has drawn attention to the growing difficulty of managing risk in crowded orbital environments. SpaceX has previously said that a Chinese satellite launch came within roughly 200 metres of colliding with a Starlink satellite, underlining how close some encounters in low Earth orbit have become.

Why Lower Orbits Are Seen As Safer

Nicolls has highlighted how lowering Starlink’s 550 km shell would improve safety in several ways, beyond simply speeding up re-entry for failed spacecraft, saying “the number of debris objects and planned satellite constellations is significantly lower below 500 km, reducing the aggregate likelihood of collision.”

For example, a satellite that fails at 550 km during periods of low solar activity could remain in orbit for several years, thereby increasing the time window in which it might be struck by another object. At around 480 km, natural atmospheric drag should pull an uncontrolled satellite down far more quickly, reducing long-term risk.

This approach aligns with broader industry efforts to ensure satellites do not remain in orbit for decades after failure, contributing to the gradual build-up of debris.

Low Earth Orbit Becoming Increasingly Crowded

It’s worth noting here that the number of satellites in low Earth orbit has increased sharply in recent years, largely driven by the rise of large satellite constellations. Starlink alone now accounts for the majority of active satellites in orbit.

Also, other major networks are also in development. For example, Amazon’s Project Kuiper aims to deploy more than 3,000 satellites, while China is understood to be planning multiple LEO constellations that could together exceed 10,000 spacecraft.

With thousands of satellites travelling at several kilometres per second, the risk of collisions has become a central concern for operators and regulators. Even small fragments of debris can cause catastrophic damage at orbital velocities.

These concerns are often discussed in the context of the Kessler Syndrome, i.e., a scenario in which collisions generate debris that triggers further collisions, eventually making certain orbital regions difficult or impossible to use.

Regulatory Scrutiny Is Increasing

Starlink’s orbit-lowering plan comes amid growing regulatory and political scrutiny of large satellite constellations. In the United States, regulators have moved to tighten disposal requirements for satellites in low Earth orbit, shortening the expected time allowed for defunct spacecraft to be removed after the end of their mission. The aim is to reduce the long-term accumulation of debris and lower systemic risk.

Public interest groups have also called for more cautious deployment of megaconstellations. For example, some have urged regulators to pause or more closely examine large LEO projects until the environmental and safety consequences of space congestion are better understood.

Also, concerns extend beyond collisions. For example, scientists have raised questions about the cumulative impact of frequent launches and satellite re-entries on the upper atmosphere, including the release of metals and other materials as spacecraft burn up.

Reliability Claims And Risks Beyond SpaceX’s Control

SpaceX has repeatedly stressed that Starlink satellites are designed to be highly reliable. In fact, Nicolls said there are “only 2 dead satellites” within the operational fleet of more than 9,000.

However, he emphasised that rapid de-orbiting remains important even with strong reliability figures. “If a satellite does fail on orbit, we want it to deorbit as quickly as possible,” he wrote.

Nicolls also highlighted hazards that SpaceX cannot directly control, including “uncoordinated manoeuvres and launches by other satellite operators”. As more constellations are deployed, the behaviour of every operator increasingly affects the safety of the entire orbital environment.

How Will The Migration Be Managed?

SpaceX has not released detailed technical procedures for the migration, but the underlying approach is broadly understood to be that each satellite will use onboard propulsion to gradually adjust its orbit in a controlled manner, lowering altitude while maintaining collision avoidance and tracking.

Nicolls said the process will be carried out in coordination with other satellite operators, regulators, and United States Space Command, which plays a central role in space domain awareness and conjunction warnings.

The movement of thousands of satellites over a single year will be closely watched across the space industry, as it may signal how megaconstellations adapt to rising congestion and evolving expectations around safety and sustainability in low Earth orbit.

What Does This Mean For Your Business?

Lowering thousands of satellites is a clear acknowledgement that congestion in low Earth orbit is no longer a theoretical problem but an operational one. SpaceX’s decision suggests that managing failure scenarios and end of life outcomes is becoming just as important as launch cadence and coverage expansion. Even a relatively small change in altitude can materially reduce how long failed hardware remains a hazard, which matters in an environment where collision risk compounds over time rather than staying static.

The move also sets a practical benchmark for other large constellation operators. For example, as more networks come online, regulators are likely to expect similar evidence that operators are actively reducing long term debris risk rather than relying solely on reliability claims. Coordination with other operators and military tracking bodies signals that large scale orbital changes are now part of routine constellation management, not exceptional events.

For UK businesses and public sector users that rely on satellite connectivity, particularly in rural areas, offshore operations, transport, defence, and emergency services, the announcement points to a more mature phase of satellite internet delivery. A safer and more actively managed orbital environment reduces the risk of service disruption caused by debris events or emergency manoeuvres. It also strengthens the long term viability of satellite broadband as a dependable part of national digital infrastructure rather than a stopgap solution.

For policymakers, insurers, and space regulators, the Starlink reconfiguration highlights where expectations are heading. For example, operators are now being judged not just on coverage and performance but on how responsibly they manage shared orbital space. Decisions made during this phase of LEO expansion will shape what remains usable decades from now, and whether satellite services continue to scale without triggering tighter intervention or enforced limits.

OpenAI has said it is strengthening security in its ChatGPT Atlas browser to reduce the risk of prompt injection attacks, warning the threat is unlikely to ever be fully eliminated.

ChatGPT Atlas includes an agent mode that can read web pages and take actions inside a user’s browser, such as clicking links or sending emails. This makes it a more attractive target for prompt injection attacks, where hidden malicious instructions are used to override the user’s intent.

OpenAI has rolled out a security update with a newly adversarially trained model and stronger safeguards. The changes were driven by automated red teaming, using an internally built AI attacker trained with reinforcement learning to identify complex exploits before they appear in the wild.

The company said prompt injection is a long-term AI security challenge, similar to online scams and social engineering. Industry analysts, including Gartner, have warned that AI browsers could pose significant risks if not tightly controlled.

To reduce exposure, OpenAI advises businesses to limit logged-in use of AI agents, carefully review confirmation requests, and give clear, tightly scoped instructions to reduce the impact of hidden or malicious content.