Costello Advisory advises organisations on the full spectrum of digital regulation — privacy law, data governance, cybersecurity compliance, AI regulation, the Digital Services Act, the Online Safety Act, DORA, and their equivalents across EU, UK and US jurisdictions.
“Digital regulation is no longer a single framework. It is an overlapping landscape of privacy law, AI governance, cybersecurity obligations, and platform rules — moving simultaneously across the EU, UK and US. The organisations that navigate it best are those with the clearest picture of all of it.”
Digital regulation has become one of the most complex compliance challenges facing organisations today. Privacy law. Cybersecurity obligations. AI governance. Platform regulation. Data governance. These are not separate problems — they are the same problem from different angles, and they are moving simultaneously across three major jurisdictions that do not always agree.
Costello Advisory advises organisations of every size and sector on all of it — from global financial institutions navigating DORA and GDPR simultaneously, to technology scale-ups facing EU AI Act obligations and CCPA enforcement, to platforms managing DSA and Online Safety Act duties across EU and UK markets.
We are an independent consultancy boutique. Senior, strategic, commercial. Where engagements require regulated legal advice, that work is handled through a separate regulated legal practice. Everything else is delivered directly — with the depth and judgement that only comes from twenty years at the coalface of digital regulation across three jurisdictions.
A focused, fixed-scope review of your AI deployments against EU AI Act obligations. Risk classification, compliance gap analysis, and a clear written action plan. Delivered within two weeks. No retainer required.
US privacy enforcement is accelerating. CCPA fines, FTC action, and state AI laws are creating real exposure for any organisation touching US consumers. A focused review of your specific risk — what the law requires, where your gaps are, and what to fix first.
Every engagement involves direct access to senior expertise — no junior team, no templated deliverables, no unnecessary complexity. A straight answer on what the regulation requires, what your exposure is, and what to do about it.
GDPR, UK GDPR, CCPA, CPRA, and the growing landscape of US state privacy law. Data governance frameworks, privacy by design, data subject rights, international transfers, and regulatory compliance — across EU, UK and US from a single adviser.
DORA, NIS2, the UK Cyber Resilience Act, and NIST frameworks. Regulatory compliance for cybersecurity obligations in financial services and technology — what the frameworks require operationally, not just on paper.
Risk classification, gap analysis, compliance frameworks, and board-level advisory on AI governance. EU AI Act obligations, UK AI policy, and US state AI laws — what your specific exposure is and what to do about it.
Platform obligations under the DSA, the Online Safety Act, and the expanding framework of digital platform regulation across EU and UK. Content moderation, algorithmic accountability, risk assessments, and regulatory reporting.
The ICO finalised its Storage and Access Technologies guidance on 29 April 2026 — PECR fines are now aligned with GDPR. Consent architecture, tracking technology compliance, and adtech regulatory strategy for UK and EU markets.
Regulatory strategy for fintech business models, payments, digital assets, and blockchain infrastructure — including DAOs, smart contract platforms, and tokenisation. Advisory across EU MiCA, UK FCA regime, and US frameworks since the sector's earliest days.
New DUAA exemptions, a 35-fold increase in maximum PECR penalties, and an expanded “instigation” concept that catches advertisers further up the adtech chain. What every UK organisation with a digital presence needs to do now.
Mandatory automated decision-making risk assessments. Mandatory cybersecurity audits. The largest CCPA settlement to date — $2.75 million against Disney. California's privacy regime has entered its most demanding phase.
The high-risk AI system requirements are being delayed to December 2027. The prohibitions and Article 4 literacy obligations are already in force. What compliance actually requires — and why the delay is not a reprieve.
The EU asks what an AI system might do. The US asks what it has done. The UK asks which regulator should be asking. What the divergence between Brussels, London and Washington means for global compliance strategy.
Without federal AI legislation, the real action is at state level — Colorado, California, Illinois, Texas — each with different definitions, scope triggers and enforcement mechanisms. What multi-state operators need to know.
The UK chose not to legislate on AI. Two years on, the scorecard is more complicated than either side acknowledges. What the sector-based approach has produced — and what it hasn’t.
Ash Costello is the founder of Costello Advisory. She has spent over twenty years advising some of the world's most complex organisations on their most consequential digital regulation questions — across global financial institutions, technology platforms, and high-growth businesses at every stage.
Triply qualified across England & Wales, Ireland and New York, she advises on EU, UK and US regulatory frameworks simultaneously. For organisations navigating digital regulation across multiple jurisdictions, this means a single adviser who understands the complete picture — not three separate advisers each seeing one part of it.
She has operated at the most senior levels of in-house legal practice, including as Global Head of Legal for a global alternative asset administration platform operating across 22 entities — part of one of the ten largest banking groups in the world. She has chaired and attended hundreds of board and fund governance meetings across the world's leading financial institutions, and has advised on blockchain and digital assets since the sector's earliest days.
Through Costello Advisory, she works with boards, leadership teams, and organisations that need more than a compliance checklist — a strategist who understands the commercial reality behind the regulatory question, and who will tell you what matters, what doesn't, and what to do about it.
Over twenty years in private practice at leading UK and Irish law firms, followed by senior in-house roles at global financial institutions, and a decade advising technology platforms, fintechs and emerging technology businesses on digital regulation across three jurisdictions. Based across London, New York and Catania.
If you are navigating digital regulation — whether that is DORA, the EU AI Act, CCPA enforcement, the Online Safety Act, or any combination of the above — the starting point is a direct conversation. No sales process. No pitch deck.
Costello Advisory is a consultancy boutique. Regulated legal advice is provided through a separate regulated legal practice. Enquiries are treated in strict confidence.