The last few months have seen political battles over the UK's and EU's approaches to AI regulation, the continued rollout of online safety measures Europewide, and groundbreaking changes in the UK to the enforcement of consumer law. Read more for our insights into the key developments and how they could affect your business.
AI
Artificial Intelligence (AI) Act (EU)
As of 2 February 2025, certain AI practices are prohibited on the basis that they pose unacceptable risks to European values and rights. These include the use of subliminal, manipulative or deceptive techniques to materially distort a person's behaviour. The Act's remaining obligations apply in stages: the rules for high-risk AI systems and the transparency obligations for general-purpose AI models are still to take effect. Companies that breach the prohibitions face fines of up to 7% of global annual turnover (or €35 million, whichever is higher).
Scope: Any business that operates in the EU, provides AI-driven services affecting EU citizens, or uses AI models trained on EU data must ensure compliance.
Next steps:
- On 4 February 2025, the European Commission published its guidelines on prohibited practices.
- In May 2025, the European Commission consulted on rules and guidelines concerning general purpose AI models. Those rules will come into force on 2 August 2025.
- Finally, the obligations concerning high-risk AI systems become applicable 24 months after the entry into force of the Act (2 August 2026); for high-risk systems that are safety components of, or are themselves, products covered by existing EU product legislation (Annex I), the deadline is 36 months (2 August 2027).
UK approaches to AI
Since the UK Government's AI White Paper (2023) and its Response (2024), policymakers have resisted binding AI regulation, prioritising innovation over restrictive frameworks. However, as AI adoption accelerates, momentum may be shifting towards formal legislation. Recent developments signalling this transition include:
- The King's Speech (July 2024): Proposed new laws imposing legal obligations on AI developers, moving away from voluntary compliance.
- AI Opportunities Action Plan (January 2025): A long-term AI roadmap focusing on infrastructure, governance, and public sector adoption.
- AI Supercomputing Expansion (Spring 2025): The Government plans to increase AI compute capacity 20-fold by 2030 to support AI research, compliance, and regulatory oversight.
- Reintroduction of the AI Bill (March 2025): Lord Holmes' Artificial Intelligence (Regulation) Bill, a Private Member's Bill proposing an AI Authority and duties on developers, was reintroduced in the House of Lords.
Online safety
Online Safety Act (OSA) (UK)
The OSA imposes duties on online service providers to keep users safe. On 24 April 2025, Ofcom published its Protection of Children Codes and Guidance. Providers of services likely to be accessed by children must implement safety measures to mitigate risks to children by 25 July 2025. These can either be the measures listed in the Protection of Children Codes, or alternative measures that allow the providers to effectively meet their duties.
Scope: Providers of internet services where content is generated, uploaded or shared by users ("user-to-user services"); or providers of a search engine ("search services"). To be in scope, services must have a significant number of UK users, or the UK must form one of the service's target markets.
Next steps: In the next quarter, Ofcom expects to publish its register of categorised service providers that are subject to additional duties under the OSA. These include some of the most widely used online sites and apps that involve content recommender systems, user-to-user services and search services.
Platform
Digital Markets, Competition and Consumers (DMCC) Act (UK)
The consumer protection regime under the DMCC Act is now in force. The CMA can now decide for itself whether consumer protection law has been infringed (rather than having to litigate through the courts) and enforce directly against breaches, including by requiring consumer redress and imposing fines of up to 10% of the infringing business's global turnover.
Scope: All business-to-consumer (B2C) businesses.
Next steps: The CMA's priority areas for the first 12 months of the regime will be: (a) aggressive sales practices that prey on vulnerable consumers; (b) hidden fees; (c) objectively false information given to consumers; (d) unfair and unbalanced contract terms; and (e) behaviour investigated previously by the CMA, such as on drip pricing and fake reviews.
Digital Markets Act (DMA) (EU)
The European Commission has issued its first fines under the DMA, in cases involving Apple and Meta. The Commission found that Apple breached its obligation to allow app developers to inform customers of, and steer them towards, alternative offers outside the App Store, and that Meta breached its obligation to give consumers the choice of a service that uses less of their personal data. The Commission fined Apple €500 million and Meta €200 million and ordered both companies to bring their conduct into compliance.
Cyber
Cyber Resilience Act (CRA) (EU)
The CRA seeks to enhance the cybersecurity safeguards for consumers and businesses buying or using products with digital elements. It imposes mandatory cybersecurity requirements, requires conformity assessments, obliges manufacturers to handle and mitigate vulnerabilities and to report actively exploited vulnerabilities and severe incidents to the authorities, and requires security support (including updates) across a product's support period.
Scope: Smart or connected household devices (such as smartphones, tablets, PCs, cameras, TVs, fridges, exercise equipment, etc.), toys, wearables and software products such as operating systems. The obligations will apply to manufacturers, their authorised representatives, importers and distributors.
Next steps: The CRA entered into force on 10 December 2024. The majority of its provisions will not take effect until December 2027 (although some will apply at an earlier stage – e.g. reporting obligations from September 2026). Companies should now be taking steps to ensure compliance with the CRA's requirements, including assessing its applicability to their products, making provision for cybersecurity risk assessments, building a compliance infrastructure, training staff and planning for product lifecycle support.
Digital Operational Resilience Act (DORA) (EU)
DORA harmonises the approach to digital operational resilience and IT security across the EU financial services sector. The following regulatory technical standards (RTSs), which give financial entities and their IT suppliers more detailed guidance on how to comply with their DORA obligations, recently entered into force: the RTS specifying the information to be provided for oversight purposes, the RTS specifying the content and reporting timelines for major ICT-related incidents, and the RTS specifying the composition of the joint examination team. On 24 March 2025, the European Commission adopted the sub-contracting RTS, after initially rejecting the draft.
Scope: DORA seeks to cover the vast majority of the financial services ecosystem. There is an exhaustive list of covered entities, including payment institutions, investment firms, account information service providers, credit rating agencies, insurers and electronic money institutions.
Next steps: DORA has applied since 17 January 2025. To the extent they have not already done so, firms will need to scrutinise their technology providers' performance more closely (including by conducting enhanced pre-contract diligence), and will in most cases need to revisit the contracts underpinning those relationships to build in the minimum contractual protections DORA requires.
Cybersecurity Act (EU)
The Cybersecurity Act has recently been amended to bring "managed security services" within scope in addition to the ICT products, services and processes that the Act already covers.
Scope: Managed security services are services provided to customers to support their cybersecurity risk management, including incident response, penetration testing, security audits and consultancy.
Next steps: The amendment entered into force on 4 February 2025.
Cyber Security and Resilience Bill (UK)
On 1 April 2025, the UK Government announced further details on the planned Cyber Security and Resilience Bill. The Bill will seek to address concerns arising from a sophisticated threat landscape and recent cyberattacks on critical infrastructure in the UK. It will update the UK’s existing NIS Regulations 2018.
Scope: The Bill will bring managed service providers in scope of the UK NIS Regulations for the first time. The Bill will allow new sectors and sub-sectors to be introduced and new supply chain risk management obligations to be imposed. The criteria for reportable incidents will be expanded and a two-stage reporting process (similar to NIS2) will be adopted.
Next steps: The UK Government plans to introduce the Bill during the current Parliamentary session. The Government is also considering a number of additional measures which could be introduced via the Bill or another legislative vehicle. These include bringing certain data centres within the scope of the updated UK NIS regime and empowering the Secretary of State to direct regulated entities and regulators to take action where necessary for national security.
Data
European Health Data Spaces Regulation (EHDS) (EU)
The EHDS aims to improve access and sharing of health data by addressing the complexities of current European rules on data-sharing in the health sector. The European Commission will establish a central platform to provide services to support and facilitate the exchange of health data between designated authorities in Member States.
Scope: The EHDS will apply to (a) manufacturers and suppliers of electronic health records systems and wellness applications placed on the market and put into service in the EU and the users of such products; (b) controllers and processors established in the EU processing electronic health data; (c) controllers and processors established in a third country that have been connected to or are interoperable with the platform; and (d) data users to whom electronic health data is made available by data holders in the EU.
Next steps: The EHDS regulation entered into force on 26 March 2025, with the first deadlines becoming applicable in March 2027.
EU GDPR Simplification Plan (EU)
The European Commission is finalising a plan to simplify the GDPR to ease the burden on small and medium-sized businesses. The Commission intends to reduce paperwork by extending the exemption from record-keeping requirements to organisations with fewer than 500 employees; the current exemption covers only organisations with fewer than 250 employees.
Scope: The current intention is for organisations with fewer than 500 employees to benefit from reduced administrative burdens. Larger organisations are not expected to be impacted.
Next steps: Plans for the simplification package are under discussion by the European Commission.
The Data (Use and Access) Bill (DUA) (UK)
The DUA updates the UK GDPR and Data Protection Act 2018 with new regulation around automated decision-making, the use of legitimate interests as a purpose for personal data processing, the use of cookies and other tracking technologies, and the ability to use personal data for scientific research purposes. It also converts the UK data protection regulator from the ICO to the Information Commission, with new powers and a different corporate structure.
Scope: The DUA will apply to (a) traders and data holders (businesses that supply goods and services, or digital content); (b) digital verification service providers (businesses offering identity verification services); (c) infrastructure and utility companies (entities that are responsible for underground apparatus); and (d) public sector bodies (entities with responsibility for managing registers of birth and death).
Next steps: The House of Commons is considering amendments to the Bill. It is expected to become law in early summer.
Additional Insights
European Accessibility Act (EAA) (EU)
The EAA will come into effect on 28 June 2025. The EAA mandates that digital products and services (e.g., TVs, smartphones, computers, consoles, ticketing machines, websites) across the EU be accessible to everyone, particularly individuals with disabilities. By standardising accessibility requirements, the EAA aims to eliminate barriers caused by varying national regulations, thereby enhancing accessibility and competitive pricing of these products and services.