Our first edition of 2025 sets out the key EU / UK regulatory developments in digital platforms, online safety, cyber, AI and data. A large amount of long-planned regulation came into force in December and January, including the UK's new digital markets regime, EU Cyber Resilience Act and DORA. Check below whether your business is in scope, and if and when further steps may be required to comply.
Platform
Digital Markets, Competition and Consumers Act (DMCCA) (UK)
The UK's new digital markets regime, applying to firms with "Strategic Market Status" (SMS), came into force earlier this month. The CMA, which is responsible for oversight and enforcement, has launched an investigation into whether to designate Google search services as within the scope of the regime.
Other significant changes to UK competition and consumer law have also come into force:
- Enhanced investigation powers. The CMA now has broader tools to investigate potential breaches of competition law, enabling faster and more effective enforcement.
- Stronger enforcement penalties. Companies face tougher sanctions for failing to comply with CMA investigations, including increased financial penalties for non-cooperation.
- Revised merger control thresholds. Thresholds for merger notifications have been revised, with a focus on capturing transactions that may otherwise escape scrutiny but have significant competitive impacts.
- Streamlined market investigations. The CMA's powers for market studies and investigations have been streamlined, reducing the time needed to address market-wide competition concerns.
Scope: The digital markets regime applies to SMS firms only; the consumer law reforms to all b2c businesses; and the competition law reforms universally.
Next steps: From April 2025, the CMA will have broader powers to investigate unfair commercial practices, including the ability to impose fines of up to 10% of a business's global turnover for breaches of consumer law. Businesses operating in the UK should act now to update their internal policies to reflect the CMA's strengthened powers and audit their practices to avoid potential enforcement action.
Online safety
Online Safety Act (OSA) (UK)
The OSA imposes duties on online service providers to keep users safe. These fall into three categories: illegal harms duties (such as removing terrorism content and child abuse material from online services); child safety duties; and additional duties including transparency and user empowerment.
Scope: Providers of internet services where content is generated, uploaded or shared by users ("user-to-user services"); or providers of a search engine ("search services"). To be in scope, services must have a significant number of UK users, or the UK must form one of the service's target markets.
Next steps: Ofcom's Illegal Harms Codes were published on 16 December 2024, giving in-scope services until 16 March 2025 to complete their Illegal Harms Risk Assessments. In-scope services also have until 16 April 2025 to complete their Children's Access Assessment. All services that allow pornography must implement highly effective age assurance to ensure that children are not normally able to access pornographic content by July 2025 at the latest. For "Part 5" services (i.e. platforms that publish their own pornography), this duty came into effect on 17 January 2025.
Further consultations are expected in the coming months on:
- Better protection for women and girls.
- Automated content moderation.
- Banning the accounts of those found to have shared child sexual abuse material (CSAM).
- Crisis response protocols for emergency events.
- Use of hash matching to prevent the sharing of non-consensual intimate imagery and terrorist content.
- Tackling illegal harms including CSAM through the use of AI.
- Extending the role of highly effective age assurance to protect children from grooming.
Digital Services Act (DSA) (EU)
The DSA creates a single set of rules for increased safety and consistency across digital services in the EU. It imposes new obligations relating to illegal content, content moderation, advertising, transparency reporting, terms and conditions, dark patterns and online marketplaces.
Scope: Digital businesses including hosting providers and online platforms, whether b2c or b2b. Businesses caught include cloud service providers, social media platforms, app stores, online marketplaces, messaging and email services, online forums, games businesses, dating websites and many others.
Next steps: The European Commission has opened several investigations into Very Large Online Search Engines (VLOSEs) and Very Large Online Platforms (VLOPs) for potential infringements.
The Implementing Regulation, which standardises the format, content, and reporting periods for transparency reports, was adopted by the European Commission on 4 November 2024. The key updates are:
- Service providers are encouraged, but not required, to use the Commission's templates for reporting until 30 June 2025. From 1 July 2025, the Commission's template must be used.
- Additional subcategories for "illegal content" have been created as part of the Commission's template, therefore broadening the scope of transparency reporting for those in scope.
- Transparency reports are to be made available online for at least five years following their publication for all providers.
- First reporting cycle: publication of transparency reports is required by 16 February 2025.
- Second reporting cycle: a transitional reporting cycle will cover the period to 31 December 2025.
Cyber
Cyber Resilience Act (CRA) (EU)
The CRA seeks to enhance the cybersecurity safeguards for consumers and businesses buying or using products or software. It does so by imposing mandatory cybersecurity requirements, requiring conformity assessments, requiring steps to mitigate vulnerabilities and to report them to the authorities, and requiring security support across a product's entire lifecycle.
Scope: Smart or connected household devices (such as smartphones, tablets, PCs, cameras, TVs, fridges, exercise equipment, etc.), toys, wearables and software products such as operating systems. The obligations will apply to manufacturers, their authorised representatives, importers and distributors.
Next steps: The CRA entered into force on 10 December 2024. The majority of its provisions will not take effect until December 2027 (although some will apply at an earlier stage – e.g. reporting obligations from September 2026). Companies should now be taking steps to ensure compliance with the CRA's requirements, including assessing its applicability to their products, making provision for cybersecurity risk assessments, building a compliance infrastructure, training staff and planning for product lifecycle support.
Digital Operational Resilience Act (DORA) (EU)
DORA harmonises approaches to digital operational resilience and IT security across the EU financial services sector. Some of the specific obligations under DORA were left to be specified by the European Supervisory Authorities (ESAs), which were required to present regulatory technical standards (RTSs) giving financial entities and their IT suppliers more guidance on how to comply with their DORA obligations. On 21 January 2025, the European Commission rejected the final draft RTS specifying how to determine and assess the conditions for subcontracting ICT services that support critical or important functions.
Scope: DORA seeks to cover the vast majority of the financial services ecosystem. There is an exhaustive list of covered entities, including payment institutions, investment firms, account information service providers, credit rating agencies, insurers and electronic money institutions.
Next steps: DORA came into force on 17 January 2025. To the extent they have not already done so, firms will need to more closely scrutinise their technology providers' performance (including by conducting enhanced pre-contract diligence), and will in most cases need to revisit the contracts underpinning those relationships to build in certain minimum protections. IT suppliers who service the financial services sector will need to ensure their contractual terms are updated to comply with the requirements of DORA and improve their infrastructure and performance to stay in the market. Some "critical" providers will be directly regulated for the first time (though no such providers have yet been designated). The ESAs will now need to revise the draft RTS on subcontracting and propose a new version to the European Commission.
Cybersecurity Act (EU)
The Cybersecurity Act is in the process of being amended to bring "managed security services" within scope, in addition to the ICT products, services and processes that the Act already covers.
Scope: Managed security services comprise service providers of cybersecurity risk management, including incident response, penetration testing, security audits and consultancy.
Next steps: The draft amendment to the Act was adopted by the Council of the EU on 2 December 2024. The amendment will enter into force 20 days after publication in the Official Journal.
NIS 2 Directive (EU)
In an effort to raise the overall level of cybersecurity resilience across the EU, the NIS 2 Directive was passed in January 2023 to replace and repeal the NIS 1 Directive.
Scope: The Directive brings a large number of new industry sectors (and therefore, new types of entities) within scope of its obligations – namely, wastewater, waste management, space, postal and courier services, chemicals, food, manufacturing and public administration.
Next steps: Member States had until 17 October 2024 to transpose the Directive into national legislation but many are running behind. The status of implementing legislation is currently varied – for instance, it has already been implemented in some Member States (e.g. Belgium and Italy), but in others it has only been published in draft form (e.g. Germany and France) and in some cases drafts have not yet been published (e.g. Spain and Sweden).
Data
Data Act (DA) (EU)
The DA aims to set out a framework for data-sharing, ease switching between providers of data processing services, introduce safeguards against unlawful data transfer and provide for the development of interoperability standards so that data can be reused between sectors.
Scope: The DA applies to (a) manufacturers of connected products (e.g. smart devices such as medical devices and wearables etc.) who offer their products to the EU market and providers of related services; (b) users in the EU of connected products or related services; (c) public sector bodies; (d) providers of data processing services to customers in the EU (e.g. cloud service providers); and (e) participants in data spaces and vendors of applications or professionals using smart contracts.
Next steps: The DA will become applicable on 12 September 2025. On 6 September 2024, the Commission published non-binding FAQs on the DA which are designed to assist stakeholders in the implementation of the Act. We recommend clients establish as soon as possible whether they are caught by the DA to ensure compliance.
European Health Data Spaces Regulation (EHDS) (EU)
The EHDS aims to improve access to and sharing of health data by addressing the complexities of current European rules on data-sharing in the health sector. The European Commission will establish a central platform named MyHealth@EU to provide services to support and facilitate the exchange of health data between designated authorities in Member States. These authorities will act as joint controllers of the electronic health data on the platform, with the Commission acting as the processor.
Scope: The EHDS will apply to (a) manufacturers and suppliers of electronic health records systems and wellness applications placed on the market and put into service in the EU and the users of such products; (b) controllers and processors established in the EU processing electronic health data; (c) controllers and processors established in a third country that have been connected to or are interoperable with the proposed MyHealth@EU platform; and (d) data users to whom electronic health data is made available by data holders in the EU.
Next steps: The Council of Europe formally adopted the EHDS regulation on 21 January 2025. It will enter into force 20 days after publication in the Official Journal.
The Data (Use and Access) Bill (DUA) (UK)
The DUA updates the UK GDPR and Data Protection Act 2018 with new regulation around automated decision-making, the use of legitimate interests as a purpose for personal data processing, the use of cookies and other tracking technologies, and the ability to use personal data for scientific research purposes. It also converts the UK data protection regulator from the ICO to the Information Commission, with new powers and a different corporate structure.
Scope: The DUA will apply to (a) traders and data holders (businesses that supply goods and services, or digital content), (b) digital verification service providers (businesses offering identity verification services), (c) infrastructure and utility companies (entities that are responsible for underground apparatus), and (d) public sector bodies (entities with responsibility for managing registers of birth and death).
Next steps: The DUA was scheduled for discussion in the House of Lords under the Report Stage on 21 January 2025, with a further session expected on 28 January 2025. Once this is concluded, the DUA will pass through the House of Commons on its passage to become law.
AI
Artificial Intelligence Act (AI Act) (EU)
The AI Act entered into force on 1 August 2024, setting out a risk-based approach where AI systems will either be (a) prohibited on the basis of unacceptable risk; (b) permitted subject to compliance with stringent requirements and an ex-ante conformity assessment; (c) permitted but subject to certain information and transparency obligations; or (d) permitted without restrictions.
Scope: Organisations developing AI and/or using or adopting AI.
Next steps: From 2 February 2025 the bans on prohibited AI practices will apply, followed by rules on general purpose AI, governance, and sanctions on 2 August 2025. Most of the remainder of the Act (including obligations relating to AI systems classed as high-risk under Annex III) becomes applicable on 2 August 2026, save for a couple of specific exceptions (including the obligations relating to AI systems classed as high-risk under Annex I, which are postponed to 2 August 2027). In addition, the General Purpose AI Code of Practice, which is intended to provide guidance as to how providers can demonstrate their compliance with the AI Act, is expected to be published in April 2025.
UK Government approaches to AI
In January 2025, the UK Government released its response to the AI Opportunities Action Plan. Amongst the commitments to spending on AI, the government notes its plans to set out its approach on AI regulation. The Government also published its response to the report on governance of AI from the House of Commons Science, Innovation and Technology Select Committee. Notably, the Government agrees that specific legislation to regulate AI is required and a consultation will be published shortly.
In addition, in December 2024, the UK opened a consultation into copyright and AI. The consultation notes that the current law on copyright does not work for AI and that this needs to be addressed. The suggested approach includes: (a) transparency requirements, with the consultation seeking suggestions as to how these could be implemented in practice; (b) permitting text and data mining for commercial purposes, with an option for the rights holder to opt out; and (c) protection for the outputs of AI.
Next steps: The consultation into copyright and AI closes on 25 February 2025.
Additional Insights
European Accessibility Act (EAA) (EU)
The EAA, effective from 28 June 2025, will ensure digital products and services are accessible to all, especially those with disabilities, across the EU. The EAA applies to businesses within EU Member States and covers products like computers, ATMs, smartphones, and e-commerce. By standardising accessibility requirements, the EAA aims to remove barriers created by divergent national regulations, making these products and services more accessible and competitively priced.
Product Liability Directive (PLD) (EU)
The PLD entered into force on 8 December 2024. It ensures victims can claim compensation from manufacturers for damage caused by defective products, which now also include AI systems. As well as holding online platforms liable for defective products sold through their services, the Directive mandates an EU-based liable party for compensation claims, even if the manufacturer is outside the EU. Further, the PLD introduces tools to help victims request evidence in court, easing the burden of proof in more complex cases.