Digital Regulation

The last few years have seen a wave of new, sometimes overlapping, digital regulation across the globe. The EU’s ambitious digital programme has resulted in numerous pieces of legislation, while the UK is treading a delicate line of testing post-Brexit divergence while recognising the need for global businesses to have certainty and consistency. 2025 will be the year when many of those new laws start to bed down, and organisations need to put processes in place to comply. Here we look at developments in four key areas: AI, data, competition and digital regulation for financial services. 

AI

The EU AI Act has dominated discussions around AI regulation in Europe and beyond for some time. While it is now in force, this focus may continue as further developments are expected this year. For example, the rules banning certain AI use apply from this February and those relating to general purpose AI apply from this August. Listening to EU legislators and regulators discussing implementation of the Act, they do (particularly following the Draghi report on EU competitiveness) seem very aware of the challenge they face to ensure regulation does not stifle innovation in a highly competitive global AI market – and this theme (or tension) is something we are seeing played out more generally in relation to digital regulation across the globe. That said, in the UK we are also expecting an AI Bill, although this is only expected to regulate those developing the most powerful AI models. 

New AI specific laws are not, however, the only developments requiring focus. AI raises particular challenges for intellectual property law, and we await case law and/or government intervention to determine whether current approaches to training AI are compatible with IP law and whether the output from generative AI is protectable. Ultimately this comes down to balancing the interests of content providers and AI developers. 

On the privacy front, regulators continue their focus on AI. Organisations are still processing new guidance from both the EU and UK. At the time of writing, we expect the European Data Protection Board (EDPB) to publish its foundation models paper on 23 December 2024 and we additionally expect the UK’s data regulator, the Information Commissioner’s Office (ICO) to publish the response to its consultation on generative AI, with more developments expected in 2025. 

In other areas, the UK’s new Online Safety rules and developments from sector regulators (including the financial regulators – see below) are also expected to impact AI.

Data

2025 looks to be a year of change for data privacy. The UK’s Data (Use and Access) Bill is expected to become law in the first half of 2025, amending the existing data privacy legislation. Most significantly for business, this Bill introduces higher penalties for cookie and marketing infringements, in line with those under the GDPR, and facilitates "Smart Data" data sharing schemes in sectors such as finance and energy, building on the success of the UK’s existing Open Banking scheme. New guidance from the ICO is also expected on key topics including data anonymisation and cookies. In the EU, businesses will welcome promised guidance from the EDPB on the interplay between the GDPR and other data-relevant legislation, including the AI Act and Digital Markets Act. Further key pieces of EDPB guidance are expected on anonymisation and “consent or pay” models (beyond those being operated by large online platforms). It is also expected that EU GDPR procedural reforms will progress during 2025, potentially to completion, which promise to facilitate more efficient resolution of complex cross-border cases, whilst the incoming EU Commissioner for Justice, Michael McGrath, has said he will address unfair personalisation practices. 

Competition

In the UK, and at the time of writing, the new digital markets regime established by the Digital Markets, Competition and Consumers (DMCC) Act 2024 is expected to commence shortly, with the Competition and Markets Authority (CMA) planning to designate three or four firms as having “strategic market status” in the first year after commencement. Once designated, these firms will have to comply with merger reporting obligations and targeted conduct requirements, and could be the subject of “pro-competitive interventions” by the CMA. A new merger control threshold intended to capture “killer acquisitions” will also become operational.

In Europe, we can expect the existing momentum of enforcement under the Digital Markets Act (DMA) to continue in 2025 – the new Competition Commissioner, Teresa Ribera, has said she plans “vigorous enforcement” of the DMA, a sentiment echoed by Henna Virkkunen, Executive Vice-President for Tech Sovereignty, Security and Democracy. The two Vice-Presidents plan to work closely on the DMA and have the shared priorities of opening up closed ecosystems, giving consumers choice and ensuring data belongs to those who generate it. Ribera has made clear that greater resources will be needed to enforce the DMA, noting that this is an issue which “goes beyond our borders” and requires coordination with national competition authorities. 

Digital regulation for financial services

Businesses operating in the financial services sector are subject to specialised digital regulation, which will continue to evolve across 2025. Regulatory rules on operational resilience, which seek to manage the risk of cyber-attacks and IT system outages among other disruptions, will apply in the EU from 17 January 2025 and to specified UK firms by no later than 31 March 2025. As part of this operational resilience framework, both jurisdictions will also start to designate a small number of third party (which could include AI and cloud service) providers to the financial sector as "critical", imposing requirements on them directly.

This regulatory capture of critical third parties speaks to the increasing enmeshment of technology and financial services. Responding to this, we expect financial regulators in the EU and UK to continue to dig into the impacts of Big Tech's entry into financial services, progress the development of Open Finance, and modernise the payment services landscape.

As AI use cases in the financial sector proliferate, we may receive clarification from EU authorities on the relationship between financial regulation and the EU AI Act, and there are suggestions that the current tech-agnostic approach to AI of the UK regulators may ultimately shift. Finally, the EU’s regulatory framework for cryptoassets applied in full from 30 December 2024 and will start to take hold in 2025 (subject to grandfathering provisions). The UK has confirmed that it will press ahead with a more comprehensive regulatory framework for cryptoasset activities in 2025, with final rules expected in 2026.