Update
28.01.2025
In 2025, the landscape of technology and law is set to undergo significant transformations. With the implementation of the EU Artificial Intelligence Act (AI Act), new cybersecurity regulations, and enhanced transparency requirements for digital platforms, businesses and individuals alike must navigate a complex web of compliance and innovation. In this article we will give you the five key developments you need to know.
  • #1. Key AI Act provisions start applying in 2025

    In 2025, several key dates are crucial for the implementation of the EU Artificial Intelligence Act (AI Act). Starting on 2 February 2025, the general provisions (Chapter I) take effect, including requiring AI providers and deployers to ensure their staff, and others involved, have sufficient AI literacy (Article 4). At the same time, prohibitions on unacceptable risk AI systems (Chapter II) come into force. Prohibited practices include manipulative or deceptive AI systems, social scoring, crime risk assessments, biometric categorisation, and real-time remote biometric identification in public spaces. Bans also cover emotion recognition in workplaces and education, and the untargeted scraping of facial images for facial recognition databases.

    As from 2 August 2025, rules regarding notified bodies (Chapter III, Section 4), GPAI models (Chapter V), governance (Chapter VII), confidentiality (Article 78), and penalties (Articles 99 and 100) will apply. However, as the AI Act advances, technology is also evolving. The emergence of chatbots such as ChatGPT and tools like Copilot has resulted in the development of so-called AI agents. These AI systems are capable not only of answering questions but also of taking over tasks and making autonomous decisions. So on top of AI Act compliance, data protection authorities are keen to closely examine these AI solutions for GDPR compliance.

  • #2. Improved cybersecurity regulations and compliance requirements

    The EU's Cybersecurity Strategy aims to enhance Europe’s resilience against cyber threats by improving cooperation among member states and incident response capabilities. Under this strategy, the second Network and Information Security Directive (NIS2) plays a crucial role. NIS2 expands the scope of sectors and entities required to comply with ICT security requirements, including critical infrastructure such as energy and transport, as well as digital services like cloud computing providers and data centres. Organisations must adopt stringent security measures, including risk management practices, incident response plans, and regular security assessments. Enhanced obligations for reporting significant cyber incidents to national authorities are also mandated. Member states had until 17 October 2024 to transpose NIS2 into their national legislation, with provisions applying from 18 October 2024. However, in the Netherlands, the implementation of both NIS2 and the Critical Entities Resilience Directive (CER) has been postponed to Q3 of 2025. Despite this delay, entities subject to NIS2 will already possess certain rights. Specifically for financial institutions, 17 January 2025 marked the start of ICT security requirements under the Digital Operational Resilience Act (DORA).

    All these regulatory requirements significantly impact the agreements of obligated entities with their third-party ICT service providers.

  • #3. More transparency and liability for digital platforms and content

    The Digital Services Act (DSA) will be fully implemented by 2025. Key aspects include (i) enhancing transparency, requiring platforms to disclose more information about their algorithms and content moderation practices; (ii) imposing stricter liability rules, making online platforms more accountable for illegal content and goods; and (iii) empowering users, giving them more control over the content they see and providing stronger mechanisms to report illegal content. Furthermore, we expect increased activity from national supervisors in 2025, particularly considering resistance from US BigTech firms to EU-style regulation. For example, starting 8 November 2024, the Dutch Competition Authority (ACM) will supervise compliance with the EU Platform-to-Business Regulation (P2B), in effect since 12 July 2020. This regulation aims to enhance transparency and fairness for business users of online intermediation services and search engines. Businesses can report violations to the ACM, which plans to conduct two to three investigations annually. That makes it crucial for both online platforms and businesses using these platforms to understand and comply with P2B requirements. For more detailed information about the requirements, refer to our article 'The Platform-to-Business (P2B) Regulation under ACM supervision: five things you need to know'.

  • #4. Improving data sharing and data protection

    In 2025, the EU’s data regulation landscape will undergo further changes with the introduction of the Data Act and the recent adoption of the European Health Data Space Regulation (EHDS). These new regulations, alongside the Data Governance Act (DGA), are key pillars of the European Data Strategy, which envisions a single market for data. This market will facilitate the seamless flow of both personal and non-personal data across borders and sectors, with appropriate safeguards in place.

    The Data Act, which entered into force on 11 January 2025 and will be largely applicable from 12 September 2025, establishes clear rules on the permissible use of data generated by the Internet-of-Things (IoT). It ensures legal certainty for entities generating this data, maintaining incentives for high-quality data generation. Furthermore, it addresses contractual imbalances by protecting organisations from unfair terms imposed by more powerful players and allows public sector bodies access to private sector data for specific public interest purposes, such as emergency response. Additionally, it enables customer switching between different data-processing service providers, thereby enhancing interoperability within the EU cloud market.

    The EHDS Regulation establishes a legal framework for the accessibility and exchange of health data across the EU. It enables both primary and secondary uses of health data, without requiring prior consent, while still offering individuals the possibility to opt out.

  • #5. Ensuring digital accessibility for all users

    From 28 June 2025, various organisations and (semi-)public authorities must comply with new accessibility requirements under the EU Accessibility Act (EAA). The EAA covers a wide range of products and services, including smartphones, ATMs, ticketing machines, telephony services, audio-visual media services, elements of passenger transport services, (online) consumer banking services, and e-commerce platforms. Organisations must ensure that people with disabilities (e.g. visual or auditory impairment, illiteracy, or problems with fine motor skills) can use products or navigate websites as easily as any other user. Websites must comply with the Web Content Accessibility Guidelines (WCAG) and adhere to the POUR principles: perceivable, operable, understandable, and robust. Additionally, organisations must provide an accessibility statement on their website, use alternative text for images, offer various contract methods, and enable users to report accessibility issues.

    The EAA exempts microenterprises (<10 employees and ≤EUR 2 million annual turnover) and cases where compliance would fundamentally alter the nature of a product or impose a disproportionate burden. Non-compliance can result in fines up to EUR 500,000 (in Germany), corrective measures, and even potential suspension of business operations. Organisations should therefore audit their products and services for accessibility issues by 2025 and continually educate their teams about ongoing EAA requirements.

Any questions?

At NautaDutilh, we understand that navigating the complexities of new regulations can be challenging for your organisation. We are here to help. Our team will guide you, to ensure your organisation meets all requirements smoothly. For personalised assistance, do not hesitate to contact one of our experts.
