2024 has seen major changes to the EU legislative framework for data and cyber, and 2025 promises to showcase a couple of further interesting legal developments.

The Data Act entered into force in January 2024 and mostly applies from 12 September 2025, except for specific provisions that apply at a later stage. The Data Act contains provisions regarding the access, use, making available and sharing of data (both personal and non-personal data) generated by the use of connected products and related services.

The EU AI Act was adopted in July 2024, with the first obligations taking effect in February 2025. The EU AI Act provides for graduated regulation of AI products based on risk categories: it prohibits certain technologies and imposes obligations on technology producers and deployers based on the risk category into which the AI product falls, and provides an important additional layer of regulation where personal data is processed by AI technologies.

The implementation deadlines for both the NIS 2 Directive (which broadens the scope of application and also extends the relevant obligations in comparison to NIS) and the Critical Entities Resilience Directive (which strengthens the resilience of critical entities) passed in October 2024. National implementing legislation is already in force in some jurisdictions, although many jurisdictions have not yet passed their implementing legislation.

The Cyber Resilience Act (“CRA”) has been published on 20 November 2024. The CRA will enter into force on 10 December 2024 and will be mostly applicable from 11 December 2027 with some provisions applying at an earlier stage. The CRA will introduce new obligations on manufacturers of products with digital elements designed to ensure the cybersecurity of such products.

The Data Governance Act is applicable since 24 September 2023., The prohibition on exclusive agreements for use of public sector data (except in limited circumstances) will take effect on 24 December 2024.

The Political Advertising Regulation has also been adopted on 13 March 2024 and will be mostly applicable from 10 October 2025, with some provisions applying since 9 April 2024. It lays down certain rules and requirements, including transparency and due diligence obligations, for the provision of political advertising and related services as well as on targeting techniques and ad-delivery techniques involving personal data processing in the context of online political advertising provision.

The Digital Operational Resilience Act (“DORA”) will also mostly apply from 17 January 2025. It sets forth uniform requirements concerning the security of network and information systems supporting the business processes of financial entities.

It is expected that that the European Health Data Space Regulation, on which a political agreement has been reached, will be published and enter into force later in 2025.

In 2025, it is anticipated that the GDPR Enforcement Procedures Regulation will either be adopted, or at the very least, reach the final stages of the legislative process.