1. Full Steam Ahead: The European Union’s (EU) Artificial Intelligence (AI) Act in Action — As the EU’s landmark AI Act officially takes effect, 2025 will be a year of implementation challenges and enforcement. Companies deploying AI across the EU will likely navigate strict rules on data usage, transparency, and risk management, especially for high-risk AI systems. Privacy regulators are expected to play a key role in monitoring how personal data is used in AI model training, with potential penalties for noncompliance. The interplay between the AI Act and the General Data Protection Regulation (GDPR) may add complexity, particularly for multinational organizations.
  2. Network and Information Security Directive (NIS2) Matures: A New Era of Cybersecurity Regulation — The EU’s NIS2 Directive will enter its enforcement phase, expanding cybersecurity obligations for critical infrastructure and key sectors. Companies must adapt to stricter breach notification rules, risk management requirements, and supply-chain security mandates. Regulators are expected to focus on cross-border coordination in response to major incidents, with early cases likely setting important precedents. Organizations will likely face increasing scrutiny of their cybersecurity disclosures and incident response protocols.
  3. The Evolution of Data Transfers: Toward a Unified Framework — After years of turbulence, 2025 may mark a turning point for transatlantic and global data flows. The EU-U.S. Data Privacy Framework will face ongoing reviews by the European Data Protection Board (EDPB) and potential legal challenges, but it offers a clearer path forward. Meanwhile, the EU may continue striking adequacy agreements with key trading partners, setting the stage for a harmonized approach to cross-border data transfers. Companies will need robust mechanisms, such as Standard Contractual Clauses and emerging Transfer Impact Assessments (TIAs), to maintain compliance.
  4. Consumer Rights Expand Under the GDPR’s Influence — The GDPR continues to set the global benchmark for privacy laws, and 2025 will see the ripple effect of its influence as EU member states refine their own data protection frameworks. Enhanced consumer rights, such as the right to explanation in algorithmic decision-making and stricter opt-in requirements for data use, are anticipated. Regulators are also likely to target dark patterns and deceptive consent mechanisms, driving companies toward greater transparency in their user interfaces and data practices.
  5. Digital Markets Act Meets GDPR: Privacy in the Platform Economy — The Digital Markets Act (DMA), fully enforceable in 2025, will bring sweeping changes to large online platforms, or “gatekeepers.” Interoperability mandates, restrictions on data combination across services, and limits on targeted advertising will intersect with GDPR compliance. The overlap between DMA and GDPR enforcement will challenge platforms to adapt their practices while balancing privacy obligations. This regulatory synergy may reshape data monetization strategies and set a precedent for digital market governance worldwide.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Dr. Viola Bensinger Dr. Viola Bensinger

Viola Bensinger is Global Co-Chair of the Greenberg Traurig’s IP & Technology Practice Group and the Global Data Privacy & Cybersecurity Practice, and also chairs the Technology Practice in Germany. She advises clients from the technology, media, health care, automotive and other industries.

Photo of Carsten A. Kociok Carsten A. Kociok

Carsten Kociok focuses his practice on the technology industry. He has broad experience in the areas of Internet, information technology, electronic and mobile payments and new media, as well as regulatory and data protection law issues.

Carsten advises national and international companies from

Carsten Kociok focuses his practice on the technology industry. He has broad experience in the areas of Internet, information technology, electronic and mobile payments and new media, as well as regulatory and data protection law issues.

Carsten advises national and international companies from the Internet, payments and technology industries on the commercial and regulatory side of their business, in particular in the areas of e-commerce and e-business, electronic and mobile payments, service distribution, franchising, outsourcing and technology transactions. This includes all aspects of e-money and payments law, financial services law, data protection and data security regulations, money laundering obligations as well as marketing, unfair competition, consumer protection and general contract law.

Prior to joining the firm, Carsten worked at Olswang for eight years and in the Capital Transaction Practice Group of an international law firm in New York.

Photo of Dr. Philip Radlanski Dr. Philip Radlanski

Philip Radlanski is a Local Partner in the IP & Technology Practice Group. He advises clients ranging from early-stage start-ups to large corporations on privacy and cybersecurity issues. His work focuses on complex and innovative data-heavy projects, often with cross-border aspects. He also

Philip Radlanski is a Local Partner in the IP & Technology Practice Group. He advises clients ranging from early-stage start-ups to large corporations on privacy and cybersecurity issues. His work focuses on complex and innovative data-heavy projects, often with cross-border aspects. He also assists with addressing cybersecurity issues, including data breach incident management and response. He gained strong recognition throughout Europe for his representation in the first German trial against a GDPR fine, in which he was able to achieve a reduction of the multimillion-euro fine by more than 90 percent.

Philip is known for his pragmatic approach, which he was able to further refine through several months of secondments to the legal departments of a leading German internet service provider and an internationally operating online marketplace for food delivery. A further one-year secondment to the Global Privacy & Data Security Group of an international law firm in New York shaped Philip’s understanding of the U.S. market and U.S. clients.

Prior to practicing as an attorney, Philip worked as a research assistant at the University of Regensburg, Germany, and as a visiting tutor at King’s College London, UK. He also worked with the German Federal Film Board, the cybercrime division of the Berlin District Attorney’s Office, and for different international law firms in Berlin, New York, and Sydney.

He is a member of the German Association for the Protection of Intellectual Property and Copyright (GRUR), the International Technology Law Association (ITechLaw), and the Bauhaus Archive.