In 2025, significant changes are expected in IT law and regulation, especially concerning artificial intelligence (AI), data protection, and technology exports. This year is notable due to political shifts, such as early elections in Germany, a new EU Commission, and Donald Trump’s second term in the US. These changes will likely influence IT regulations globally.
A key focus is the regulation of AI. The AI Act, effective from August 2024, introduces EU-wide regulations for AI, with a phased implementation allowing businesses and authorities time to adapt. Initially, from February 2025, certain AI systems, such as those involved in behavior manipulation and biometric categorization, will be banned. Violations could result in hefty fines.
By May 2025, the EU Commission must publish a code of conduct for general-purpose AI models. Compliance with this code implies adherence to the AI Act’s requirements; otherwise, alternative compliance methods must be demonstrated. The code’s development involves various stakeholders, including companies and interest groups.
From August 2025, obligations for general-purpose AI models come into effect. These include technical documentation, integration guidelines, and appointing a representative if the provider is outside the EU. Open-source AI models have some exceptions. Models posing systemic risks face stricter requirements, such as cybersecurity measures and incident reporting.
Germany faces a crucial deadline in August 2025 to establish a national authority for the AI Act. Previously, the Federal Network Agency was considered for this role, but changes in government could alter this direction, potentially leading to EU infringement proceedings if the deadline is missed.
Data protection and export controls are also critical areas. Meta’s decision not to release its AI model Llama 3.2 in the EU highlights concerns over data protection. Export controls, especially concerning AI technologies, are under discussion, with potential tightening expected, particularly regarding China.
The Data Act, effective September 2025, aims to enhance data usage across sectors, facilitating a single EU data market. It emphasizes fair data sharing between companies and consumers and among businesses. Manufacturers face design obligations, and public authorities gain access rights to private sector data for public interest purposes.
Discussions on revising the General Data Protection Regulation (GDPR) are ongoing, with calls for a GDPR 2.0 to modernize EU data protection. The new EU Commission seeks to harmonize regulations, addressing inconsistencies between GDPR and the AI Act that hinder innovation.
In finance, the Digital Operational Resilience Act (DORA) will enhance digital system stability in the financial sector from January 2025. Quantum computing and cybersecurity are also areas of interest, with potential regulatory developments expected.
In Germany, electronic invoicing becomes partially mandatory for B2B transactions from January 2025. The Accessibility Strengthening Act, effective June 2025, requires products and services to be accessible to people with disabilities, affecting businesses offering telecommunications and banking services.
The electronic health record (ePA) will be introduced in January 2025, with an opt-out system for insured individuals, aiming to improve healthcare data exchange and patient care.
The proposed Employee Data Act, addressing data protection in the workplace, is uncertain due to political changes. The implementation of the NIS2 Directive, enhancing cybersecurity, is also affected by political shifts.
Other legislative efforts, such as the Data Governance Act and amendments to the Computer Crimes Act, are ongoing. The latter seeks to clarify legal protections for ethical hacking and penetration testing.
Overall, 2025 promises significant developments in IT law, influenced by political changes and ongoing regulatory efforts at both national and EU levels. Businesses must stay informed to comply with new regulations and adapt to the evolving legal landscape.