Navigating AI Integration and Cybersecurity Demands

As we look ahead to 2025, businesses must consider key themes such as AI integration and cybersecurity demands, which will significantly impact strategic decisions and regulatory compliance.

Key Considerations in 2025

Evolving AI Represents Positive and Negative Change for Businesses

As the development and use of AI continues to evolve over the next 12 months, organisations should consider two fundamental issues. On the one hand, how can they leverage AI to enhance and grow their business (such as improving efficiency and reducing costs)? And on the other, will AI render certain aspects of their business less important—or even obsolete? The answer to these questions will play a critical role in shaping their success over the coming years.

EU AI Act Preparation Ramps Up

Organisations will ramp up their preparations for compliance with the EU’s AI Act, which took effect in August 2024 but whose provisions will apply in a staggered timeline over the next three years. Establishing governance frameworks, mapping products and services for potential AI Act application, and educating internal stakeholders should all be front of mind for organisations as they plan for the coming year.

A Renewed Focus on Cyber Laws

Complying with a pair of new EU cybersecurity laws will be a particular focus for many organisations in 2025. The NIS2 Directive took effect on 17 October 2024, and the Digital Operational Resilience Act takes effect on 17 January 2025. Both laws impose new and enhanced obligations around operational resilience, incident reporting and third-party contracting—with GDPR-like fines for non-compliance and liability going to the board level.

Evolving UK Digital Regulation Landscape

The Labour government’s legislative agenda for digital regulation will further take shape in 2025. In addition to the Data (Use and Access) Bill, which was introduced to Parliament in October 2024 and seeks to reform Britain’s data protection regime, we expect to see legislation around cybersecurity (including provisions on notifying the Government of ransom payments) and, perhaps, artificial intelligence.

Divergence in EU and UK Regulatory Interpretation

Although regulatory interpretation of and enforcement under the GDPR and UK GDPR have to date been broadly aligned, we expect to see that change in the next 12 months. The UK ICO has recently taken a more permissive approach than its EU counterparts to ’pay or consent models‘ and using public data to train AI models, which suggests that we may start to see further regulatory divergence in the coming year.

Children’s Data Becomes an Enforcement Priority

As children go online at a younger age than ever before, regulators have been increasingly vocal about ensuring their protection. Although to date there has been sporadic enforcement against companies processing children’s data, 2025 could be the year that changes—with large fines being issued in relation to (i) allowing underage children onto social media platforms, and (ii) advertising being targeted to children.

Trends and themes to act on

Leveraging AI for Growth: When evaluating how AI can enhance your business operations, be aware of the preparation needed regarding the EU AI Act to ensure compliance.
Strengthening Cyber Resilience: It will be increasingly important to have an in-depth understanding of the requirements of new EU cybersecurity laws such as NIS2 and DORA to avoid significant fines.
Adapting to Regulatory Changes: To remain compliant and ahead of regulatory changes, continue to stay informed about evolving UK digital regulations and the divergence in EU and UK GDPR interpretations.

For more information

If you would like to speak to someone, please contact a member of our London team.

Rohan Massey

Partner

London+44 20 3201 1636

Rohan.Massey@ropesgray.com

See Bio

Edward Machin

Counsel

London+44 20 3847 9094

Edward.Machin@ropesgray.com

See Bio

Additional Themes in 2025

See All