Insights

Whether it is personal, customer, training or other data, one thing is clear: data continues to be an important currency and revenue driver for companies. Rapidly changing technology, coupled with developing regulations, requires companies that use or disclose data to be extremely vigilant to stay current. Today, companies struggle to keep up with seemingly nonstop changes to state-level law. These struggles are exacerbated by quickly developing regulations and regimes overseas— creating challenges for international data transfers and international transactions. To optimize the value of their data into 2025 and beyond, companies should consider addressing these challenges with a new focus and additional precision in their commercial agreements.

The rapid advancement of artificial intelligence (AI) has spurred a wave of legislative action across the United States—with New York and California arguably emerging as frontrunners. Both states enacted laws in 2024 aimed at regulating AI, but their approaches differ significantly, reflecting distinct priorities and concerns.

The Asia-Pacific (APAC) region witnessed a rapid digital transformation in 2024, powered by its connectivity and technological innovations. However, these advancements have introduced new vulnerabilities into the region’s digital ecosystem, which more sophisticated and nuanced cyber threats are already exploiting. In Q2 2024 alone, the APAC region experienced an average of 2,510 weekly cyberattacks per organization, marking a 23 percent increase compared to the same period in 2023.

In 2025, owners and operators of critical infrastructure will have new security and information sharing obligations to consider under the National Security Memorandum 22 (“NSM-22” or the “Memorandum”). NSM- 22 replaces the Obama-era Presidential Policy Directive 21: Critical Infrastructure Security and Resilience (PPD-21).

On June 13, 2024, the European Union (EU) adopted the Artificial Intelligence Act (EU AI Act), making it the first-ever global law to regulate the use of artificial intelligence in a broad and horizontal manner. The historic measure applies to the development, deployment, and use of AI in the EU. Importantly, the EU AI Act has a certain “extra-territorial” effect to the extent that it is applicable to providers placing AI systems on the market in the EU, even if these providers are established outside the EU.

The EU Cyber Resilience Act (CRA) was formally adopted by the European Council on October 10, 2024. Its main goal is to enhance cybersecurity and cyber resilience across the EU by establishing common cybersecurity standards for digitally enabled products, such as required incident reports and automatic security updates. This includes, for example, connected home products (cameras, fridges, toys), password managers, firewalls, and VPNs.

In March 2024, after years of preparation, the Council of the European Union and the European Parliament reached a provisional agreement on a new regulation governing electronic health data. The regulation, known as the European Health Data Space, was first proposed in March 2022 and, when formally adopted, will apply to the primary use and secondary use of health data. This initiative is a key component of the broader EU data strategy and represents the first of nine sector– and domain–specific data spaces outlined in the European Commission’s 2020 communication on “A European strategy for data.”

When President Joe Biden issued the Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence in 2023, his administration recognized not only the extraordinary promise of artificial intelligence (AI) but also the risks that irresponsible use of the technology posed. The risks identified by the President include algorithmic discrimination in activities that impact consumers, job candidates, and employees.

The People’s Republic of China’s data protection laws have evolved rapidly in recent years, reflecting the global trend towards greater data privacy and security. The cornerstone of this legal framework has been a trio of measures: the Cybersecurity Law (CSL), the Data Security Law (DSL), and the Personal Information Protection Law (PIPL). These three laws collectively govern the whole lifecycle of data processing.

In 2024, Latin American countries ramped up their data protection laws, following the general trend seen in international privacy law outside of the European Union. While many countries in Latin America enacted measures in 2024, others scheduled their regulations to go into effect in early 2025, and still others continue to wrestle with the legislative process.

On October 18, 2024, the requirements of Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS2 Directive) entered into force. The NIS2 Directive outlines the cybersecurity responsibilities of both “essential” and “important” entities, and sets out the duties of “management bodies,” emphasizing their potential liability for failure to comply with the new mandates, along with significant penalties for entities that fail to meet their obligations.

After years of anticipation and a series of delays, implementation of the U.S. Department of Defense’s Cyber Maturity Model Certification Program (CMMC) is rapidly approaching. Though CMMC is not expected to enter into effect until early-to- mid 2025, DOD contactors can start taking steps now to ensure a smooth transition into this new regulatory era.