Insights

Whether it is personal, customer, training or other data, one thing is clear: data continues to be an important currency and revenue driver for companies. Rapidly changing technology, coupled with developing regulations, requires companies that use or disclose data to be extremely vigilant to stay current. Today, companies struggle to keep up with seemingly nonstop changes to state-level law. These struggles are exacerbated by quickly developing regulations and regimes overseas— creating challenges for international data transfers and international transactions. To optimize the value of their data into 2025 and beyond, companies should consider addressing these challenges with a new focus and additional precision in their commercial agreements.

The rapid advancement of artificial intelligence (AI) has spurred a wave of legislative action across the United States—with New York and California arguably emerging as frontrunners. Both states enacted laws in 2024 aimed at regulating AI, but their approaches differ significantly, reflecting distinct priorities and concerns.

The Asia-Pacific (APAC) region witnessed a rapid digital transformation in 2024, powered by its connectivity and technological innovations. However, these advancements have introduced new vulnerabilities into the region’s digital ecosystem, which more sophisticated and nuanced cyber threats are already exploiting. In Q2 2024 alone, the APAC region experienced an average of 2,510 weekly cyberattacks per organization, marking a 23 percent increase compared to the same period in 2023.

In 2025, owners and operators of critical infrastructure will have new security and information sharing obligations to consider under the National Security Memorandum 22 (“NSM-22” or the “Memorandum”). NSM- 22 replaces the Obama-era Presidential Policy Directive 21: Critical Infrastructure Security and Resilience (PPD-21).

On June 13, 2024, the European Union (EU) adopted the Artificial Intelligence Act (EU AI Act), making it the first-ever global law to regulate the use of artificial intelligence in a broad and horizontal manner. The historic measure applies to the development, deployment, and use of AI in the EU. Importantly, the EU AI Act has a certain “extra-territorial” effect to the extent that it is applicable to providers placing AI systems on the market in the EU, even if these providers are established outside the EU.

The EU Cyber Resilience Act (CRA) was formally adopted by the European Council on October 10, 2024. Its main goal is to enhance cybersecurity and cyber resilience across the EU by establishing common cybersecurity standards for digitally enabled products, such as required incident reports and automatic security updates. This includes, for example, connected home products (cameras, fridges, toys), password managers, firewalls, and VPNs.