2. News
  3. The key data regulations and trends in 2025

Are you up to data? The key data regulations & trends in 2025

At FTI, we believe that clear and simple regulations are essential to stimulate and accelerate innovation. However, as the regulatory landscape evolves, it remains crucial for companies to understand and comply with the rules as they currently stand.

CEO Blog banner (260 x 260 px) (1)

To help businesses navigate these changes, we asked our FTI Alliance partner, Four & Five – specialists in legal guidance for technology, innovation and data – to provide an expert update on the key developments shaping the data regulatory landscape in 2025. This also includes the wave of legislative initiatives introduced in 2024 to regulate data and emerging technologies (including the AI Act, the Data Act and the Data Governance Act), which are now beginning to take shape.

 

European internal market for data

The European Union is actively shaping a future where data flows freely and securely across borders, while respecting user empowerment and control. With regulations like the Data Governance Act and the Data Act, the EU is making data more accessible and easier to exchange via ‘Common European Data Spaces’. Various sector-specific regulations such as the European Health Data Space (EHDS) and the Framework for Financial Data Access (FIDA) encourage seamless data sharing across multiple sectors, including healthcare and finance, to foster technological progress.

 

At the same time, these initiatives aim to support individual empowerment, for example through the advancement of stronger data portability rights for individuals. These rights enable individuals to have more control over their (personal) data and allow for a smoother transition between service providers without losing access to their information. To effectively grant such data-user rights, companies need to adapt, streamline and optimize their internal processes and software architectures to ensure seamless and efficient data portability to different service providers.

 

Data mesh: ‘Data-as-a-Product’

As datasets become more important than ever to support technological innovation and companies can now build on the concept of common data spaces to offer and valorize their datasets (via licensing) for further usage across borders, the ability to make such datasets interoperable becomes crucial. To boost data flows across sectors, technology and borders, companies will have to standardize their data formats and databases to ensure smooth data exchanges, data portability and interoperability across diverse technologies. Without standardized formats, datasets risk becoming isolated silos and models risk becoming fragmented systems.

 

As a result, businesses are increasingly embracing common standards, introducing ‘data-as-a-product’, whereby data(sets) and models are ‘packaged’ in streamlined formats, allowing self-service use without requiring direct involvement from the data provider. FTI’s platform is at the forefront of this data mesh trend by connecting data providers with potential data users, giving them an overview of the data landscape to leverage (existing) data and models. By embracing such common standards and self-service data-products, companies can foster greater and more cost-efficient collaboration, ultimately valorizing their data ecosystem by making it more accessible, agile and future-proof.

  • Day in the life- Holly (8)

Data quality: get your AI Act together!

Data quality and model understandability and observability are the cornerstones of effective decision-making, reliable insights, and successful innovation. As businesses continue to develop and deploy AI systems and models, maintaining these elements becomes crucial.

 

Artificial intelligence is transitioning from an unregulated frontier to a governed domain with the phased entry into force of the EU AI Act in 2025. This first-of-its-kind legislation introduces a risk-based approach, classifying AI systems as limited-risk, high-risk, or unacceptable-risk systems, each with corresponding compliance obligations. Obligations include, among others, the implementation of data quality management procedures including regular data validation, cleansing, and standardization to ensure that data-driven decisions and models are based on reliable and actionable information.

 

The gradual rollout of the AI Act should, however, not be viewed as a reason to delay compliance. The key to successful implementation is embedding data and model quality standards and governance procedures into a company’s core culture from the first development stages, ensuring they are seamlessly integrated into the company’s daily operations and values.

 

To stay ahead, companies must take proactive measures to ensure compliance by focusing on building their AI-model with an appropriate level of accuracy, robustness, and cybersecurity in mind. Beyond the technical aspects, implementing training programs that enhance AI literacy across teams will be critical in creating a proactive compliance strategy and ensuring the successful integration of AI into all business units.

By making compliance an integral part of their strategy and culture, businesses can future-proof their operations and mitigate (legal) risks.

 

GDPR – Still here, still guarding (your) personal data

Even as new regulations emerge, the GDPR remains highly relevant for the collection, processing and further usage of personal data and strict compliance therewith remains a non-negotiable when sharing personal data and entering the data mesh landscape.

Companies must ensure that every aspect of data collection and usage is conducted in a compliant manner. This responsibility is shared between data providers and data users. Data providers remain responsible for the lawful, secure and transparent initial collection of personal data in accordance with the GDPR, whereas the data users remain responsible for the legality of the further processing and usage of the personal data in accordance with the principles of the GDPR.

 

This shows that the GDPR continues to play a prominent role in the development of new technologies, such as AI models, where unlawful data processing in the early stages can have lasting consequences for subsequent processing and the model’s overall operation. It is essential that data controllers adhere to the principles of data protection from the outset of each (new) processing activity. The GDPR shall remain a critical safeguard in the evolving digital landscape.

 

Cybersecurity: defend your data

As the volume of data grows exponentially, so does the risk of cyberattacks and security incidents. This makes cybersecurity and resilience more critical than ever. The EU has been proactive in addressing potential risks by introducing new legislation, including among others, DORA, NIS-II and the Cyber Resilience Act. These legal frameworks aim to impose a minimum level of cybersecurity, setting certain security obligations and introducing more stringent reporting requirements for security incidents to mitigate potential risks and consequences. Concretely, companies will have to review and strengthen their cybersecurity setup and architecture and adopt internal security policies and procedures, tailored to their business activities, to ensure their staff are aware of these requirements and have clear step-by-step procedures to prevent and handle security incidents. Having a clear strategy for risk management and incident response is key to future compliance and fostering trust.

 

In summary

The evolving data law landscape in 2025 presents promising opportunities. However, as data continues to drive technological advancements, the ability to stay up-to-date with data-sharing trends and industry practices and the ability to navigate regulatory complexities are key to staying relevant in today’s digital world.