Digital Regulation Timeline

The DSA aims to update the "rules of the internet", with the key principle that what is illegal offline should also be illegal online.

The DSA both preserves and updates the intermediary liability position set out in the e-Commerce Directive (e.g. the hosting defence). However, the range of requirements fundamentally changes the liability of online services in the EU with strict obligations for the supervision of illegal content online, as well as new rules on transparency, user safety and advertising accountability. It also includes detailed rules on features that must be incorporated into online platforms and marketplaces or included in user terms and conditions.

Illegal online content

The DSA preserves the liability defences under Articles 12-15 of the e-Commerce Directive (the "mere conduit" defence, the "caching" defence, the "hosting" defence and the "no obligation to monitor" provision). Clarity is added that these defences remain available even if the platform has voluntarily taken action to detect, identify and remove, or disable access to, illegal content.

However, notice and take down obligations on online platforms are strengthened. Platforms must put in place mechanisms for users to report illicit content (such as hate speech, terror propaganda, discrimination or counterfeit goods). Platforms must decide what to do about reported content in a timely, diligent and non-arbitrary manner, in order to continue to benefit from the hosting defence. Specified mechanisms to challenge content removal must be made available, including alternative dispute resolution. Online platforms must monitor for repeated submission of illegal content or unfounded complaints by particular users, and suspend their access.

Third party content monitors can apply for "trusted flagger" status. Platforms must prioritise illegal content reports from such individuals and bodies.

Transparency

General obligations apply in relation to user safety, transparency, controls and information.

Annual reports are required from all intermediary service providers on their content moderation activity, with the required contents depending on the service provided (see below "Implementation progress"). Hosting service providers must include information about illegal content notices and complaints received and action taken. These include provisions relating to content recommendations and online terms, and obligations relating to the publication and communication of information on the average monthly active recipients of the service.

Websites must not be designed and organised in away that deceives or manipulates users – so-called "dark patterns" – but must be designed in a user-friendly and age-appropriate way to make sure users can make informed decisions.

In September 2023, the Commission launched the DSA Transparency Database which is a publicly accessible database of "statements of reasons "that online platforms must submit to the Commission setting out their reasons for making content moderation decisions (with the exception of micro- and small enterprises). The Commission has also published an open-source software package to facilitate the analysis of data in the Transparency Database.

Online marketplaces

The DSA introduces traceability provisions for online marketplaces. These include a "know-your-trader" obligation, requiring online marketplaces that allow B2C sales to conduct due diligence on traders prior to allowing them to use the platform.

Platforms must be designed to facilitate compliance with traders' legal obligations such as e-commerce and product safety requirements. The illegal content take down provisions are to facilitate the removal of illegal or counterfeit products, and platforms have obligations to contact consumers who have purchased those products.

Advertising accountability

Specific transparency obligations apply to online advertising. It must be clear to users whether a displayed item is an advertisement and from whom it originates. Information about the main parameters used to decide to whom it will be displayed is essential in this context.

VLOPs and VLOSEs

VLOPs and VLOSEs are designated by the Commission. Platforms and search engines need to report on the number of users at least every six months.

An additional layer of obligations are imposed on VLOPs and VLOSEs. They must diligently monitor and mitigate systemic risks including their service being used for the dissemination of illegal content; the impact of their service on human rights; and the risk of their service negatively affecting civic discourse, electoral processes, public security, gender-based violence, the protection of public health and minors and individuals' physical and mental well-being.

The Commission's guidelines on mitigating against systemic risks in relation to electoral processes were published in the EU's Official Journal on 26 April 2024. The guidelines aim to support VLOPs and VLOSEs with their compliance obligations under Article 35 of the DSA (mitigation of risks) and with other obligations relevant to elections. As well as mitigation measures, the guidelines cover best practices before, during and after electoral events.

VLOPs and VLOSEs also have to implement strict processes towards regular risk assessments, produce reports of action regarding content moderation and are obliged to conduct independent annual audits to assess compliance and any commitments made pursuant to codes of conduct and crisis protocols that the Commission has adopted. They also have to disclose their parameters for recommender systems and provide for at least one recommender system which does not involve profiling. In addition, the Commission as well as member states, can seek access to their algorithms.

The Commission has also launched a DSA whistleblower tool which allows individuals with inside information to report harmful practices by VLOPs and VLOSEs that are potentially in breach of the DSA, anonymously if preferred.

Enforcement

Non-VLOPs and VLOSEs

Each member state must designate one or more competent authorities as responsible for the application and enforcement of the DSA in their jurisdiction, and each member state must designate one of these as a "Digital Services Coordinator." (DSC)" The DSCs are responsible for enforcement of the DSA in respect of platforms that are not VLOPs or VLOSEs in their different territories and can work together. The DSCs make up a European Board for Digital Services, chaired by the Commission, which works as an independent advisory group to enforce the DSA.

In 2024, the Commission opened infringement procedures against various member states which either had not designated their DSC, or had not yet granted their DSC full powers to carry out their duties under the DSA. In May 2025, the Commission referred five of these member states (Czechia, Spain, Cyprus, Poland and Portugal) to the Court of Justice of the EU for failing to take the necessary measures.

VLOPs and VLOSEs

Enforcement in relation to VLOPS and VLOSEs is exclusively reserved to the Commission. Fines of up to 6% of global annual turnover can be levied for breaches.

The Commission has opened infringement procedures against six member states which either did not designate their Digital Services Coordinator by the 17 February 2024 deadline (Estonia, Poland and Slovakia), or have not yet granted them full powers to carry out their duties under the DSA (Cyprus, Czechia and Portugal). In July 2024, the Commission opened infringement proceedings against six further member states (Belgium, Spain, Croatia, Luxembourg, Netherlands and Sweden).

Enforcement in relation to VLOPS and VLOSEs is exclusively reserved to the EU Commission. Fines of up to 6% of global annual turnover can be levied for breaches.

The European Commission has been, and continues to be, proactive in sending requests for information to various platforms concerning their compliance with their DSA obligations. It has also opened formal proceedings against some platforms following preliminary investigations and requests for information. 

International cooperation

In May 2024, the Commission and the UK's Ofcom signed an administrative arrangement to support their work in enforcing the new online safety regimes in both the EU and the UK under the DSA and the UK Online Safety Act 2023 respectively.

On 22 February 2024, the delegated regulation on  independent audits entered into effect. The delegated act provides a framework to guide VLOPs and VLOSEs when preparing their external independent audits.  It also provides mandatory templates for auditors to use when completing an audit report, as well as mandatory templates for the VLOPs and VLOSEs to use when completing their audit implementation reports.

The first risk assessment reports and independent audit reports from designated VLOPs and VLOSEs were published in November 2024.

⭐ From 1 July 2025, the implementing regulation on transparency reporting under the DSA started to apply. The regulation standardises templates and reporting periods for the transparency reports that providers of intermediary services have to publish in relation to their content moderation practices. VLOPs and VLOSEs must report twice a year, while other services report annually. Under the implementing regulation, providers must start collecting data in line with the templates from 1 July 2025, with the first harmonised reports due at the beginning of 2026. The Commission also plans to update the requirements for submitting statements of reasons to the DSA transparency database so that they align with the implementing regulation. 

⭐ On 1 July 2025, the voluntary Code of Practice on Disinformation was integrated into the DSA. The code, which has been signed by various advertisers, ad-tech companies, platforms and other relevant organisations, is a set of 44 commitments aimed at fighting disinformation online. It covers, among other things, transparency of political advertising, cutting financial incentives for disseminators of disinformation, measures to reduce the spread of disinformation, tools to empower users against disinformation, and tools to empower researchers and fact-checkers. With integration, compliance with the code can be used by enforcers as a benchmark for determining DSA compliance.

⭐ On 2 July 2025, the Commission adopted a delegated act on data access for researchers under the DSA. The delegated act explains how VLOPs and VLOSEs should share internal data that is not publicly available with qualified researchers. It sets out the legal and technical requirements for such access so that researchers can assess systemic risks and mitigation measures in the EU. It also establishes a new online DSA data access portal. The delegated act must be scrutinised by the European Parliament and Council of the EU within the next three months. It will enter into force on publication in the Official Journal of the EU.

⭐ On 14 July 2025, the Commission published its final guidelines on the protection of minors under Article 28 of the DSA. See this Regulatory Outlook for more information. The guidelines also recommend the use of age verification technologies to restrict access to adult content, pointing to EU digital identity wallets (when they become available) and to the Commission's blueprint for age verification apps, which sets a standard for age verification apps.

Digital regulation | UK Regulatory Outlook July 2025

17 February 2024: The Digital Services Act (DSA) is now fully applicable

Rethinking regulation of data-driven digital platforms

EU's Digital Service Act to introduce first express ban on 'dark patterns'

Commission finds EU consumer law inadequate to protect consumers in the digital world

The primary aims of the Act are to:

• Promote UK public service broadcaster (PSB) content and national radio stations.
• Protect UK audiences and stimulate local content production.
• Redress the perceived imbalance between the influence of global streaming platforms as compared to UK-based media services. The bill overhauls the traditional scope of UK on-demand law by extending Ofcom's jurisdiction to non-UK services.
• Specifically regulate larger digital content selection platforms and smart devices regarding prominence and access to internet-delivered TV and radio services.

On 26 February 2024, Ofcom published its roadmap for implementing the bill (as it was then) in which it explained its "high-level plan" for putting the provisions into practice once the bill became law. Ofcom cautioned that the dates outlined were indicative only. Its timetable assumed that the legislation would receive Royal Assent by the summer (which it did) and the necessary secondary legislation subsequently laid before Parliament. Ofcom is proceeding with implementation, which is taking place in phases over the next two years.

Listed events

In July 2024, Ofcom published a call for evidence on the listed events regime under the Act, which closed on 26 September 2024.

In June 2025, Ofcom published a consultation on changes Ofcom proposes making to its Code on listed events and on the definition of various terms used in the listed events regime. The deadline for responses was 8 August 2025. See this Regulatory Outlook for more. Ofcom expects to publish a final statement in late 2025 and the regime is expected to come into effect in 2026.

‍VoD services regime

The Media Act 2024 (Commencement No 1) Regulations 2024 brought certain (mostly functional) provisions of the Act into force on 23 August 2024. The Regulations also brought into effect the non-UK Tier 1 VoD services framework, but the details of the regime are still to be determined as Ofcom must first consult and then the government will produce further regulations. In addition, the Regulations partially brought into effect the new digital prominence regime, but the details are also subject to consultation and further regulations from the government.

In September 2024, the government indicated to Ofcom its intention to begin its consideration of Tier 1 regulation of appropriate on-demand services "as soon as is practically possible". The government asked Ofcom to prepare a report on the operation of the UK market generally for on-demand programme services (ODPS) and non-UK (ODPS), which report the government is required to take into account.

On 30 May 2025, Ofcom delivered the report to the secretary of state. Ofcom has not made this report publicly available due to restrictions in the Communications Act 2003 on sharing the information provided to Ofcom by providers of ODPS.  

‍Regulation of radio services

The second commencement regulations, the Media Act 2024 (Commencement No. 2 and Transitional and Saving Provisions) Regulations 2024 brought into force the following provisions of the Act on 17 October 2024: (i) Part 5 (Regulation of radio services); and (ii) Section 19 (amount of financial penalties: qualifying revenue), but only for the purposes of enabling Ofcom to carry out the necessary work to bring the section into force. The regulations also contain transitional and saving provisions.

Part 5 covers, among other things, local analogue commercial radio licences and their renewal. Previously, renewal was only available if the licence holder was also broadcasting a digital radio service on a "relevant" DAB multiplex. The Act introduces an additional, alternative statutory basis for licensees to apply for renewal if there is a "relevant" DAB multiplex available, but it is not "suitable" for their needs. In December 2024, Ofcom launched a consultation on its approach to considering applications under this new renewal route. Essentially, Ofcom is proposing that a "relevant" local or small-scale multiplex should be considered "unsuitable" in relation to an analogue services only if there is a substantial difference in the size of their coverage areas. The consultation closed on 5 February 2025.

Part 5 also ensures the delivery of local news and information on analogue commercial radio by establishing new mandates for its consistent transmission.  On 1 July 2025, Ofcom published a consultation on how it proposes to implement this new framework, including the specific conditions Ofcom proposes to include in licences. Ofcom also published draft guidance on how licensees might meet the requirements of the new licence conditions. The consultation closes on 22 September 2025.

Regulation of radio selection services (RSS)

Part 6 of the Act governs the regulation of RSS. Ofcom is obliged to provide the secretary of state with a report making recommendations as to which RSS should be designated. In February 2025, Ofcom consulted on the principles and methods it proposes applying when making these recommendations. It also sought views on its emerging thinking on the appropriate sources of data for measuring the use of RSS and setting the threshold for recommendations.

Ofcom published its final statement confirming its principles and methods in May 2025.

Availability and prominence regime

Internet televisions equipment: The Internet Television Equipment Regulations 2024, which came into force on 14 November 2024, set out the descriptions of devices that are considered to be "internet television equipment" for the purposes of the new prominence framework under the Act. The regulations name smart televisions and streaming devices as internet television equipment.  

The government has also published a policy paper on its approach to deciding the categories of TV devices that will be considered "internet television equipment". It explains that smart TVs, set-top boxes and streaming sticks will qualify, but that smartphones, laptops, tablets, PCs and video games consoles will not, as watching TV on these devices is not their primary function. Newer devices, such as home cinema projectors and portable lifestyle screens, internet connected car touchscreens, virtual reality headsets, smart watches and in-home screens (such as smart fridges and smart speakers with in-built screens), will also be excluded for the same reason. However, the government intends to review the list one year after full implementation of the new prominence regime.

Television selection services: Under the Act, Ofcom is also obliged to provide a report to the secretary of state with recommendations on the designation of "television selection services" (TSS), which are the connected TV platforms on which, under the new regime, Ofcom-designated PSB TV apps must be available, prominent and easily accessible. In December 2024, Ofcom launched a consultation on the principles and methods it proposes applying when preparing the report. The consultation closed on 5 February 2025. In April 2025, Ofcom published a final statement with no changes. It is expected that decisions on designation will be made in the second half of 2025.

⭐ Ofcom is now consulting on 14 TSS that it proposes designating. Following consultation, Ofcom will formally report its recommendations to the secretary of state who will make regulations to formalise the designations. The consultation is open until 16 September 2025.

⭐ Internet programme services: Under the new online availability and prominence regime, TSS designated by the secretary of state (see above) will have to ensure that PSB TV players (known as internet programme services or IPS) that have been designated by Ofcom, and their content, are available, prominent and easily accessible. Before Ofcom can consider applications for designation as IPS, it is required to publish a statement setting out how it will do this. In July 2025, following consultation and after having made some minor changes, it published the final statement. Ofcom intends to publish an application form for PSBs to request designation as IPS later in 2025.

Public service broadcasters

In May 2025, Ofcom published a consultation on implementing changes to the PSB quota obligations under the Act (to allow PSBs to use their on-demand services to meet their productions quotas). Ofcom also consulted on draft guidance on which programmes will count towards the original productions quota, and on amending its guidance on regional productions. The consultation closed on 10 July 2025.  

⭐ In July 2025, Ofcom also updated its guidance on the codes of practice that PSBs must put in place and follow when commissioning independent producers. The guidance will not take effect until the relevant provisions in the Act have been commenced through secondary legislation. Ofcom does not expect this to be before 1 January 2026.

⭐ The Act also requires licensed PSBs to set out how they intend to fulfil all their regulatory obligations, including identifying the contribution that each service (whether online or linear) will make, in statements of programme policy (SoPP). Channel 4 has additional media content duties that it sets out in a statement of media content policy. The BBC is subject to different requirements under the BBC Charter and is not therefore required to deliver a SoPP. In July 2025 Ofcom published updated guidance for PSBs on preparing these documents, following consultation. The guidance will take effect once the relevant sections of the Media Act are commenced through secondary legislation.

UK Media Act Hub

⭐The UK Media Act: what is next for Tier 1 services and digital prominence?

Media Matters Podcast (Media Act Series)

The UK Media Act 2024 takes first steps on Ofcom's roadmap to implementation

The overarching intention of the directive is to enable people with disabilities or impairments to access these products and services on an equal basis with others.

Rather than specifying technical requirements, the directive identifies the particular features of the relevant products and services that must be accessible (set out in Annex I of the directive). The  intention is that this approach allows for flexibility and innovation in how these requirements are actually met in practice.

The accessibility requirements set out in Annex I depend on the product or service but include: providing information through more than one sensory channel (e.g. the option of an audio version of written  text), ensuring content is presented in an understandable way; and requirements for written content to be formatted in sufficient size fonts, with sufficient contrast and adjustable spacing. Products requiring fine motor control must offer alternative controls, and requirements for extensive reach or great strength should be avoided. The directive envisages the use of assistive  technologies, as well as emphasising the need to respect privacy.

The directive sets out requirements on product manufacturers for technical documentation, self-assessment of compliance and a declaration of conformity with the accessibility requirements, as well as a CE marking to  show compliance. Importers are required to place only compliant products on  the market, and to check for compliance and the CE mark. Distributors must similarly check for compliance and not put non-compliant products on the market.

For services, compliance with the directive's accessibility requirements must be incorporated into how the services are designed and provided. Information about the service's accessibility compliance must be made available (and updated) for the lifetime of the service. Compliance must be reviewed and maintained, with disclosure obligations around non-compliance.

As noted, compliance is not required where it would fundamentally alter the basic nature of the product or service, or where it would create a disproportionate economic burden on the entity concerned. Where a business decides it falls within one of these carve-outs and so does not have to comply, it must document that assessment. In relation to services, the assessment must be renewed every 5 years, or when the service is altered, or when the national authority requests a reassessment.

The directive also requires member states to set up national market surveillance authorities to oversee enforcement of the accessibility regime. Adequate enforcement powers must be given to the national authority, which should include provision for "effective, proportionate and dissuasive penalties", as well as remedial action to address non-compliance.  

All member states have implemented the necessary legislation, meaning that the directive is in effect across the whole of the EU. New websites and digital services must comply now, but existing websites and digital services have until 28 June 2030 to comply. National implementing legislation can be tracked from this page.

The EU Accessibility Act – Two Months to Go!

EU Accessibility Act now in force – Is your business at risk?

Webinar recording: European Accessibility Act: An introduction (19 March 2024)

Webinar recording: Digital Inclusion: Risks of not making your digital products accessible (18 April 2023)

The Act is a wide-ranging piece of legislation, much of it amending existing legislation, in particular the UK General Data Protection Regulation (GDPR), and setting up various frameworks to be fleshed out in secondary legislation. Some key provisions include:

• A framework for standardising information sharing in the National Health Service (NHS).
• A framework for smart data schemes (similar to the open banking regime), to be introduced via secondary legislation across relevant sectors.
• A certification framework to facilitate use of digital identity verification systems.
• Provisions regarding the National Underground Asset Register, which is the official online data map of underground pipes and cables.
• Various changes to the UK GDPR.

Data Protection

In the areas of data protection law, the Act introduces many fairly small changes, including those set out below.

Automated decision making

There is a softening of the current restrictions on automated decision making (ADM), for example in making explicit that the (partial) prohibition on ADM would apply only for special category data, and where there is "no meaningful human involvement".

In theory, this gives organisations broader scope to use ADM, which may facilitate deploying AI systems for additional use cases. However, the changes are subtle and several conditions and restrictions still apply, including obligations to put in place appropriate safeguards for all significant wholly automated decisions based on personal data.

Research use of data

Definitions of certain types of research are added to the GDPR to refine the scope of those concepts.

In particular, the definition of "scientific research" arguably makes the concept slightly wider, in that it is deemed to include any research that "can reasonably be described as scientific" irrespective of the source of research funding, and whether or not it is commercial.

The definition of "statistical purposes" potentially slightly narrows the concept, in that it applies only where the data is used for statistical surveys or to produce statistical results.

There is a broader concept of what people can consent to their data being used for. The Act clarifies that, in appropriate cases, a person will be able to give consent to their data potentially being used for more than one type of scientific research, even if not all those research purposes are identifiable at the time they give that consent.  

Overall, the changes are intended to benefit organisations that conduct research or use research results. While there is broadening of the scope of "scientific research", this is still tempered by safeguards and limitations.

Common standards for health records

The Act provides for the government to bring in standards to enable interoperability and sharing of health-related data, amending the Health and Social Care Act so that information standards in relation to IT technology or services can be published. The government hopes this will facilitate smooth flowing of patient information across healthcare, giving staff quicker access to patient data.

IT providers whose services are used in connection with the provision of health care or adult social care must have regard to these standards. The regulator will be able to call out publicly those who fail to meet them.

IT suppliers for the health and care sectors will need to ensure that their systems meet common standards to enable data sharing across platforms. Such standards have yet to be set, but may include, for example, standards allowing for mandatory interoperability and APIs for services which process patients’ information.

Digital identity

Under the Act, the existing Office for Digital Identities and Attributes will oversee a standards framework for online digital verification services.

Compliance with the standards framework will not be mandatory, but organisations successfully applying for certification will be awarded certification and be included on a publicly accessible register and entitled to display a "trust mark" to show they meet the standards.  

The standards will include:

• Not “profiling” users for third-party marketing purposes.
• Not creating large datasets that could risk revealing sensitive data about users.
• Explicitly confirming that users understand how their data is being shared, whenever this happens.

Organisations hoping to obtain certification will of course need to ensure that their data processing practices meet the requirements, which in some circumstances will go beyond their current UK GDPR compliance obligations.  

Smart data

The government will set up a "smart data" regime, which will allow the setting up of separate smart data schemes to address specific sector needs, such as in finance, energy and telecoms.

Smart data schemes will allow individuals to request that their data be shared directly with them, or with authorised and regulated third parties, and establish a supporting framework to ensure secure storage and transfers of this data.  

The government hopes that these schemes can mirror the success of the open banking regime, enhancing consumer confidence in using trusted third-party services to provide, for example, personalised market comparisons and financial advice on costs savings, as well as "one-click" service switching to a new provider.

National Underground Asset Register

The National Underground Asset Register is a government digital service which provides instant access to a map of the underground pipes and cables for authorised users. It will be put on a statutory footing, rather than the current voluntary arrangement, mandating that owners of underground infrastructure, such as water companies or telecoms operators, register their underground assets. The idea is that companies will benefit from a more comprehensive and rich view of buried assets, enabling them to know exactly where any underground asset is placed.

Failure to comply with the obligations may constitute a criminal offence and those in breach may be liable for damages to those suffering loss as a consequence of that failure.

Cookies and tracking

The Act creates some exceptions to the current regime; for example, that user consent is not required for use of cookies/other tracking technologies in some online services where they are used solely to collect statistical data in order to make improvements to services or a website, or are used solely to improve the appearance or performance of a website, or adapt it to a user's preferences.  

The exceptions are subject to various conditions, including around transparency, the right to object, and not using the collected data for purposes beyond the scope of the exceptions.

GDPR – Subject access requests

The Act limits the right for an individual to obtain copies of their personal data under the GDPR so that they are entitled only to the data that would be found in a "reasonable and proportionate" search. This is largely mere codification of the existing case law and guidance from the Information Commissioner's Office (ICO).

GDPR – Legitimate interests processing

The Act provides that certain types of processing purposes will be more likely to count as "legitimate interests", including processing for the purposes of:

• Direct marketing.
• Intra-group transfers for internal administration (including transfers between affiliated institutions, not just between groups of parent and subsidiary businesses).
• Network and IT system security.

In theory, this makes it easier for organisations to use the legitimate interest ground as the basis for their processing in these areas. However, its impact is reduced in practice, because the changes mean only that those types of processing are more likely to be considered legitimate interests (they are not guaranteed to be); the recitals of the GDPR already referred to the processing of personal data for direct marketing purposes potentially being regarded as carried out for a legitimate interest; and many organisations will have already concluded that they were covered by the legitimate interest ground.

The Act also includes provisions allowing the government, in future, to introduce categories of processing which will be deemed to be legitimate interests purposes.

GDPR – Special category data

The Act includes a new mechanism to allow the secretary of state to introduce more classes of special category data (s. 74) by enacting secondary legislation. The restrictions on the processing of special category data are significantly heavier than those on other types of personal data.

Online Safety research

The Online Safety Act 2023 will be amended to allow the government to bring in regulations which could oblige service providers to provide information to third-party researchers conducting research into online safety measures, including the ability to bring in criminal offences, fines and other sanctions for non-compliance.

ICO

The UK regulator, the ICO, will be abolished and its functions transferred to a new body, the Information Commission, with changes to structure and powers.

⭐ Commencement regulations

On 21 July 2025, the Data (Use and Access) Act 2025 (Commencement No 1) Regulations were made, bringing into force several sections of the Act. These provisions are largely technical, relating mainly to sections of the Act that allow the government to make certain provisions.

However, the regulations also brought into effect s111 of the Act, which amends the Privacy and Electronic Communications Regulations (PECR) by extending the time periods for relevant service providers to notify a personal data breach under PECR to the regulator.

Also brought into effect are parts of s117 of the Act, which establishes the Information Commission, though substantive changes to the ICO/Information Commission are not expected until early 2026 and can only take place once the new Information Commission's board has been appointed in any event.

⭐ Approximate timetable for implementation

In July 2025, the Department for Science, Innovation and Technology (DSIT) published an outline of its tiered timetable for implementing the Act. In summary:

• Stage 1 – immediately after Royal Assent – includes the commencement of technical provisions, clarifying aspects of the legal framework and measures requiring the government to publish an impact assessment, a report and a progress update on its plans for AI and copyright reform.

• Stage 2 – three to four months after Royal Assent (i.e. mid-September to mid-October 2025) – includes the commencement of most of the measures on digital verification services and those on the retention of information by providers of internet services in connection with the death of a child.

• Stage 3 – approximately six months after Royal Assent (i.e. mid-December 2025) – includes the commencement of the main changes to data protection legislation plus the provisions on information standards for health and adult social care.

• Stage 4 – more than six months after Royal Assent (i.e. from mid-December 2025 onwards) – includes the rest (e.g. measures on the National Underground Register and electronic registering births and deaths).

Data (Use and Access) Act becomes law, with first ever changes to UK GDPR

Data law | UK Regulatory Outlook July 2025

‍

The Act aims to protect children from harmful content and to deal with illegal online content. The Act seeks to strike a balance between ensuring safe online interactions for children and adult users, and freedom of speech.

Key provisions under the Act include:

• Duties on regulated services to protect all users from illegal content.
• Duties on regulated services to protect child users from certain types of legal but harmful content.
• Various duties to empower users to control their exposure to harmful content.
• Duties to protect free speech and fundamental rights.
• Duties to protect consumers from fraudulent advertising.
• Powers for Ofcom to require regulated services to use technology to proactively identify and remove content relating to terrorism or child abuse.
• New communications offences and other offences relating to online behaviour.
• Extensive investigatory and enforcement powers for Ofcom: services which breach their obligations under the Act can be liable for fines of up to £18 million or 10% of their global turnover (whichever is larger); companies (and in certain circumstances their senior managers) may also be criminally liable for breaches.

In order to ensure that the online safety regime is flexible and "future proof", a number of these provisions are dealt with, and to be dealt with, in secondary legislation, and by codes of practice and guidance to be developed by the designated regulator, Ofcom.

When the Act received Royal Assent, Ofcom devised a consultation process to inform its codes of practice and guidance. This comprises four major consultations together with various sub-consultations, on numerous aspects of the new regime. Ofcom also published an implementation roadmap.

In October 2024, Ofcom published an updated roadmap, setting out its progress in implementing the Act since it became law and presenting its plans for 2025. See our Insight for details.

In June 2025, Ofcom published a further update on its implementation plans.

‍Illegal content

The process began in November 2023, with a first major consultation on draft codes of practice and guidance on illegal harms duties, which closed on 23 February 2024 (see our insight).

In December 2024, Ofcom published its final form illegal content codes of practice and guidance. This signalled the start date for services to comply with the new rules on conducting illegal content risk assessments. All in-scope services had to have completed their illegal content risk assessment, to evaluate the risk of harms to users resulting from the presence of illegal content on their service, by 16 March 2025. Services needed to implement the recommended measures set out in these codes (or be using other effective measures to protect users from illegal content) by 17 March 2025.

In August 2024, Ofcom consulted on strengthening its draft illegal harms codes of practice and guidance to include animal cruelty and human torture due to these categories of content not being fully covered by the list of "priority offences" in the Act. The "priority offences", listed in Schedule 7 of the Act, relate to the most serious forms of illegal content. Regulated online platforms not only have to take steps to prevent such content from appearing, but also have to remove it when they become aware of it. By including animal cruelty and human torture in its codes and guidance, Ofcom aims to ensure that providers understand that they will also have to remove this type of content. Ofcom's statement on the consultation is pending.

Under the Act, Ofcom has specific powers to tackle terrorism and child sexual exploitation and abuse (CSEA) content available on user-to-user services. Ofcom can, by issuing a "technology notice", make a provider use a certain technology to tackle this content or it can require them to develop such technology. Any technology Ofcom requires a provider to use must be accredited by Ofcom or appointed third party, against minimum standards of accuracy set by government, following advice form Ofcom. In December 2024, Ofcom consulted on its proposals for what the minimum standards of accuracy for accredited technologies could be, and on draft guidance on how it proposes to use its technology notice powers. Ofcom intends to submit its final advice on minimum standards to the government and publish final guidance by Spring 2026.

To tackle the specific risks faced by women and girls online, Ofcom is required to publish additional, dedicated guidance on safety for women and girls. On 25 February 2025, Ofcom published draft guidance, setting out how in-scope service providers can combat content and activities that disproportionately impact women and girls. The guidelines describe nine actions providers can take and highlight good practice in this area. Ofcom consulted on the draft earlier this year and expects to publish the final guidance by the end of 2025.

On 24 April 2025, Ofcom published a consultation on amending its illegal content codes of practice to expand the application of measures that allow children to block and mute user accounts (ICU J1 in the code of practice) and disable comments (ICU J2), to include providers of certain smaller user-to-user services that are likely to be accessed by children where they have relevant risks and functionalities. The consultation closed on 22 July 2025. Ofcom expects to publish the final guidance by the end of 2025.

On 30 June 2025, Ofcom published a consultation proposing additional safety measures for its illegal content and protection of children codes of practice. The new proposals provide more targeted safety measures to make online services safer by design. They include measures to: stop illegal content going viral; make more use of proactive technologies (such as "hash matching" for intimate image abuse content and terrorism content); protect children while livestreaming; and respond to a crisis. The consultation closes on 20 October 2025. Ofcom plans to publish updated codes of practice in summer 2026.

Pornographic content‍

On 16 January 2025, Ofcom published its final form guidance on "highly effective age assurance and other Part 5 duties" relating to the duties of regulated providers of pornographic content to prevent access by children to such content through the use of age verification/estimation tools. This duty came into effect on 17 January 2025.

On 24 April 2025, ahead of the 25 July deadline to implement mandatory age assurance requirements (see "Children" below) Ofcom wrote to hundreds of pornography services, setting out in detail what services need to do to comply with their duties under the Act and reminding them of the consequences of non-compliance.

Children

On 16 January 2025, Ofcom published its Statement on Age Assurance and Children's Access, comprising final form versions of Part 3 guidance on highly effective age assurance, guidance on children's access assessments (and guidance on highly effective age assurance and other Part 5 duties see above under Pornographic content)). This marked the start of compliance with the protection of children duties under the Act by kicking off the three-month period within which all in-scope services had to complete their Child Access Assessments (i.e. by 16 April 2025).

On 24 April 2025, Ofcom published its protection of children statement under the Act, including the draft Protection of Children Codes of Practice for search services and for user-to-user services, and the final form Children's Risk Assessment Guidance and Children's Risk Profiles.

On 4 July 2025, Ofcom published the final versions of its Protection of Children Code for user-to-user services and Protection of Children Code for search services.

Starting from 24 April 2025, all in-scope services had until 24 July 2025 to complete and record a Children's Risk Assessment to assess the risk of harm to children on their service from content harmful to children. This assessment is an additional requirement to completing an illegal content risk assessment (the deadline for which was 16 March 2025).

From 25 July 2025, service providers need to have implemented the measures set out in the Protection of Children Codes of Practice (or be using similar effective measures to protect children and mitigate the risks to children identified in their risk assessment). Ofcom has said that it will give a further six month grace period, ending 24 February 2026, for services to implement these measures. However, this grace period will not stop Ofcom from taking action in the meantime against services that it deems are "deliberately" not engaging with child protection measures or are causing "egregious harm".

Categorised services

The Act introduces a system categorising some regulated online services as category 1, 2A or 2B services, based on their key characteristics and whether they meet certain numerical thresholds.

In March 2024, Ofcom published a call for evidence to inform its further consultation on draft codes of practice and guidance on the additional duties that will apply to "categorised services" under the Act. This call for evidence closed on 20 May 2024 and a statement from the regulator is pending.

The regulations defining the thresholds above which in-scope services become "categorised services" and subject to certain additional obligations under the Act came into force on 27 February 2025. Ofcom will, once it has assessed services against these final thresholds, publish a register of categorised services, as well as a list of emerging category 1 services.

⭐ In July 2025, Ofcom published a statement on transparency reporting and its final transparency reporting guidance for categorised services. The guidance explains when and how Ofcom will exercise its transparency powers, setting out the factors it will consider when deciding what information categorised services will be required to provide (as set out in transparency notices issued by Ofcom) in their transparency reports.

‍Fees and penalties‍

At the end of May 2024, the government published guidance to Ofcom on determining the fees that will be payable by regulated services under the Act. The fees will only be paid by providers whose "qualifying worldwide revenue" (QWR) meets or exceeds a certain revenue threshold and who are not otherwise exempt, and will fund Ofcom's regulation of the new online safety regime. The government will retain oversight of the regulatory costs of the regime by setting Ofcom's total budget cap.

In June 2025, Ofcom published its policy statement on implementation of the online safety fees and penalties regime under the Act following a consultation (see this Regulatory Outlook for more on the consultation. Ofcom has decided on: the definition of QWR to be used to assess the threshold at or above which providers will be required to pay fees, and the maximum penalty caps; QWR for penalty caps in the case of joint and several liability; QWR threshold advice to the secretary of state; exemptions from having to notify Ofcom on QWR and from paying fees; its approach to its Statement of Charging Principles, which will establish the principles that Ofcom will apply when setting fees, which must be in place before Ofcom can start charging; and the process for notifying Ofcom of liability to pay fees.

⭐ In July 2025, Ofcom published a second consultation to implement the fees and penalties regime, this time on guidance for providers of online services regulated under the Act on calculating their QWR in accordance with the Online Safety Act 2023 (Qualifying Worldwide Revenue) Regulations 2025. The consultation is open until 10 September 2025.

The fee regime is expected to be in place by 2026/27 financial year. Until then, the government is funding Ofcom's initial costs. Additional fees will then be charged over an initial set period of consecutive years to recoup the set-up costs.

Information notices

Under the Act, Ofcom has powers to require and obtain information from regulated services that it needs to fulfil its online safety duties. It will do this by issuing "information notices". On 26 February 2025, Ofcom published final guidance on its information gathering powers under the Act, how it plans to use them and the typical procedures it will follow. Failing to comply with an information notice may result in Ofcom taking enforcement action under the Act.

Enforcement

In January 2025, Ofcom opened an enforcement programme into age assurance measures to protect children from encountering pornographic content, initially focusing on regulated providers' compliance with the Part 5 duties. In July 2025, Ofcom extended this programme to cover all platforms that allow users to share pornographic material, whether they are dedicated adult sites or other services that include pornography (Part 3 services).

On 3 March 2025, Ofcom launched an enforcement programme to monitor whether services are meeting their illegal content risk assessment and record keeping duties under the Act. As part of the programme, the regulator asked various providers to provide it with their illegal content risk assessments to assist it in identifying possible compliance concerns and to monitor how the guidance is being applied. Ofcom expects the programme to run for at least 12 months, during which period, it may initiate formal investigations if it suspects that a provider is failing to meet its obligations under the Act.

In March 2025, Ofcom also launched an enforcement programme targeting child sexual abuse material (CSAM) online. In recognition of the prevalence of such material, making human content moderation insufficient to deal with the issue on its own, Ofcom's illegal content codes of practice recommend that certain services use automated moderation technology, including perceptual hash-matching if the service is a file-sharing or file-storage service at high risk of hosting CSAM, to identify such content and swiftly remove it. For more, see this Regulatory Outlook.

⭐ In July 2025, Ofcom launched a fourth enforcement programme to monitor whether services are meeting their children's risk assessment duties under the Act.

⭐ In July 2025, Ofcom also launched a new enforcement programme to protect children from harmful content through the use of age assurance. It builds on work undertaken by Ofcom's "small but risky taskforce", which identified several services whose main purpose is to host or disseminate content harmful to children. Ofcom will engage with these services and assess the age assurance processes they are implementing.

Miscellaneous‍

"Small but risky" online services: In September 2024, the Secretary of State for Science, Innovation and Technology, Peter Kyle, wrote to Ofcom asking how it plans to monitor and address the issue of "small but risky" online services. In its response, Ofcom said that tackling these services is a "vital part" of its regulatory mission. The regulator confirmed that it has already developed plans to take early action against these services.

International cooperation: In October 2024, the UK and US governments signed a joint statement on online safety, calling for platforms to go "further and faster" to protect children online by taking "immediate action" and continually using the resources available to them to develop innovative solutions, while ensuring there are appropriate safeguards for user privacy and freedom of expression. See this Regulatory Outlook for more.

AI: In November 2024, Ofcom published an open letter to UK online service providers on how the Act will apply to generative AI and chatbots. Ofcom reminded providers that various AI tools and content relating to user-to-user services, search services and pornographic material, will be in scope of the Act.

Statement of Strategic Priorities for online safety: In May 2025, the government's Statement of Strategic Priorities for online safety was laid before Parliament. It highlights five priorities that Ofcom must have regard to when implementing the OSA and that industry is expected to adhere to. See this Regulatory Outlook for details.

Online Information Advisory Committee: Ofcom has established an Online Information Advisory Committee to advise the regulator on issues relating to disinformation and misinformation, as required by the Act.

"Super-complaints": In June 2025, the government published a response to its consultation on "super-complaints" under the Act. The super-complaints regime aims to ensure that eligible entitles can raise complaints with Ofcom about "systemic issues" relating to existing or emerging online harms (see this Regulatory Outlook for background). The government has also laid draft Online Safety Super-Complaints (Eligibility and Procedural Matters) Regulations 2025 before Parliament to define the eligibility criteria for entities to submit super-complaints and the procedural steps to establish the duties of complainants and of Ofcom when a super-complaint is submitted. The super-complaints regime is stated to come into force on 31 December 2025. Ofcom will also be consulting on draft guidance for the new regime.

⭐ Researchers' access: In July 2025, Ofcom's published a report, following a call for evidence, examining how researchers could gain better access to information from regulated online services to support their work on online safety. The report, which the regulator is required by the Act to publish and submit to the secretary of state, also assesses the current constraints on information sharing for research purposes and assesses how to improve access, setting out three policy options for the government to consider.

‍UK Online Safety Act: Ofcom publishes guidance on age assurance and children's access assessments

Ofcom publishes final illegal content risk assessment guidance and codes of practice under UK Online Safety Act

Online Safety Act 2023: time to prepare as UK's Ofcom confirms start of illegal content duties

UK's Online Safety Act is a seismic regulatory shift for service providers

UK Online Safety Act: Ofcom launches its first consultation on illegal harms

The UK Online Safety Act: Top 10 takeaways for online service providers

Digital regulation | UK Regulatory Outlook June 2025

Digital regulation | UK Regulatory Outlook July 2025

In the King's Speech 2024, the government set out plans to introduce a Product Safety and Metrology Bill which would preserve the UK’s status as a global leader in product regulation, supporting  businesses and protecting consumers". The King's Speech 2024 background briefing notes specifically recognised that the EU is reforming product safety regulations in line with technological developments through, for example, the new EU General Product Safety Regulation and the EU Product Liability Directive.

Having had its amendments considered and approved by the Lords on 10 July 2025, the Product Regulation and Metrology Bill received Royal Assent on 21 July and subsequently became the Product Regulation and Metrology Act 2025.

The Act is intended to modernise the UK's management of product and metrology regulations, by allowing ministers to introduce secondary legislation (which will be subject to consultation and to the affirmative procedure, i.e. increased parliamentary scrutiny, in key areas), including in relation to the creation of criminal offences, regulating online marketplaces, and imposing duties on new supply chain actors.

A key aspect of the Act is that these regulations can be closely aligned with relevant EU laws if appropriate.

Other aspects of the Act include enhancing compliance and enforcement capabilities, including improved data sharing between regulators and market surveillance authorities; clarifying the responsibilities of those in the supply chain, including online market places; and updating the legal metrology framework. The Act also provides for cost recovery mechanisms and emergency modifications.

Products excluded from the Act include: food, feed stuff, plants, fruit and fungi, plant protection products, animal by-products, products of animal origin, aircrafts, military equipment, medicines and medical devices.

On 4 June, the bill finished its reading in the House of Commons and went back to the House of Lords to approve the amendments, which include:

• Now that the Act has royal assent, it is expected that the secretary of state will launch a number of consultations to reform current regulations in autumn 2025, including in relation to online marketplaces. Companies are encouraged to engage with these consultations when published, and to be prepared for new regulations affecting their products.  

The Act and subsequent reformed regulations will likely have a significant impact on product regulation in the UK and businesses need to keep abreast of developments.

Products | UK Regulatory Outlook July 2025

Product Regulation and Metrology Act 2025

Definition of AI

The AIA defines an AI system as "a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments".

A risk-based approach

The AIA takes a risk-based approach, with the regulatory framework depending on both the level of risk created by an AI application, and the nature of the regulated entity's role. AI deemed high risk is regulated more strictly, as are those who create and distribute AI systems, who are regulated more strictly than organisations which deploy systems created by third parties. In addition, the AIA creates a regulatory framework for general-purpose AI.

"Risk" is assessed in the AIA by reference to both harm to health and safety, and harm to fundamental human rights and is a combination of the probability of occurrence of harm and the severity of that harm.

The proposed tiers of AIA regulation are prohibited AI, high risk AI, transparency requirements for certain forms of AI, and unregulated AI. Two further but distinct tiers apply to general-purpose AI.

Prohibited AI

Some uses of AI are considered to pose such a significant risk to health and safety or fundamental rights that they should be banned. Banned applications include:

• AI systems that use subliminal, manipulative or deceptive techniques intended to distort someone's behaviour materially by impairing their ability to make an informed decision and so causing them to take a decision that they would not otherwise have taken, causing significant harm.
• AI that exploits vulnerabilities of age, disability, social or economic circumstances in order to distort their behaviour, causing significant harm.
• Social scoring based on behaviour or personal characteristics where the scoring results in detrimental treatment of the person in question in a social context unrelated to the context in which the scoring data was originally generated or collected, or which is unjustified or disproportionate.
• AI systems used to predict the likelihood of a person committing a criminal offence, based solely on profiling that person or an assessment of their personality traits.
• AI systems that create or expand facial recognition databases through untargeted web-scraping of the internet or CCTV footage.
• Emotion inference systems used in the workplace or educational settings unless for medical or safety reasons.
• Biometric categorisation around sensitive characteristics (including race, political views, trade union memberships, religious or philosophical beliefs, sex life or sexual orientation).
• Real time remote facial recognition systems used in publicly accessible spaces for law enforcement, with exceptions.

High risk AI

Some AI applications are considered to pose a potentially high risk to health and safety or to fundamental rights, but not to the point that they should be prohibited. These high risk systems fall into two broad categories.

Firstly, AI will be classified as "high risk" for AIA purposes where it is used in safety systems or in products that are already subject to EU product safety legislation, including transport, other vehicles or machinery, and products such as toys, personal protective equipment and medical devices (the Annex I high risk categories).

Secondly, there is a list of specified "high risk" AI systems (in Annex III to the AIA). The detail of this list includes:

• Permitted remote biometric identification systems (excluding systems solely used to confirm someone's identity).
• AI used for biometric categorisation based on sensitive or protected attributes or characteristics.
• Emotion recognition systems.
• AI systems used as safety components in critical physical and digital infrastructure.
• AI systems used in an educational or vocational context, including determining access to training institutions, learning evaluation systems, educational needs appraisal systems, and systems used to monitor behaviour during exams.
• Workplace AI systems for recruitment, applications appraisal, awarding and terminating employment contracts, task allocation and performance appraisal.
• Assessment of eligibility for public benefits and services.
• Credit checks (excluding fraud prevention systems).
• Systems used to assess risk and set prices for life and health insurance.
• Systems for the despatch or prioritisation of emergency services.
• Various uses in law enforcement, immigration, asylum, judicial and democratic processes.

However, high risk regulation will not apply to AI falling in the Annex III categories where "it does not pose a significant risk of harm to the health, safety or fundamental rights of natural persons, including by not materially influencing the outcome of decision making". This will be an issue for self-assessment. Where there is no such actual risk, the system will not have to comply with the AIA high risk regulatory regime.

Onerous compliance obligations are proposed for high risk AI systems concerning a "continuous, iterative" risk management system for the full lifecycle of the AI system. Compliance will require meeting the AIA requirements for technical documentation, record-keeping, transparency, human oversight, accuracy, robustness, and cybersecurity.

In addition, the AIA will impose extensive obligations concerning the governance and curation of data used to train, validate and test high risk AI. The focus is on ensuring that such data sets are relevant, sufficiently representative and, to the best extent possible, reasonably free of errors and complete in view of the intended purposes. The data should have "appropriate statistical properties", including as regards the people in relation to whom the AI system will be used. Data sets must reflect, to the extent appropriate for their intended use, the "specific geographical, contextual, behavioural or functional setting" within which the AI system will be used.

The burden of high risk AI compliance will apply in different ways to businesses at different points in the AI supply chain – providers (developers and businesses who have had AI developed for them to put onto the market), product manufacturers whose products incorporate AI, importers, distributors and deployers.

Lower risk AI

Some lower risk AI, outside the high risk regime, will nevertheless be subject to obligations, mainly relating to transparency. The prime concern is that users must be aware that they are interacting with an AI system, if it was not obvious from the circumstances and context. These provisions will apply to:

• Chatbots and other systems that interact directly with individuals.
• Systems producing synthetic audio, image, video or text content, which must be marked (in machine-readable format) as having been artificially generated or manipulated.
• Emotion recognition systems.
• Biometric categorisation systems.
• Deep fakes images/video/audio content that have been created or manipulated by AI (with exceptions for "evidently artistic, creative, satirical, fictional or analogous works").
• Systems producing text intended to inform the public on matters of public interest.

Other AI

For AI systems that do not fall within any of the above categories, the AIA provides for codes of conduct and encourages voluntary adherence to some of the regulatory obligations which apply to the high risk categories. Codes of practice may also cover wider issues such as sustainability, accessibility, stakeholder participation in development and diversity in system-design teams.

"General-purpose AI"

Since the AIA was first proposed in 2021, foundation AI systems have emerged as a significant slice of the AI ecosystem. They do not fit readily within the AIA tiers because they perform a specific function (translation, text generation, image generation etc) that can be put to many different applications with differing levels of risk.

The AIA creates two layers of regulation for "general-purpose AI" models: one universal set of obligations for general-purpose AI models and a set of additional obligations for general-purpose AI models with systemic risk.

General-purpose AI include foundation models and some generative AI models. They are defined as models "Including where such AI model is trained with a large amount of data using self-supervision at scale, that displays significant generality and is capable of competently performing a wide range of distinct tasks regardless of the way the model is placed on the market and that can be integrated into a variety of downstream systems or applications", with an exception for AI models used for research, development or prototyping before they are placed on the market.

A general-purpose AI model will be classified as having "systemic risk" if:

• The cumulative amount of computation used to train it is more than 10²⁵ floating point operations.
• It otherwise has "high-impact capabilities" – i.e. it matches or exceed the capabilities of the most advanced existing general-purpose AI.
• It is designated as a general-purpose model with systemic risk by the European Commission.

The largest, state of the art AI models are expected to fall within this category.

The universal obligations for all general-purpose AI apply in addition to the core risk-based tiers of AIA regulation. Providers of all general-purpose AI models will be required to meet various transparency obligations (including information about the training data and in respect of copyright), which are intended to support downstream providers using the model in their AI system to comply with their own AIA obligations.

General-purpose AI models with systemic risk are subject to a second tier of obligations. These will include model evaluation and adversarial testing, assessment and mitigation of systemic risk, monitoring and reporting on serious incidents, adequate cybersecurity, and monitoring and reporting on energy consumption.

Regulatory bodies and enforcement regime

The AIA requires member states to appoint national level AI regulators which will be given extensive powers to investigate possible non-compliance, with powers to impose fines.

In addition, the "AI Office" has been created within the Commission to centralise monitoring of general-purpose AI models, and to lead on interaction with the scientific community, and in international discussions on AI. It will also support the Commission in developing guidance, standards, codes of practice, codes of conduct, and in relation to investigations, testing and enforcement of AI systems. The AI Office will play a key role in governance across the national AI regulatory bodies appointed in member states.

Coordination and coherence of the AIA regime is the responsibility of the AI Board, which is separate to the AI Office and comprises representatives from member states.

Regulatory fines are in three tiers:

• Up to the higher of 7 per cent of worldwide turnover or €35 million for breach of the prohibition provisions.
• Up to the higher of 3 per cent of worldwide turnover or €15 million for breach of other substantive provisions (including compliance with the high risk AI regime, the low risk transparency regime, and the general-purpose AI provisions).
• Up to the higher of 1% of worldwide turnover or €7.5 million for supplying incorrect, incomplete or misleading information to the relevant authorities.

The fining regime for SMEs is similar to the above, except that the maximum fine is whichever percentage or amount is the lower.

As noted above, deadlines for compliance will be staggered.

Definition of AI

In February 2025, the Commission published its guidelines on the definition of "AI system", which simply describe the definition, apply the recital and give examples. The key is the ability of a system to act autonomously and infer how to generate output based on inputs. See this Regulatory Outlook.

Prohibited AI

On 2 February 2025, the AIA's restrictions on prohibited AI practices, as well as general AI literacy obligations, came into full effect. Following this, the Commission published its long-awaited guidelines on prohibited categories of AI. See this Regulatory Outlook for more details.

General-purpose AI

⭐ General-purpose AI code of practice

On 10 July 2025, the final draft of the general-purpose AI (GPAI) code of practice (Code) was published, not far in advance of 2 August 2025, when the relevant parts of the AIA came into effect. This follows an iterative drafting process with three draft codes published before the final one.

Following this, the Commission and the European Artificial Intelligence Board completed their adequacy assessment and formally confirmed that adherence to the Code is an adequate voluntary tool for providers of GPAI models to demonstrate compliance with articles 53 and 55 of the AIA.

The Code has three chapters: (i) transparency; (ii) copyright; and (iii) safety and security (the latter applying only to providers of GPAI models with "systemic risk"). The Code is voluntary, but adherence to it is more likely to ensure compliance. Following the Code may also be beneficial, as the authorities may be more likely to focus on monitoring the developer's adherence to the Code, rather than wider compliance issues.

⭐ Commission guidelines on GPAI

On 18 July 2025, the Commission published its guidance on the scope of application of the GPAI rules. The guidelines introduce technical criteria to help developers understand whether their AI models qualify as general-purpose and hence are subject to the AIA's additional obligations on this type of model. The guidelines state that a key "indicative criterion" is whether the compute needed to train the general-purpose model was greater than 10²³ FLOPs and whether it can generate language.

High risk AI

In June 2025, the Commission launched a consultation on the classification of high risk AI systems under the AIA. The consultation closed on 18 July 2025. Responses will feed into the guidelines on high-risk AI that have to be issued by 2February 2026. See this Regulatory Outlook for details.

Artificial Intelligence | UK Regulatory Outlook July 2025

Artificial Intelligence | UK Regulatory Outlook June 2025

Artificial intelligence | UK Regulatory Outlook April 2025

When will businesses have to comply with the EU's AI Act?

How will the new UK government resolve the conflict over AI development and IP rights?

EU delays compliance deadlines for the AI Act

Artificial intelligence | UK Regulatory Outlook March 2025

The Data Act is intended to boost the availability of data to support a vibrant data economy in the EU. It will have a significant impact on some businesses. It will operate to extend data regulation far beyond the current focus on personal data and data privacy. The intention is to open up access to data, particularly Internet of Things (IoT) and machine-generated data, which is often controlled by the entity that gathered it, and is inaccessible to the entity whose activities generated it. The provisions of the Data Act will be without prejudice to the General Data Protection Regulation regime, privacy rights and rights to confidentiality of communications, all of which must be complied with in acting on the requirements in the Data Act.

You can familiarise yourself with the European Commission's "Data Act explained" document here and Frequently Asked Questions (FAQs) on the Data Act here.

Access to data from connected devices

Currently, contractual terms and conditions typically decide whether or not data collected by IoT systems, industrial systems and other connected devices can be accessed by the business or person whose activities have generated the data – the user. It is not unusual that the collected data is held by the device or service provider and is not accessible by the user.

The Data Act will create an obligation to design connected products and related services so that data that they collect is available to the user. Users will be entitled to access the data free of charge and potentially in real time. Data must either be directly accessible from the device or readily available without delay.

Users will, moreover, be able to pass the data to a third party (which may be the data holder’s competitor) or instruct the data holder to do so; data holders can only pass user data to a third party on the instructions of the relevant user. The Data Act will impose restrictions on how the third party can use the received data.

These provisions include measures designed to prevent valuable trade secrets from being revealed, and to ensure that these rights are not used to find out information about the offerings of a competitor. They also include measures to prevent unfair contractual terms and conditions being imposed on users by data holders. Data holders are able to impose a non-discriminatory, reasonable fee for providing access (which can include a margin) in business-to-business relationships. Where data is being provided to an SME, the fee must not exceed the costs incurred in making the data available.

Contractual terms and conditions relating to private sector data

In relation to contracts between businesses that contain data-related obligations more generally, the Data Act outlaws terms and conditions that deviate grossly from good commercial practice, contrary to good faith and fair dealing, if imposed unilaterally. Within that prohibition, it sets out various specifically blacklisted contractual terms, which will be unenforceable.

Access to data for public bodies

The Data Act makes provision for public sector bodies to gain access to private sector data where they can demonstrate an exceptional need to use the data to carry out statutory duties in the public interest. This might be to deal with a public emergency, or to fulfil a task required by law where there is no other way to obtain the data in question. These provisions do not apply to criminal or administrative investigations or enforcement.

Switching between cloud services providers

The Data Act seeks to remove perceived obstacles to switching between cloud services providers, or from a cloud service to on-premise infrastructure, or from a single cloud provider to multi-provider services. This part of the Data Act includes provisions concerning the contractual terms dealing with switching or data portability, which must be possible without undue delay, with reasonable assistance, acting to maintain business continuity, and ensuring security, particularly data security. It provides for maximum time limits and detailed information requirements. Service providers are required, more generally, to make information readily available about switching and porting methods, as well as formats including standards and open interoperability specifications. The Data Act imposes a general duty of good faith on all parties involved to make switching effective, timely and to ensure continuity of service.

Prevention of unlawful access and transfer of cloud-based data

A further limb of the Data Act is to require cloud service providers to prevent international and non-EU governments from accessing or transferring non-personal data held in the EU, where it would be in breach of EU or member state law.

Interoperability of data, data sharing mechanisms and cloud services

To ensure that data access rights are not undermined by technical compatibility problems, the Data Act creates obligations around interoperability for data and data-sharing mechanisms. It requires transparency around key aspects and features of datasets, data structures, and access mechanisms (such as application programming interfaces). Provision is made for standards to be developed in relation to these requirements.

The Data Act also imposes interoperability requirements between cloud services, again providing for open interoperability specifications and harmonised standards to support switching and portability, as well as parallel processing.

Smart contracts for data sharing

Finally, the Data Act covers smart contracts used for executing a data-sharing arrangement (but not smart contracts with other functions). It lays down requirements for robustness and access control, safe termination and interruption (a "kill switch"), data archiving and continuity, as well as measures to ensure consistency with the terms of the contract that the smart contract is executing. Provision is made for standards to be developed to meet these requirements. Smart contracts must be self-assessed for conformity and a declaration of EU conformity made.

Enforcement

The Data Act will be enforced at member state level by an appointed regulator. This could be an extension of jurisdiction for an existing regulator, or a new one could be created. Powers for member state regulators can include sanctions.

The EU Data Act: Part 1 – what does it regulate?

EU Data Act proposal: Commission plans comprehensive right to data access

What are the implications of the EU Data Act for smart contract operators?‍

Firms within the scope of DORA must be able to withstand, respond to and recover from ICT incidents. Important requirements for firms will include:

• Having internal governance and control frameworks that allow them to manage ICT risks effectively and prudently.
• Having a robust and well-documented ICT risk management framework in place that allows them to address ICT risks quickly and comprehensively.
• Reporting major ICT-related incidents to the relevant regulator.
• Regularly carrying out digital operational resilience testing, including a range of assessments, methodologies, practices and tools.
• Managing ICT third-party risk within their ICT risk management framework.  

Under DORA, the European Supervisory Authorities (being the European Banking Authority (EBA) European Insurance and Occupational Pensions Authority (EIOPA) European Securities and Markets Authority (ESMA) (together the ESAs)) will develop 13 Regulatory Technical Standards (RTS) and Implementation Technical Standards (ITS) setting out details and guidance on key provisions and requirements within DORA. Financial entitles must be fully compliant with and implement these standards in their ICT systems by 17 January 2025.

The first batch of technical standards published by the ESAs were adopted by the Commission and brought into effect via implementing and delegated acts in 2024 (see below).

The second batch of draft technical standards were published by the ESAs on 17 July 2024.

The ESAs also published joint Guidelines on the cooperation of oversight activities between the ESAs and competent authorities on this date. These applied from 17January 2025.

To date, the Commission has brought the technical standards set out below into effect via implementing and delegated acts:

• Delegated regulation specifying oversight fees for critical ICT third-party service providers in the financial sector, which came into effect on 13 March 2024.
• Delegated regulation on further specifying the criteria for designation of ICT third-party service providers as critical for financial entities, which. came into effect on 19 June 2024.
• Delegated regulation on oversight fees for critical ICT third-party service providers, which came into effect on 19 June 2024.
• Delegated regulation on RTS specifying the criteria for classification of ICT-related incidents, which came into effect on 15 July 2024.
• Delegated regulation on RTS specifying criteria regarding ICT risk management, which came into effect on 15 July 2024.
• Delegated regulation on RTS specifying ICT services policies supporting the critical or important functions provided by third party ICT providers, which came into effect on 15 July 2024.
• Implementing regulation on standard templates for the register of information, which came into effect on 22 December 2024.
• Delegated regulation on RTS on harmonising oversight activities, which came into effect on 5 March 2025.
• Delegated regulation on RTS which specify the content and time limits for the notification and reporting of major ICT-related incidents, and the content of notifications for significant cyber threats, which will come into effect on 12 March 2025.
• Implementing regulation on ITS setting out the standard forms, templates and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat, which came into effect on 12 March 2025.
• Delegated regulation on RTS specifying the criteria for determining the composition of the joint examination team, which came into effect on 13 April 2025.
• ⭐ Delegated regulation on RTS for threat-led penetration testing, which came into effect on 8 July 2025.
• ⭐ Delegated regulation on RTS on subcontracting setting out the requirements and conditions for the use of subcontracted ICT services supporting critical or important functions under DORA, which came into effect on 22 July 2025.

On 18 March 2025, the ESAs published joint guidelines on the estimation of aggregated annual costs and losses from major ICT-related incidents. The joint guidelines came into effect on 19 May 2025.

⭐ Following the coming into force of the delegated regulation on RTS on subcontracting, the legal framework of DORA is now complete. Organisations should focus on implementing their regulatory obligations to ensure compliance.

The implementing and delegated acts can be tracked from this page.

Cyber security | UK Regulatory Outlook January 2025

Insight: DORA – New EU cybersecurity law for Crypto

Insight: DORA Regulation – an ICT service provider's perspective

Webinar recording: Future of Financial Services Week | Deciphering DORA