6 Digital Law Developments to Watch in 2025
As digital technology transforms businesses, new laws are emerging to manage its risks and opportunities. With national e-invoicing mandates taking effect in several EU member states, DORA and NIS2 now applying, and the phased introduction of the Cyber Resilience Act, 2025 brings key legal changes for digital businesses. Here is a breakdown of the main developments.
1. E-Invoicing in the EU
Electronic invoicing is being mandated across the EU, but on national timetables rather than a single EU-wide date. The most prominent change is in Germany, where from 1st January 2025 all businesses must be able to receive structured electronic invoices for domestic business-to-business transactions; other member states have their own phased mandates. The aim is to improve VAT compliance and streamline invoicing, enabling smoother cross-border data exchange within the EU. The European Committee for Standardisation (CEN) developed the EN 16931 standard, a semantic data model for the core elements of an electronic invoice, so that invoices remain interoperable across borders; national and sector-specific specifications (such as Germany's XRechnung) build on that core. This initiative forms part of the EU's broader digital agenda to boost innovation and reduce administrative burdens. Because each country has implemented its own mandate, businesses should check the rules and deadlines in every country where they issue or receive invoices.
2. The Digital Markets Competition and Consumers Act (DMCCA) in the UK
The UK is overhauling its digital markets, competition rules and consumer laws through the Digital Markets, Competition and Consumers Act 2024 (DMCCA), which received Royal Assent in May 2024. The digital markets and competition provisions came into force on 1st January 2025, allowing the Competition and Markets Authority (CMA) to designate large tech firms as having "strategic market status" and to impose conduct requirements on them; the consumer law provisions, which let the CMA enforce consumer protection rules directly and fine businesses for breaches, followed on 6th April 2025. The legislation aims to address the power imbalance in digital markets by regulating dominant tech companies and promoting fair competition. The government and the CMA have consulted closely on the new regime, and businesses must adapt their practices in order to stay compliant.
3. The Digital Operational Resilience Act (DORA) for the Financial Sector
On 17th January 2025, the EU's Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) became applicable. DORA aims to strengthen the digital operational resilience of financial institutions such as banks, insurance companies and investment firms. It addresses the financial sector's growing reliance on technology and is intended to ensure these organisations can keep operating through cyberattacks and other ICT disruptions. The regulation requires financial entities across the EU to follow a single set of strict rules, helping to create a more secure financial system.
Under DORA, financial entities must comply with strict rules for managing ICT (information and communication technology) risk. This includes establishing ICT governance, maintaining an inventory of ICT assets, and developing key documents such as an information security policy and business continuity and recovery plans. Financial businesses must also review their relationships with third-party ICT service providers to ensure those providers meet specific security standards and that contracts contain the terms DORA prescribes. All in-scope entities must run a digital operational resilience testing programme, and entities identified by their competent authority must additionally carry out threat-led penetration testing (TLPT) at least every three years. Major ICT-related incidents must be classified and reported to the competent authority according to detailed criteria and timelines.
For businesses abroad, DORA’s impact is significant, especially for third-party service providers who work with EU-based financial entities. These providers, even if not based in the EU, will need to comply with DORA’s requirements if they support critical functions of financial institutions. This means international service providers will need to review and potentially update their contracts with EU financial clients to ensure compliance. Many organisations are already revising contracts to meet DORA standards, and while regulators may eventually offer standard contractual clauses, compliance will still depend on careful negotiation and implementation.
DORA's scope goes beyond IT departments: it extends to the management body, which is made responsible for approving and overseeing the ICT risk management framework and must keep its own knowledge of ICT risk up to date through training. The act changes how financial entities manage contracts, internal policies and their day-to-day interaction with service providers, making digital resilience a central concern for both the financial sector and its third-party partners.
4. The NIS2 Directive: Strengthening Cybersecurity Across the EU
The NIS2 Directive enhances cybersecurity across 18 critical sectors in the EU. Member states were required to transpose it into national law by 17th October 2024, and many are completing that process during 2025. Under the directive, member states must adopt national cybersecurity strategies, impose risk management measures on in-scope entities, and improve collaboration on cross-border cyber threats. With broader coverage and stronger enforcement powers, NIS2 aims to raise the EU's overall cybersecurity posture and its ability to respond to security incidents.
The directive expands on the original 2016 NIS Directive by broadening its scope to cover more sectors and imposing stricter cybersecurity obligations on medium and large entities, which are classified as either "essential" or "important" depending on their sector and size. The sectors affected include energy, transport, healthcare, finance, water management and digital infrastructure, together with sectors such as public electronic communications services, social networking platforms, postal services, manufacturing of critical products and public administration. Businesses in these sectors must implement appropriate and proportionate cybersecurity risk-management measures to safeguard against disruption or damage.
From a business perspective, NIS2 requires organisations to notify the competent national authority or CSIRT of significant cybersecurity incidents on a fixed timeline: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month. This obligation is intended to make both the private and public sectors more transparent and proactive about cyber risk. The directive also sets minimum risk-management measures that businesses must implement, including supply chain security, vulnerability handling and disclosure, incident handling, business continuity, the use of cryptography and encryption where appropriate, and cybersecurity training and awareness for staff and management.
For businesses outside the EU, NIS2 has both indirect and direct effects. Suppliers to in-scope entities will be asked to meet contractual security requirements as those entities address supply chain risk. In addition, certain non-EU providers that offer services in the EU, such as cloud computing, data centre, content delivery network and managed service providers, fall directly within scope and must designate a representative in a member state.
5. The Data Act: New Rules for Data Sharing
Applicable from 12th September 2025, the Data Act (Regulation (EU) 2023/2854) sets new rules for data sharing within the EU, aiming at a more open and transparent data economy. It requires data holders to make data available to users and third parties on fair, reasonable and non-discriminatory terms, and it prohibits unfair contractual terms in data-sharing agreements between businesses. It also sets rules for switching between cloud and other data-processing services and safeguards against unlawful third-country access to non-personal data held in the EU. The European Commission will provide guidance on how businesses can protect trade secrets and ensure fair compensation in data-sharing agreements. With the rise of data-driven innovation, the Data Act will shape how organisations collaborate, share and use data in the coming years.
One of the most significant impacts of the Data Act is its potential to unlock the value of data generated by connected products, which could substantially boost the economy. By facilitating access to this data, businesses can offer improved aftermarket services (e.g., repair, maintenance, or customisation of products) and create entirely new data-driven services.
Consumers, too, can benefit from greater control over the data generated by the products they own and from more informed choices about how to use them. For example, a user could access the data from a smart washing machine to track its environmental impact and adjust cycles for better energy efficiency, or share that data with an independent repairer.
The European data strategy, which aims to position the EU as a leader in the data economy, is also supported by the Data Act. By facilitating the free and safe flow of data across borders and sectors, the Data Act plays a critical role in building a unified European data market. This will help businesses innovate and compete, ensuring a more equitable distribution of the economic value that data can generate.
To help businesses navigate these changes, the Commission will provide model contractual terms to guide data-sharing agreements between companies. These terms will aim to ensure fairness in the way businesses share data, addressing issues like compensation and the protection of trade secrets.
6. The Cyber Resilience Act: Strengthening Product Security
As digital products and services become more integrated into daily life, ensuring cybersecurity throughout their lifecycle is becoming increasingly important. The Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) entered into force on 10th December 2024 and applies in stages: manufacturers' obligations to report actively exploited vulnerabilities and severe incidents apply from 11th September 2026, and the main obligations from 11th December 2027, so 2025 is the year to start preparing. The CRA addresses gaps in the security of products with digital elements, from smartwatches and baby monitors to software. Manufacturers must design products to be secure by default, handle vulnerabilities throughout a defined support period (in general at least five years), and provide security updates free of charge during that period. This is intended to help businesses and consumers make better-informed decisions when selecting products and to create a safer digital environment.
The CRA will affect manufacturers in particular, but also importers and distributors of connected products. Companies will need to invest in cybersecurity measures across the entire product lifecycle, from design to maintenance, which will increase operational costs. Products in the "important" and "critical" categories set out in the Act's annexes face stricter conformity assessment, with third-party assessment or certification required for the higher-risk classes before they can be placed on the EU market, adding time and resources to the process.
Manufacturers will bear greater responsibility for ensuring their products meet cybersecurity standards, shifting the burden away from consumers. Products must carry the CE mark to access the EU market, making compliance critical to maintaining market access and consumer trust. Businesses will need to adapt their product development, risk management, and compliance strategies to meet these evolving requirements, which may lead to long-term operational changes.
How Can Gerrish Legal Help?
Gerrish Legal is a dynamic digital law firm. We pride ourselves on giving high-quality and expert legal advice to our valued clients. We specialise in many aspects of digital law such as GDPR, data privacy, digital and technology law, commercial law, and intellectual property.
We give companies the support they need to successfully and confidently run their businesses whilst complying with legal regulations without the burdens of keeping up with ever-changing digital requirements.
We are here to help you. Get in contact with us today for more information.