
How To Stay Ahead of Evolving Cyber and Data Privacy Regulation and Legislation

By Snejana Bentley 23 January 2026 8 min read
New cyber and data privacy regulations and legislation continue to be announced and written into law in the UK and abroad. Whilst technology continues to advance, providing new capabilities and benefits, governments must respond to address matters including cyber threats, resilience, usage and ethics.

Staying current on cyber and data privacy regulatory changes can be challenging. This blog provides insight into some upcoming changes and guidance on how to navigate your organisation through them. 

For a more detailed look at upcoming regulatory changes, you can download our Global Regulatory Landscape Guide for 2026. 


Why is Keeping Up with Regulations so Challenging? 

Organisations face a range of challenges in relation to changing regulation and legislation, which can include:

1. Identification – Challenges identifying current and future legislation and regulation which applies. 

2. Understanding – Organisations typically do not have the in-house expertise on what new regulations and legislation are being introduced, and how they could potentially affect the organisation.

3. Resourcing – Organisations often don’t have the resources to ensure that the legal requirements of applicable legislation and regulation are identified and followed by the organisation.

If any of these challenges prevent an organisation from meeting its regulatory requirements, it can result in reputational damage and possible financial penalties and legal action.


New and Upcoming Legislation and Regulations 

A new piece of legislation that will be introduced to Parliament in the UK in 2026 is the ‘Cyber Security and Resilience Bill (CSRB)’. This was the government's response to an increase in cyber crime affecting critical national infrastructure. 

The CSRB was first mentioned in the King’s Speech in July 2024. The bill will strengthen cyber security defences, ensuring that critical national infrastructure and the digital services that are relied upon, such as local authorities, government departments and hospitals, are protected against cyber threats and attacks. The CSRB will also update the UK NIS Regulations with an expanded scope and more explicit cyber security requirements, leading to closer alignment with NIS 2.

In Europe there are three main pieces of legislation that will affect organisations globally. These are the European Union Artificial Intelligence Act 2024 (EU AI Act), the European Union Accessibility Act 2025 (EU Accessibility Act) and the European Union Data Act 2024 (EU Data Act).  


The EU AI Act 

What is the EU AI Act? 

The EU AI Act will affect how AI can be used. With AI usage on the rise, it is crucial that organisations consider the risks of AI adoption. Remember to consider the implications of AI usage within your organisation, across your supply chain and how it could be misused by threat actors. Within the EU AI Act there are rules applied which affect AI systems differently depending on the risk category they are put in. There are four risk categories, which are unacceptable risk (banned), high risk, transparency risk, and minimal or no risk. 

Business Implications 

The EU AI Act will impact the use of AI within your organisation as some AI tools are banned, such as any AI tools that exploit vulnerable individuals and any tools that perform social scoring. If your organisation is found to be non-compliant with this piece of legislation, there will be fines of up to €35,000,000 or up to 7% of annual worldwide turnover for your organisation. 

Geographical Regions 

The EU AI Act will apply to all organisations that do business within the European Union, and/or where the AI product being utilised is from the EU or influences individuals within the EU.

Key Dates 

  • The EU AI Act was written into law in August 2024. 


The EU Accessibility Act 

What is the EU Accessibility Act? 

The EU Accessibility Act will affect how accessible services are for people across the EU, aiming to make services and products more accessible. Both businesses and people with disabilities or elderly people will benefit from this Act being in place. The Act covers numerous products and services; some of the ones highlighted here are computers and operating systems, passenger transport and e-commerce.

Business Implications 

If your organisation is found to be non-compliant there are fines from €5,000 to €20,000 per non-compliance. The amount that an organisation would have to pay depends on the severity of non-compliance with the Act. 

Geographical Regions 

The EU Accessibility Act will apply to all organisations within the EU and to those outside of the EU that do business with countries within the EU.

Key Dates 

  • The EU Accessibility Act was written into law in June 2025.

The EU Data Act 

What is the EU Data Act? 

The EU Data Act will affect how data is exchanged and used within the EU and was implemented in January 2024. This Act defines how data should be accessed, introducing new measures such as mitigating the abuse of contractual imbalances and increasing legal certainty. Additionally, there are new rules setting the framework for customers to effectively switch between different providers of data-processing services.

This Act primarily applies to non-personal data and applies to anyone in the EU that processes data. This can cover a range of different parties, such as manufacturers of connected products, data holders/recipients and providers of data-processing services (including cloud services). The EU Data Act also sets new requirements that govern compensation for data use, portability between data-processing services and safeguards for non-personal data transfers to third countries.

Business Implications 

If your organisation is non-compliant with the EU Data Act there will be fines of up to €20,000,000 or 4% of the company's turnover. 

Geographical Regions 

The EU Data Act will apply to any organisation doing business in the EU, any organisation that holds data that is available to those residing in the EU, and service providers (such as cloud service providers) within the EU and/or that provide services to anyone within the EU.

Key Dates 

  • The EU Data Act was written into law in January 2024. 


US Legislation to be Aware of

In the United States, there are multiple new pieces of state-specific legislation being introduced in 2025. If your organisation operates within the United States, you will need to ensure you are monitoring these changes and assessing whether there is any impact to your organisation. Some examples of new legislation in the United States are the New Jersey Data Privacy Act (NJDPA), the Utah Consumer Privacy Act (UCPA) and the Texas Data Privacy and Security Act (TDPSA).

More information on this state-specific legislation, as well as several more laws from other states, is covered in our Global Regulatory Landscape Guide for 2026.


Why Regulatory Changes Matter 

These changes to legislation and regulations matter as they can impact how your organisation processes information, the use of AI, the controls that are required to keep information safe, and how accessible your services are.  

These new and upcoming pieces of legislation also set out the financial penalties for non-compliance, which are significant. However, perhaps even more important is the reputational damage associated with non-compliance. Customers are becoming increasingly aware of data and digital regulations, and they will act with their feet if they feel they can no longer trust your organisation to be compliant, or to act appropriately and ethically with their data.  

These new and upcoming pieces of legislation require your organisation to be compliant with them – they are legal requirements. For severe non-compliance with them, there can be financial penalties. However, this is not seen often. 

Customers will have the expectation that your organisation is compliant with these laws and that your organisation will have adequate measures in place to protect their personal data and that systems are secured. Non-compliance can lead to customers having a lack of trust in your organisation and going to other companies to provide a service or a product. 


How to Ensure Regulatory Compliance 

There are multiple solutions to navigating new and upcoming legislation and regulation and ensuring your organisation is compliant with legal requirements. A strong organisational culture of accountability and responsibility is paramount, ensuring that individuals are aware of how to stay compliant, are accountable for their actions and understand who is responsible for compliance within your organisation.

You could also consider undertaking a review of all upcoming cyber security and data privacy regulation to see what applies to your organisation. Whilst this requires subject matter expertise and can be resource intensive, it is a valuable undertaking.  

If you are willing to outsource this effort, Bridewell can provide subject matter experts to support you and your organisation in ensuring that all applicable regulatory requirements are identified and met.

For more information on upcoming regulations and legislation worldwide, download our guide.

Snejana Bentley

Academy Consultant