IT law and regulation: what to expect in 2025
AI regulation, a new US government, a new EU Commission and a new German government will shape the agenda for the coming year.
- Tobias Haar
The calendar year 2025 will also shape IT law and bring with it new regulations, laws, judgments and much more. It will be a special year, as early elections to the Bundestag are due in Germany, the new EU Commission is beginning its work and implementing its agenda and Donald Trump is starting his second term in office in the USA.
The focus everywhere will initially be on artificial intelligence and the question of how it should be regulated. This concerns, for example, legal issues relating to AI training data, export controls to prevent technologies from reaching certain countries, data protection and much more. The details of the respective government programs will be exciting. While the agenda of the new EU Commission is already roughly outlined, the content of a coalition agreement of a future German government is still completely open. In the meantime, the first details of the Trump administration's government program are leaking out, but it is still too early to provide an overview of the impact on (US) IT law. However, trends can be identified.
As in previous years, IT law in this country is largely shaped by the European Union. The new EU Commission's "Strategic Agenda 2024 - 2029" states promisingly: "We are committed to better regulation, including by making the best possible use of digital governance and taking into account the needs of SMEs and start-ups."
The EU Commission also commits to its focus areas: "We will build our own capacities in sensitive sectors and key technologies of the future such as defense, space, artificial intelligence, quantum technologies, semiconductors, 5G/6G, health, biotechnology, net zero technologies, mobility, pharmaceuticals, chemicals and advanced materials." It is due to the geopolitical framework conditions that defense is mentioned first.
AI regulation in stages
In detail: The AI Act already came into force on August 1, 2024. The comprehensive horizontal EU-wide AI regulation, which applies to all AI applications, was the result of a long legislative process with some extremely controversial discussions. In order to give the affected companies and authorities sufficient time to prepare, the AI Act provides for a phased entry into force.
Those responsible also chose a dynamic regulatory approach. This means that numerous provisions of the AI Act will only be fleshed out in detail over time through delegated acts. In addition, uniform EU standards will be set on the basis of "a standardization request to support safe and trustworthy AI" from the EU Commission, which has already been granted in 2022. The responsible CEN/CENELEC committees must complete this mandate by April 30, 2025.
First, however, bans on certain AI systems will take effect from February 2, 2025. These include AI systems from the areas of manipulation of behaviour and exploitation of weaknesses, social assessment systems, systems for risk assessment and profiling with regard to criminal offences, for creating or expanding databases for facial recognition, for recognizing emotions, biometric categorization systems and real-time remote identification systems in public spaces. Violations can lead to substantial fines.
By May 2, 2025, the EU Commission must publish a code of conduct to which providers of general-purpose AI models must adhere. If they do so, they will enjoy a presumption of conformity with the requirements of the AI Act. Otherwise, they must demonstrate alternative, appropriate means of complying with the requirements. Work on this code of conduct began in September 2024 under the leadership of the Artificial Intelligence Office under the umbrella of the EU Commission, with the involvement of affected companies, interest representatives and other stakeholders.
Use should be transparent and risk-free
On August 2, 2025, the provisions of the AI Act on general purpose AI models will come into force. These are essentially technical documentation obligations, requirements for integration into AI systems, the introduction of a copyright directive, a summary of the training data used and the mandatory appointment of an authorized representative if the provider of the AI model is based outside the EU.
There are some exceptions to these obligations for AI models that are licensed under open source licenses. Certain AI models, on the other hand, fall into the "systemic risk" category. They are subject to stricter requirements, such as the performance of attack tests, risk assessments, information obligations in the event of serious incidents, an appropriate level of cybersecurity and more.
An explosive deadline, especially for Germany, also expires on August 2, 2025: The national implementing authority for the AI Act must be notified to the EU Commission by then, including financial and human resources. This presupposes that a competent authority exists. Until the break-up of the traffic light coalition, there were many indications that the Federal Network Agency for Germany would primarily be entrusted with the tasks of AI market surveillance. It remains to be seen how a new federal government will position itself in this regard. Germany could face EU infringement proceedings if the deadline is missed.
Providers and operators of AI systems should use 2025 to prepare for the requirements for high-risk AI systems, AI systems with a specific or low risk and AI systems with a minimal risk that will apply from August 2, 2026. The scope of the definition of high-risk AI systems in the AI Act in particular is likely to mean that countless AI applications in corporate and government use will fall under this more stringently regulated category.
Further interesting developments can be expected in AI law in 2025. The appeal proceedings in the LAION case, which concerns the permissibility of using copyrighted works for AI training, will continue before the Hamburg Higher Regional Court. The action brought by the collecting society GEMA against OpenAI will be heard by the Munich I Regional Court. Copyright issues are also the focus there, particularly regarding the output of generative AI, specifically in the area of music. Further court proceedings in this country are not ruled out. Proceedings in other countries are also relevant, particularly in the USA, where it is disputed whether AI training with copyrighted content is covered by the "fair use" doctrine.
Protecting data, controlling exports
In addition, the discussions surrounding data protection aspects of AI training and AI use continue. Allegedly out of concern about data protection consequences in the EU, Meta has decided not to release the multimodal AI model Llama 3.2 for use within the EU (at least for now). Whether this will change over the course of the year, and whether further AI models will be withheld in this country, is an exciting question.
At the same time, export controls for artificial intelligence are likely to come into focus. The relevant authorities, including in the USA and the EU, are already discussing whether the export of certain AI technologies should be subject to stricter controls. This already applies to dual-use technologies, which means that certain AI technologies are already subject to export controls. The Trump administration is reportedly planning further significant tightening in this area, primarily with China in mind.
Discussions are currently underway at EU level as to whether a further directive on AI liability should be introduced for artificial intelligence in addition to the Product Liability Directive, which was only amended in 2024. The current discussion is based on a report by the EU Parliament's Scientific Service. According to the report, the aim of the directive would be to create uniform rules for liability in the event of damage caused by AI. The study evaluates the proposals and recommends extensions to liability that are being discussed in the legislative process. Due to opposition from some EU member states, it is not possible to predict when the project will be completed or whether it will fail altogether. Although the Product Liability Directive, as revised in 2024, does not have to be transposed into the law of the EU member states until the end of 2026, it is likely to generate further discussion in 2025. In the future, it will also cover damage caused by software, thereby significantly expanding its scope of application.
Secure and fair data use for all
Another IT law topic in 2025 is data law. The Data Act is central to this. It will come into effect on September 12, 2025 and includes numerous regulations aimed at promoting more intensive and effective use of data in various areas of life. It supports the goal of making greater use of data to create value, particularly for new business models. The aim is nothing less than to create a single EU market for data. To this end, access to data, for example in Internet of Things applications, should be simple, secure, and fair for users of networked products. This concerns both the transfer of data by companies to consumers and the transfer of data between companies.
Manufacturers of such products will be subject to technical design obligations, their freedom to use certain contractual clauses will be restricted and much more. Customers will also be provided the opportunity to switch between cloud providers more easily. Public authorities will be granted the right to access private sector data to use it for certain purposes in the public interest.
Data law in the broader sense also includes data protection law. Calls for a revision of the General Data Protection Regulation (GDPR) have been growing louder for years. In September 2024, a report entitled "The future of European competitiveness – A competitiveness strategy for Europe" was presented in Brussels by former ECB President Mario Draghi. Regarding data protection, it states: "The GDPR in particular has been implemented with a high degree of fragmentation, which undermines the EU's digital objectives." As a result, some newly elected EU parliamentarians have set themselves the goal of getting a GDPR 2.0 through the legislative process in order to modernize EU data protection. It remains to be seen whether there is enough political power at EU level to achieve this.
In any case, the declared aim of the new EU Commission is to improve consistency between individual EU regulations. This applies in particular to the tension between the GDPR and the AI Act. According to former ECB President Mario Draghi, the existing inconsistencies and overlaps between regulations are hampering innovation and development in the EU.
Financial markets need security and stability
Other important projects are on the agenda at EU level in 2025: the regulations of the Digital Operational Resilience Act (DORA) will come into force on January 16, 2025. The aim is to ensure the operational stability of digital systems in the financial sector. The regulation is intended to make a significant contribution to strengthening the European financial market against cyber risks and information and communication technology incidents. Germany has chosen the Federal Financial Supervisory Authority (BaFin) to enforce DORA.
No specific regulatory plans for quantum computing are yet on the political agenda for 2025. However, the legal discussions surrounding specific legislative activities in this area have already begun. Questions of export control, i.e., the permissibility of exporting technology, are being discussed in more concrete terms. Quantum technology has already become the focus of the US Bureau of Industry and Security, the agency that deals with high technology and national security, in 2024. The current US government has imposed initial export control restrictions. The future administration could tighten these restrictions further against the backdrop of the global political situation and force the EU and its member states to follow suit with their regulations.
It is also to be expected that legal aspects of cybersecurity will remain in focus considering the geopolitical threats and will lead to regulatory initiatives at national and EU level. Affected companies should also use the coming year to comply with the requirements of the EU Cyber Resilience Act, which will apply from 2026.
At German level, the new year will also bring changes to IT law: from January 1, 2025, electronic invoicing will become partially mandatory in the domestic B2B sector. A PDF invoice sent by email will no longer count as an electronic invoice. However, there are transitional arrangements until 2028 and companies should adapt their general terms and conditions. This applies in particular to payment terms and invoicing. Companies should find out about electronic invoice formats such as XRechnung or ZUGFeRD (a combination of PDF and XML formats) and select the format that suits them best.
Accessibility of products and services
The Accessibility Reinforcement Act (BFSG) comes into force on June 28, 2025. It affects all market participants who offer products such as computers, self-service terminals or telecommunications devices as well as services such as telecommunications services, banking services and e-commerce (e.g. web stores and apps). Companies must fulfill testing, verification and notification obligations. Manufacturers are obliged to prepare technical documentation, carry out conformity assessment procedures, affix CE markings, submit EU declarations of conformity and comply with information and labeling obligations.
Retailers and service providers are also called upon to update their general terms and conditions and ensure the accessibility of their products and services. For example, it must then be possible for all B2C online stores to be used by people with disabilities without difficulty or assistance.
The electronic patient file (ePA) is to be introduced in 2025. From January 15, 2025, everyone with statutory health insurance will automatically receive an ePA unless they object. This opt-out regulation is intended to significantly expand the use of the ePA, as only around one percent of insured persons have applied for such a record to date, although this has been possible since January 2021. An application will no longer be necessary in future, as the ePA will be created automatically.
The ePA will initially be introduced in Hamburg, Franconia and parts of North Rhine-Westphalia, where it will be tested from January 15, 2025. If successful, the Federal Ministry of Health is planning a nationwide rollout from February 15, 2025. The ePA is intended to optimize the exchange and use of health data between all treating service providers and thus improve patient care. Insured people should be able to manage and use their ePA independently at any time via the ePA app.
Shortly before the break-up of the traffic light coalition, the Federal Ministry of Labor presented a draft for an Employee Data Act. It is intended to take account of the increasing digitalization of the world of work and the specification of abstract data protection regulations in the General Data Protection Regulation and the Federal Data Protection Act. It is intended to regulate questions such as: At what point is an employee's consent to data processing required, when should applicant data be deleted, what limits should be placed on employee monitoring and what co-determination rights does the works council have? The fate of this draft law is likely to depend on whether the SPD will be part of a new federal government.
The current timetable for transposing the NIS2 Directive into German law is also at risk. In Germany, the implementation of this cybersecurity directive is linked to other aspects. These include the independence of the Federal Office for Information Security (BSI) and regulations on vulnerability management. The upcoming elections affect other legislative projects as well. One is the implementation of the E-Evidence Directive, which is intended to give investigators better access to content and traffic data as well as other electronic evidence across national borders.
Many legislative projects are on hold
There are also laws to strengthen security authorities in the digital space, the quick freeze procedure, which is intended to provide a way out of the legal uncertainty surrounding data retention, the Telecommunications Network Expansion Acceleration Act, amendments to the Energy Efficiency Act with regard to data centers, the Mobility Data Act and several other projects that are on hold for now. On the other hand, the Data Governance Act, which deals with the use of public/protected data and its disclosure by trustworthy data intermediaries, is considered to have a certain chance of success. New regulations on the right to encryption, chat control and register modernization are likely to have failed. Perhaps a new federal government will succeed in bringing the national implementations of the EU Data Protection Act into force in time before the deadline in September 2025.
At the beginning of November 2024, the Federal Ministry of the Interior presented a "Draft Act to Amend the Criminal Code – Modernization of Computer Criminal Law". It is intended to reform Section 202 of the German Criminal Code (StGB), which has become known as the hacker paragraph. Spying on data should not be punishable if it is done "with the intention of identifying a vulnerability or other security risk in an information technology system (security vulnerability) and informing those responsible [...] about the identified security vulnerability" or if it is "necessary to identify the security vulnerability". The reform would clearly exempt penetration testing and ethical hacking within or outside of bug bounty programs from punishment and eliminate existing uncertainties.
On the other hand, in the case of hacking with a large-scale loss of assets, for profit, commercial activity, impairment of the "availability, functionality, authenticity or confidentiality of a critical infrastructure" or a threat to Germany's security, the maximum penalty would be increased from three to five years. These tougher penalties are also planned for data interception (Section 202b StGB) and data alteration (Section 303a StGB).
Many small but important regulations
The Federal Criminal Police Act must be revised by July 2025. This is provided for in a ruling by the Federal Constitutional Court in October 2024. The issue was the extent to which the BKA can process personal data in its own information systems "insofar as this is necessary to fulfill its tasks". The judges in Karlsruhe believe that the principle of proportionality is violated if this data is used for secret surveillance measures.
Finally, there is a whole series of smaller, yet important new legal requirements in the IT sector. According to the EU Product Safety Regulation, online retailers must provide clear and visible information about their online product offerings. This includes the name, the registered trademark of the manufacturer along with contact details, a European address for foreign suppliers and any warnings and safety instructions. Online labeling obligations also apply to radio equipment. This affects manufacturers, importers and retailers of portable cell phones, headsets, laptops and navigation systems, among other things. They must provide product detail pages in their online stores with an online pictogram and an online label. A transition period until 2026 applies to laptops.
From June 20, 2025, energy consumption labeling obligations will apply to smartphones and tablets sold after this date. Appropriate labels must be displayed at points of sale or in online stores. Advertising materials must contain information about the energy efficiency class of a product. According to the Batterierecht-Durchführungsgesetz (Battery Law Implementation Act), online retailers will have to fulfill certain information obligations towards end users regarding the take-back or return obligation from mid-August 2025.
Conclusion
Following the break-up of the coalition government in Germany, numerous IT law projects have been put on ice. These include the Employee Data Act, for example. It is likely to be several months before a new government is formed and a coalition agreement is in place. Legislative packages that have already been passed, such as the electronic patient file, will come into force or be implemented as planned in 2025.
At EU level, the new EU Commission is taking shape. It has proclaimed "Europe's Digital Decade: digital goals for 2030". It remains to be seen in detail which specific projects it will derive from this. It is clear that further regulation of artificial intelligence and access to data for new business models will be part of this. At the same time, regulations in the AI Act and other IT regulations will come into force in 2025.
Many in Europe are waiting with great excitement and concern to see how the new US government will position itself on IT law aspects. Artificial intelligence also plays a major role here. There are also questions about the permissibility of exporting technologies to China and other countries, discussions about customs duties and how this will affect IT supply chains worldwide.
(nie)