EU and UK: Technology Law Shorts - December 2025

This quarter shows regulators accelerating reforms that reshape data governance,  and digital resilience. Global businesses must adapt early, as these rules increasingly influence product design, infrastructure choices, and cross-border operations.

Key developments include the EU court’s confirmation of the EU-US Data Privacy Framework,  and the launch of the EU’s Digital Omnibus proposal. In the UK, initiatives on technology licensing and cyber-resilience mark a shift toward more agile oversight.

For global leaders, two priorities stand out. Simplification efforts are advancing but will involve a difficult transition. At the same time, resilience and security concerns are driving tighter oversight of infrastructure, suppliers, and core digital services.

Commercial technology on the horizon: what do I need to know?

EU: Court of First Instance confirms validity of EU-US Data Privacy Framework

On 3 September 2025, the EU General Court (GC) upheld the Commission’s adequacy decision on the EU-US Data Privacy Framework.

The DPF is a system that allows certified US businesses to receive personal data from the EU without additional safeguards. It was created to address EU concerns about US surveillance and judicial redress. For businesses, it provides a streamlined way to maintain transatlantic data flows essential for HR, cloud services, and customer operations.

The plaintiff argued that the DPF did not provide sufficient protection for personal data transferred to the US. They cited concerns over surveillance, security of processing, and automated decision-making.  The GC rejected these claims, finding that the US framework offers ‘substantially equivalent’ protection to EU standards.

This decision confirms that the DPF remains a valid transfer mechanism and provides legal certainty for transatlantic data transfers.

Impact: For businesses this first ruling means reduced compliance risk and operational continuity. It confirms the DPF as a valid way to transfer data, ensuring legal certainty for data flows between the EU and US. EU organisations using alternatives like SCCs and BCRs also benefit from increased certainty. Many of the US privacy safeguards approved by the Court are also relevant for ensuring compliance with these transfer tools. However, privacy experts warn that the ruling can still be overturned on appeal.

EU: New GDPR Cross-Border Enforcement Rules adopted

On 17 November, the Council of the European Union formally adopted a regulation to speed up handling of cross-border GDPR complaints and improve cooperation among national authorities. The Council’s adoption was the final legislative step for the regulation. The regulation was published in the Official Journal on 12 December 2026.

Key changes include:

• uniform rules on the information required to be specified in cross-border GDPR complaints lodged by data subjects, in order for a complaint to be admissible
• the same rights for individuals filing complaints and investigated parties, including the right to receive preliminary findings
• early resolution and simple cooperation mechanisms to enable supervisory authorities to settle straightforward cases to reduce administrative burden
• new deadlines for complaints handling, including that lead supervisory authorities must submit a draft decision within 15 months (extendable by 12 months for complex cases) or 12 months for straightforward cases

Impact: The regulation promises faster enforcement. Compliance processes will, therefore, require tighter timelines and proactive engagement. Businesses should review GDPR strategies now to anticipate stricter deadlines and enhanced transparency obligations across EU jurisdictions.

EU: Digital Omnibus Proposal Triggers Fierce Debate

On 19 November 2025, the EC published its proposal for a Digital Omnibus. This is a package of new reform proposals to simplify and streamline EU digital rules. It covers GDPR, cybersecurity, AI regulation, data laws, reporting obligations and the ‘European Business Wallet’. The package includes proposals for two Regulations, with AI proposals grouped separately. This signals fast tracking to delay AI Act rules due in August 2026.

The Commission also launched a consultation and evidence call, open until 11 March 2026, for a Digital Fitness Check. This review will assess how digital laws work together, their impact on businesses, and their role in competitiveness and fundamental rights.                                                                         

Critics argue the Omnibus lacks evidence and may weaken privacy and accountability, while the Commission highlights benefits for SMEs and mid-sized firms. Expect a contentious legislative process with lengthy negotiations and possible court challenges.

The Council and Parliament are preparing positions before starting three-way negotiations.

Impact: The key changes impacting businesses include:

• consolidated data-sharing rules to protect trade secrets and maintain EU control
• changes to personal data use, including limits on use of special categories of personal data and automated decisions
• ePrivacy reforms to reduce consent fatigue and cut cookie banners
• one-stop reporting for breaches under GDPR, NIS2, and DORA
• adjusted AI Act timelines to align obligations with availability of standards and guidance

Businesses operating in or affected by EU digital laws should stay alert. Expect major revisions, procedural risks, and timelines stretching into late 2026 or beyond. It is recommended to prepare for multiple scenarios as the current draft will likely change.

UK: CMA Recommends New Tech Licensing Framework

On 30 September 2025, the CMA recommended replacing the current Technology Transfer Block Exemption (TTBER) with a UK-specific order (TTBEO). The new framework aims to modernize licensing rules for innovative sectors and provide greater flexibility for competitive agreements. The UK TTBER mirrors the EU version, but both expire on 30 April 2026.

Key changes under the UK’s Proposed TTBEO:

• new exemption test: agreements qualify if three independently controlled, “real and concrete” competing technologies exist
• CMA powers: CMA can withdraw exemptions case-by-case, with strict notice and response procedures
• grace period: Market share grace period extended from two to three years
• definitions: Updated to align with UK law and Vertical Agreements Block Exemption Order (VABEO) for greater clarity

The CMA plans a one-year transition after TTBER expires. Existing agreements remain valid until April 2027, after which they must comply with the TTBEO.

Impact: The proposed TTBEO will reshape UK technology licensing. Divergence from EU rules is likely as both regimes expire in April 2026. Businesses should review existing agreements now. Early action will help avoid disruption and maintain exemption benefits across European operations.

UK: Cyber Security and Resilience Bill significantly broadening NIS regime

On 12 November 2025, the UK Government introduced the Cyber Security and Resilience (Network and Information Systems) Bill.

The Bill aims to strengthen cyber security across essential UK public services, including healthcare, transport, energy, water, and digital infrastructure. It brings data centres, large load controllers,  managed service providers and critical suppliers to entities subject to UK NIS under regulatory oversight, expanding obligations to previously exempt businesses.

Key Changes:

• more entities in-scope of UK NIS
• broader incident reporting requirements
• stronger enforcement powers and cost recovery provisions
• enhanced information-sharing rules
• powers for the Secretary of State to adapt the regime to emerging risks and technologies

Impact: The Bill will significantly widen the UK NIS regime once enacted. Compliance will require robust cybersecurity and reporting frameworks. Obligations will extend across supply chains and will impact downstream contracts.

Expect stricter reporting, potential audits, and higher compliance costs. Failure to comply risks enforcement, reputational damage, and contractual disruption. Early engagement with government factsheets and sector-specific guidance is recommended to prepare for implementation.

Even after adoption, businesses must stay alert as new sectors and obligations can be introduced quickly.

Further resources:

• Tech Talks - Executing AI: Frameworks for success
• Our Guide to the UK's Data (Use and Access) Act 2025
• Global AI Regulatory Update - August 2025 | Eversheds Sutherland
• Tech Talks podcast series