In so many ways, we’re living through a time when what seemed far-fetched until recently is now commonplace. Whether devising contractual models to underpin new business patterns or aligning the legal and regulatory issues that arise when an entirely new range of services comes to market, Tech lawyers’ creativity will have a big part to play in making the far-fetched a reality in 2025.
Two things stand out as key Tech law trends for 2025 – the astonishing progress of AI and what this means for lawyers; and how organisations’ legal and compliance teams are navigating the flood tide of new Tech regulation that reaches its high water mark in 2025 and 2026.
AI scaling laws: the new kid on the block
Moore’s law – that processor density doubles every two years – is being overtaken by a new rule of thumb: scaling laws – that AI model performance doubles every six months. And it’s this new empirical rule that’s leading to ever faster AI models being called out as the accelerant for reshaping the Tech landscape. But it’s not just faster AI models – the race is on for AI model optimisation by making algorithms, compute power and energy consumption greener and more efficient.
With AI compute demand forecast to exceed supply, scaling laws are also behind Big Tech’s investments in nuclear energy – where Google, Amazon and Microsoft each announced deals in autumn 2024 – and data centres – where alternative asset manager Blackstone predicted in mid-2024:
“there will be approximately $1 trillion of capital expenditures in the United States over the next five years to build and facilitate new data centres with another $1 trillion of capital expenditures outside the United States.”1
So, we’ll be hearing more in 2025 about scaling AI efficiently as measured by ‘tokens per dollar per Watt’, (where the token is the basic unit of data that an AI model processes, dollar is cost and Watt is energy consumption) and ‘test-time compute’ (giving AI models more time to think).
Yet some are saying that scaling laws are already running out of steam, prompting the Economist to call the current data centre dash:
“the biggest gamble in business history … will investors lose their nerve, or will AI prove its worth as “agentic” systems become more capable and AI-developed drugs emerge?”[2]
AI agents
AI scaling laws facilitate the convergence of three capabilities:
- new AI-driven user interfaces that support speech, image and video as input and output;
- memory that retains context; and
- new reasoning capabilities that complete end-to-end tasks for the user.
In the words of the Microsoft Annual Report 2024:
“this new world is defined by personal, business and organisational AI agents taking action on our behalf and working in concert as a new input to improve efficiency.”3
In this context, a striking prediction from research consultancy Gartner is that by 2030, 80% of humans will engage with smart robots on a daily basis, up from less than 10% today.4
2025 will see a burgeoning of AI contractual and regulatory issues on Tech lawyers’ desks as a fast growing range of AI services hits the mainstream. As organisations work to balance the benefits and risks of AI services in their businesses, and as AI projects move from proof of concept to pilot to full roll-out, AI Governance – in the shape of impact assessments, transparency documentation, guardrails, policy statements and internal user requirements – will increasingly occupy legal teams’ time in 2025.
EU Tech regulation (again)
With NIS2 (the second network and information security directive) applicable since October 2024 and DORA (digital operational resilience for financial entities) applicable from mid-January 2025, the new world of EU cybersecurity regulation (see Table 1 below) – not inaccurately called ‘the great re-papering’ – has definitively arrived in 2025, with the AI Act to follow hard on its heels in August 2026.
But the transition to these new rules looks set to be challenging in 2025. This is because rules that are cast as directives (NIS2 and critical entities resilience) need to be transposed into national member state law, and as we go into 2025 only a few countries have passed NIS2 into their own law. This is likely to give rise to a period of uncertainty in those countries that are late, quite apart from substantive differences in what each member state’s law will actually say. Delay and differentiation could well lead to further fragmentation (precisely what NIS2 aims to avoid).
In the longer run, with the incoming US administration promising a bonfire of regulation, it remains to be seen how this EU tech rule toolbox will play out globally, geopolitically and in terms of European competitiveness.
Table 1: the EU Tech rule toolbox
| # | Area or Measure | Content | Instrument* and status |
| AI | |||
| 1 | AI Act | Sets out harmonised rules on AI | Regulation, came into force on 01.08.24, fully applicable by 02.08.26 |
| Cybersecurity | |||
| 2 | Cyber Resilience Act | Addresses connected device software vulnerabilities | Regulation, proposal of 15.09.22 |
| 3 | Critical Entities’ Resilience Directive | Aims to harmonise and raise resilience standards for critical entities | Came into force on 16.01.23, rules to be transposed into national law by 17.10.24 |
| 4 | Digital Operational Resilience Act (DORA) + regulatory technical standards, etc | Aims to harmonise and raise standards of operational resilience in the financial sector. | Came into force on 16.01.23, fully applicable by from 17.01.25 |
| 5 | Network Information Security Directive (NIS2) | Aims to raise harmonise and raise standards of network and information security (and replace the NIS 1 Directive | Came into force on 16.01.23, rules to be transposed into national law by 17.10.24 |
| 6 | NIS2 Implementing Regulation | Lays down detailed rules for application of NIS2 | Published on 17.10.24 |
| Data | |||
| 7 | Data Act | Harmonises rules on data fair access and use | Regulation in force on 11.01.24 and will become directly applicable on 12.09.25 |
| 8 | Data Governance Act | Aims to ensure trust in data sharing, neutrality of data markets and public sector data use | Regulation in force on 24.06.22, most terms have applied from 24.09.23 |
| Online platforms | |||
| 9 | Digital Markets Act | Aims to foster “big tech” fair competition | Regulation in force on 1.11.22, most terms apply from 04.23 |
| 10 | Digital Services Act | Regulates online services and intermediary service providers | Regulation in force on 18.11.22, most terms apply from 02.24 |
| Privacy and data protection | |||
| 11 | ePrivacy Regulation | Replaces and overhauls Privacy and eCommunications Directive (2002/58) | Regulation proposal of 10.01.17 |
| 12 | Health Data Space Regulation (EHDSR) | Establishes common space for individuals to manage (and private and public sector entities to access) health, healthcare and genomic data. (The EHDSR is the first of several anticipated “domain-specific” common EU data spaces) | Regulation, proposal of 03.05.22 |
| 13 | Platform Workers Directive | Includes limits monitoring of platform workers’ psychological state, private conversations and devices use outside of platform work | Directive, proposal of 09.12.21 |
| Product liability | |||
| 14 | Liability Directive for AI | Adapts non-contractual civil liability rules to AI | Directive, proposal of 28.09.22 |
| 15 | Liability Directive for Products | Product liability rules extended to cover digital products | Directive, proposal of 28.09.22 |
Tech regulation in the UK in 2025
More narrowly, how the UK, poised uncomfortably, between the EU and the US, will respond in 2025 remains to be seen.Despite a tumultuous political landscape in recent years, 2025 is set up for a gear shift for UK tech regulation. The government has indicated that 2025 will be the year it regulates on AI (a stark contrast to the message at the start of the year). The question of how far it will go and which direction it will take is yet to be seen, especially against the complex geopolitical backdrop.
The long overdue update of the NIS Regulations has been set in motion but it’s still early days as the new cybersecurity law is yet to be drafted. The focus on security and resilience will be at the heart of UK cyber developments, mirroring the EU approach (and of regulators globally) that the risk of threats is greater, the impact more severe and this requires intensified oversight.
The continued rise of smart devices, in particular in consumer markets, will be looked at through the lens of data and security and regulators will be looking to protect against the ‘invisible’ threats throughout the entire life cycle of products. Of course, UK businesses will also have to navigate the unprecedented wave of EU regulations coming into force over the next couple of years in order to maintain their cross-border operations.
Data protection in 2025
Data protection will continue to be seen through an AI lens as we move into 2025.
In the UK, the data protection regulator, the ICO will hopefully publish the final versions of its Generative AI guidance.
Meanwhile, Labour’s vision of the UK’s data reform bill, the Data (Use and Access) Bill will continue to progress, and, unlike its predecessor Data Protection and Digital Information Bill(s!), likely be successful. The Bill’s UK GDPR reform provisions will reform the ICO into the “Information Commission” and increase the PECR (i.e. cookies and direct marketing) regulatory regime to align with the UK GDPR. Most notably for AI, they also give greater permissions and clarity for automated decision making, the (re)use of personal data for scientific research (including a broadening of “consent”) and permit the Secretary of State to both authorise processing for specific “legitimate interests” and prescribe new “special categories” of personal data. Importantly, the Bill has done away with some of the more controversial proposals of the previous Bill, including to replace DPOs with “Senior Responsible Individuals”. (Deirdre’s summary of the previous proposals can be found at: https://kempitlaw.com/insights/the-dpdi-no-2-bill-a-whole-new-uk-gdpr/ )
The Bill also paves the way for open data regulations covering customer and trader data, including customer rights of rectification and portability, and obligations for “data holders”, likely to include e.g. SaaS providers, to assist traders in complying. Digital verification services (DVS) and digital IDs are also back in scope, including standards, governance and oversight for DVS providers.
Across the channel, data protection enforcement (coupled with competition and AI regulation) continues to battle with the EU’s lagging economic development and the dominance of Big Tech. With many, but importantly not all, of Europe’s data protection authorities assuming national competence under the new AI Act, and consultations on AI, “consent or pay” and the draft “legitimate interests” guidance closing, expect the tussle to continue. Other EDPB priorities to keep an eye on are the taskforce on Competition and Consumer Law, and the right of erasure.
Further afield, expect the proliferation and enforcement of privacy laws to continue. As for everything else, the interaction with AI will likely dominate, although other areas of focus will likely be children’s data, digital identities and other frontier technologies, such as neurotechnology, quantum computing (and its threat to encryption) and deep fakes.
Finally, a few outliers that we may well be more familiar with by the end of 2025.
Quantum cryptography
Quantum computing has been steadily, if quietly, developing in recent years, with IBM becoming the first to 433 Qubits (quantum’s version of the binary digit) in 2022 and 1,000 qubits (at the end of 2023). Although compelling use cases for quantum have been slower to emerge than developers had hoped, security and cryptography present technical features that may (according to Gartner) make most conventional asymmetric cryptography unsafe.
The return of spatial computing (aka the metaverse)
Swelling the theme of efficiency, the metaverse is morphing into spatial computing – digitally enhancing the physical world by augmented (AR), extended (XR) and virtual reality (VR) technology – and expanding as XR devices come down in cost and become infused with AI. This is resulting in mainstream adoption in the organisation in areas like training, workflows and collaboration. AR/XR/VR present particularly challenging issues for copyright, trade marks and other intellectual property and 2025 will see these issues get even more complex as more cases come to court.
Neurological enhancement
Until recently neurological enhancement – the reading and decoding of brain activity – has been used mainly to repair injury and in other medical fields. In 2025, the technique will come out of the hospital and into everyday life, enhancing cognitive ability in fields as diverse as product marketing (what is the customer feeling?), performance and improving generations to come. These new techniques, and the increased competition they will drive, will bring about an increasing regulatory response in the next years.
1 Blackstone Second-Quarter 2024 Investor Call – 1678009, Steve Schwarzman, Chairman & CEO, July 18, 2024
2 “Will the bubble burst for AI in 2025, or will it start to deliver?” Rachana Shanbhogue, Business affairs editor, The Economist, November 18, 2024
3 Microsoft Annual Report 2024, Letter to Shareholders from Satya Nadella, Microsoft Chairman & CEO
4 Gartner Top 10 Strategic Technology Trends, Gene Alvarez, Gartner, October 21, 2024