Technology and Innovation
Key provisions that apply in 2025 include the rules on prohibited AI systems (2 February 2025) and obligations for providers of general-purpose AI models (2 August 2025).
By 17 April 2025, Ireland and other Member States must establish a list of essential and important entities as well as entities providing domain name registration services.
Artificial Intelligence
Many businesses will be ramping up their compliance and governance processes in 2025 to take account of the AI Act (Regulation (EU) 2024/1689), which will generally apply to AI systems from 2 August 2026, subject to a phased timeline for certain obligations. Key provisions that apply in 2025 include the rules on prohibited AI systems (2 February 2025) and obligations for providers of general-purpose AI models (2 August 2025). Work has already commenced on a General-Purpose AI Code of Practice (Code) in a multi-stakeholder collaborative process with the European Artificial Intelligence Office. The final Code will be published and presented in a closing plenary, expected in April 2025.
For more information on the AI Act and its application, watch our video series here and read our briefings on procurement of AI here.
Regulation of Data
While receiving less fanfare than the AI Act, the Data Act (Regulation (EU) 2023/2854) contains new wide-ranging rights and measures, including: rights for users to access personal and non-personal data from connected products and related services, measures for B2B data sharing, rights/obligations to reduce friction on switching cloud services and measures to enhance the interoperability of data and of data sharing mechanisms and services. The Regulation applies from 12 September 2025, with provisions for some obligations to apply from a later date.
For more information on the Data Act, watch our video series here and read our briefing here.
Cybersecurity
The Network and Information Security Directive (Directive 2022/2555) (NIS2) came into effect from 17 October 2024, subject to the enactment of domestic Irish legislation to fully transpose its provision. It applies to a broad range of sectors and introduces stricter cybersecurity requirements, including specific governance requirements and new regulatory reporting obligations and deadlines. By 17 April 2025, Ireland and other Member States must establish a list of essential and important entities as well as entities providing domain name registration services.
Read more about NIS2 here and watch our video series here.
Operational Resilience
17 January 2025 will see the Digital Operational Resilience Act (Regulation (EU) 2022/2554) (DORA) come into force. It applies to a wide range of financial entities, including credit institutions, electronic money institutions, investment firms, insurance undertakings and re-insurance undertakings. Importantly, DORA will also result in certain major ICT service providers formally coming within scope of supervision by the European Supervisory Authorities for the first time.
See our briefing on DORA here.