Introduction to Resource Center
This page provides an overview of the IAPP's Resource Center offerings.

Contact Resource Center
For any Resource Center related inquiries, please reach out to resourcecenter@iapp.org.



Resource Center / Reports and Research Articles / EU Digital Laws Report 2025

EU Digital Laws Report 2025

This report provides the foundation for building a synergetic compliance strategy with EU digital laws and policies.

Published: October 2025

Contributors:

Müge Fazlioglu

View Report (Members-Only)

Envisioned by the European Commission's 19 February 2020 communication on a European strategy for data and streamlined through the emerging Data Union Strategy, numerous new EU digital laws have recently come into force. Motivating this digital legislative agenda is data's centrality to the modern, global economy. Data is "an essential resource for economic growth, competitiveness, innovation, job creation and societal progress in general."

Ultimately, these laws aim to "explore new ways to handle and create value from data" within a framework that respects the EU Charter of Fundamental Rights. The suite of new digital laws that have recently come into force — or will soon — include the Data Governance Act, the Data Act, the Open Data Directive, the Digital Markets Act, the Digital Services Act, the Artificial Intelligence Act, the Network and Information Security Directive II and the Cyber Resilience Act, to name a few.

By one count, 101 EU laws related to digitalization had been adopted, with 24 more in process or in the planning stages at the end of the 2019-2024 legislative term. With new digital regulations now in force, organizations must prioritize how to implement various requirements, understand how they intersect, and manage their overlap with longer-standing laws around privacy and data protection, namely the EU General Data Protection Regulation.

Indeed, although these new digital laws all aim to improve the functioning of the internal market while protecting fundamental rights, more clarity about their legal obligations can enhance their effectiveness. These new laws have created additional responsibilities for organizations in general and for the privacy function in particular. Yet, the majority of privacy, AI and digital responsibility professionals have welcomed the challenges brought about by these increasing regulatory responsibilities. Indeed, 77% of European respondents to the IAPP's 2025 AI Governance Profession Survey agreed that regulation is helpful to their organization's mission of using data and digital technology for innovation and achieving business outcomes.

Situated within this context, this report provides the foundation for building a synergetic compliance strategy with the DGA, Data Act, DMA, DSA, AI Act and NIS2 Directive. Considering the vast number of new digital laws and policies, this report focuses on this narrower subset due to their significance and broader effects within the global marketplace. Although narrower, more targeted initiatives may be just as substantive in terms of impact. This report seeks to appeal to the broadest class of organizations, including digital service providers, online platforms and marketplaces, developers and deployers of AI, public sector bodies and entities operating within critical sectors of the economy.

Thus, homing in on this core subset of digital laws, this report lays out their scope, exemptions, and key obligations with a focus on risk assessments, individual rights, transparency requirements, data governance structures, and EU level agencies and cooperation mechanisms set up by each regulation or directive. This report also examines the intersection of each of these recently enacted laws with one another and with the GDPR with a view toward synergy and simplification within the EU's digital agenda.

Key takeaways

Vast number of new digital laws and policies

101 EU laws related to digitalization have been adopted, with 24 more in process or in the planning stages.

Difficulty understanding EU AI Act obligations

Nearly 7 in 10 businesses have difficulty understanding their obligations under the AI Act, with those expressing more uncertainty being less likely to make plans to invest in AI.

Additional tasks beyond privacy

Over the past year, 80% of privacy professionals report being given additional tasks above-and-beyond their privacy day jobs, with 55% having acquired additional responsibility for AI governance, 32% for cybersecurity regulatory compliance, 20% for consumer protection, and 19% for platform liability.

Regulation helpful to organizational missions

77% of European respondents to the IAPP's 2025 AI Governance Profession Survey agreed that regulation is helpful to their organization's mission of using data and digital technology for innovation and achieving business outcomes.

View Report (Members-only)

Additional resources

Tags: Europe, Privacy Law, Privacy Operations Management, Privacy Research, Westin Research Center

Approved
AIGP, CDPO, CDPO/BR, CDPO/FR, CIPM, CIPP/A, CIPP/C, CIPP/CN, CIPP/E, CIPP/G, CIPP/US, CIPT, LGPD
Credits: 3

Submit for CPEs

Related Stories
Europe
On this topic page, you can find the IAPP’s collection of coverage, analysis and resources related to privacy in the European region....
EU AI Act
Here, you can find the IAPP’s collection of coverage, analysis and resources covering the EU AI Act....
EU Cyber Resilience Act: 101
This resource explores the EU Cyber Resilience Act, which establishes uniform cybersecurity requirements for products with digital elements across the EU....
Read More