UPCOMING EU PRIVACY REGULATIONS AND NATIONAL ENFORCEMENT TRENDS: A 2025 GUIDE

Check out our 2025-GUIDE for upcoming EU privacy regulations and national enforcement trends.

As Europe’s data protection landscape evolves in 2025, businesses will face heightened scrutiny at both the EU and national levels. The intersection of new regulatory frameworks—like the AI Act, DSA, and DMA—with existing GDPR obligations demands a more integrated and forward-looking approach to compliance.

IMPLEMENTATION OF THE EU AI ACT AND ITS IMPACT ON DATA PROTECTION

The EU Artificial Intelligence Act (“AI Act”), adopted in 2024, will start applying in stages from 2025. It is the first comprehensive legal framework regulating artificial intelligence across the EU. While the Act mainly focuses on how AI is governed, it also has important consequences for personal data protection—especially for companies that use AI for decision-making and profiling.

What this means for business:

Companies using AI for analytics, fraud detection, or automated services should now review and update their compliance strategies to reflect these new requirements.

NEW STANDARD CONTRACTUAL CLAUSES (SCCs) FOR INTERNATIONAL DATA TRANSFERS

In 2025, the European Commission is expected to introduce updated Standard Contractual Clauses (SCCs) to address ongoing legal uncertainty around international data transfers, especially to countries outside the European Economic Area (EEA).

What this means for business:

Companies relying on SCCs should review their transfer impact assessments, watch for the release of the new clauses, and prepare to update their data transfer agreements to stay GDPR-compliant.

DIGITAL SERVICES ACT (DSA): FULL IMPLEMENTATION AND ENFORCEMENT FOCUS

The Digital Services Act (DSA) – Regulation (EU) 2022/2065 – creates a unified set of rules for digital services that connect users with goods, services, or content. While many of its provisions began applying in 2023 and early 2024, 2025 will be the first full year of large-scale, coordinated enforcement across the EU. This includes oversight of smaller platforms whose obligations took effect on February 17, 2024.

What to expect in 2025:

As the first full year of harmonized DSA enforcement unfolds, there will be closer scrutiny of how platforms use personal data, especially in recommender systems, online ads, and content moderation. Companies should ensure their DSA compliance measures are fully aligned with GDPR requirements, particularly in areas like consent, profiling, and transparency.

DIGITAL MARKETS ACT (DMA): GATEKEEPER COMPLIANCE OBLIGATIONS

The Digital Markets Act (DMA) – Regulation (EU) 2022/1925 – targets large digital platforms that act as "gatekeepers". These are companies that control access to key digital services such as app stores, operating systems, online marketplaces, search engines, and social media platforms.

The DMA aims to promote fair competition in the digital economy by preventing gatekeepers from abusing their dominant position to block competitors or exploit users. The first group of gatekeepers was designated by the European Commission in September 2023, and their obligations fully apply from March 2024, with ongoing implementation and oversight throughout 2025.

Why this matters in 2025:

Non-compliance with the DMA can result in fines of up to 10% of global turnover or even forced divestitures. For compliance teams, 2025 will be a critical year to monitor enforcement actions and align DMA implementation with GDPR standards, especially around consent, data portability, and purpose limitation.

NATIONAL DEVELOPMENTS IN DATA PROTECTION ACROSS EUROPE

Alongside EU-level regulations, 2025 will bring important national initiatives as individual Member States continue to strengthen their enforcement of privacy laws. The key developments occurring in Germany, France and Ireland reflect a growing trend toward localized regulatory action, and companies operating in multiple EU countries should pay close attention to these changes.

What this means for business:

These national-level measures indicate the need for companies to go beyond EU-wide compliance and tailor their data protection strategies to local regulatory expectations. Keeping track of guidance from individual Data Protection Authorities will be essential in 2025.

CONCLUSION: KEY ACTIONS FOR COMPANIES

  • Reassess risk exposure under the AI Act and ensure high-risk AI systems are GDPR-compliant, transparent, and auditable.

  • Review and update SCC-based data transfer mechanisms once the new clauses are released, with special attention to Schrems II compliance.

  • Strengthen DSA and DMA implementation across digital platforms, especially in areas involving profiling, transparency, and data portability.

  • Monitor local regulatory trends and adapt policies to reflect national guidance from data protection authorities.

  • Align legal, compliance, and technical teams to ensure a cohesive data governance strategy that anticipates regulatory enforcement, rather than reacts to it.

May 5, 2025

© Bytes&Rights, 2023-2025
