Artificial intelligence: The EU AI Act's global reach
The EU AI Act, which entered into force in August 2024, establishes the world's first comprehensive legal framework for artificial intelligence. Its phased implementation timeline stretches through 2027-2028, but several critical obligations are already in effect or fast approaching. Prohibitions on unacceptable-risk AI systems and AI literacy obligations became applicable in February 2025, while rules governing general-purpose AI (GPAI) models and the broader governance framework took effect in August 2025. The vast majority of obligations, including those for standalone high-risk and limited-risk AI systems, will ultimately become applicable in 2027-2028.
For non-EU operators, the AI Act's extraterritorial scope is particularly significant. The regulation applies not only to providers and deployers of AI systems established in the EU, but also to providers and deployers in third countries whose AI system output is used within the EU, or who want to roll out global AI tools and policies across all international entities within their organization. Companies should be evaluating which risk category their AI tools fall into, assessing their obligations around transparency, human oversight, and risk management, and preparing for conformity assessment requirements.
Beyond personal data: GDPR reform, the Data Act, and the Digital Omnibus
On the data governance side, the EU's Digital Omnibus package introduces targeted but materially significant amendments to the GDPR and ePrivacy framework. Among the most impactful changes is the codification of "relative identifiability," clarifying that the same dataset may fall outside the GDPR for one entity while remaining fully in scope for another. The package also intends to extend data breach notification deadlines from 72 to 96 hours, to integrate cookie consent rules into the GDPR, and to introduce an explicit legal basis for AI development under legitimate interests.
Meanwhile, the EU Data Act, applicable since September 2025, creates new access and sharing obligations for manufacturers of connected products, providers of related services, and cloud/SaaS providers. Its reach is extraterritorial: non-EU companies placing connected products on the EU market or providing data processing services to EU customers must comply, regardless of where they are established. We often see the impact of the Data Act being underestimated. Substantial investments may, however, be required both on the technical side (reassessing the implementation of data export and interoperability functionalities) and on the contractual side (updates to T&Cs for cloud-based, SaaS or other data-processing services, legal/regulatory requirements for connected products, etc.).
NIS2 and the EU Cyber Resilience Act: What non-EU organisations need to know
The EU Cyber Resilience Act, which entered into force in December 2024, represents the EU's first binding cybersecurity framework for hardware and software products. Its scope is broad and extraterritorial. Any company making products with digital elements available on the EU market is subject to its requirements, regardless of where that company is based. Reporting obligations take effect in September 2026, with full compliance required by December 2027. Non-compliance carries fines of up to EUR 15 million or 2.5% of global annual turnover.
Equally significant is the NIS2 Directive, which imposes mandatory cybersecurity risk management measures, incident reporting obligations, and supply chain due diligence requirements on "essential" and "important" entities. Directors and management bodies can be held personally liable for non-compliance.
While NIS2 has not yet been implemented in all EU Member States, its global impact (notably for international groups acquiring smaller European targets, and thereby triggering the applicability of NIS2 due to group-level size thresholds being exceeded) should not be underestimated. Most affected are players in the healthcare, food/life sciences/chemical manufacturing, and the energy industry, along with digital operators such as cloud service or managed IT services providers.
Practical implications
The EU's regulatory framework extends well beyond the borders of Europe. International groups with operations in Europe should be assessing which of their products and services fall within scope of, for example, the GDPR, CRA, NIS2, the Data Act, and the AI Act.
Reviewing supply chain arrangements for compliance gaps, updating global policies and implementation frameworks, keeping track of local developments and enforcement practices, and re-designing the characteristics of any product or service offering linked to the EU market have become key.
Our team advises multinational companies on the full spectrum of EU digital regulation, from compliance strategy and risk assessment to technology transactions, product launches, and regulatory engagement, and is happy to assist.