As December came and went and 2025 came to an end, looking back at the global digital landscape of 2025 has felt a bit like a giant house renovation project with the EU trying to re-wire the complex electrical wiring it installed over the last decade, the US knocking down walls to build a massive new extension for AI, and emerging markets rapidly laying their own foundations to ensure they have a solid base to build upon.

So in a year which was defined by a shift toward structured, risk-based regulation of digital technologies, characterised by the rapid institutionalisation of Artificial Intelligence (AI) governance and a complex interplay between deregulation and strict enforcement we saw: the European Union introduce a "Digital Omnibus" package aimed at simplification of its key digital rules, signalling a possible move away from its role as the "world’s digital enforcer" to address concerns regarding economic competitiveness; the United States under the Trump administration pursue a radical, pro-innovation agenda, marked by the revocation of previous AI executive orders and the launch of massive infrastructure initiatives like the $500 billion "Stargate Project"; and the Asia-Pacific region and Africa accelerated their own regulatory frameworks, with Japan, South Korea, Vietnam, and Kenya advancing legislation on AI, data protection, and digital sovereignty to align with or adapt to international standards.

Parallel to these regulatory shifts, 2025 witnessed an intensified focus on cybersecurity resilience, digital sovereignty, and huge infrastructure investments. Governments globally prioritized "technological self-sufficiency," exemplified by France and Germany’s joint digital sovereignty agenda and the US government’s multi-billion-dollar investment in domestic semiconductor leadership. Cybersecurity moved to the forefront of national policy, with the EU implementing the Digital Operational Resilience Act (DORA) and the UK introducing a Cyber Security and Resilience Bill to protect critical sectors from an evolving threat landscape.

Geopolitically, while tensions persisted the year was also marked by a theme of international cooperation, evidenced by numerous cross-border agreements on digital trade and AI partnerships involving nations like the UK, Singapore, Nigeria, and Saudi Arabia. Additionally, the protection of children became a legislative priority, with the European Parliament voting to follow Australia's lead in banning under-16s from social media.

As for December itself, In Asia-Pacific, Australia launched its National AI Plan and issued guidance on AI-generated content, India introduced a landmark Deepfake Bill, and Japan approved both a Basic AI Plan and a new Cybersecurity Strategy. China continued its regulatory momentum with consultations on network data security and new technical standards for information erasure. In Europe, the EU published its first draft Code of Practice on labelling AI-generated content, signalling transparency obligations under the AI Act, while the UK advanced its digital verification framework and opened a consultation on AI regulation in healthcare. Across the Atlantic, the U.S. issued an Executive Order to harmonize AI policy nationally, and Africa and the Middle East focused on data governance frameworks and encryption standards, underscoring a global trend toward resilience and trust in digital ecosystems.

THE REGIONS IN DETAIL

APAC (Excluding China)

Australia

Australian Government’s Department of Industry, Science and Resources launches the National AI Plan

On 2 December 2025, Australia introduced its National AI Plan focusing on leveraging AI opportunities, broadening benefits across society, and ensuring public safety. As part of this initiative, A$29.9 million has been allocated to establish the Australian Artificial Intelligence Safety Institute, which is scheduled to open in early 2026.

National Artificial Intelligence Centre releases Guidance on AI‑Generated Content

On 1 December 2025, the Australian Government’s National Artificial Intelligence Centre (NAIC) released guidance applicable to digital content created or modified using Artificial Intelligence (AI). The guidance outlines three mechanisms required for identifying AI-generated content: labelling, watermarking, and metadata recording. Businesses will have to choose the right level of transparency for their context and potential impact of the content. 

India

India Introduces Regulation of Deepfake Bill

On 5 December 2025, the Regulation of Deepfake Bill was introduced in the Lower House of the Indian Parliament. The bill proposes to criminalise the creation, distribution, or sharing of deepfakes without consent or a digital watermark. The bill also provides for the establishment of a Deepfake Taskforce to oversee implementation and enforcement.

Japan

Cabinet Approves Basic AI Plan

On 23 December 2025, Japan’s Cabinet approved the Basic AI Plan. According to the Cabinet Office, the plan was formulated under the concept of “pursuing trustworthy AI and making Japan the world’s most AI-friendly country for development and utilisation.” It includes an investment of ¥1 trillion in AI-related initiatives and a decision to double the number of members at the AI Safety Institute.

Cabinet Approves New Cybersecurity Strategy

On 23 December 2025, Japan’s Cabinet approved a new Cybersecurity Strategy. According to the government, the strategy is based on three pillars: (1) defence and deterrence against increasingly serious cyber threats, (2) enhancing cybersecurity and resilience across society through the involvement of a wide range of stakeholders, and (3) developing an ecosystem for human resources and technology to support cyber response capabilities. The strategy sets goals and implementation policies for measures to be taken over the next five years.

Japan and Canada Sign Memorandum to Cooperate on Data Leak Investigations

On 15 December 2025, Japan’s Personal Information Protection Commission and Canadian authorities signed a memorandum to share information on data leaks and privacy incidents to enable faster investigations by allowing for quicker assessment of damage when investigating potential breaches of personal information protection laws. The agreement covers suspected privacy violations by major technology companies and data breaches caused by cyberattacks. It is Japan’s second such agreement with a foreign authority, following the UK.

Singapore

Singapore and European Union held Second Digital Partnership Council Meeting

On 1 December 2025, the Government of Singapore and the European Commission held the second Digital Partnership Council meeting in Brussels. The meeting covered cooperation in areas including AI, online safety, trust services, cybersecurity, data flows, semiconductors, and quantum technologies. Discussions included administrative arrangements on AI safety, potential exchanges on AI language models, approaches to online safety and age verification, interoperability of digital identity systems, and collaborative research.

Taiwan

Legislative Yuan Releases Report on Generative AI in News

On 9 December 2025, Taiwan’s Legislative Yuan published a report on legal issues related to generative AI in news media. The report reviews international regulatory frameworks and outlines measures including establishing standards for AI use in news, clarifying permissible data use, implementing privacy training for journalists, introducing fact-checking mechanisms and penalties for misinformation, and requiring filtering in platform news recommendations.

China

China Approves Mandatory National Standard on Technical Requirements for Information Erasure in Electronic Products

On 13 December 2025, the Cyberspace Administration of China announced that the mandatory national standard Data Security Technology – Technical Requirements for Information Erasure in Electronic Products has been approved and will take effect on 1 January 2027. The standard addresses growing risks of data leakage from second-hand electronic products such as mobile phones and computers.

China Seeks Public Comment on the Measures for Network Data Security Risk Assessment On 6 December 2025, the Cyberspace Administration of China released the consultation draft of the Measures for Network Data Security Risk Assessment for public comments. The draft standardises risk assessment activities for network data security, safeguard data security, and promote lawful and effective data utilisation. It specifies the principles, scope, and responsibilities for conducting risk assessments, including annual assessments for critical data processors and periodic assessments for general data processors. The measures also outline reporting obligations, confidentiality requirements, and compliance with national standards such as Data Security Technology - Risk Assessment Method for Data Security. Comments are requested by 5 January 2026.

China’s Information Security Standardization Technical Committee releases guidelines on Security Requirements for Database Networking

On 18 December 2025, the National Information Security Standardisation Technical Committee issued the Cybersecurity Standards Practice Guide – Security Requirements for Database Networking. The guide sets technical and management requirements for databases connected to public networks, covering identity authentication, access control, encryption, and operational management. It also includes security measures for cloud object storage.

Europe

European Union

European Commission publishes first draft of Code of Practice on labelling AI-generated content 

On 17 December 2025, the Commission published the first draft of a voluntary Code of Practice on marking and labelling AI-generated content. The draft sets out measures for providers and deployers of generative AI systems to meet transparency obligations under the AI Act, including marking AI-generated content and labelling deepfakes or AI-generated text on matters of public interest. Comments are requested by 23 January 2026, with the final code expected by June 2026. Obligations under the AI Act will apply from August 2026.

Noyb files GDPR complaints against apps over sensitive data sharing

On 17 December 2025, privacy advocacy group None of Your Business (Noyb) lodged complaints with Austria’s Data Protection Authority against several apps, alleging unlawful processing and sharing of sensitive personal data without a valid legal basis under the GDPR.

European Commission moves toward designating ChatGPT as a Very Large Online Search Engine under the DSA

On 3 December 2025, the Commission confirmed that it considers that ChatGPT exceeds the 45 million monthly user threshold for Very Large Online Search Engines (VLOSE) under the Digital Services Act. The EC is assessing whether ChatGPT qualifies for designation, considering its functionality as a conversational AI and the recent launch of ChatGPT Atlas, which integrates browsing features. A VLOSE designation would trigger obligations including risk assessments, transparency reporting, and independent audits.

Court of Justice of the EU (CJEU) Clarifies GDPR obligations for online marketplaces

On 2 December 2025, the CJEU ruled that operators of online marketplaces are data controllers under the GDPR for personal data contained in advertisements published on their platforms. Operators must implement measures to identify sensitive data before publication, verify advertiser identity or obtain explicit consent, and refuse publication if conditions are not met. The CJEU noted that liability exemptions under the E-Commerce Directive cannot override these GDPR obligations.

United Kingdom

Digital Verification Services Measures come into force

On 1 December 2025, measures under Part 2 of the Data (Use and Access) Act 2025 came into force, putting the UK’s digital verification services (DVS) pilot onto a statutory footing. These measures establish a trust framework, a register of certified providers, and enable providers to be listed on a public register.

Progress Report on Copyright and AI

On 15 December 2025, the Department for Science, Innovation and Technology, in coordination with the Intellectual Property Office and Department for Culture, Media and Sport, published a progress report under Section 137 of the Data (Use and Access) Act 2025. The report outlines work completed to date ahead of a report and economic impact assessment required under Sections 135 and 136, due by 18 March 2026. It notes that the forthcoming assessment will cover: technical measures and standards to control access to copyright works for AI development; the effect of copyright law on AI data access; disclosure by developers of their use of copyrighted works; licensing of copyright material; and enforcement mechanisms relating to AI systems

Call for Evidence on AI Regulation in Healthcare

On 18 December 2025, the Medicines and Healthcare products Regulatory Agency (MHRA) launched a call for evidence for the National Commission on the Regulation of AI in Healthcare. The call invites input on regulatory challenges and best practices for AI-enabled medical devices through a framework to be finalised in 2026. Comments are requested by 2nd February 2026.

Americas

The United States of America

The New York Times Files Copyright and Trademark Infringement Lawsuit Against Perplexity AI

On 5 December 2025, The New York Times Company (Times) filed a lawsuit in the Southern District of New York against Perplexity AI, Inc. (Perplexity), alleging systematic unauthorised use of Times’ content, including paywalled articles, to power its generative AI services. The complaint claims that Perplexity collected and reproduced Times’ material verbatim or in detailed summaries, and sometimes attributed inaccurate information to Times. Times asserts it implemented technical blocks and issued multiple cease-and-desist letters, but unauthorised use continued. The suit seeks monetary damages, an injunction, and other remedies to prevent further infringement. Dow Jones & Company, Inc. Encyclopaedia Britannica, Inc., and Chicago Tribune also have active lawsuits filed against Perplexity.

Executive Order on National AI Policy Framework
On 11 December 2025, President Donald Trump issued an Executive Order titled Eliminating State Law Obstruction of National Artificial Intelligence Policy. The order, which aims to discourage individual states passing their own AI laws, directs federal agencies to challenge conflicting state laws, condition certain funding on compliance, and consider federal standards that pre-empt state requirements.

Middle East

Turkey

Turkey’s Personal Data Protection Authority (KVKK) publishes guide on generative AI and personal data protection

On 24 November 2025, Turkey’s Personal Data Protection Authority (KVKK) published a guide titled Generative Artificial Intelligence and Personal Data Protection (15 Questions). The guide addresses personal data processing in generative AI systems under the Law on the Protection of Personal Data. It outlines risks such as inaccurate outputs, bias, privacy breaches, data leakage, and misuse for phishing or deepfakes. The guide clarifies compliance requirements  and advises identifying processing activities across the AI lifecycle, applying principles such as lawfulness, fairness, and data minimisation, and implementing Privacy by Design and Default. It also covers transparency obligations, risk management, and enabling individuals’ rights and explains the roles of controllers and processors.

United Arab Emirates

Dubai Financial Services Authority (DFSA) issues updated rules on the regulation of Crypto Tokens in the Dubai International Financial Centre (DIFC)

On 15 December 2025, the DFSA issued updated rules for Crypto Tokens in the DIFC, effective 12 January 2026. The revised framework requires firms providing financial services involving Crypto Tokens to assess and document whether each token meets DFSA’s suitability criteria. The previous list of Recognised Crypto Tokens will be discontinued. The rules also introduce proportionate reporting requirements and investor protection measures.

Approval of the National Encryption Policy and Executive Regulation

On 27 November 2025, the United Arab Emirates announced the approval of the National Encryption Policy and the issuance of its executive regulation. The regulation requires government entities to prepare transition plans from traditional encryption methods to post-quantum cryptography. The UAE Cybersecurity Council will oversee implementation, including technical assessments and standards for encryption, and will conduct reliability testing for AI systems, software, hardware, and signals.

Africa

African Union

Validation of Continental Data Governance Frameworks

On 1-4 December 2025, the African Union Commission held a workshop in Addis Ababa to validate three draft continental data governance frameworks: Data Categorisation and Sharing, Cross-Border Data Flows, and the Continental Open Data Strategy. The draft frameworks are part of the AU Data Policy Framework adopted in 2022 and aim to support a Digital Single Market by 2030.

Ghana

Public Consultation on Draft Number Registration Regulations Extended

On 8 December 2025, Ghana’s National Communications Authority extended its public consultation on the draft Number Registration Regulations 2025 to 2 January 2026 (from 14 November 2025). The draft regulations would repeal and replace the Subscriber Identity Module (SIM) Regulations, 2001 (L.I 2006), and set requirements for data governance, consumer protection, identity verification, lawful processing of subscriber data, inclusion of marginalised groups, and protection of national numbering resources.

Mozambique

Mozambique introduces plans for a Cloud Adoption Framework and Domestic Data Centres

On 1 December 2025, Mozambique’s Minister of Communications and Digital Transformation, Américo Muchanga, announced that the government will establish domestic data centres and issue draft a regulatory framework for cloud computing services. The draft framework will replace existing legal restrictions and set conditions for cloud deployment. The plan includes building data centres over the next five years to host cloud services for banks and other companies and replacing existing legal restrictions with new regulations. The announcement also highlighted that the framework will address cybersecurity and personal data protection and involve partnerships with banks, fintech companies, and investors.

Key Dates on the Horizon

January 2026

• 1 January 2026
  • Vietnam’s new Law on Artificial Intelligence takes effect, introducing a four-tier risk framework for AI systems and strict penalties for violations. Draft Law
  • China’s Measures for Certification of Cross-border Transfer of Personal Information come into force, providing detailed rules for certification processes under the Personal Information Protection Law. More info
• 2 January 2026 Deadline for feedback on the Ghana draft Number Registration Regulations, 2025. Consultation link / Draft regulation

• 5 January 2026 Deadline for feedback on China’s draft Measures for Network Data Security Risk Assessment. Draft regulation
• 12 January 2026 Dubai Financial Services Authority (DFSA) updated rules on Crypto Tokens come into force. More info

• 20 January 2026 Deadline for feedback on the EU Digital Omnibus Package (Digital Simplification Package) and related proposals. Feedback link
• 23 January 2026 Deadline for feedback on the UK Information Commissioner’s Office (ICO) consultation on draft enforcement procedural guidance under the Data Protection Act 2018, UK GDPR, and the Data (Use and Access) Act 2025 (DUAA). Consultation
   / Read our article on the consultation
• 31 January 2026 Deadline for feedback on Singapore’s Monetary Authority of Singapore (MAS) consultation on proposed AI risk management guidelines for financial institutions. Consultation link

February 2026

• 1 February 2026 Colorado Consumer Protections for Artificial Intelligence Act comes into effect. Bill
• 2 February 2026  Deadline for comments on UK MHRA call for evidence on AI regulation in healthcare. More info

March 2026

• 11 March 2026 Deadline for feedback on the EU Digital Fitness Check consultation and call for evidence, which could result in further reform to a wide range of EU digital legislation. Consultation link
• 18 March 2026 Deadline for UK report and economic impact assessment on Copyright and AI. More info

August 2026

• 2 August 2026
  • Providers of GPAI models that have been placed on the market / put into service before this date need to be compliant with the EU AI Act by this date.* EU AI Act
  • Transparency requirements for certain AI systems under Article 50 of the EU AI Act expected to enter into force, following the development of guidelines and a voluntary code of practice.* EU AI Act

January 2027

• 1 January 2027 China’s mandatory standard on information erasure in electronic products takes effect

More info

* Both these dates would be delayed if proposal in the EU Digital Omnibus package get adopted.

Additional information

This publication does not necessarily deal with every important topic nor cover every aspect of the topics with which it deals. It is not designed to provide legal or other advice. Clifford Chance is not responsible for third party content. Please note that English language translations may not be available for some content.

The content above relating to the PRC is based on our experience as international counsel representing clients in business activities in the PRC and should not be construed as constituting a legal opinion on the application of PRC law. As is the case for all international law firms with offices in the PRC, whilst we are authorised to provide information concerning the effect of the Chinese legal environment, we are not permitted to engage in Chinese legal affairs. Our employees who have PRC legal professional qualification certificates are currently not PRC practising lawyers.