Remember remember 2025 November, as the digital regulatory dance between the world's main power blocks continued. November's big question: Is the EU pivoting from its role as the 'world's digital enforcer' toward a strategy of deregulation—or at least simplification? Despite spending a decade establishing global benchmarks like the General Data Protection Regulation (GDPR) and Artificial Intelligence (AI) Act, are the EU Commission now aligning closer to Washington's deregulation agenda with the launch of their Digital Simplification Package (or Digital Omnibus)? Does this spell the end for the 'Brussels Effect' and the EU's long-held status as the standard-setter for global tech standards? Or is the move simply prompted by internal political reality and economic pressures as highlighted by a European Parliament study which found that while the AI Act and the existing digital legislation are individually well-targeted, their interplay creates significant regulatory complexity, which risks undermining the European AI industry's competitiveness and innovation capacity?

We have produced a briefing which provides an overview of the main proposals of the Digital Omnibus package and what we see as the practical implications of its proposals.

Still in the EU, the Commission published non-binding Model Contractual Terms (MCTs) and Standard Contractual Clauses (SCCs) to help parties implement the provisions of the Data Act; the European Parliament voted in favour of following Australia's lead of banning under 16s from social media; financial regulators designated critical ICT providers under Digital Operational Resilience Act (DORA) to bolster financial resilience; and the UK introduced a draft Cyber Security and Resilience Bill.

We have produced an article on the bill outlining why the evolving threat landscape has necessitated an update to the existing Network and Information Systems (NIS) Regulations 2018 regime and provide a high-level overview of the Bill's proposed changes.  There is also still time to register for our webinar 'Under Siege – Cyber Survival Strategies for Boards in the Age of Digital Dependence', taking place on Thursday, 4 December 2025 (8am EST / 1pm GMT / 9pm HKT) where our panel of experts will cover key senior management accountability in the face of new regulation, geopolitical risk, right-sizing strategy and immediate steps for incident response and litigation.

The theme of the month globally was cooperation, as we saw: the US and Australia sign a critical minerals framework agreement; the US sign reciprocal trade agreements with Malaysia and Thailand including provision to facilitate digital trade; China and South Africa launch the Initiative on Cooperation Supporting Modernisation in Africa; Nigeria and Sierra Leone sign digital cooperation agreements establishing a roadmap for digital transformation and a cross-border AI research and talent partnership; Togo and Mozambique sign a memorandum of understanding on cybersecurity; Kenya and Romania sign a Memorandum of Understanding (MoU) to enhance cooperation on cybersecurity; the UK and Netherlands announce an innovation partnership to strengthen collaboration in emerging technologies, focusing on artificial intelligence, semiconductors, and quantum technologies; the UK and Singapore announce a strategic partnership on artificial intelligence in finance; and France and Germany announce a joint economic agenda to reinforce European digital sovereignty.

THE REGIONS IN DETAIL

APAC (Excluding China)

Hong Kong

PCPD completes inspections of educational institutions’ personal data systems
On 13 November 2025, the Privacy Commissioner for Data Protection (PCPD) announced that it had completed inspections of HKICC Lee Shau Kee School of Creativity and the Hong Kong College of Technology. The inspections reviewed remedial actions following data breaches in 2024 and assessed compliance with the Personal Data (Privacy) Ordinance. PCPD confirmed improvements, including patch management, two-factor VPN authentication, ‘least privilege’ access controls, privacy management programmes, and breach response plans. Both institutions were advised to refine data retention policies and conduct regular security audits.

India

Data Security Council of India (DSCI) publishes summary of Digital Personal Data Protection Rules

On 13 November 2025, the DSCI published a summary of the Digital Personal Data Protection Rules. The summary sets out the implementation timeline and provides an overview of the provisions, referencing the corresponding Sections and Schedules under the Digital Personal Data Protection Act.

Ministry of Electronics and Information Technology (MeitY) publishes Digital Data Protection Rules
On 13 November 2025, India’s MeitY unveiled new rules regulating personal data processing by data fiduciaries, processors, and consent managers. Key requirements include providing clear notices, obtaining verifiable consent, implementing robust security measures, notifying breaches within 72 hours, and ensuring timely data deletion once the purpose is fulfilled unless retention is required by law. The Data Protection Board will oversee compliance and enforcement, including registration of consent managers and potential suspension or cancellation for non-compliance. The rules have staggered effective dates: some provisions apply immediately, while others take effect one year or 18 months after publication.

Japan

Strengthening Protection of Sensitive Personal Data: Amendments to Japan’s Economic Security Promotion Act

On 5 November 2025, the Government of Japan announced plans to amend the Economic Security Promotion Act (2022). The proposed amendments would introduce provisions to protect sensitive personal data related to economic security, including financial information, genomic data, and location data.

Progress on Japan’s Basic AI Plan: Strengthening Safety Measures and Promoting Data Collaboration

On 4 November 2025, expert panels and the government’s strategic headquarters convened to review the Basic AI Plan developed under the AI Promotion Act. The discussions included proposals to expand the functions of the AI Safety Institute, address adoption of AI by local governments, and develop data infrastructure to support data sharing across organisations and between public and private sectors.

Malaysia

Malaysia and USA sign agreement on reciprocal trade and data transfers
On 26 October 2025, the White House announced that it had signed an Agreement on Reciprocal Trade with the Government of Malaysia. The agreement includes provisions to facilitate digital trade, requiring Malaysia to ensure cross-border transfer of data by electronic means across trusted borders with appropriate protections for business purposes. It also provides for collaboration on cybersecurity, including exchanging information on threats and best practices, promoting the use of relevant international standards, and exploring capacity-building activities.

Singapore

Singapore: Monetary Authority of Singapore (MAS) and UK Financial Conduct Authority (FCA) announce partnership on AI in finance

On 12 November 2025, the MAS and UK FCA announced a strategic partnership on artificial intelligence in finance. The partnership will involve joint testing of AI solutions, sharing regulatory insights, and collaborative events on responsible AI use.  

MAS consults on AI risk management guidelines for financial institutions

On 13 November 2025, the MAS opened a consultation on proposed guidelines for managing AI risks in financial institutions. The guidelines, which should be applicable to different AI applications and technologies, including Generative AI, as well as newer developments such as AI agents, set out clear supervisory expectations, requiring institutions to establish governance structures, maintain accurate AI inventories, conduct risk materiality assessments, and ensure adequate internal capabilities. The consultation closes on 31 January 2026.

Thailand

Thailand and USA sign framework on data transfers and digital services

On 26 October 2025, the White House announced a Framework for an Agreement on Reciprocal Trade with the Government of Thailand. Under the agreement, Thailand committed to not imposing digital services taxes or discriminatory measures against US digital services or products, and to ensure the free transfer of data across trusted borders for business purposes.

Vietnam

State Bank of Vietnam publishes overview of Bank for International Settlements report on AI in policy management

On 5 November 2025, the State Bank of Vietnam published an overview of a Bank for International Settlements research report on the use of artificial intelligence in policy management. The report examines AI applications in data collection, macroeconomic and financial analysis, payment system monitoring, and financial stability supervision. It notes challenges including privacy, cybersecurity, human resource limitations, and reliance on external technology providers. The report calls for central banks to collaborate, share data, and build a unified AI governance framework to maintain security, accountability, and trust in financial systems.

CHINA

Chinese authorities release Draft Rules on Personal Information Protection for Large Network Platform Service Providers

On 22 November 2025, the Cyberspace Administration of China and the Ministry of Public Security issued the Personal Information Protection Rules for Large Network Platform Service Providers (Consultation Draft) for public comment. Large network platform service providers are defined as network platforms with more than 50 million registered users or 10 million monthly active users, and complex business types, whose data processing activities would impact national security, economic operations, and the livelihood of the people. The draft requires these providers to appoint a personal information protection officer, set up internal protection mechanisms, and conduct risk assessments. It also  introduces data localisation requirements, including storing personal information in qualified domestic data centers. The  consultation closes on 22 December 2025.

Chinese authorities release Draft Measures on Cybersecurity Labels

On 21 November 2025, the Cyberspace Administration of China and other departments issued the Administrative Measures for Cybersecurity Labels (Consultation Draft) and the Catalogue of Products Implementing Cybersecurity Labels (First Batch) for public comment. The draft introduces a voluntary labeling system for internet-connected products, classifying security capability into three levels (basic, enhanced, leading). It sets requirements for label content, testing and filing procedures, and supervision measures. The consultation closes on 6 December 2025.

EUROPE

European Union

European Commission unveils Digital Simplification Package

On 19 November 2025, the European Commission published the highly anticipated EU Digital Simplification Package (or Digital Omnibus) to harmonise and streamline the EU's digital regulatory framework. The package consists of two proposed omnibus laws: the Digital Omnibus on AI, which simplifies the implementation of harmonized AI rules, and the Digital Legislation Omnibus, which consolidates and amends existing data, privacy, and cyber laws. This is only the first step in a legislative process: the proposals will require approval from the European Parliament and the Council of the EU before they can become law. Further engagement with businesses and civil society is expected in the coming months as the Member States and Parliament consider their positions. This includes the Commission's post-adoption feedback periods on both proposals within the Digital Omnibus (both close on 20 January 2026) and the Digital Fitness Check consultation and call for evidence (closes 11 March 2026), which could result in further reform to a wide range of other EU digital legislation such as, potentially, the Digital Services Act and the Digital Markets Act.

For more on the digital simplification package read our article: All aboard the Digital Omnibus?

European Commission issues Draft Model Contractual Terms and Standard Clauses for Data Act compliance

On 19 November 2025, the European Commission published non-binding Model Contractual Terms (MCTs) for mandatory and voluntary data sharing and Standard Contractual Clauses (SCCs) for cloud computing contracts developed to help parties implement the provisions of the Data Act. The MCTs include four sets of terms, three covering mandatory data sharing relationships (Data Holder to User, User to Data Recipient, and Data Holder to Data Recipient) plus one for voluntary data sharing, all compliant with the Data Acts rules on unfair contract terms, and the six SCCs translate its cloud switching provisions into ready-to-use terms on switching, termination, security, business continuity, non-dispersion, non-amendment, and liability.

For more on the EU Data Act read our article EU Data Act: A new era for data sharing has begun

European Commission launches work on a Code of Practice for marking AI-generated content

On 5 November 2025, the European Commission initiated the development of a voluntary Code of Practice to guide providers and deployers of generative AI systems in meeting transparency obligations under the AI Act. The Code will focus on marking AI-generated content (including text, audio, images, and video) in machine-readable formats to enable detection and disclosure, particularly for deepfakes and public-interest information. These obligations will apply from August 2026.

European Parliament (EP) Report Calls for Stronger Child Online Protection

On 26 November 2025, the EP voted in favour of a report calling for tougher Europe-wide rules to protect children online, including a minimum age of 16 for social media access without parental consent. While praising the Digital Services Act (DSA), the report stresses the need for its swift enforcement and demands the Commission create harmonized EU-level age verification mechanisms to address current fragmentation. The EP also recommends banning or turning off addictive design techniques for children (like infinite scrolling) and the banning of paid loot boxes in online video games likely accessed by minors. The report also states that platforms and providers bear the primary responsibility for protection, recommending that tech CEOs be held personally liable for consistent violations.

EU Digital Sovereignty Summit: France and Germany push for simplified regulation and strategic investments

On 18 November 2025, France and Germany led the EU Digital Sovereignty Summit in Berlin, announcing measures to strengthen Europe’s technological independence and competitiveness. Key initiatives include a 12-month moratorium on high-risk AI rules, stricter standards for sensitive data protection, and the creation of a joint working group on digital sovereignty. The summit also confirmed over €12 billion in private investments in critical technologies and commitments to open-source tools and a European digital identity portfolio. 

European Supervisory Authorities designate critical ICT providers under DORA

The European Supervisory Authorities (ESAs) have published the official list of critical ICT third-party providers under DORA. Designation was based on systemic importance, substitutability, and role in supporting critical functions for financial entities. The ESAs will directly oversee these providers to ensure risk management and governance frameworks for ICT resilience across the EU financial sector.

United Kingdom

Uk Government published draft  Cyber Security and Resilience (Network and Information Systems) Bill

On 12 November 2025, the UK Government published the draft Cyber Security and Resilience (Network and Information Systems) Bill.

The Bill proposes a number of amendments to the UK's Network and Information Systems (NIS) Regulations 2018 (NIS) – currently the UK's only cross-sector specific cyber regulation. In a similar vein to the EU's NIS2 Directive (2022/255) (EU NIS2), the Bill aims to address the shortfalls that have emerged as a result of the evolving cyber threat landscape, including the heightened risks posed to the provision of essential services due to the exploitation of supply chain vulnerabilities. 

For more on the draft bill read our article: Cyber Security and Resilience (network and information systems) Bill issued by UK government

National Cyber Security Centre (NCSC) publishes strategic guidance to bolster organisational cyber resilience

On 11 November 2025, the NCSC announced the Cyber Action Toolkit (CAT) is now in Public Beta. The toolkit provides small businesses with simplified, actionable steps to improve cyber resilience, addressing barriers such as complexity and cost. CAT includes layered protection measures against common threats, such as email compromise, ransomware, and data breaches, and is designed for sole traders, micro, and small enterprises.

United Kingdom and Netherlands Governments announce innovation partnership

On 12 November 2025, the UK Government and the Government of the Netherlands announced an innovation partnership to collaborate on emerging technologies. The partnership focuses on areas including artificial intelligence, semiconductors and quantum technologies, and provides for bilateral network development, joint research initiatives, commercialisation support, and sharing best practices on standards and governance.

High Court issues first ruling on copyright and AI

On 4 November 2025, the English High Court delivered its first decision on copyright and AI in Getty Images (US) Inc & ors v Stability AI Limited [2025] EWHC 2863 (Ch). The Court held that an AI model, such as Stable Diffusion, does not constitute an infringing copy under the Copyright, Designs and Patents Act 1988, as model weights do not store or reproduce copyrighted works. Getty’s primary infringement claim was withdrawn after accepting that training did not occur in the UK. The Court rejected secondary infringement claims, finding that exposure to infringing copies during training does not render the resulting model an infringing copy, though limited trademark infringement was identified. The judgment may be subject to appeal.

Information Commissioner’s Office (ICO) consults on draft enforcement procedural guidance

On 31 October 2025, the ICO published draft guidance on how it proposes to conduct data protection investigations and enforcement under the Data Protection Act 2018, UK GDPR, and the Data (Use and Access) Act 2025 (DUAA). The guidance outlines processes for opening and managing cases and provides detail on new powers introduced by DUAA, including issuing interview notices, requiring reports by approved third-party specialists, and compelling document production. It also sets out the ICO’s approach to public announcements and settlement, including discounts for early resolution. The consultation closes on 23 January 2026.

For more on this read our article: UK ICO consults on new data protection enforcement procedural guidance

AMERICAS

The United States of America

Leaked Draft Executive Order Proposes Federal AI Framework and Moratorium on State Enforcement of AI Laws

On 19 November 2025, a draft executive order titled “Eliminating State Law Obstruction of National AI Policy” was leaked. The draft proposes a federal AI framework and pre-empt state laws. It proposes directing the Attorney General to create an AI Litigation Task Force, conditioning certain federal funding on compliance, and instructing agencies including the Federal Communications Commission and Federal Trade Commission to develop standards and clarify pre-emption. The draft also calls for legislative recommendations to support a national AI regulatory regime. Separately, U.S. lawmakers are considering a provision in the National Defense Authorization Act to impose a five-year moratorium on state enforcement of AI laws, linked to federal broadband grants.

New York Law Requiring Algorithmic Pricing Disclosure Takes Effect as California Bans Algorithmic Price-Fixing

On 10 November 2025, New York’s Algorithmic Pricing Disclosure Act took effect, requiring companies that use algorithmic pricing to disclose to consumers that prices are set using their personal data. The New York Attorney General issued an alert encouraging consumers to report undisclosed algorithmic pricing. Other states are also taking action to regulate algorithmic pricing, such as California, where California AB 325, became law on 6 October 2025. The law makes it unlawful for any person to use or distribute a “common pricing algorithm” as part of a contract, combination, or conspiracy to restrain trade or commerce, and prohibits coercing others to adopt prices or commercial terms recommended by such algorithms for similar products or services in California.

MIDDLE EAST

United Arab Emirates

Dubai Ports launches AI-powered approval system
On 18 November 2025, the Dubai Ports Authority, under the Ports, Customs and Free Zone Corporation announced the UAE's first smart system that leverages AI. The system automates approvals for processes such as acceptance of dangerous goods, vessel bunkering, ship waste discharge, and work permits for port and ship repair facilities.

Turkey

Turkey's Parliament introduced bill to regulate artificial intelligence systems

On 11 November 2025, Turkey’s Grand National Assembly introduced a bill to regulate AI systems.. The proposal amends key laws, including the Penal Code, Law No. 5651, Personal Data Protection Act, Cybersecurity Law, and Electronic Communications Law. Key provisions include mandatory labeling of AI-generated deepfake content, rapid removal of harmful material, and fines up to 10 million TL for violations. Additionally, AI datasets must comply with anonymity and non-discrimination principles, while providers face obligations for transparency, algorithmic controls, and cybersecurity testing.

Saudi Arabia

Saudi Arabia Real Estate General Authority launches national blockchain property registry

On 20 November 2025, Saudi Arabia’s Real Estate General Authority launched a tokenised national real estate registry. The blockchain-based platform integrates property registration, fractional ownership, and marketplace functions within a single ecosystem. It supports end-to-end digital transactions, including property listings, due diligence, title transfer, and settlement, and incorporates features such as blockchain-based title management, escrow-linked payment verification, and automatic valuation models.

Saudi Arabia Government prepares regulated stablecoin framework
On 6 November 2025, Saudi Arabia announced plans to introduce stablecoins under national regulation, led by the Saudi Central Bank and the Capital Market Authority. The initiative will embed stablecoins within existing financial oversight structures to support digital payments and cross-border trade. Exchanges including Bybit and BingX have publicly endorsed the plan. No official launch date has been provided.

AFRICA

African Continental Free Trade Area

Launch of Africa Digital Access and Public Infrastructure for Trade (ADAPT)

On 17 November 2025, the African Continental Free Trade Area (AfCFTA) Secretariat announced the launch of the ADAPT programme in partnership with the Tony Blair Institute, IOTA Foundation, and the World Economic Forum. The announcement states that ADAPT introduces a shared digital trade backbone using distributed ledger technology and artificial intelligence.  Initial rollouts include Kenya and Ghana, with continent-wide expansion planned for 2026.  

South Africa

South Africa and Chinese Governments launch Initiative on Cooperation Supporting Modernisation in Africa
On 22 November 2025, the Government of the Republic of South Africa and the Government of the People’s Republic of China jointly launched the Initiative on Cooperation Supporting Modernisation in Africa during the G20 Johannesburg Summit. The Initiative identifies key areas of collaboration, including science and technology, artificial intelligence and renewable energy.

Nigeria and Sierra Leone

Nigeria and Sierra Leone Governments sign two digital cooperation agreements
On 21-22 November 2025, the Government of Nigeria and the Government of Sierra Leone signed two agreements The first agreement establishes a roadmap for digital transformation, covering digital public infrastructure, interoperability, policy alignment, start-up support, and talent exchange. The second agreement creates a cross-border AI research and talent partnership, involving government agencies and technology organisations from both countries, to develop local datasets, innovation testbeds, and capacity-building programmes.

Togo and Mozambique

Togo and Mozambique governments sign cybersecurity cooperation agreement

On 19 November 2025, Togo and Mozambique signed a memorandum of understanding on cybersecurity. The agreement provides for joint capacity building, intelligence sharing, and the development of harmonised defence protocols to strengthen national and regional cyber resilience.

DATES ON THE HORIZON

December 2025

• 6 December 2025
  Deadline for feedback on China’s draft Administrative Measures for Cybersecurity Labels (Consultation Draft), which introduces a voluntary labelling system for internet-connected products. More info
• 10 December 2025
  Social Media Minimum Age (SMMA) Scheme comes into force in Australia, imposing new privacy obligations on age-restricted social media platforms and age assurance providers. OAIC Guidance
• 20 December 2025
  Deadline for public comments on China’s draft Personal Information Protection Rules for Large Network Platform Service Providers (Consultation Draft). More info
• 22 December 2025
  Deadline for public comments on China’s draft Personal Information Protection Rules for Large Network Platform Service Providers (Consultation Draft). More info

January 2026

• 1 January 2026
  • Vietnam’s new Law on Artificial Intelligence takes effect, introducing a four-tier risk framework for AI systems and strict penalties for violations. Draft Law
  • China’s Measures for Certification of Cross-border Transfer of Personal Information come into force, providing detailed rules for certification processes under the Personal Information Protection Law. More info
• 20 January 2026
  Deadline for feedback on the EU Digital Omnibus Package (Digital Simplification Package) and related proposals. Feedback link
• 23 January 2026
  Deadline for feedback on the UK Information Commissioner’s Office (ICO) consultation on draft enforcement procedural guidance under the Data Protection Act 2018, UK GDPR, and the Data (Use and Access) Act 2025 (DUAA). Consultation
   / Read our article on the consultation
  
  
• 31 January 2026
  Deadline for feedback on Singapore’s Monetary Authority of Singapore (MAS) consultation on proposed AI risk management guidelines for financial institutions. Consultation link

March 2026

• 11 March 2026
  Deadline for feedback on the EU Digital Fitness Check consultation and call for evidence, which could result in further reform to a wide range of EU digital legislation. Consultation link

August 2026

• 2 August 2026
  • Providers of GPAI models that have been placed on the market / put into service before this date need to be compliant with the EU AI Act by this date.* EU AI Act
  • Transparency requirements for certain AI systems under Article 50 of the EU AI Act expected to enter into force, following the development of guidelines and a voluntary code of practice.* EU AI Act

* Both these dates would be delayed if proposals in the EU Digital Omnibus package get adopted. 

Additional information

This publication does not necessarily deal with every important topic nor cover every aspect of the topics with which it deals. It is not designed to provide legal or other advice. Clifford Chance is not responsible for third party content. Please note that English language translations may not be available for some content.

The content above relating to the PRC is based on our experience as international counsel representing clients in business activities in the PRC and should not be construed as constituting a legal opinion on the application of PRC law. As is the case for all international law firms with offices in the PRC, whilst we are authorised to provide information concerning the effect of the Chinese legal environment, we are not permitted to engage in Chinese legal affairs. Our employees who have PRC legal professional qualification certificates are currently not PRC practising lawyers.