Digital Regulation back-to-school 2025

Despite significant domestic and international debate on digital regulation, regulatory timescales for in-scope companies remain on track

Introduction

As the summer holiday season comes to an end, welcome to our back-to-school note (or note de rentrée for our Francophone readers), which outlines key UK and EU digital regulatory developments during July and August.

Clearly, this regulatory activity sits within a broader public policy and international context. During the summer, this has been illustrated in three ways:

• First, the active public debate around the role of online age assurance, in the context of free speech and privacy considerations, in particular in the UK.
• Second, international discussions on the merits of digital regulation, in particular regulation relevant to content moderation and competition, as highlighted in the run up to the EU/US trade deal that was agreed at the end of July.
• Third, continued debate on potential simplification and delays to implementation timelines for a number of EU AI Act requirements, including in relation to high-risk AI systems given delays to relevant standards.

Despite these ongoing debates, at the time of writing timelines and milestones for the key digital regulatory files remain largely unaltered. As we move into the autumn period, companies should therefore focus on preparing for incoming requirements across priority areas including online safety, competition, AI, digital fairness, media and data regulation.

We set out below our view on the specific developments, and associated implications, that in-scope companies should have on their radar.

Significant regulatory milestones on protecting children online

The obvious place to start is the protection of children online, with important regulatory milestones in both the EU and UK over the summer.

In the EU, mid-July saw the publication of the European Commission’s final guidelines on the protection of minors under the DSA, which sets out recommended actions for online services, including modifications to recommender systems, improved moderation, and implementing effective age assurance. Towards the end of July, requirements to protect children from harmful online content came into force in the UK. Service providers need to take safety measures set out in Ofcom's Protection of Children Codes or use other effective measures to comply with the requirements.

Both developments bring potential future enforcement activity into sharp relief. In the EU, the Commission has been clear that its guidelines may be used to assess ongoing compliance. In the UK, Ofcom's monitoring program will assess compliance, examining both completed risk assessments and practical steps taken by the largest platforms where children spend most time. It is therefore important that in-scope services respond accordingly, for example by making service design changes and implementing appropriate age assurance depending on the service’s risk profile.

Important developments in online safety transparency reporting and civil society obligations

Transparency reporting

Transparency reporting is a central feature of online safety regimes in the UK and the EU, and during the summer, important updates were provided on what is expected in this area.

In the EU, transparency reporting under the DSA is required annually, but for Very Large Online Platform (‘VLOP’) and Very Large Online Search Engine (‘VLOSE’) they are required biannually. However, the nature of this reporting can vary significantly by company. In order to ensure greater consistency in the content, format and reporting periods for transparency reporting going forwards, the Commission has sought to harmonise transparency reporting rules. Whilst the first reports under this new framework are not due until early 2026, these will require relevant data from 1 July 2025 onwards. In-scope services should therefore prioritise capturing the required data, and given the work required, begin preparing to develop these reports now to ensure timely, accurate, and compliant reporting.

Later in July, Ofcom published its statement on transparency reporting under the Online Safety Act. In the UK, the largest ‘categorised’ services will be required to publish annual reports. Unlike the DSA, transparency reporting requirements will be specific to each service. Firms should look out for Ofcom’s register of categorised services and first draft transparency notices later this year, and plan accordingly given the implications for data and compliance teams.

Civil Society obligations

Another key element of online safety regimes is the role that broader ‘civil society’ (e.g. academics and researchers) have to play in monitoring and identifying risks associated with large online services.

At the start of July the EU adopted the long-awaited Delegated Act on data access under the DSA, setting out how VLOPs and VLOSEs must provide vetted researchers with access to non-public data relevant to systemic risks and mitigation measures in the EU. The rules will be effective from October 2025, meaning VLOPs and VLOSEs should begin preparing now to ensure they have robust processes in place for managing data access requests.

In the UK, following the Royal Assent of the Data (Use and Access) Act 2025 in June, the path is now clear for Government to create a new framework for researcher access to data relevant to online safety held by regulated services. Less than a month after Royal Assent, Ofcom published a new report on Researchers’ access to information from regulated online services, highlighting various policy options for the Government's consideration on this topic. Whilst still nascent, companies should monitor developments closely, as this could ultimately lead to data access requirements in the UK similar to those in the EU.

New AI Act rules come into force, with sovereignty considerations also coming to the fore

General-Purpose AI

The summer saw new rules on General Purpose AI (GPAI) come into force in the EU on 2 August. This came shortly after publication of the much-debated General Purpose AI Code of Practice and accompanying guidelines. The intention of the Code is to help industry comply with the AI Act obligations on safety, transparency and copyright in relation to GPAI models, with the Commission confirming that the Code represents an ‘adequate voluntary tool’ for providers of GPAI models to demonstrate compliance with the AI Act. Non-signatories will need to demonstrate compliance through alternative methods to avoid enforcement action. While the rules are now in effect, full enforcement with fines will not commence until August 2026.

Sovereignty

Both the UK and EU continue to pursue AI leadership, with a particular focus on securing sovereign underlying infrastructure.

The UK's Compute Roadmap, launched in July, outlined plans to build a public compute ecosystem, develop AI infrastructure, and create sovereign capacity. A key element is planned "AI Growth Zones”, with further Zones expected to be announced in due course. These sites may be attractive for firms looking to develop or invest in AI-related infrastructure as they provide incentives such as improved access to power and planning support.

Meanwhile, the consultation on a new EU Cloud and AI Development Act, which closed in the same month, shows a focus on technological sovereignty and securing necessary computing resources and infrastructure. A key goal is to increase the EU’s data centre capacity by tackling investment barriers and potentially offering financial support, which will be relevant to firms looking to deploy new infrastructure. A particular focus is cloud, with a goal to ensure that certain highly critical use cases can be operated using ‘highly secure EU-based cloud capacity’ – this is notable in that it may provide legislative clarity on what ‘sovereign cloud’ means in this context. Given the text is expected from Q4 2025, companies active in cloud and AI should consider how their company strategies may be affected by it.

Review of EU digital competition regulation commences as first formal designations proposed under the corresponding UK regime

Over the summer, the European Commission began seeking input to inform the first of its required triennial reviews of the Digital Markets Act (DMA), due to conclude by May 2026. In July, the Commission consulted to gather feedback and evidence on the effectiveness of the DMA and in late August, the Commission launched an additional targeted consultation seeking feedback on the DMA’s implications for the AI sector. Translating findings from this review into policy and enforcement priorities will only take place after the review has concluded, meaning that it is unlikely to have an immediate direct impact. However, firms should monitor progress as it will no doubt influence the Commission’s ongoing priorities.

In the corresponding UK regime, July also saw the Competition and Markets Authority (CMA) provisionally propose to designate two companies with ‘strategic market status’ in relation to mobile ecosystems, following an SMS designation proposal in relation to general search and advertising services previously announced in June. In both cases, the CMA has set out a ‘Roadmap’ of potential measures it may impose on these firms, if designated. Whilst DMA compliance can likely be leveraged to some extent, the specifics may differ, meaning designated firms will need to carefully consider how they respond. For example, in relation to a potential measure requiring firms to allow app developers to steer potential customers away from an app store, the CMA notes it “need not adopt a ‘lift and shift’ approach, rather ensuring an approach that is appropriate in the UK.” In addition, new requirements will come with associated reporting obligations, potentially requiring new data collection processes in the UK.

Further investigations are anticipated in 2026. One potential area of focus is likely to be cloud services, following the conclusion of the CMA’s market investigation, which recommended investigations into the two largest providers. Given the report emphasises concerns around barriers to entry and expansion, barriers to switching, and licensing practices influencing choice of cloud providers, firms should expect any future requirements to centre on these issues. However, as an SMS designation investigation must be completed first, any new requirements would not be in force until late 2026, at the very earliest.

Consumer enforcement a priority for the CMA, with new digital fairness regulation consulted on in the EU

Now that the UK’s new consumer protection regime is in place (which we wrote about in our April blog The DMCCA consumer protection regime is now live), the summer provided the first example of how the CMA is using these new powers. It’s clear that one area of enforcement focus for the CMA is fake reviews; following an initial 3-month grace period, the CMA announced in July that it has now reviewed over 100 websites and has contacted 54 potentially non-compliant businesses. In July the CMA also opened a consultation on new price transparency guidance, including how pricing information should be presented up-front. With the CMA standing ready to enforce, online services should review and compare existing online practices against the CMA’s guidance and prioritise redesigning services as required to ensure compliance.

In the EU, potential new digital fairness regulation is on the horizon. In July, the European Commission consulted on a forthcoming Digital Fairness Act which will significantly change consumer protection regulations, focusing on areas including deceptive interfaces, misleading influencer marketing, addictive design, unfair personalisation, and child protection. Whilst not expected until Q3 2026, firms should ensure they are monitoring these developments and, based on the stated priority areas, begin to identify practices that may fall foul of new requirements.

Fit for purpose regulation of audiovisual media services and the protection of public service media remains high on the European agenda

Developments during the summer again highlighted the interdependency between digital regulation and the regulation of audiovisual media services.

In the UK, as part of its ongoing implementation of the Media Act, Ofcom consulted at the end of July on the ‘television selection services’ that it recommends Government should make subject to public service content prominence and accessibility obligations. Affected services (such as the identified smart TV operating systems) should already be considering the technical, strategic and commercial implications that would flow from this (something we have previously written about in our May blog Media regulation in the era of Generation Alpha).

At the same time, Ofcom also sounded the alarm on the need for Government to take urgent legislative steps to expand public service prominence and discoverability obligations even further, including online video-sharing platforms. This signals a clear direction of travel of how Ofcom believes prominence should be ensured in the digital sphere, suggesting that the Media Act, which is still being implemented, does not go far enough. If the Government were to act on Ofcom’s recommendations, this would mark a major shift in the relationship between public service broadcasters and digital platforms. This would require in-scope platforms to redesign their platforms, potentially including recommender systems, to provide the required prominence for public service content.

In the EU, the independency between media and digital regulation was also evident as key provisions of the EU's Media Freedom Act came into force from 8 August, imposing requirements on how VLOPs treat media service providers operating on their platform. However, affected VLOPs will need to wait a little bit longer for final Commission guidance confirming how elements of this should work in practice, given a relevant consultation on this topic only closed in July. VLOPs should nonetheless prioritise alignment with the requirements and final guidelines, when published, and ensure they are capturing the data required for new mandatory reporting.

Smart Data is a clear priority in the UK, as the EU focuses on potentially streamlining data rules as the Data Act is about to come into effect

Data regulation remains a central element of the UK and EU digital regulatory agenda, given its link to innovation and economic growth.

A key focus of the UK's Data (Use and Access) Act is the development of Smart Data schemes, designed to support innovation. Open Banking, which allows consumers to securely share financial data and initiate payments, is a model for potential schemes in other sectors. While the Government indicated an initial focus on finance and energy, July’s call for evidence explored opportunities in digital markets. This includes any learnings that can be gleaned from the data portability requirements under the EU’s DMA. The CMA’s discussion paper on smart data and price transparency schemes that followed in August demonstrates that this topic is a key element of the UK growth agenda.

At the same time, ahead of the majority of the EU Data Act’s provisions coming into effect on 12 September, the EU has been considering how it might streamline existing and incoming rules around data, evidenced in its consultation on its upcoming Data Union Strategy, which closed in July. This strategy aims to create a clearer framework for businesses and administrations to share data more seamlessly and at scale, while maintaining high privacy and security. This consultation precedes the planned simplification of data rules via a Digital Omnibus package in Q4 2025.

Ultimately, as data sharing increasingly becomes a policy focus, firms will need to consider the operational impact of any new requirements to share or make data available to authorised third parties. This will require firms to ensure a fit-for-purpose underlying data environment alongside the technical capability to source, transform and provide data as required. In parallel, firms should consider the opportunities offered by data sharing, including its potential to support new services and business models.

Conclusion

So that rounds off our swift recap on key UK & EU digital regulatory developments over the summer period. It’s clear that there is a considerable amount for in-scope companies to stay on top of.

If you’re interested in receiving our regulatory updates to your inbox going forward, please do sign up to the quarterly ECRS digital regulation newsletter, in which we pull together our publications and events relevant to the ever-evolving UK and EU digital regulatory agenda.