15 July 2026
Share Print

Data and cyber legislation (recent and forthcoming): a timeline

To The Point
(3 min read)

The sheer volume of new and forthcoming legislation in the EU and the UK can be difficult to keep track of. We’ve updated our timeline to help you monitor which laws have recently come into force, which are coming into force in stages, and what is on the horizon.

Data and cyber legislation timeline

The legislation appearing in the timeline is:

  • ePrivacy Directive: this was implemented in the UK in the Privacy and Electronic Communications Regulations (PECR). While PECR has been in force for over 20 years, it has been amended several times, most recently by the Data (Use and Access) Act 2025 (DUAA), which introduced new exceptions to the cookie consent requirement and increased the maximum fine. The ICO has recently published its advice to the government on potential further changes to the rules governing online advertising.
  • GDPR: while this may still feel relatively new, it has now been applicable for over eight years, together with supplementary national legislation, such as the Data Protection Act 2018 in the UK. Following the end of the Brexit transition period, the UK GDPR came into force in January 2021 and has been amended by DUAA. The Digital Omnibus, which is going through the EU legislative process, proposes amendments to the GDPR and other EU digital laws. For more information, read our article EU Digital Omnibus – the EDPB and EDPS joint opinion
  • NIS and NIS2: the original Network and Information Systems Directive (NIS) imposed cybersecurity requirements on organisations in certain sectors. NIS2 has extended the in-scope sectors and updated their obligations. The deadline for EU member states to implement NIS2 in national law was October 2024, however, some states have still not fully done so. The Digital Omnibus also proposes amendments to NIS2, including streamlining the incident reporting obligations.
  • EU Digital Markets Act: this creates new obligations for large technology platforms acting as gatekeepers providing core platform services.
  • EU Digital Services Act: this aims to harmonise conditions for the provision of intermediary services, including transparency requirements and rules on targeted advertising.
  • DORA: this strengthens the cybersecurity requirements for financial services entities in the EU.
  • EU AI Act: this regulates AI systems placed on the EU market and is becoming applicable in stages, as set out in the timeline. The AI Omnibus has delayed some of those stages and our updated timeline reflects those stages. For more details, read our article EU AI Act: AI Omnibus formally adopted.
  • Data (Use and Access) Act 2025: this has amended the UK GDPR, Data Protection Act 2018 and PECR, primarily to relax certain requirements, but it has also introduced a new requirement to operate a complaints procedure. DUAA’s changes to data protection are now in force, but its reforms of the Information Commissioner’s Office (ICO) have not yet taken effect. For more information about DUAA, please read our article The Data (Use and Access) Act 2025: top 7 changes you need to know about and listen to the recording of our webinar.
  • EU Data Act: this introduces new rules on access to, and use of, data generated by connected products and related services. It started to become applicable on 12 September 2025. We have published a Data Act brochure and a series of articles on the Data Act: EU Data Act: Is Your Business Ready?EU Data Act: Interplay with the GDPR and EU Data Act: Gamechanger for SaaS contracts.
  • Cyber Security and Resilience (Network and Information Systems) Bill: the UK government published this Bill in November 2025, and it is currently going through the parliamentary process. The Bill brings the existing UK NIS Regulations closer to NIS2, including by bringing data centres and managed service providers into scope, extending incident reporting obligations and introducing turnover-based fines.
  • EU Cyber Resilience Act: this EU law introduces cybersecurity requirements for connected devices and is becoming applicable in stages, as set out in the timeline.
  • EU Digital Fairness Act and Biotech Act: the European Commission is expected to adopt these new pieces of legislation later in 2026. The Digital Fairness Act will place obligations on online services to prevent dark patterns, addictive design and misleading marketing. We’ve included the Biotech Act in the timeline because it is likely to contain provisions about access to data, including anonymised health data, to help Europe become more competitive in the biotech sector.
  • AI Bill: the previous version of our timeline reflected the 2024 King’s Speech, which stated that the government would introduce legislation to regulate the most powerful AI models. More recently, the government has indicated that it does not intend to introduce an AI Bill at this time, so we have deleted this entry from the updated timeline. 

Organisations may be finding it difficult to navigate the closely-connected rules introduced by this new legislation, while horizon scanning for forthcoming legislation such as the EU Digital Fairness Act and the UK Cyber Security and Resilience Bill. Organisations that operate in the EU and the UK have the added complexity of UK data protection law starting to diverge from the GDPR now that the Data (Use and Access) Act 2025 changes are in force.

Next steps

Addleshaw Goddard’s specialist Data team can help you to identify which legislation applies to your organisation and devise a plan to achieve compliance.

Key contacts

Partner, Commercial and Data Protection & Head of Data
Edinburgh, UK

Partner, IP/IT & Data Protection
France

Partner, Commercial & Data Protection
Aberdeen, UK

Partner, Intellectual Property, Data Protection & IT, Commercial
Germany

Counsel, Head of IS and Technology, Data Protection and Intellectual Property
Madrid, Spain

Counsel, Head of TMT/IP (Poland)

To the Point


Subscribe to receive legal insights and industry updates directly into your inbox

Sign up now