Analyzing critical legal trends and developments across data, cyber, AI and digital regulations from around the world and beyond borders

The data and cyber global landscape in 2025 looks as complex as it has ever been. Global organizations and transformational technologies are borderless—but the laws that regulate businesses, information practices and governance are country-specific. Data, cyber and digital evolution are key drivers of business risk and opportunity. We predict that trend to continue throughout 2025, with geopolitical instability driving new cyber threats, national policy and legislative responses. Our recently updated 2025 Global Data & Cyber Handbook, coupled with our predictions for 2025 below and our Global Disputes Forecast 2025, provides a detailed perspective on how these trends are influencing laws and regulatory enforcement around the world for data, cyber and AI.

  1. Geopolitical Tensions Intensify Global Data and Cyber Risk. With trade and tariff wars intensifying, the likelihood and severity of data and cyber issues are increasing for global businesses. New laws going into effect in 2025 impose cross-border data transfer restrictions, mandate transparency and increase reporting and regulatory obligations.
  2. Puts Multinational Businesses in the Cyber Crosshairs. In the context of geopolitical risk, multinational businesses must prepare for increasing cyber attacks from nation state actors. Multinationals will need to go deeper to be ready for and resilient to cyber-attacks, particularly those that are considered critical infrastructure or are part of the IT and supply chain. Response and reporting obligations for cyber incidents vary across jurisdictions with short deadlines for reporting. Multinational companies must proactively identify which laws apply so they can react and respond to local nuances.
  3. Secular Data Trends. Geopolitical risks are adding complexity to data trends. At the end of 2024, we observed the first-of-its-kind US outbound data transfer restrictions, grounded in national security considerations with transfer of sensitive personal information to countries of concern and backed by potential criminal penalties. Corresponding risks arise in other markets, as countries such as China have adopted strict privacy, cyber, and security rules that can be interpreted through a lens of geopolitical risk and uncertainty. At the same time, longstanding cross-border data transfer issues, such as those represented by the EU-US Data Privacy Framework, will continue to develop, although they may not attract as much headline attention as increasing geopolitical risk in other areas.
  4. Private Sector Litigation Continues to Shape the Data and Cyber Landscape. In the U.S., privacy and data breach litigation is exponentially increasing, particularly for wiretapping laws like the California Invasion of Privacy Act, use of cookies/pixels, geolocation tracking, and cybersecurity issues. Also, as the new administration is expected to have more business-friendly policy and enforcement on these issues, certain state regulators and lawmakers will likely ramp up state actions. In the EU and UK, the intersection of the law, the constant flow of new technology applications, and regulators often having to learn on the job rather than having the luxury of time to consider policy, creates a complex melting pot of litigation risk. Add to that a sprinkling of privacy activism and it seems inevitable that data litigation risk will see an increase across Europe and beyond. How this manifests through legal proceedings remains problematic given the uneven landscape for such actions, for example whether they are driven through class actions, mass litigation claims or collective actions; either way, the uncertainty of the litigation channel adds to the challenge.
  5. Bad Guys Get Better Using AI. Threat actors continue to weaponize artificial intelligence. They are using old stolen data and credentials to automate scripts and attack businesses, bypassing multifactor authentication, creating deepfakes, and developing sophisticated types of polymorphic malware. They are also using AI to create extremely targeted phishing campaigns. It is imperative that businesses understand these emerging AI-powered tactics and that their legal and InfoSec teams work closely together to manage and mitigate risk. Bad actors are not subject to safety, transparency, and accountability obligations and therefore careful planning and risk assessments are essential.
  6. The Logic and Complexity of the EU AI Act Means Challenges to Implementation. The EU AI Act, ratified in 2024, establishes a comprehensive regulatory framework for AI within the EU, categorizing AI systems by risk level and imposing stringent requirements on high-risk applications to ensure safety, transparency, and accountability. It demands significant compliance efforts from businesses, including robust governance structures, continuous monitoring, and thorough documentation. Similar to the GDPR, the EU sees it as setting a global precedent, but it’s not clear how widely this will be followed by other markets, not least because the different logic and complexity of the Act may result in a complicated implementation phase. We expect that the multiple implementation stages, such as the establishment of national supervisory authorities and AI regulatory sandboxes, will take several years to fully operationalize. Compliance will be extremely resource-intensive and may lead companies to deprioritize certain projects. Finally, the Act’s reliance on self-regulation and self-certification could result in varying levels of compliance and enforcement, potentially undermining its effectiveness. These challenges highlight the need for clear guidelines and robust support mechanisms to help businesses navigate the regulatory landscape efficiently. The guidance and notably the codes of conduct which are expected to be published by the AI Board and relevant authorities in 2025 are eagerly awaited.
  7. AI Governance and Regulation Continues to Mature. As businesses continue to find innovative ways to create, leverage, and utilize AI, the issue of AI governance becomes increasingly important. However, AI governance remains immature in most organizations. With the new U.S. administration, Biden’s federal AI policy was reversed and replaced with a new policy focusing on innovation. Federal deregulation or lack of federal enforcement will cause certain state lawmakers and regulators to increase laws, regulations and enforcement activity. This is particularly true in the area of consumer privacy and protection. In APAC, our AI Governance Principles and Regulatory Landscape Overview shows the mixed current picture in the region which is likely to persist in 2025. China is an outlier with specific mandatory measures imposed across a wide range of issues, with other jurisdictions either relying on specific measures proposed by existing sectoral regulators to indicate compliance, or on softer non-binding, principle-based guidelines. With the EU AI Act an imperfect benchmark, businesses must grapple with the challenge of operationalizing a global AI strategy while respecting local nuances.
  8. Holistic Data Risk Assessment and Governance Becomes a Necessity. Regulatory FOMO (Fear of Missing Out) will lead to continued convergence between data and cyber risk and wider considerations, like antitrust, and make a holistic data governance strategy essential. One key antitrust theme is the use of AI: as organisations deploy AI to develop their business strategies, their internal investigations and in their relationships with consumers, they will need to keep in mind antitrust issues regarding information sharing and price unification alongside privacy, cyber and other legal risks. Another theme with impact across legal disciplines is sharing of non-personal data, as legislators take specific action to unlock valuable public and private sector data – for example, via the EU’s Data Act and Data Governance Act. We expect to see this convergence play out through increased regulatory “contagion”, where interest or scrutiny from one regulator in the data, cyber, digital content, consumer or antitrust space gives rise to action by others.
  9. Sustained Focus on Digital and Cyber Regulation in Europe. The outlook for EU digital regulation in 2025 suggests a sustained emphasis on advancing the digital ecosystem while tackling new challenges. With the new European Commission, which began its term on 1 December 2024, there is a clear intention to prioritize the regulation and enforcement of digital markets. This approach aims to streamline and simplify existing regulations, thereby alleviating the regulatory and administrative load on EU businesses. Key areas of focus include not only the EU AI Act, which will continue to evolve, with a focus on balancing innovation with risk management, but also the Digital Fairness Act, which aims to ensure fair competition and consumer protection in the digital market, and the Data Governance Acts (the DGA itself and the Data Act) which will facilitate data access and sharing. The cybersecurity piece is not forgotten in the EU digital landscape: the Cyber Resilience Act, the Cybersecurity Act and NIS 2 will continue to enhance the EU’s cybersecurity posture, ensuring that businesses prioritize cybersecurity throughout the product lifecycle. Of course, the EU’s close neighbor – the UK – is also seeing some clarity on the drive towards new data and cyber driven legislation. Whilst it is only early stages, it is interesting to see how the Data Use and Access Bill adopts a hybrid approach combining the data protection framework and ‘Data Act’ with a sprinkling of the UK Government’s smart data growth ambitions to loosen the legislative grip on data re-use.
  10. Continued Evolution and Divergence in Asia-Pacific. The privacy and cybersecurity laws in the Asia-Pacific (APAC) region are continuing to develop, with many new or amended laws being enacted or proposed across the region, including in countries such as Malaysia, Australia, Thailand, Vietnam, Hong Kong, and India. These changes reflect a growing recognition of the importance of data protection and cybersecurity in an increasingly digital world. Nevertheless, regional harmonization remains a distant goal due to divergent approaches on legal bases for processing, data and cybersecurity breach notification and incident response requirements, and cross-border data transfer requirements, amongst others, and this is not expected to change in 2025. There appears to be alignment in the region on the need for increased regulations to combat online harms. For example, Singapore introduced the Online Criminal Harms Act (OCHA) on February 1, 2024, targeting online services that pose a high risk of scams to Singaporeans, particularly social media and e-commerce sites. In addition, a new regulator will be introduced to address online harms and promote responsible behavior online. Other ASEAN economies, notably Malaysia and Vietnam, have also introduced rules to tackle online safety. Online harms and the protection of children’s personal data remain high on the agenda of regional regulators, such as Singapore, Australia, Malaysia and Vietnam. On the cybersecurity front, we also expect increased regulations governing digital infrastructure and systems, although the form that such regulations will take is likely to vary across the APAC jurisdictions, making implementation of a standard approach more challenging for companies.

Author

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Author

Justine focuses her practice on both proactive and reactive cybersecurity and data privacy services, representing clients in matters related to information governance, diligence in acquisitions and investments, incident preparedness and response, the California Consumer Privacy Act, privacy litigation, and cyber litigation.

Author

Vin leads our London Data Privacy practice and is also a member of our Global Privacy & Security Leadership team bringing his vast experience in this specialist area for over 22 years, advising clients from various data-rich sectors including retail, financial services/fin-tech, life sciences, healthcare, proptech and technology platforms.

Author

Magalie Dansac Le Clerc is a partner in Baker McKenzie's Paris office. A member of the Firm's Information Technology and Communications Practice Group, she is a Certified Information Privacy Professional (CIPP).

Author

Adrian is the Head of the Firm's Asia Pacific Technology, Media & Telecommunications Group. His practice focuses on advising on online and offline media interests including digital copyright, data and information transfer, content and advertising regulation, consumer protection, defamation, online payment systems and transaction engines, online gambling, website risk minimisation measures, online security and cryptography, securities licensing, and trade marks and domain names.

Author

Carolina Pardo is a lawyer and specialist in International Contract Law graduated from Universidad de los Andes. She obtained a LL.M. with specialization in International Private Law and Competition Law from the London School of Economics and Political Science. Over 20 years, she has advised major national and international clients on matters related to compliance with data protection, competition and consumer law rules. She has also successfully coordinated and prepared proposals for submission to national authorities on behalf of major industrial groups in Colombia.

Author

Andy Leck is the head of the Intellectual Property (IP) Practice Group and a member of the Dispute Resolution Practice Group in Singapore. He is a core member of Baker McKenzie's regional IP practice and leads the Myanmar IP Steering Committee.