The European Commission’s Digital Omnibus Regulation proposal and recent national law updates in the UK, China, and India mark significant shifts in data law compliance for organisations in 2025, requiring renewed focus on cross-border risks and incident reporting.
Welcome to the final edition of the Stephenson Harwood data protection update for 2025, which reviews the principal regulatory, cyber security and enforcement developments from November and highlights what organisations should prioritise as we move into 2026. [1]
The European Commission published its Digital Omnibus Regulation proposal on 19 November 2025, a package of amendments aimed at simplifying and aligning the GDPR, the ePrivacy Directive, the AI Act, the Data Act, the Data Governance Act and NIS2 to reduce complexity while seeking to preserve high standards. Industry and legal observers should monitor fast-moving trilogue negotiations and consider the potential impact of proposed changes on data processing, AI compliance and cross-border data flows. According to the Commission’s announcement, some deadlines for high‑risk AI measures have also been floated for later implementation to give stakeholders more time to prepare. [1][2][5][7]
In the UK, the Department for Science, Innovation and Technology introduced the Cyber Security and Resilience (Network and Information Systems) Bill to Parliament on 12 November 2025, updating the NIS Regulations to broaden scope, impose new duties on regulated entities, mandate incident reporting and strengthen regulator enforcement powers and fines. The Bill is intended to bring a wider range of digital services and critical suppliers within the framework and to raise obligations for resilience and recovery. Stakeholders should review the government factsheets and prepare for expanded compliance and reporting requirements. [1][3][4][6]
China tightened its cyber security regime in two phases: the Measures for the Administration of National Cybersecurity Incident Reporting, effective 1 November 2025, which sets out cross‑sector incident reporting obligations (including very short reporting windows for critical infrastructure), and an amended Cybersecurity Law, effective 1 January 2026, which increases penalties, extends extra‑territorial reach and strengthens data localisation and cross‑border assessment requirements. Businesses with operations or data processing in China should reassess localisation, incident response and documentation practices. [1]
The UK’s Data (Use and Access) Act 2025 continued its phased implementation in November, with sections on joint law‑enforcement processing and intelligence services coming into force on 17 November and most digital verification services provisions commencing from 1 December 2025 (subject to limited exceptions). Organisations should consult the DUAA implementation timeline and update policies ahead of the anticipated wave of further amendments due in early January 2026. [1]
India finalised rules to operationalise the Digital Personal Data Protection Act 2023 when it notified the Digital Personal Data Protection Rules 2025 on 13 November 2025, establishing the Data Protection Board and setting a phased timetable for core obligations. Key features include the introduction of registered “consent managers”, mandatory security safeguards, a two‑stage breach reporting framework with detailed follow‑up within 72 hours, parental‑consent regimes for children’s data, obligations for Significant Data Fiduciaries and substantial fines for serious breaches. Organisations offering goods or services to individuals in India should map flows, assess SDF exposure and prepare for progressive compliance milestones through to May 2027. [1]
In enforcement and litigation, the European Court of Justice held on 13 November 2025 in Inteligo Media v ANSPDCP that the ePrivacy Directive governs the use of email addresses for direct marketing and can take precedence over the GDPR in that context, reinforcing the scope of the ePrivacy “soft opt‑in” for certain freemium models while cautioning that the ruling should be read narrowly. Separately, the FCA secured a prosecution under section 170(1) of the Data Protection Act 2018 after a former employee unlawfully sold customer data that enabled a crypto boiler‑room fraud; the FCA said the defendant “abused his position of trust” and stressed it will use its powers to tackle misuse of personal data that facilitates financial crime. These developments underscore that both data protection and financial regulators are sharpening enforcement tools where data misuse enables harm. [1]
Taken together, November’s measures, from the Digital Omnibus proposals and the ECJ clarifications to national laws and incident reporting regimes in China, India and the UK, emphasise three immediate priorities for organisations: (1) map and minimise cross‑border transfer and localisation risks; (2) strengthen incident detection, reporting and record‑keeping to meet tightened timelines; and (3) reassess marketing and consent practices in light of evolving ePrivacy/GDPR interaction and regional law changes. Legal teams and compliance functions should treat the coming months as a period to convert strategic planning into operational controls. [1][2][3][5][6]
Reference Map:
- [1] (Stephenson Harwood) – Paragraph 1, Paragraph 2, Paragraph 4, Paragraph 5, Paragraph 6, Paragraph 7, Paragraph 8
- [2] (European Commission) – Paragraph 2, Paragraph 8
- [3] (UK Government) – Paragraph 3, Paragraph 8
- [4] (UK Government factsheets) – Paragraph 3
- [5] (Reuters) – Paragraph 2, Paragraph 8
- [6] (Reuters) – Paragraph 3, Paragraph 8
- [7] (Reuters) – Paragraph 2
Source: Noah Wire Services
Noah Fact Check Pro
The draft above was created using the information available at the time the story first emerged. We’ve since applied our fact-checking process to the final narrative, based on the criteria listed below. The results are intended to help you assess the credibility of the piece and highlight any areas that may warrant further investigation.
Freshness check
Score: 10
Notes:
The narrative is current, published on 4 December 2025, covering developments up to November 2025. The Digital Omnibus Regulation proposal was published on 19 November 2025, and the Cyber Security and Resilience Bill was introduced to Parliament on 12 November 2025. ([digital-strategy.ec.europa.eu](https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-regulation-proposal?utm_source=openai)) No evidence of recycled or outdated content was found.
Quotes check
Score: 10
Notes:
The narrative does not contain any direct quotes, indicating original content.
Source reliability
Score: 10
Notes:
The narrative originates from Stephenson Harwood, a reputable international law firm, enhancing its credibility.
Plausibility check
Score: 10
Notes:
The claims are consistent with other reputable sources. The Digital Omnibus Regulation proposal and the Cyber Security and Resilience Bill are well-documented in official publications. ([digital-strategy.ec.europa.eu](https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-regulation-proposal?utm_source=openai)) The narrative maintains a formal and professional tone appropriate for its subject matter.
Overall assessment
Verdict (FAIL, OPEN, PASS): PASS
Confidence (LOW, MEDIUM, HIGH): HIGH
Summary:
The narrative is current, original, and originates from a reputable source. All claims are consistent with other reputable sources, and the tone is appropriate for the subject matter.
