The European Union (EU) is introducing new regulations for online and tech businesses to create a consistent legal framework across various sectors. By 2025, several European and German laws will come into effect. Want to know which ones? Keep reading! This alert provides a quick overview of what these 2025 frameworks are about, who they may concern and when they will apply.

The EU General Product Safety Regulation

  • What? The EU General Product Safety Regulation (GPSR) replaces the old General Product Safety Directive and includes various safety requirements for products. The regulation covers product safety analysis, labeling requirements, and rules for product recalls.
  • Who? It impacts all economic operators and online marketplaces dealing with products that are intended or likely to be used by consumers. The GPSR also applies if the product is manufactured or sold online from outside the EU, provided the product is intended for consumers in the EU.
  • When? The GPSR has been in effect since December 13, 2024.

The EU DORA Regulation

  • What? The Regulation on Digital Operational Resilience for the Financial Sector (DORA) establishes a harmonized legal framework for managing cybersecurity and ICT risks in financial markets. It aims to ensure resilient operations during major business interruptions that could threaten network and information system security. The Regulation focuses on ICT risk management, reporting requirements, digital resilience testing, and third-party risk management.
  • Who? The DORA covers a wide range of EU financial entities, e.g. credit institutions, investment firms or management companies.
  • When? The DORA applies from January 17, 2025.

The NIS2 Directive

  • What? With the introduction of the Directive on measures for a high common level of cybersecurity across the Union (NIS2), the EU aims to improve cybersecurity in critical sectors in response to growing threats. Affected companies are required to implement risk management measures, registration obligations and incident management.
  • Who? The scope of NIS2 is significantly broader compared to the previous NIS1 Directive. It covers all companies that meet quantitative thresholds and provide or carry out their activities in critical sectors in the EU.
  • When? Member states were required to implement this regulation into national law by October 17, 2024. Germany is behind schedule, but it is expected that the German implementation law will come into effect in the second quarter of 2025. The timetable depends to a large extent on the composition of the future federal government.

The German Accessibility Strengthening Law

  • What? The German Accessibility Strengthening Act (Barrierefreiheitsstärkungsgesetz – BFSG) implements the European Accessibility Act (EAA). The law aims to ensure the accessibility of products and services, enabling people with disabilities to participate in society.
  • Who? It requires various economic operators to meet specific accessibility requirements for products and services offered in Germany, including e-commerce offerings like webshops and consumer terminals with interactive services.
  • When? The BFSG was enacted on July 16, 2021, and will be applied from June 28, 2025.

The EU AI Act

  • What? The Regulation on Artificial Intelligence (AI Act) is the first legislation to set specific rules for developing and providing artificial intelligence. It classifies AI Systems into different risk categories, each with its own set of requirements.
  • Who? The AI Act primarily applies to operators, providers, importers, and distributors of AI systems. It is sufficient for the application if the AI system is placed on the market in the European Union.
  • When? While the AI Act itself will fully apply on August 2, 2025, the regulations on prohobited AI systems will already apply from February 2, 2025. The regulations on high-risk AI models, will then apply from August 2, 2027.

The European Media Freedom Act

  • What? The European Media Freedom Act (EMFA) introduces a new framework to protect media pluralism and independence. It includes various information obligations, such as disclosing the names of beneficial owners.
  • Who? The EMFA applies particularly to media services and media service providers that offer information, entertainment, or education to the public.
  • When? The EMFA will be effective from August 8, 2025. However, some articles will apply earlier, starting from November 8, 2024, February 8, 2025, and May 8, 2025.

The EU Data Act

  • What? The EU Data Act (DA) introduces new rules for the exchange, distribution, and use of data, including non-personal data. The DA also enhances data interoperability and data-sharing mechanisms and services.
  • Who? It targets manufacturers of connected products (IoT), providers of related services, their users, and data holders. The DA applies in particular to products placed on the market in the Union and providers of related services; irrespective of the place of establishment of those manufacturers and providers.
  • When? The DA entered into force on January 11, 2024, and its rules will mainly apply from September 12, 2025.

The EU Product Liability Directive

  • What? The new EU Product Liability Directive (PLD) aims to update European product liability law to address digitalization challenges and business developments in recent years. The liability regime for economic operators is expected to become significantly stricter.
  • Who? The PDL covers all movable or immovable products placed on the market or put into service in the EU. One of the significant changes is that the directive now also covers digital products like software.
  • When? Member states must implement this directive into national law by December 9, 2026. Due to its significant impact, businesses are advised to understand its effects on their business models early on.

What’s next?

The European Union’s regulatory landscape is evolving, with significant projects slated for the year 2025. A key focus will be on regulating product compliance and e-commerce platforms. Although the list of legislative acts is not exhaustive, several important laws are already in the pipeline for the upcoming years. The Cyber Resilience Act, the Machinery Regulation, and the e-Evidence Package are only some examples. Online and tech companies will continue to face new challenges as these regulations come into effect.

EU data strategy: Stay up to date on Data Act, AI Act, Digital Services Act, NIS2, Cyber Resilience Act, European Health Space and others with our blog series.