On December 4, 2025, the German Federal Government published its Federal Modernization Agenda, setting out a series of suggested amendments to the GDPR and the Federal Data Protection Act (Bundesdatenschutzgesetz). Among the key measures, Germany seeks to shift certain responsibilities from users to manufacturers and providers of standard IT products—following the model of the
Inside Privacy
Updates on developments in data privacy and cybersecurity
NIST Publishes Preliminary Draft of Cybersecurity Framework Profile for Artificial Intelligence for Public Comment
On December 16, 2025, the U.S. National Institute of Standards and Technology (“NIST”) published a preliminary draft of the Cybersecurity Framework Profile for Artificial Intelligence (“Cyber AI Profile” or “Profile”). According to the draft, the Cyber AI Profile is intended to “provide guidelines for managing cybersecurity risk related to AI systems [and] identify[] opportunities for…
Spain Issues Guidance Under the EU AI Act
In December 2025, the Spanish Agency for the Supervision of Artificial Intelligence (AESIA) published a set of detailed guidance documents and templates aimed at helping providers and deployers of high-risk AI systems under the EU AI Act comply with the relevant requirements of the law. All materials are currently available in Spanish only.…
End-of-Year 2025 State and Federal Developments in Minors’ Privacy
Since our mid-year recap on minors’ privacy legislation, several significant developments have emerged in the latter half of 2025. We recap the notable developments below.…
European Commission Announces 2030 Consumer Policy Strategy
On November 19, 2025, the European Commission unveiled its 2030 Consumer Agenda, setting out priorities for EU consumer policy over the next five years. Below is an overview of the six key measures most relevant to industry.…
Digital Omnibus Package Series: European Commission’s Proposal to Revise the EU’s AI Rules
On November 19, 2025, the European Commission (“Commission”) officially presented its Digital Omnibus Package (see here and here). In our previous blog post (see here), we explained that this initiative, which represents a comprehensive update to the EU’s digital regulatory landscape, consisted of two proposed regulations: a “Digital Omnibus” that would amend, amongst…
European Commission Proposes Revisions to GDPR and Other Digital Rules Under Digital Omnibus Package
On 19 November 2025, the European Commission (“Commission”) officially presented its Digital Omnibus Package (see here and here). The initiative represents a comprehensive update to the EU’s digital regulatory landscape, which the Commission frames as a competitiveness and simplification initiative aimed at reducing administrative burdens and enhancing legal certainty for businesses. Although the final…
U.S. Senate Introduces the Health Information Privacy Reform Act
On November 4, 2025, Senator Bill Cassidy (R-LA), chair of the Senate Health, Education, Labor, and Pensions (“HELP”) Committee, introduced the Health Information Privacy Reform Act (“HIPRA”). HIPRA seeks to extend protections similar to those provided under the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, “HIPAA”) to…
NYDFS Publishes Industry Guidance on Managing Cyber Risks Related to Third-Party Service Providers
On October 21, 2025, the New York State Department of Financial Services (“NYDFS”) issued an industry letter (the “Guidance”) highlighting the cybersecurity risks related to Covered Entities’ use of Third-Party Service Providers (“TPSPs”) and providing strategies to address these risks. The Guidance is addressed to all Covered Entities subject to NYDFS’s cybersecurity regulation codified at…
China Amends Cybersecurity Law and Incident Reporting Regime to Address AI and Infrastructure Risks
By Yan Luo
Over the past few months, Chinese regulators have taken steps to update the country’s cybersecurity framework, with a particular focus on artificial intelligence (AI) safety and clarifying incident reporting obligations for onshore infrastructure. These developments reflect a broader trend toward more proactive AI and cyber governance and could signal priorities for the year ahead.…