November sees significant shifts in global data protection and cyber security regulations

November 2025 brought major legal and regulatory updates across the EU, UK, China, and India, signalling a tightening of data privacy and cyber security standards amid ongoing negotiations and enforcement efforts.

Welcome to the final data protection and cyber security round-up for 2025, focusing on regulatory shifts, emerging compliance obligations and notable enforcement developments from November. According to the original report from Stephenson Harwood, the month brought major EU proposals, new UK and Chinese cyber rules, the operationalisation of India's privacy framework and landmark legal and enforcement decisions that will affect organisations handling personal data.

The European Commission published its Digital Omnibus package on 19 November 2025, proposing a wide-ranging set of amendments to the GDPR, the ePrivacy Directive, the Data Act, the Data Governance Act, NIS2 and the EU AI Act. The Commission presents the package as simplification and harmonisation aimed at boosting innovation while preserving high standards. The proposals are not yet law: they must pass through trilogue negotiations between the Commission, the European Parliament and the Council before any change takes effect, and the timetable for some high-risk AI rules is itself under discussion for later implementation. Organisations should therefore monitor developments and prepare for transitional changes rather than act on the proposal text as it stands.

Key elements of the Digital Omnibus include targeted amendments to the GDPR and clarifications on the interplay with the ePrivacy Directive, proposed adjustments to AI governance (including suggested delays and narrower scopes for some high‑risk requirements), and measures intended to streamline cross‑cutting rules on data access and use. Industry stakeholders should note the Commission’s stated intention to preserve regulatory safeguards while reducing duplicative obligations that industry has argued create burdens. The final shape of these reforms will depend on negotiations between the Commission, the European Parliament and member states.

In the UK, the long-awaited Cyber Security and Resilience (Network and Information Systems) Bill was introduced to Parliament on 12 November 2025. The Bill modernises and expands the existing NIS framework: it broadens the range of regulated entities (including data centres, cloud and managed service providers and critical suppliers), imposes new duties to identify and manage cyber risks, mandates incident reporting to authorities and affected customers, and increases fines and enforcement powers. The government has published factsheets setting out practical implications for sectors and suppliers. Firms providing relevant services to the UK should begin reviewing which obligations will apply to them and whether their incident response and reporting arrangements can meet the new duties once the Bill is enacted.

China tightened its cyber security regime through two complementary measures. The amended Cybersecurity Law, effective 1 January 2026, raises penalties, extends individual liability, tightens personal data requirements (including localisation and mandatory security assessments for cross-border transfers) and broadens extra-territorial enforcement powers. Separately, the Cyberspace Administration's Measures for National Cybersecurity Incident Reporting (effective 1 November 2025) create a cross-sector reporting framework with stringent deadlines for critical information infrastructure operators, including a one-hour reporting requirement for certain incidents. Companies with operations or data processing in China should reassess local and cross-border practices, strengthen documentation and move from reactive to proactive compliance postures; a one-hour deadline in particular leaves no room for incident classification and escalation paths that are worked out only after an incident occurs.

In UK enforcement, the Financial Conduct Authority prosecuted a former employee of Virgin Media O2 for unlawfully obtaining and selling customer personal data that facilitated a large-scale cryptocurrency fraud. The FCA treated the conduct as unlawful obtaining and disclosure of personal data under section 170(1) of the Data Protection Act 2018 and emphasised the harm caused by insider misuse of data. Although the monetary penalties imposed were small, the FCA framed the case as a clear signal that it will use its powers to address data misuse that enables financial crime, complementing ICO enforcement activity. Regulated firms should therefore reinforce insider threat controls, such as least-privilege access to customer records and monitoring of bulk data access, alongside cultural deterrents.

The Court of Justice of the European Union clarified the relationship between the ePrivacy Directive and the GDPR in Inteligo Media SA v ANSPDCP (C-654/23), ruling that where an email address is used for direct marketing within the meaning of Article 13(2) of the ePrivacy Directive, the ePrivacy regime takes precedence and a separate lawful basis under Article 6(1) GDPR is not required. The judgment, aligning with the Advocate General's opinion, confirms the availability of the "soft opt-in" for certain freemium models but should be read narrowly in the specific factual context of the case. Organisations relying on direct marketing exemptions must carefully assess whether their user journeys and service offerings match the terms of the ruling.

India has operationalised core elements of its Digital Personal Data Protection architecture: on 13 November 2025 the Digital Personal Data Protection Rules 2025 were notified, bringing the Digital Personal Data Protection Act 2023 into operation. The Rules establish the Data Protection Board and set a phased timetable for obligations: consent manager duties begin 12 months from notification, and core compliance requirements (security safeguards, retention rules, children's data protections and restrictions on certain transfers) take effect 18 months from notification, on 13 May 2027. The regime introduces consent managers, differentiated obligations for Significant Data Fiduciaries, mandatory breach reporting timelines and substantial fines for serious breaches; affected organisations should map data flows, update governance and prepare for staged enforcement.

Taken together, November's developments underline a global trend: regulators are tightening both privacy and cyber security obligations while clarifying how overlapping legal regimes interact. Boards and compliance teams should prioritise cross-cutting risk assessments (covering AI, incident reporting, insider threats and cross-border transfers), update playbooks for fast reporting and response, and maintain documentary evidence of proactive compliance measures as enforcement activity intensifies. Industry guidance and implementing regulations remain in flux, so continuous monitoring and timely engagement with policy updates will be essential.
Source: Noah Wire Services