digital economy regulation

A US federal court ruled, in two separate cases, that training artificial intelligence (AI) models with copyright-protected books without permission from copyright owners does not infringe copyright in certain circumstances. Both rulings are subject to appeal, and the ultimate resolution of this AI training issue remains unsettled. Many other copyright infringement lawsuits over AI training are still pending in the US.

The Data (Use and Access) Act became law on 19 June 2025. The act introduces changes to the UK data protection regime in areas such as automated decision-making, the use of cookies and the legal bases for processing personal data. It also restructures the UK data protection authority.

This report gathers policy and regulatory developments at EU level covered by Cullen International’s Digital Economy and Media services over the past two weeks. It also lists events taking place this week.

The UK government is seeking feedback on the cybersecurity of enterprise connected (IoT) devices. Proposed initiatives may include publishing a voluntary code of practice, developing “a new global standard” for cybersecurity and/or introducing legislation that would mandate some or all of the code’s principles.

The NIS2 transposition law has not yet been officially published but it is expected to enter into force on 1 September 2025. The government would have sole responsibility for deciding on restricting high-risk vendors, while the national cybersecurity authority would implement the decision in practice.

The agreement, which is yet to be formally adopted, would set a 15-month deadline for data protection authorities to conclude their investigations. However, the press releases issued by the EP and the Council do not provide much detail on the substance of the final deal.