The new year of 2025 will see a number of important changes in new technology law. These range from AI and data regulations, through cyber security to the financial sector and digital services. We list the most important dates and look at upcoming regulations that will change the technological legal landscape.
Artificial intelligence
It’s impossible to discuss new technologies without mentioning artificial intelligence. Last year brought the adoption of the EU AI Act, and although its full entry into force is staggered over several years, regulations on prohibited AI practices, as well as the so-called AI Literacy obligation will take effect as early as on 2 February 2025.
In practice, this will mean banning AI solutions that generate unacceptable risk, and formalizing requirements for the competence of those involved in the operation and use of AI systems.
In addition, by the intended date of 2 May 2025, the European Commission should have published its AI Codes of Conduct, thereby systematizing desirable practices in this field.
2 August 2025 is another important date, as this is when regulations on general-purpose artificial intelligence systems and penalties and supervisory bodies will take effect.
Domestic legislators, on the other hand, have scheduled passing the draft act implementing the AI Act to Parliament between the first and second quarter of 2025.
Data
As announced, a draft Data Governance Act will be passed in the first half of 2025, which, among other things, will expand the catalogue of possibilities for the reuse of public sector data by the private sector. This is a result of the implementation of the provisions of the EU’s Data Governance Act.
In addition, the provisions of the Data Act, an EU regulation seeking to increase access to and use of data by market participants, will take effect on 12 September 2025. This should realistically free up competition in this field. The regulations will apply to both personal and non-personal data.
Cyber security
Despite the fact that NIS2, the EU’s cyber security directive, should have been applied by October 2024, many EU countries, including Poland, are struggling to adopt it.
In Poland the work on the implementation was intensive at the end of last year, but it is still unclear whether the latest published version will make it to the parliamentary stage without further amendments. Nevertheless, according to conservative forecasts, a draft amendment to the National Cyber Security System Act is expected to finally reach Parliament in the first quarter of 2025.
As a result, entities classified as within critical and important sectors will have to adapt their internal policies and procedures to the enhanced cyber security requirements, and according to the latest published version of the draft, will have 6 months to do so from the effective date of the amendment. In addition, by 1 April 2025, they will have to self-identify and submit a corresponding application for registration.
Financial sector
As early as from 17 January 2025, the Digital Operational Resilience Act will become applicable, with the need for both the financial sector and ICT service providers to comply with enhanced and harmonized standards in the area of operational digital resilience.
Therefore, as announced in December, the Polish Financial Supervision Authority (KNF) also plans to repeal and revoke a number of soft law acts that have so far set the cyber security framework for the financial sector. These include the Cloud Communiqué and Recommendation D as well as the Guidelines on the Management of Information Technology and ICT Environment Security.
From 30 December 2024, the Markets in Crypto-Assets Regulation (MiCA), has been in full effect. By establishing a harmonized legal framework, the transparency, security and integrity of cryptocurrency markets in the European Union will increase. However, this requires the adoption of relevant legislation implementing MiCA into the Polish legal system, which is unfortunately delayed. Nevertheless, the Polish cryptoasset market draft act is forecast to be completed in 2025.
In addition, negotiations of the Council of the European Union on a common position on the payment services regulatory package, including the PSD3 Directive and the Payment Services Regulation, are expected to continue in the first quarter of 2025.
In addition, the adoption of the Financial Data Access Framework Regulation (FiDA), which deals with so-called Open Finance, i.e. services that allow users to easily and securely access their financial data, is projected to be completed in the third quarter of 2025.
Digital services
Although the DSA, i.e. the EU’s Digital Services Act, already began to be fully effective at the beginning of last year, work on the Polish draft implementing the regulation is still ongoing.
In line with this, a draft amendment to the Act on the Provision of Services by Electronic Means should be submitted to Parliament for consideration in the first quarter of 2025.
This will mainly concern procedural changes and the designation of bodies responsible for supervising digital service providers’ compliance with the new regulation.
Any questions? Contact us
