EIOPA Publishes Consultation on Opinion on AI Governance and Risk Management
On February 12, 2025, the European Insurance and Occupational Pensions Authority (“EIOPA”) published a consultation on its draft opinion on artificial intelligence (“AI”) governance and risk management (the “Opinion”).
Engage with the U.S. SEC’s Crypto Task Force and Shape the Future of Crypto Regulation
On February 21, 2025, Commissioner Hester Peirce of the U.S. Securities and Exchange Commission (SEC) issued a statement inviting public input on a wide range of issues related to crypto assets and blockchain technology (the Statement). Although the Statement was issued by Commissioner Peirce in her individual capacity and does not necessarily reflect the views of the Commission or other Commissioners, it resembles a concept release in its scope and format, inviting public input on a wide range of issues concerning crypto assets and blockchain technology.
(more…)

EDPB Adopts Report on GDPR Right of Access Following 2024 Coordinated Enforcement Action
On January 20, 2025, the European Data Protection Board (EDPB) adopted a report on the implementation of the right of access by controllers under the GDPR (the Report). The right of access was the subject of the EDPB’s third coordinated enforcement action (CEF) in 2024 which involved 1,185 controllers of varying size, industry, and sectors. The Report provides useful recommendations for controllers on how to comply with access requests, including guidance on how long access request documentation should be retained, the importance of maintaining internal documentation, and how to avoid a ‘one size fits all’ approach. The Report emphasizes that access requests should be handled on a case-by-case basis, considering the broad scope of the right and the limited exemptions.
Artificial Intelligence: U.S. Securities and Commodities Guidelines for Responsible Use
Despite recent focus on artificial intelligence (AI) by U.S. financial regulators, the Securities and Exchange Commission (SEC), Commodity Futures Trading Commission (CFTC), and Financial Industry Regulatory Authority (FINRA) have not yet issued new regulations specifically addressing the use of AI. Nonetheless, during the Biden administration, guidance from these agencies emphasized the necessity of responsible use of AI within existing regulatory frameworks, urging market participants to exercise additional diligence to navigate compliance risks associated with AI usage.

U.S. Copyright Office Issues Report on Artificial Intelligence and Copyrightability
On January 29, 2025, the U.S. Copyright Office issued the second part of its Report on Copyright and Artificial Intelligence, following a Notice of Inquiry (NOI) the Office issued in 2023. The first part of the Office’s Report, released in July 2024, addressed digital replicas. This second part addresses copyrightability, an issue that attracted considerable interest from authors, artists, and the media and technology industries — approximately half of the more than 10,000 comments that the Office received in response to the NOI addressed copyrightability questions.
CMS Seeks Comments on Proposed Guidance Addressing Study Protocols That Use Real-World Data
On January 17, 2025, the Centers for Medicare & Medicaid Services (CMS) issued a proposed guidance document on study protocols that use real-world data (RWD). The proposed guidance focuses on studies with RWD sources in the context of Medicare National Coverage Determinations (NCDs) using CMS’s Coverage with Evidence Development (CED) paradigm. It presents a proposed standardized template for manufacturers or other sponsors to use when developing CED study protocols using RWD. The proposed guidance could also have broader implications with respect to RWD studies and coverage considerations. Comments on the proposed guidance are due by March 18, 2025.

U.S. Department of Commerce Finalizes Connected Vehicles Supply Chain Restrictions
On January 16, 2025, the U.S. Department of Commerce Bureau of Industry and Security (BIS) Office of Information and Communications Technology and Services (OICTS) published a Final Rule formalizing prohibitions on certain connected vehicles (CVs) transactions involving hardware and software linked to the People’s Republic of China (China) and Russia.1 The Final Rule is scheduled to take effect on March 17, 2025. However, given that the Final Rule is one of several new regulatory frameworks on trade issued in the final days of the Biden administration, it remains to be seen what will happen with these regulations after January 20.

Action Items for U.S. Public Companies for 2025
Rapid rulemaking and aggressive enforcement by the SEC, combined with legislative, judicial, and regulatory developments, have created new requirements and expectations for U.S. public companies.
U.S. Department of Commerce Seeks to Protect Drones Supply Chain From Foreign Adversaries
On January 3, 2025, the U.S. Department of Commerce Bureau of Industry and Security (BIS) Office of Information and Communications Technology and Services (OICTS) published an Advance Notice of Proposed Rulemaking (ANPRM) on the national security risks posed by foreign adversary involvement in the supply chain for unmanned aerial systems (UAS) (i.e., drones), including risks to critical infrastructure and U.S. sensitive data. BIS seeks public input to inform regulations on the supply of certain UAS components developed by entities linked to the People’s Republic of China (China) and Russia.
Looking Ahead to 2025 in EU Cybersecurity Developments
As 2024 draws to a close, we look ahead to notable upcoming cyber developments in the new year. From the adoption of new cyber laws to the initiation of infringement proceedings by the European Commission against a number of EU Member States for alleged failures to adequately implement the EU Network and Information Systems Security 2 Directive, the EU continues to emphasize cybersecurity in a rapidly evolving legal and technological environment. There are no signs of this momentum slowing down in 2025.

