The fractured regulatory landscape tech companies face in 2025
The rise of data nationalism – when governments look to control data for security reasons – is leading to the creation of a patchwork of country or region-specific regulations that can add another layer of complexity to businesses’ global compliance.
The development of laws and regulations such as the EU AI Act and the UK’s Data Use and Access Bill reflects a growing recognition from governments that data is a critical asset, and has led to a growth in data sovereignty – where data is subject to the laws and regulations of the country where it’s collected or stored.
More often than not these new regulations mandate local data storage, but while being similar in their goals, there are often small differences in these laws’ data protection and cybersecurity frameworks.
Take a positive view
These new regulations may feel like yet another burden IT leaders must shoulder but they show a maturing of the cybersecurity landscape. And while there is room for interpretation, leaders will find the main nuances are in enforcement and penalties.
“The laws aim to enforce more robust data sharing and resilient infrastructure, which is a change for the better,” notes Christian Have, CTO at IT security services provider Logpoint.
There are multiple ways to look at this growth of regional data regulations, says James Hodge, group vice president and chief strategy advisor at Splunk and member of the TechUK AI Committee. He recommends taking the view that it’s a positive thing for business.
“These kinds of frameworks give us concrete ways of working, give us certainty on how we should go about doing business in a specific country. So, I think that overall, we should take it as a very positive thing.”
Complying with region-specific data residency requirements
Even so, it’s impossible to ignore the new challenges organizations are facing due to this growth in data residency requirements.
New laws and policies may force organizations to fragment their data architecture, creating inefficiencies and redundancies notes Lauren Murphy, CEO of data consultancy Friday Initiatives, who also points to the challenge of aligning operations with varying legal definitions of data use, consent, and personal data and keeping up with evolving laws.
Then there’s the related cost burden. “Building localized infrastructure and hiring region-specific expertise increases operational costs significantly,” she says.
To meet the growing number of regional data regulations, forward-thinking companies are adopting dynamic, purpose-based frameworks, having acknowledged that traditional manual compliance programs no longer work.
These may include dynamic data profiling, which provides real-time visibility of data flows and use cases to ensure transparency and regulatory requirements, and purpose-based access controls that regulate data access and usage by aligning permissions with specific lawful purposes in different jurisdictions.
Murphy points to hybrid architectures that combine centralized and decentralized systems to balance operational efficiency and localization needs, and cross-functional teams to bring together legal, technical, and business stakeholders to develop holistic strategies. There are also a multitude of tools and services available to help businesses collect, store, and analyze their data in line with regional regulations, Hodge says.
“We’re seeing data residency in software and management platforms to help track where data is stored and processed, and data localization technologies, typically with multi-cloud architectures, the hyperscalers, and potential edge computing.
“I also think there’s a lot of opportunity in the automation and analytics spaces,” he adds.
Technologies like dynamic data mapping, AI-driven data governance tools and privacy-preserving methods like differential privacy streamline compliance with real-time insights and automation. Murphy champions context-aware governance tools that align data value with protection by integrating regulatory and business nuances in particular.
But while essential, experts agree that tools aren’t the full solution. They believe an organization’s data strategy should be about optimizing people, processes, and technology and gaining full visibility of your infrastructure to achieve the perfect balance between data value and protection.
Murphy advises focusing on starting small and scaling smart, integrated governance and human oversight.
“Pilot in critical areas before rolling out solutions broadly, and embed data policies and automation into daily workflows across departments,” she says. “Don’t be naïve to think everyone in every role wants to be responsible for data governance because then it just won’t happen.
“Most tools can’t grasp legal nuances or adapt to business-specific rules, and even those that can you don’t want calling the shots; humans must drive strategic implementation.”
Shifting mindsets for evolving data laws
Many organizations are currently unequipped to handle the evolving data regulation landscape because of the way they approach compliance and require a shift in mindset.
Rather than approaching it as a checklist task, compliance should be integrated into any organization’s strategic priorities and treated as a driver of trust, operational efficiency, and value creation. This will be critical for long-term success says Murphy, as those organizations that adapt will not just comply but thrive in an increasingly complex regulatory environment.
“I don’t think you should look at regulation as a burden and compliance as a cost. It should be seen as just another project that needs to be done to address a market need. The most important thing is to ask what are the opportunities to come out of that compliance,” Hodge points out.
It’s also important for businesses to consider not only existing data laws and regulations but what’s also in the pipeline advises Will Richmond-Coggan, a partner in the data protection team at law firm Freeths.
“In the next couple of years, we expect to see new rounds of legislation focused both on updating data protection rules to reflect better understanding of the range and extent of the data that these should apply to; and increasing regulation of emerging technologies, such as AI, which is often used to process such data.”
“I think there’s one thing we can say with almost 100 percent certainty and that’s there will be more legislation in data, cybersecurity, and AI,” agrees Hodge. “The more prepared you are as a business the faster you can respond – you can’t become agile unless you’re resilient first.
“By putting the hard work into understanding your digital infrastructure and developing an effective data strategy you’re building for the future rather than reacting to the latest regulation that comes out,” he concludes.
Source link
