I promise this legislation section has something for everyone.
European Union officials are poised to modify the General Data Protection Regulation, a key privacy law, in an effort to support the artificial intelligence industry. Draft proposals indicate that the European Commission plans to introduce a “digital omnibus” package aimed at easing regulations for tech businesses, which may include exceptions allowing AI companies to process sensitive personal data without the stringent protections currently in place. The changes come amid concerns about Europe’s competitiveness in the global market, with former Italian Prime Minister Mario Draghi highlighting the regulation as a barrier to innovation. Critics, including privacy advocates, warn that these amendments could significantly undermine data protection standards, raising alarms about potential impacts on citizens’ privacy rights.
The United Kingdom has introduced new legislation aimed at strengthening cybersecurity defenses for critical infrastructure, including hospitals, energy systems, water supplies, and transport networks. This initiative follows significant cyberattacks that have caused disruptions and financial losses estimated at nearly £15 billion annually. The Cyber Security and Resilience Bill, introduced in Parliament on November 12, 2025, mandates that medium and large IT management and cybersecurity service providers comply with mandatory security standards for the first time. The bill also allows regulators to designate critical suppliers, ensuring they meet minimum security requirements to mitigate supply chain vulnerabilities. According to the UK government, the average significant cyberattack costs over £190,000, contributing to an annual total of approximately £14.7 billion, which represents about 0.5% of the nation’s GDP.
Starting November 10, 2025, the defense industry is officially required to comply with the Cybersecurity Maturity Model Certification standards for protecting controlled unclassified information. This shift follows nearly a decade of warnings, with the Department of Defense now mandating a Level 1 certification for new contracts, which involves self-certification of 15 basic cyber hygiene controls. In one year, the requirement will escalate to Level 2, necessitating third-party assessments for compliance with all 110 controls outlined by the National Institute of Standards and Technology. Currently, there are approximately 450 certified assessors available, yet only 85 organizations are accredited to conduct these evaluations, raising concerns about the capacity to assess up to 70,000 contractors.
Businesses are increasingly facing lawsuits over user data collection practices, with a significant rise in claims attributed to outdated privacy laws. According to a recent analysis by Coalition, 77 percent of wrongful collection claims stem from routine web activities, often linked to tracking technologies like pixels and analytics platforms. Notably, small and midsize businesses are becoming prime targets, with 59 percent of claims originating from companies earning less than $100 million in revenue. The research highlights that nearly 75 percent of web privacy claims cite the California Invasion of Privacy Act from 1967, indicating that older laws are being leveraged in today’s digital landscape. Furthermore, only 19 percent of businesses displayed consent banners regarding data collection, signaling a gap in compliance practices, particularly among smaller companies. As litigation increases, many businesses lack visibility into their tracking technologies, underscoring the challenge of navigating privacy regulations effectively.
Why do we care?
The EU wants to loosen up its privacy law — GDPR — to make life easier for AI developers. Think of it as Brussels realizing it may have over-tightened the screws. But privacy advocates are already warning this could gut some of the protections that made the GDPR famous in the first place.
Over in the UK, lawmakers are going the other direction — they’ve dropped a Cyber Security and Resilience Bill that makes MSPs and security providers serving critical infrastructure legally accountable for minimum security standards. That’s a big deal for anyone touching hospitals, utilities, or transport systems. Plus, the EU and UK are not automatically in sync anymore due to Brexit… so there’s that too.
In the U.S., the Department of Defense has finally flipped the switch on CMMC. Starting now, even entry-level defense contractors need Level 1 certification, and by next year, it gets a lot tougher with third-party audits. The issue? There aren’t nearly enough assessors — so expect delays and higher costs.
And if that wasn’t enough, privacy lawsuits are exploding — most of them targeting smaller businesses that didn’t realize a tracking pixel or analytics tool could violate laws written in the 1960s.
The takeaway? Regulation is tightening, loosening, and colliding all at once. MSPs that can navigate these compliance shifts — and help clients do the same — are going to find real opportunity while everyone else scrambles.