Key takeaways from the 13th Annual European Data Protection and AI Conference
In September and October 2025, the NRF Annual European Data Protection and AI Conference returned for the 13th time, bringing with it discussions on the latest developments in AI, cybersecurity, and data law across the EU and the UK. With sweeping reforms and new legislation, plus the rise of agentic AI, the conference offered critical insights for organizations navigating compliance and innovation.
The events were held in Amsterdam, Frankfurt, Paris, London and – adding a fifth location for the first time this year – Milan.
Overview and update on the data and digital legislation landscape
The EU’s digital strategy is reshaping how data is accessed, shared, and protected across sectors through a series of new laws. Many of these have become applicable since the last conference in September / October 2024:
- NIS2 Directive (Oct 2024)
- DORA (Jan 2025)
- AI Act (Feb 2025)
- European Accessibility Act (June 2025)
- Data Act (Sept 2025)
The revised Product Liability Directive and Cyber Resilience Act will become applicable next year and in 2027 respectively.
Changes to the GDPR procedural rules on cross-border enforcement are also likely to complete the legislative process shortly, with some minor changes to the GDPR records of processing activity thresholds proposed by the Commission. The UK has also made changes to the UK GDPR and its e-Privacy rules under the Data (Use and Access) Act, including introducing greater flexibility for automated decision-making (with safeguards).
Further changes to the EU’s data, AI, and cybersecurity rules may be on the horizon in the form of the upcoming Digital Omnibus.
Data protection: Litigation, enforcement, and changes to the risk landscape
It has been another eventful year in the world of data protection. This year, our team covered four topics:
- Litigation and enforcement trends: There have been a number of significant Court of Justice of the European Union (CJEU) cases on Article 82 data subject claims for non-material damages. We also looked at mass claims under the Representative Actions Directive and cases brought in Germany and the Netherlands, as well as trends in mass claims and individual claims across jurisdictions. Alongside this, we examined enforcement trends and key enforcement action across jurisdictions.
- Automated decision-making and AI: We shared insights from the recent CJEU case on the data subject’s right to receive meaningful information about automated decisions (Dun & Bradstreet Austria). We also compared automated decision-making rules under the AI Act and GDPR. We then looked at recent data protection authority enforcement on AI and takeaways from the EDPB’s Opinion on training AI models.
- Pseudonymization and anonymization: This section discussed the recent draft guidelines from the European Data Protection Board on pseudonymization and anonymization, as well as UK ICO guidance in this space.
- Data export: We discussed the recent judgment following Philippe Latombe’s challenge to the EU-US Data Privacy Framework – that challenge was unsuccessful, but appeal and further challenges are possible. Elsewhere, the UK is likely to maintain its adequacy status, and a draft adequacy decision has also been reached for Brazil. Pressure group noyb has been focusing its campaigning on transfers to China.
Meanwhile, the number of jurisdictions outside Europe with requirements for standard contractual clauses, transfer impact assessments, and other formalities for and restrictions on data transfers continues to increase.
The Data Act and NIS2 implementation
The Data Act mandates easier access to IoT data, interoperability between cloud services, and safeguards against unlawful international transfers. It introduces FRAND terms for B2B data sharing and empowers users to control how their data is used. The rules on cloud switching have applied from 12 September 2025.
NIS2 expands cybersecurity obligations to more sectors, requiring incident reporting within 24 hours and robust supply chain security. Implementation varies across Member States, with many, including Germany, still finalizing their national implementation laws.
Deploying AI agents
This session focused on the wave of low-code and no-code offerings that allow users to create AI agents. These tools are already widely available in many organizations and provide a quick and user-friendly way to create agents, including for those with no coding experience. There is a wide range of possible use cases, from insurance claims management to recruitment. These agents can be connected to a range of internal and external data sources, applications, and systems to perform their tasks. They incorporate LLMs, allowing users to create them and interact with them in natural language, but also introducing an element of randomness into their decision-making and outputs.
Agents bring a range of legal risks. Regulatory risks include creating AI Act prohibited or high-risk AI, or inadvertently creating a medical device, alongside a range of data protection risks like failing to comply with the rules on automated decision-making. There are also many opportunities for inadvertent or inappropriate disclosure of personal or confidential data. Potential liability risks are also numerous, including around discrimination claims, or agents entering into (potentially) binding contracts.
The information security risks are also significant, with a greatly increased attack surface available. Infosec teams may be unaware of the new risks when building agents, as the functionality is often introduced on trusted platforms.
Existing gen AI policies often include human checks as a key method of controlling risk. These will need an uplift to ensure guardrails are implemented at the setup stage. With most business teams keen to innovate, legal and compliance teams will also need to identify low-risk use cases that can proceed with policy controls, to focus review efforts on more complex cases.
Key takeaways
The European AI and data protection conference highlighted how fast AI and data laws are evolving across Europe. With new legislation and emerging technologies like agentic AI reshaping the landscape, organizations must stay informed and ready to adapt their compliance and governance strategies.
Drafted with the kind assistance of Alexander Verhatke, Louis Schreiber, and Uma Suri.
