Top compliance challenges facing the technology industry in 2025

By Kaitlin Kirkham-Cooper, Managing Director, Protiviti

In the fast-paced world of technology, both regulators and companies face challenges applying existing laws to new and rapid developments. Given the high stakes of non-compliance, which may lead to business restrictions, technology companies' senior management, boards and compliance teams must clearly understand current and emerging risks, ensuring that they have effective people, processes and controls in place to manage these challenges.

Regulatory-driven risks

Responsible AI

Lawmakers, governments, standard-setting organisations and regulators across the globe are focused on ensuring that proper guardrails exist to manage the risks of artificial intelligence (AI). Notable examples of AI governance frameworks published to date include the OECD Principles on AI, the Asilomar AI Principles, the U.K. Government Centre for Data Ethics and Innovation guidance framework, the Singapore Model AI Governance Framework, the NIST AI Risk Management Framework and the EU AI Act, the last arguably the most significant AI regulation issued to date by any jurisdiction. Technology companies, as providers and users of AI, need to understand and address the standards already issued, both as they relate to the technology industry directly and as they relate to the industries to which technology companies provide AI services and products. Just as importantly, technology companies need to continuously monitor developments in this space to understand how they may affect their business today and their strategic plans.

Online safety

For the technology industry, online-safety regulations are aimed at creating a safe digital environment. Depending on the specific law or jurisdiction, this may require adhering to data protection requirements and cybersecurity standards, and overseeing online intermediaries and platforms to prevent illegal and harmful activities online, including the spread of misinformation. While the United States lags in passing comprehensive content-moderation regulations, the global regulatory environment, particularly in Europe, is requiring technology giants to address these risks. Notable examples of online safety laws are the EU's Digital Services Act, the U.K.'s Online Safety Act, Australia's Online Safety Act and several regulations aimed specifically at child protection, which because of their significance we have identified as a separate priority. These regulations introduce the first set of comprehensive obligations that require technology platforms to take accountability for, and provide proactive oversight over, what and who is on their platforms.

Child protection

Safeguarding children from harmful content, cyberbullying, sexual exploitation and other online threats, and protecting the mental health of children, are long-standing social issues that have recently become widespread government priorities. These concerns are reflected in proposed bills such as the U.S. Kids Online Safety Act (KOSA) and the U.S. Children's Online Privacy Act 2.0 (COPPA 2.0), and in implemented regulations such as the U.K. Online Safety Act — Volume 2, South Korea's Youth Protection Revision Act and Germany's Network Enforcement Act, among others. The U.S. environment is further amplified on these topics by lawsuits brought by state attorneys general against some technology companies. For most technology companies, safeguarding children is not just a regulatory compliance obligation; it is also a matter of corporate ethics and social responsibility. Many technology companies have pledged, in their own names and through membership in organisations such as the Internet Watch Foundation, to make online experiences safer for children.

Antitrust/anticompetitive risk

In recent years, several technology companies have faced significant litigation related to antitrust and anticompetitive practices. These cases, which often call for increased regulation of the technology industry and sometimes for company breakups, stem from concerns that the dominance of large technology companies may hinder competition. To some extent, this risk is influenced by politics — the views of the party currently in power — but it represents an ongoing, significant threat to the technology industry's largest players. In Europe, the implementation of the Digital Markets Act (DMA) has fundamentally changed the way large technology companies (called gatekeepers by the regulation) are developing their products and going to market, posing a threat to bottom-line profits.

Operational resiliency

Operational resilience remains a priority for the technology industry, in part because it is critical to maintaining market trust, but also because technology companies that provide services to financial institutions and critical infrastructure, for example, may be subject to resilience requirements directed at those industries. The EU Digital Operational Resilience Act (DORA) and its counterparts in the U.K. (U.K. DORA) and Australia (CPS 230) are examples of how this applies to technology companies that provide services to the financial services industry. Technology companies that provide services such as cloud computing, data analytics platforms and cybersecurity solutions that are critical to the operations of financial services companies will be required to ensure that their services comply with the operational and security standards imposed by these financial services-focused requirements, and may be subject to regulatory review. Similar requirements have long existed in the U.S. under the Bank Service Company Act but have received even more attention in recent years, in large part because of the high number of large-scale cyber breaches, which many believe will be exacerbated by bad actors using AI.

Third- and fourth-party risk management

Third- and fourth-party risk management is often embedded in operational resilience requirements. DORA, for example, requires, among other things, that technology companies providing critical services be transparent about their subcontractor arrangements, perform appropriate due diligence and risk assessments of their contractors, include in their contracts with subcontractors a mandate that the subcontractors comply with DORA, and ensure that subcontractor arrangements have exit strategies that allow a relationship to be terminated without disrupting critical operations.

Other regulatory programmes may also impose third- and fourth-party risk management requirements on technology service providers. For example, technology companies providing critical services to governments may be subject to explicit third- and fourth-party risk management requirements. In the U.S., the Federal Risk and Authorization Management Program (FedRAMP) prescribes specific third- and fourth-party risk management requirements for technology companies providing cloud services to federal agencies.

Beyond regulatory requirements and industry standards, the importance of third- and fourth-party risk management is further amplified by the increased threat of security breaches. Developing a clear understanding of who your third- and fourth-party service providers are, and managing the risk associated with those providers through contracting, enhanced due diligence and ongoing monitoring, is becoming more complex but remains essential.

Sanctions/export controls/investment limitations

The escalation of geopolitical tensions across the globe has subjected the technology industry to a growing number of requirements aimed at protecting the national security of the West and its allies and, in the case of the U.S., maintaining its competitive position versus China. These requirements include economic sanctions prohibiting dealings with certain countries, entities and individuals; export controls that preclude providing certain hardware and software to prohibited jurisdictions and parties; and restrictions on Chinese investment in U.S. technology and vice versa. While coordination among the Western allies has been significantly enhanced over the last two-plus years, there are differences in how the various jurisdictions set and apply restrictions that can complicate compliance. As with other requirements discussed above, there is also an expectation that sellers of prohibited or restricted goods and services understand the entire supply chain, including the ultimate destination and end user of the goods and services.
Given the significant challenges they face related to data security, regulatory compliance and supply chain disruptions, technology companies must clearly define and continuously monitor their network of third- and fourth-party partners to effectively manage risks and ensure operational resilience.