28.01.2025

Services: Data Protection and Cybersecurity

Data Protection Day – 2025

Today, January 28, 2025, marks the celebration of Personal Data Protection Day, which is an opportunity to reinforce the importance of and commitment to compliance with the General Data Protection Regulation (“GDPR” – Regulation (EU) 2016/679, of April 27) – which turns seven years old in May – and to promote good practices in the processing and security of information.

We therefore take this date as a reminder of the need to protect individuals’ personal information and for organizations and/or companies to adopt or continue to adopt responsible and transparent data processing practices.

It should also be noted that in 2025 we will continue to see many developments in the privacy landscape across the European Union. In this regard, we stress that rules contained in legislation on artificial intelligence, cybersecurity and harmonized rules for fair access to and use of data will become applicable to regulate new and demanding technologies, many of which will affect personal data. The legislation to be considered for this purpose is as follows:

  • Artificial Intelligence Regulation (“AI Act”) – Regulation (EU) 2024/1689 of June 13: entered into force on August 1, 2024 and will be fully applicable on August 2, 2026, with some exceptions: the prohibitions on some Artificial Intelligence systems and the obligation to adopt measures for Artificial Intelligence literacy will take effect on February 2, 2025; obligations for general-purpose Artificial Intelligence models will apply from August 2, 2025; and the rules for classifying high-risk Artificial Intelligence systems and their obligations will apply from August 2, 2027;
  • Regulation on the digital operational resilience of the financial sector (“DORA”) – Regulation (EU) 2022/2554 of December 14: entered into force on January 16, 2023 and became applicable on January 17, 2025;
  • Regulation on harmonized rules on fair access to and use of data (“Data Act”) – Regulation (EU) 2023/2854 of December 13, 2023: entered into force on January 11, 2024 and will become enforceable from September 12, 2025;
  • Regulation on horizontal cybersecurity requirements for products with digital elements (“Cyber Resilience Act”) – Regulation (EU) 2024/2847 of October 23: entered into force on December 10, 2024, and the main obligations introduced by this law will apply from December 11, 2027; and
  • Directive on measures for a high common level of cybersecurity across the Union (“NIS2”) – Directive (EU) 2022/2555 of December 14: entered into force on January 3, 2023, and Member States had until October 17, 2024, to transpose it. In Portugal’s case, the government presented a proposal to transpose NIS2, which was in public consultation until December 31, 2024, on the Consulta Lex platform. All that remains now is to wait for the law to be approved and published.

Notwithstanding the current and future need to comply with the rules stipulated in the aforementioned legislation, it should not be forgotten that the central law on the protection of personal data will continue to be the GDPR, which is why it will be crucial for organizations and/or companies to comply or continue to comply with its rules, as this is the only way they will ultimately be able to promote trust and transparency, benefiting their business.
