The year 2025 will bring a large number of regulatory changes and associated obligations for companies. In the following overview, we have compiled the most important changes for your company so that you are well prepared.
Important implementations in AI law
EU-wide regulation of artificial intelligence is progressing. The AI Act has been in force since August 2024 and sets new standards for dealing with AI systems. Further requirements will gradually follow: As early as February 2025, bans on certain AI systems will come into force, including those for manipulating behavior or biometric categorization. Companies must also prepare for extended documentation requirements from August 2025, particularly for high-risk AI systems. Political discussions are currently underway on further liability regulations for AI and data protection aspects, which will continue to be a focus in 2025.
New obligations for online retailers
2025 brings numerous new requirements for online retailers in particular. Due to the new EU-wide Product Safety Regulation (GPSR), retailers have had to provide detailed information about the manufacturer and safety and warning notices since December 2024. In addition, labeling requirements for radio equipment, including smartphones and laptops, have been in force since the end of 2024. Retailers must ensure that their online offers contain all the necessary labels and pictograms.
Conversion to e-invoicing
As of January 2025, e-invoicing has found its way into the B2B sector: companies must ensure that they can receive and process electronic invoices. They must also be able to issue e-invoices from 2027 if their turnover exceeds €800,000, and otherwise from 2028. Adjustments to internal processes and IT systems are therefore recommended in order to comply with the new standards. Failure to comply could result in fines and the loss of the option to deduct input tax.
Focus on environmental protection
The EU regulation for deforestation-free products (EUDR) aims to prevent trade in products that have been produced by deforestation. New due diligence obligations for companies that import agricultural raw materials such as cocoa, coffee or wood have been in force since December 2024. However, implementation could be postponed until the end of 2025, as the organizational effort is currently estimated to be higher than expected. Traders should nevertheless prepare for the requirements at an early stage.
Under the Single-Use Plastic Fund Act, manufacturers must also pay levies into a single-use plastic fund for food containers, films, carrier bags, wet wipes, balloons and tobacco products. Since January 1, 2024, such products have had to be registered beforehand. In addition to warnings from competitors and industry and consumer protection associations, fines are also conceivable.
A self-service ban for certain biocidal products will come into force from January 2025. Retailers must ensure that staff have the relevant expertise and offer advice – including by telephone or video in online retail. Otherwise, there is also a risk of sanctions.
Accessibility and inclusion
The Accessibility Reinforcement Act comes into force in June 2025 and requires software manufacturers and online store operators to design their products and services in such a way that they are also easily accessible for people with disabilities. This includes, for example, the barrier-free design of websites and the provision of clear product information. Violations can result in fines of up to 100,000 euros, which can be avoided, for example, through improved web design using a plugin.
Data protection and cyber security
The EU Data Act will become binding from September 2025. The aim is to ensure the legally compliant use of data between companies and between companies and consumers. This primarily affects manufacturers of networked products and providers of digital services, who will have to adapt to new obligations regarding the provision of data.
The further implementation of the NIS 2 Directive will also need to be taken into account. More specific obligations to introduce cyber security measures and to report cyber attacks will emerge, particularly for important critical infrastructure facilities.
Conclusion
2025 will therefore be a varied year for companies in terms of regulatory requirements. In order to avoid sanctions and secure competitive advantages, it makes sense to prepare early.