Data
Data continues to underpin digital economies, and regulators are moving quickly to keep pace with the technologies that rely on it. Around the world, governments are tightening compliance frameworks, reshaping how organisations manage, collect, verify, share, and secure data. From the EU’s AI Act and GDPR updates to Asia-Pacific’s escalating age-verification mandates, data governance is becoming a global imperative.
By 2026, major frameworks such as Europe’s Digital Identity Wallet, updated AI governance, and rising demand for age assurance and synthetic-media transparency will shape how organisations design their digital services. At the same time, digital sovereignty initiatives and advancements in AI are driving significant investments in data infrastructure across regions, with the global edge data centre market projected to soar to $10.1 billion (GlobalData).
For organisations operating across borders, this means adapting early - aligning internal processes, leveraging automation where appropriate, and building governance structures that can flex with evolving regulatory standards. In a data-driven economy, staying ahead of these shifts is becoming a core operational requirement.
Digital identities
By November 2026, every European Union Member State should roll out their own European Digital Identity Wallets (EUDIW).
From 2027, companies across sectors like transport, energy, banking, health, education, and telecoms must be able to use the EUDIW for strong user authentication where this is required by the law for their services. Very large online platforms will be obligated to grant the use of the EUDIW for authenticating the users of their services where the users request it.
In 2026, a growing number of operators will consider the benefit of using the EUDIW as means of authentication and advanced features: secure payments, qualified electronic signatures and seals, and hosting or sharing electronic attestation of attributes (EEA). Businesses may also use EEA independently or alongside EUDIW.
Many different industries are interested in EUDIW and EEA, and the legal and technical framework is nearly complete after several implementing acts published in 2025.
The European Commission will likely launch an EU Business Wallet in 2026, following the first proposal of regulation in November 2025.
Businesses should assess how they can use the EUDIW, the EEA and, in the future, the EU Business Wallet - understanding their potential early on will help them stay ahead.
The UK is on the brink of a major shift in its approach to digital identity, marked by the government’s announcement in September 2025 of a centralised digital ID scheme, which will be mandatory for Right to Work checks.
This represents a significant departure from the UK’s historical aversion to centralised ID solutions, having instead implemented a decentralised, voluntary framework in the form of the UK Digital Identity and Attributes Framework (UKDIATF). While the UKDIATF will remain active, service providers face uncertainty as they navigate the transition to the new mandatory system.
Critics have raised concerns about civil liberties, data security, and the potential for expanded government oversight, as the scheme introduces digital identity as a compulsory element of daily life for some.
With full implementation still in flux, the relationship between the new scheme and the private digital ID market remains unclear, leaving service providers and the public awaiting further clarity. In the meantime, private service providers should continue complying with the UKDIATF. The Beta certifications expire on 31 March 2026 so service providers must upgrade to Gamma certification by then. Businesses should carefully consider what this requires, including how to implement the mandatory contractual flow-downs and changes to key policies and procedures.
Regulation
In 2026, stricter EU rules will guide how businesses use AI, manage data, and protect against cyber threats.
Key regulations such as the AI Act, the GDPR (as amended) and the Data Act, together with directives like NIS2, will impose obligations ranging from algorithmic transparency and data traceability to digital resilience and incident response.
Initiatives like the Digital Omnibus Package aim to align regulations, create consistency across different areas, and support a unified approach to tech governance. This complexity means businesses must replace siloed compliance efforts with unified strategies that address risks and obligations across AI, data and cybersecurity.
Organisations that update their policies and implement unified compliance frameworks will not only secure legal certainty but also gain a competitive advantage as data regulation drives Europe's digital transformation.
Data sovereignty
The GDPR is set to significantly evolve as the European Commission aims to simplify certain data protection rules to accelerate AI innovation. This marks a shift from stricter regulations to a more business friendly approach for data-driven technologies.
Triggered not least by the Draghi report on competitiveness, the pressure on the Commission has increased to cut regulatory “red tape.” Tech giants have lobbied hard for changes, arguing GDPR stifles AI development.
The Digital Omnibus proposes to:
- Allow AI training on personal data under “legitimate interest” without prior consent
- Narrow the definition of personal data, and adding new derogations for special categories of data
- Introduce cookie rule changes, allowing for other legal basis than consent
- Introducing one common breach portal to simplify notification obligations for data protection and cybersecurity
- Create exceptions for processing special-category data if removal is “disproportionate.”
However, loosening GDPR rules means opening Pandora’s box and clients should prepare for both the possibility of a reduced compliance burden and additional rules that may be inserted for balancing the proposal and making it acceptable in the European Parliament. Given that the changes have only just begun, businesses must follow developments closely and potentially get involved in the discussions.
Over the past year, generative AI tools have become mainstream for creating text, images, and video, with AI-generated content predicted to surpass 50% of social media posts in the coming years.
As platforms experiment with AI-driven engagement, and influencers and brands are increasingly relying on automation to scale content production, trust could be impacted - driving the need for identity management.
The issues with AI generated content range from harassment and disinformation to supporting extremist narratives and non-consensual pornography. The EU will likely react to those challenges in the coming reform rounds of various data laws, requiring clear labeling of AI-generated content. For example, the EU’s Digital Services Act (DSA) transparency obligations will remain crucial. Meanwhile, global discussions on “deepfake” legislation and authenticity standards are accelerating, signaling a regulatory push to preserve trust online.
Clients in media, marketing, and tech should prepare for a dual challenge: leveraging AI for efficiency while ensuring compliance and brand integrity. Start by implementing disclosure policies for AI-generated posts and investing in content authentication tools. Proactive governance will not only mitigate legal risk but also maintain consumer confidence in an era of synthetic media.
Data centres
Given the energy needs of AI, the data centre industry will play a crucial role in the acceleration of developing giant energy generation facilities, including private SMRs, deployment. Site selection for data centres is increasingly driven by having sufficient energy network capacity.
The UK government’s announcement that it will be building the nation’s first Small Modular Reactor (SMR) power station (in Wylfa, Wales) is a significant milestone. The reality of SMRs is that they are not modular just yet and it will take some time for the cost-saving benefit of repetition in production to be felt. The UK government has placed an order for three reactors with Rolls-Royce SMR but we’d need more than half a dozen ordered before an entirely private SMR is deployed in the UK to power Digital Infrastructure.
It’s intended that Wylfa will be a public-private partnership (PPP) so it will be interesting to see if they use the CfD (Contract for Difference; financing model typically used for wind parks and solar parks), RAB (Regulated Asset Base; financing model typically used for large, long-life infrastructure) model or a traditional public-private equity joint venture as a funding method. An equivalent to each of these models, plus state-backed guarantees and subsidised loans, are being used to fund new nuclear projects in other European nations. Fortunately, the civil nuclear industry continues to benefit from relaxed treatment under state aid laws on the continent.
The data centre industry in the EU is being shaped by the growing demand for AI technologies and the push towards digital sovereignty.
This “gold rush” around AI presents significant investment opportunities across the supply chain, from AI chip production and energy solutions to the construction and operation of data centres and the hosting of AI services. Ultimately, these developments are set to drive the emergence of new business models that will impact all industries.
In particular, the push for “digital sovereignty” across continental Europe is accelerating the need for data centres that align with European data protection standards and comply with digital law requirements without loopholes. This emphasises control over technological infrastructure, IT processes, and data management to ensure the enforceability of local laws, independent of external jurisdictions. As digital sovereignty takes hold, businesses should prepare for a resurgence of large-scale PPPs and assess how their own data storage and processing strategies align with this evolving regulatory landscape.
Data breaches
Cyberattacks are becoming highly automated and AI-driven, enabling faster, stealthier breaches.
Over the past year, ransomware-as-a-service and AI-powered phishing campaigns have surged. Attackers now exploit vulnerabilities within hours of disclosure, leaving organisations little time to respond. Businesses with global operations often maintain strong security frameworks at their headquarters but fail to apply the same standards consistently across international branches and subsidiaries. These subsidiaries frequently become entry points for threat actors, providing a pathway into the organisation’s global systems.
Generative AI in the hands of threat actors, combined with stricter regulations (e.g. EU’s new cyber laws such as NIS2), is reshaping the risk landscape and raising compliance stakes. An incident today means not just operational and reputational damage but also significant regulatory exposure.
Detection windows are shrinking. Proactive measures, such as continuous monitoring, AI-driven threat detection, and robust incident response plans, are essential. A silver lining is that AI can be leveraged to better detect and even manage incidents and incident reporting, but it does not offset the greater risks that businesses face. Boards must treat cyber resilience as a core governance priority, not just an IT issue.
