Credit Strategy - Resource Center - Tech Digital Minds
Welcome to our detailed look at the final data protection and cyber security developments from November 2025. As organizations navigate the ever-evolving landscape of regulations and compliance obligations, it’s essential to stay informed. This month, major shifts emerged from the European Union, new cyber rules were introduced in the UK and China, India operationalized its privacy framework, and significant legal rulings were made.
On 19 November 2025, the European Commission rolled out its Digital Omnibus package, which proposes significant amendments to key legislation, including the GDPR and the ePrivacy Directive. This comprehensive initiative aims to simplify and harmonize regulations to foster innovation while upholding high standards of data protection.
The package includes targeted amendments designed to clarify the relationship between the GDPR and the ePrivacy Directive, along with proposed adjustments to AI governance. It also features measures to streamline rules governing data access. While the Commission emphasizes reducing regulatory burdens, the details will depend on ongoing trilogue negotiations among the Commission, Parliament, and EU member states. Organizations should closely monitor these developments to prepare for transitional changes.
The UK took a significant step by introducing the Cyber Security and Resilience (Network and Information Systems) Bill to Parliament on 12 November 2025. This legislation modernizes and expands the existing NIS framework, broadening the range of regulated entities to include data centers, cloud providers, and other critical suppliers.
Key provisions place new responsibilities on entities to identify and manage cyber risks, report incidents to authorities, and communicate with affected customers. The bill also increases fines and gives authorities more robust enforcement powers. Companies operating in relevant sectors need to start reviewing their obligations and assess their incident response arrangements to ensure they comply with these new regulations.
On the international front, China tightened its cyber security regulations with two pivotal measures. Effective 1 January 2026, the amended Cybersecurity Law introduces stricter penalties, extends personal liability, and enforces more rigorous personal data requirements, including localization and mandatory security assessments for cross-border data transfers.
Additionally, the Cyberspace Administration implemented the Measures for National Cybersecurity Incident Reporting on 1 November 2025. This new framework requires critical information infrastructure operators to report cyber incidents within stringent deadlines, including a one-hour reporting requirement for severe incidents. Organizations with operations in China must reassess their compliance practices, enhance documentation, and transition from a reactive to a proactive stance on compliance.
In the enforcement landscape within the UK, the Financial Conduct Authority (FCA) made headlines by prosecuting a former employee of Virgin Media O2 for illicitly obtaining and selling customer data to facilitate a cryptocurrency fraud scheme. The FCA underscored that this conduct constituted unlawful obtaining and disclosure under section 170(1) of the Data Protection Act 2018, emphasizing the risks posed by insider data misuse.
Although fines were relatively small, the FCA signaled its commitment to combating data misuse that fuels financial crime. This case serves as a reminder for regulated firms to bolster insider threat controls and foster a culture of deterrence against such harmful practices.
Turning to judicial developments, the European Court of Justice clarified the relationship between the ePrivacy Directive and the GDPR in the Inteligo Media SA case. The ruling states that when an email address is used for direct marketing, the ePrivacy regime prevails over the GDPR, eliminating the need to establish lawfulness separately under Article 6(1) of the GDPR.
This decision supports the “soft opt-in” approach for certain freemium models but should be interpreted narrowly based on the specific context of the case. Organizations leveraging direct marketing exemptions must thoroughly evaluate their user journeys to ensure compliance with this ruling.
On the subcontinent, India made strides in operationalizing its Digital Personal Data Protection framework. On 13 November 2025, the Digital Personal Data Protection Rules 2025 were notified, bringing to life the provisions of the Digital Personal Data Protection Act 2023.
These rules establish the Data Protection Board and lay out a phased schedule for compliance obligations. Consent manager duties will commence in 12 months, while core compliance requirements related to security safeguards and transfer restrictions will take effect in 18 months. Organizations must map data flows, update governance structures, and gear up for phased enforcement to align with these new regulations.
As we reflect on these developments from November, it’s clear that regulators are tightening privacy and cyber security obligations while clarifying interactions among overlapping legal frameworks. Organizations are urged to prioritize cross-cutting risk assessments covering AI, incident reporting, insider threats, and cross-border data transfers.
Updating incident response playbooks and maintaining comprehensive documentation of compliance measures is crucial as enforcement activity intensifies. Given the dynamic regulatory environment, staying engaged with policy updates will be vital for all organizations handling personal data.
Source: Noah Wire Services