TMT 2025

INTRODUCTION Contributed by: Herald Jongen, Nienke Bernard and Wouter van Wengen, Greenberg Traurig, LLP

TMT Global Overview 2025 The global technology, media, and telecom - munications (TMT) landscape continues to be reshaped by significant regulatory and legal changes. These shifts reflect the growing inter - play between technological innovation and the evolving needs of society, with lawmakers striv - ing to balance the imperatives of economic growth, security and public trust. Rather than briefly touching upon all regula - tory and legal topics that are expected to be of importance in 2025, this chapter focuses on four pressing issues that we predict will stir the TMT sector in 2025. Of course, the full range of top - ics will be discussed in this guide by the country experts. The further legalisation of cyber-incident response: balancing risk, accountability and compliance Cybersecurity has moved from being a techni - cal concern to a legal priority, with lawmakers across jurisdictions codifying obligations around incident prevention, response and reporting. This trend, also referred to as the juridification of cyber-incident response, underscores the criticality of cybersecurity to economic stability and national security. Laws such as the EU’s Network and Informa - tion Security Directive (the “NIS2 Directive”) and the General Data Protection Regulation mandate specific actions for responding to cyber-attacks, including stringent reporting timelines, robust incident management processes and enhanced collaboration with regulators. In the US, frame - works like the Securities and Exchange Com - mission’s rules on reporting material cyberse - curity incidents, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the “CIR - CIA”), and state data breach laws also impose

reporting requirements, reflecting a global shift towards regulated cyber-resilience. In addition, many of these laws also require a notification of the security incident to customers. As a result, companies must navigate complex liability landscapes, especially where third-party service providers and multiple jurisdictions are involved. The increased legal scrutiny raises critical ques - tions, such as: • what constitutes a legally sufficient response to a cyber-attack? • how can organisations balance legal compli - ance with operational realities during a crisis? • to what extent are “active defence” measures (eg, hack-backs) permissible under existing laws? • can the various reporting requirements coex - ist or is there an order of precedence? For TMT players, compliance now demands not only robust cybersecurity measures but also legally informed incident response plans and clear contractual risk-sharing arrangements with partners. Expanding contractual obligations for technology providers: the downstream impact of new legislation As technology becomes integral to critical sec - tors such as finance, healthcare and energy, lawmakers are introducing regulations that place increased responsibility on technology provid - ers to manage systemic risks. The EU’s Digi - tal Operational Resilience Act (the “DORA”) is a prime example, requiring financial entities to ensure the operational resilience of their technol - ogy providers and subcontractors. The DORA requires financial institutions to impose contrac -

CHAMBERS.COM