Global AI Regulatory Update - December 2025

In this edition of our global AI bulletin, we will be looking at:

• Global – Global bodies urge stronger AI oversight, improved data transparency, better risk management and enhanced cybersecurity measures.
• Asia – Singapore warns financial firms of deepfake cyber threats, while China issues an AI emergency response guide.
• Europe – EU possibly delays AI Act to December 2027 while launching support platforms, a science strategy, Jupiter supercomputer and new rules for incident reporting and governance.
• UK – Government and regulators outline AI regulation plans, legal issues, assurance roadmap and approaches to emerging tech.
• US – California enacts comprehensive legislation on AI transparency and child online safety, and an institute introduces proposals for AI security overlays.

Global

Using AI for policy purposes

On October 10, 2025, the Bank for International Settlements (BIS) submitted a report to G20 ministers outlining how central banks are using AI for policymaking. The report introduces key AI concepts relevant to public sector use, with a focus on machine learning. The report highlights four main areas of application:

• data collection and the compilation of official statistics
• macroeconomic and financial analysis to support monetary policy
• oversight of payment systems
• supervision and financial stability analysis

The report states that despite the significant potential of AI, challenges remain. These range from data governance to investing in human capital and IT infrastructure.

Impact: Central banks should improve their AI capabilities due to its rapid adoption. They should improve their ability to observe AI’s economic impact and use it effectively in policy and data analysis. Joining collaborative networks can help institutions share tools, data and best practices. The BIS encourages this approach to foster responsible and effective AI integration across the financial system.

International body outlines next steps for authorities on AI monitoring

On October 10, 2025, the Financial Stability Board published a report outlining the next steps for authorities on AI monitoring. The report sets out advice to authorities on how to tackle the challenges related to monitoring adoption of AI in the financial sector.

The report highlights early‑stage efforts and challenges, including data gaps and inconsistent terminology. It proposes using direct and proxy indicators to track AI adoption and related risks.

The report also includes a case study on recent developments in the AI supply chain. It highlights financial institutions’ growing dependence on a small number of critical third‑party AI providers. These providers include cloud service platforms, specialized hardware manufacturers and developers of foundational AI models.

Impact: National authorities should enhance their monitoring of AI adoption and related risks in the financial sector. Key actions include developing indicators linked to specific vulnerabilities, improving data collection methods and collaborating with domestic stakeholders. Authorities should also engage with financial institutions and AI providers to better understand emerging risks.

Organization maps AI training data collection mechanisms

On October 3, 2025, the Organization for Economic Co‑operation and Development published a policy paper mapping key data collection methods used to train AI systems. The paper focuses on the sources from which data are typically obtained: directly from individuals and organizations, and from third‑party providers. Within these categories, the paper identifies mechanisms that play a relevant role in the creation of AI training datasets. The paper also proposes a taxonomy to support discussions on privacy, data governance and responsible AI development.

Impact: Businesses developing AI should assess how they source training data, ensure transparency in their methods and engage with policymakers to shape future governance.

How are AI developers managing risks?

On September 25, 2025, the Organization for Economic Co‑operation and Development published their analysis of how industry is engaging with the reporting framework of the Hiroshima AI Process Code of Conduct.

The analysis indicates that organizations are employing a range of methods to evaluate and mitigate risks, such as adversarial testing and AI‑assisted tools to analyze model behaviour and enhance reliability. The report notes that major AI stakeholders are acknowledging the value of sharing information about risk management, which can facilitate trust, peer learning and more consistent settings for innovation and investment. Larger organizations tend to be the most developed in these areas.

Impact: The report will be of interest to those implementing their own approaches to AI risks. Businesses are encouraged to review their AI governance against the Hiroshima AI Process Code of Conduct and consider voluntary reporting to benchmark practices. Key priorities include strengthening risk identification, implementing multi-layered safeguards, and adopting transparency measures such as model cards or system documentation.

G7 urges action on AI cybersecurity risks

On September 22, 2025, the G7 Cyber Expert Group published a statement on AI and cybersecurity in financial services. The statement highlights how AI can improve resilience and risk management but also introduces new cyber threats. These include smarter malware, automated phishing and impersonation. The statement calls for better data governance, stronger cybersecurity and collaboration across sectors.

Impact: Authorities and firms should address risks early. Businesses are encouraged to review how AI is used in their operations and assess related cyber risks.

Asia

Singapore: Authority warns financial firms of deepfake cyber risks

On September 27, 2025, the Monetary Authority of Singapore published a circular to raise awareness of cyber risks linked to deepfake technology. The circular warns that deepfakes can convincingly impersonate senior executives, deceive staff and bypass biometric systems. This can potentially lead to financial fraud, data breaches and reputational harm.

The circular stresses the importance of strong governance and risk management to address these AI‑driven threats. It also outlines practical steps that financial institutions (FIs) can take to assess vulnerabilities, strengthen internal controls and improve detection and response capabilities.

Impact: Businesses and FIs are encouraged to:

• review their cybersecurity frameworks to address deepfake threats
• enhance staff training to spot impersonation attempts
• test biometric systems for spoofing risks and consider multi‑factor authentication alternatives
• monitor AI‑generated content and using forensic tools to verify authenticity
• engage vendors to ensure third‑party systems are resilient to deepfake manipulation

China: AI emergency response guide published

On September 22, 2025, the National Information Security Standardization Technical Committee published a guide for managing security incidents in generative AI services.

The guide introduces a four‑level grading system based on system importance, business impact and social harm. It outlines a four‑phase response process: preparedness, monitoring and early warning, incident handling and review. Each phase includes technical and management measures.

Impact: The guide aims to help AI providers and departments respond quickly and reduce risks. AI service providers are encouraged to adopt the guide's emergency response strategies to enhance security and mitigate risks effectively.

Europe

AI Act implementation possibly delayed to December 2027

On November 19, 2025, the European Commission proposed delaying full implementation of the EU AI Act until December 2027. The delay is part of the Digital Omnibus package, which aims to simplify compliance and give businesses more time to prepare. The original implementation date was August 2026.

The new timeline applies mainly to high-risk AI systems, such as those used in healthcare, recruitment and law enforcement. The Commission cited the need for technical standards and clearer guidance before enforcement.

This proposal is not yet law and requires approval by the European Parliament and EU member states before taking effect.

Impact: Businesses are encouraged to monitor legislative progress and review AI systems for possible high-risk classification. They should engage in industry consultations and prepare for technical standards expected in 2026. Companies should allocate resources for governance frameworks, risk assessments and documentation to ensure compliance with future obligations.

AI Factories Antennas launched

On October 13, 2025, the European Commission launched ‘AI Factories Antennas’ (Antennas) in seven EU and six partner countries. These Antennas offer secure remote access to AI‑optimized supercomputing resources for national AI communities. They are fully integrated into the European High Performance Computing Joint Undertaking ecosystem to support AI talent, infrastructure, and innovation. The initiative complements the expansion of Europe’s AI infrastructure, now totalling 19 AI Factories in 16 Member States.

Impact: Over €2.6 billion has been committed to the AI Factories and Antennas initiative to strengthen Europe’s AI leadership. The rollout supports the AI Continent Action Plan and aligns with the Apply AI Strategy for economic and public sector transformation.

AI Act Service Desk and Single Information Platform launched

On October 8, 2025, the European Commission launched tools to support AI Act implementation across the EU. The AI Act Service Desk and Single Information Platform aim to ensure legal certainty and promote trustworthy AI innovation. The platform offers resources, FAQs and guidance, including Member State materials and interactive digital tools. These include a Compliance Checker to assess legal obligations and an AI Act Explorer for intuitive navigation of the legislation.

The initiative aims to support democracy, safety and the rule of law while fostering responsible AI development.

Impact: Stakeholders can submit questions via an online form to experts at the AI Act Service Desk. AI Act full implementation is scheduled by August 2, 2027, with progressive application across sectors.

AI in Science Strategy launched

On October 8, 2025, the European Commission published its AI in Science Strategy (Strategy) to enhance AI integration in EU research. It proposes creating a Resource for AI Science in Europe (RAISE), a virtual institute to coordinate AI‑science infrastructure across Member States and sectors. The strategy includes an action plan structured around five pillars: talent, computation, data, funding and collaboration.

Key aspects of the Strategy include:

• up to €600 million from Horizon Europe will support researcher access to AI Gigafactories and scientific automation
• €58 million will fund Networks of Excellence and Doctoral Networks to attract and retain top AI and science talent
• Horizon Europe AI investments will double to over €3 billion by 2028, supporting foundational model development
• RAISE will include Data Labs in AI Factories and a European Network of Frontier AI Labs for cross-disciplinary work
• The Joint Research Centre will lead an AI Evaluation Hub to assess models in strategic scientific domains
• initial RAISE funding totals €108 million, with phased expansion under future EU frameworks
• it complements the Apply AI Strategy and AI Continent Action Plan

Impact: The Strategy gives businesses access to advanced infrastructure, funding and scientific automation tools. Businesses can collaborate through RAISE, benefit from AI Gigafactories, and tap into Horizon Europe’s €600 million support. Private sector involvement is encouraged via pledging campaigns and cross‑disciplinary labs for innovation and AI tool commercialization.

Tailored training and automation resources help businesses upskill teams and accelerate development in science‑driven sectors.

The AI in Science Summit took place in Copenhagen on November 3 and 4, 2025. It convened policymakers, researchers and industry leaders to showcase and launch key initiatives under the AI in Science Strategy. These included the pilot phase of the RAISE virtual institute and a campaign encouraging private sector commitments to support AI‑driven scientific innovation.

Reporting serious AI incidents under the EU AI Act

On September 26, 2025, the European Commission published draft guidance, a reporting template and a consultation seeking stakeholder input on the proposed reporting of serious incidents regime.

Under Article 73 of the EU AI Act, providers of high‑risk AI systems must report serious incidents to national authorities. This is separate to the obligation on general‑purpose AI reporting which is covered in Article 55 and the General-Purpose AI Code of Practice. While the Article 73 requirements are applicable from August 2, 2026, the draft guidance and reporting template is now available to help providers prepare for compliance.

The draft guidance contains key definitions (such as what is classed as a serious incident); how the incident causes the harm (be it directly or indirectly); examples (such as medical misdiagnosis or discrimination in recruitment or credit scoring) together with the providers’ obligations to report (within prescribed timescales), investigate and cooperate with the relevant national authorities.

The reporting template seeks information on the AI system affected, the nature of the incident and impact on users and the actions and investigations undertaken by the provider.

The consultation, which closed on November 7, 2025, invited input from AI providers and deployers, industry representatives, academia, the public sector and other stakeholders. Its objective was to identify practical examples of incidents involving AI systems that must be reported, explore how the reporting requirement interacts with other reporting obligations and highlight areas requiring clarification in the European Commission’s forthcoming guidance.

Impact: These measures are designed to help the market surveillance authorities to detect risks or harmful patterns early, ensure accountability of providers and users, support swift action and foster trust in AI. Those who are within the scope of the new reporting provisions are encouraged to review the draft guidance to help them prepare their approach to assessing AI risks and feedback on the practicality of the reporting requirements.

Launch of Jupiter supercomputer

On September 5, 2025, the EU inaugurated Jupiter, Europe’s first exascale supercomputer, in Germany. Jupiter performs over one quintillion operations per second, ranking fourth globally and first in Europe for computing power. It runs entirely on renewable energy and leads on energy efficiency in supercomputing. Jupiter enables kilometer‑scale climate and weather modelling, improving forecasts of extreme events like floods and heatwaves. It supports AI development, including the upcoming AI Factory for training advanced generative models.

Impact: The €500 million EU‑Germany investment is part of a broader strategy to build AI Gigafactories across Europe. These Gigafactories will integrate computing power, data and talent to develop hyperscale AI models and applications. 76 proposals from 16 Member States aim to establish these facilities, advancing Europe’s digital sovereignty and innovation leadership. The European Commission is planning to launch an official call for the establishment of AI Gigafactories in Q4 2025. Jupiter may benefit businesses by accelerating innovation in climate tech and AI development. Access to high‑performance computing may also attract investments.

Opinion on AI governance and risk management published

On August 6, 2025, the European Insurance and Occupational Pensions Authority (EIOPA) published an Opinion on AI governance and risk management in the insurance sector. The Opinion is addressed to national authorities. It clarifies how existing insurance legislation applies to AI systems, especially under the AI Act. It interprets provisions in the Insurance Distribution Directive and Solvency II Directive in the context of AI systems. High‑risk or prohibited AI systems under the AI Act are excluded to avoid regulatory overlap. The Opinion promotes supervisory convergence and clarifies expectations for national authorities. Key principles for governance and risk management include data governance, fairness, cybersecurity, explainability and human oversight.

Impact: The Opinion does not introduce new rules but interprets existing ones. EIOPA plans further analysis and guidance on emerging AI issues in insurance.

UK

Committee paper on private law issues in AI

On October 27, 2025, the Financial Markets Law Committee published a paper on private law issues in AI. The paper explores who is liable when generative AI used in financial markets makes mistakes. It asks whether AI should be seen as a tool or an agent. The paper focuses on legal attribution, liability and how this affects contract interpretation, care standards and market abuse. The paper concludes that AI should remain a tool to preserve legal certainty. It supports English common law’s flexible approach to new technologies without needing new legislation.

The paper also highlights areas needing clarity, including intellectual property and data protection, which affect AI use in finance.

Impact: The paper makes the following recommendations:

• businesses should treat AI as a tool, not an agent, to maintain legal certainty and manage liability risks effectively
• contracts should clearly define responsibilities, limitations and liability for AI use
• firms should assess whether deploying AI is reasonable and monitor its performance continuously
• over‑reliance on AI outputs should be avoided, especially when systems lack transparency or produce hallucinations

Government unveils blueprint for AI regulation

On October 21, 2025, the Department for Science, Innovation and Technology (DSIT) unveiled a new blueprint for AI regulation to help drive growth. The blueprint introduces AI sandboxes, where companies can safely test AI products under relaxed regulatory conditions. It also launches an AI Growth Lab to pilot responsible AI and gather evidence of its real‑world benefits. The blueprint forms part of the government’s broader “Plan for Change”, which seeks to cut bureaucracy and unlock economic growth through smarter regulation.

Impact: These measures aim to unlock AI’s potential in sectors like healthcare, planning and transport, while maintaining public trust. DSIT is seeking views on the AI Growth Lab, aimed at individuals/organizations who:

• are interested in using the AI Growth Lab
• are going to be affected by the AI Growth Lab
• have expert views on implementing sandboxes

Stakeholders are encouraged to participate in the consultation, which closes on January 2, 2026.

Bank outlines approach to AI, distributed ledger technology and quantum computing

On October 15, 2025, the Bank of England (BoE) outlined its approach to innovation in AI, distributed ledger technology (DLT) and quantum computing. In its report, the BoE supports responsible adoption of these technologies to boost productivity and economic growth. It aims to shape innovation, not slow it, while managing risks. The report states that AI could double UK GDP growth by 2035. Quantum computing may raise productivity by seven percent by 2045. DLT could save billions in global settlement costs.

The report stresses the importance of a resilient financial system and robust standards to support innovation.

Impact: The BoE will continue to collaborate with industry and regulators to guide safe adoption:

• businesses are encouraged to prepare for increased regulatory engagement around AI, DLT and quantum computing
• the BoE encourages firms to adopt these technologies responsibly, balancing innovation with risk management
• financial services firms are expected to lead in adoption and support broader sectoral benefits
• early engagement with regulators and industry peers is recommended to help shape best practices

Report on AI and Digital Hub pilot and call for views on agentic AI

On October 10, 2025, the Digital Regulation Cooperation Forum (DRCF) published a report on the effectiveness of its AI and Digital Hub pilot (Hub). The DRCF is a collaboration between the CMA, ICO, Ofcom and FCA, the key UK digital regulators. Its mission is to “support responsible technological innovation, protect people online, and enable businesses to thrive."

During the one‑year pilot project, the Hub gave free, informal, cross‑regulatory advice to organizations developing tech that has a public or societal benefit. The aims of the pilot were to help development of digital tech through enhanced clarity on regulatory compliance, as well as to help assess whether a permanent multi‑regulator service should be established.

The report concludes that the pilot was a success, whilst noting improvements for the future.

Impact: The DRCF now intends to expand the Hub’s reach and impact by launching a Thematic Innovation Hub. It describes this as “a cross‑cutting initiative, enabling businesses to benefit from joined‑up regulatory insight on emerging technologies” which will “extend the DRCF’s reach through tailored engagement and regulatory advice on priority topics”.

The first theme that the DRCF will focus on is agentic AI, which it defines as “AI systems capable of autonomous decision‑making and initiating actions without direct human prompts”.

The DRCF opened a call for views on agentic AI and regulatory challenges. The closing date was November 6, 2025. This was an information‑gathering exercise to help inform future work and to enhance understanding of emerging risks and opportunities.

Views were sought on issues such as the interplay between regulation and successful development and adoption of agentic AI, any sector‑specific issues, risks and opportunities and what advice and support would be beneficial.

Government publishes AI assurance roadmap

On September 3, 2025, the Department for Science, Innovation and Technology (DSIT) published an AI assurance roadmap. The roadmap outlines steps to grow a responsible AI assurance market. It sets out the immediate actions the government will take to support this emerging sector. This roadmap commits to: 

• convene a UK consortium of stakeholders to build a future AI assurance profession and improve market quality
• develop a framework outlining skills and competencies for AI assurance, supporting learning and professional development pathways
• launch an AI Assurance Innovation Fund to support novel solutions in eight key industrial strategy sectors

Impact: The roadmap aims to boost confidence in AI systems, enabling safe adoption and economic growth. The DSIT is committed to ensuring this is an open and multi‑stakeholder endeavour. It will engage across the assurance ecosystem to ensure that its actions are as informed and impactful as possible.

US

California strengthens online child safety rules with new laws

On October 13, 2025, the State of California signed a series of new laws to protect children online and regulate emerging technologies, social media platforms and AI chatbots. Key highlights of the legislation include:

• platforms and products must include age checks, warnings and other reminders to help protect children online and prevent them from accessing inappropriate or dangerous content
• platforms and products, including AI chatbots, must add protocols to address suicide and self-harm
• stronger penalties now apply to those who distribute nonconsensual sexually explicit material, including deepfakes
• clear legal accountability for those who develop, alter or use AI technology that results in tortious harm to others by preventing them from asserting that the technology acted autonomously

Impact: These changes aim to keep children’s safety at the heart of online design. The legislation will take effect on January 1, 2026. Notably, California Governor Gavin Newsom also vetoed similar legislation that would have banned companies from making AI chatbots available to anyone under the age of eighteen years old unless the developer imposed strict guardrails that would prevent minors from engaging in sexual conversations with the AI and ensure the chatbot would not encourage self-harm. Businesses operating in California should review compliance with new age verification and chatbot transparency rules.

California enacts landmark AI transparency and safety law for frontier model developers

On September 29, 2025, California Governor Gavin Newsom signed into law Senate Bill 53, the Transparency in Frontier Artificial Intelligence Act (TFAIA), legislation that imposes new regulatory requirements for the developers of advanced AI models. Key provisions in the law require developers to:

• publish a frontier AI framework that describes how the developer manages catastrophic risks, incorporates recognized standards and best practices for AI risk management and other safety information related to their model development activities
• issue transparency reports before deploying new or substantially modified frontier models with information detailing model capabilities, intended uses, restrictions on use and risk assessments conducted pursuant to the developer’s frontier AI framework
• report critical safety incidents that implicate catastrophic risks
• respect newly created whistleblower protections for employees who report safety concerns or violations relating to frontier AI models

Impact: The legislation places California at the forefront of regulating the largest AI developers advancing the state of the art in AI innovation. The legislation reflects the increasing focus of state legislatures in the US on targeted transparency measures as opposed to comprehensive state AI laws which have faced challenges from industry leaders and opposition from the federal government.

Institute proposes AI security overlays

On August 14, 2025, the National Institute of Standards and Technology (NIST) released a concept paper introducing control overlays for securing AI systems. These overlays adapt existing cybersecurity frameworks to address AI‑specific risks and aim to help organizations apply tailored safeguards to AI technologies.

The overlays build on NIST’s AI Risk Management Framework and Cybersecurity Framework. They focus on transparency, robustness and accountability in AI system design and deployment, and detail proposed use cases across predictive AI, generative AI and agentic AI applications and systems.

Impact: While this is an early request for comment, NIST remains a central player in shaping standards for responsible AI development and deployment. Businesses are encouraged to review the proposed overlays and assess alignment with current security practices, as well as monitor NIST updates and participate in public comment periods to help shape future standards. Companies should also be directly evaluating cybersecurity risks as part of their overall AI governance and risk management efforts with a focus on addressing the unique cyber threats to the security and reliability of AI systems.

Co-authored by Jon Botham, Uendi Barreti and Paola Paccani (Knowledge).