
5 Emerging Tech Policy Shifts to Watch in 2025 & Beyond

by Camille Tuutti, FiscalNote

Stay ahead of 2025’s top tech policy trends. Learn how AI regulation, data privacy laws, cybersecurity mandates, and federal IT acquisition reforms are reshaping government and business operations.


If your inbox is overflowing with AI memos, privacy updates, cyber alerts, and FAR revamps, welcome to life in government affairs.  

Artificial intelligence, data privacy, cybersecurity, and acquisition rules are colliding with product decisions and public pressure. And there you are, in the middle of it, translating it all for your organization.

We asked four experts who bridge policy, compliance, and executive strategy what to watch now and why it matters. Here are their top tech policy concerns.


Data Privacy and Data Brokers

The U.S. still lacks a comprehensive federal data privacy law, and companies are feeling it. Instead, they’re navigating a patchwork of state rules, weak federal oversight, and growing scrutiny over how data is collected, shared, and sold. 

Tom Romanoff, policy director at the Association for Computing Machinery, says Congress has failed to act across 13 sessions, leaving states to fill in the gaps.

“You’re now seeing real traction in places like Oregon, Florida, and Texas,” Romanoff says.

That state-by-state approach is creating a significant compliance burden for companies operating across multiple jurisdictions.

Pavlina Pavlova, a global cybersecurity expert, calls the current environment unsustainable. She points to recent HIPAA changes, especially those expanding protections around reproductive health data privacy, that are already facing legal challenges. 

Combined with the lack of regulation around data brokers, she warns of mounting risks. “There are built-in security and safety implications because this data is being commercialized and exchanged with third parties regularly,” Pavlova says. “That’s deeply problematic.”

Secure by Design

Security is no longer an afterthought. Lawmakers want it built in from the start. That’s the message from both Washington and Brussels. 

Pavlova cites the U.S. Secure by Design pledge and the EU’s Cyber Resilience Act as clear signals. Vendors are expected to reduce risk before products ever reach users. 

In the U.S., the Cybersecurity and Infrastructure Security Agency (CISA) is working with over 300 companies that have voluntarily committed to building in secure defaults, reducing attack surfaces, and enhancing vendor accountability.

This model “is about making the ecosystem more secure by default,” Pavlova says. 

In the EU, the approach is mandatory: the proposed Cyber Resilience Act would require vendors to meet baseline security standards before approval, with penalties for noncompliance. 

These policies also underscore the importance of public-private collaboration. CISA, for instance, meets monthly with pledged companies to track progress, identify gaps, and share feedback. Pavlova says this ongoing dialogue is key for securing supply chains and protecting national infrastructure. 

However, she warns that voluntary efforts alone aren’t enough, especially since cybersecurity is still often treated as a cost center. “If you don’t mandate it, companies struggle to get the resources they need,” Pavlova says. “Regulation helps justify the investment.”

Federal IT Buying 

Federal IT acquisition is undergoing a major shakeup. Legacy contract vehicles are disappearing, and the Federal Acquisition Regulation (FAR) rewrite is picking up speed. Trey Hodgkins, a procurement policy expert and president and CEO of Hodgkins Consulting, calls it one of the biggest changes in years.

He points to legacy contracts like CIO-SP3, once a key National Institutes of Health contract for IT, as a cautionary tale. It’s technically still alive, but “the doors are locked, the lights are off, nobody’s answering the phone,” Hodgkins says. “And companies have products that those customers have been buying.”

That breakdown has forced vendors to reassess where their offerings stand. Many expect the General Services Administration (GSA) to consolidate the number of Government-Wide Acquisition Contracts (GWACs), so companies are trying to determine which vehicles will survive and whether their products are included in them. If not, they’re working to move listings before it’s too late and preparing to educate customers on where to find them. 

That scramble is part of a larger reckoning of how the government buys technology. Hodgkins says the FAR overhaul is long overdue, with the potential to fix longstanding pain points around mission delivery, taxpayer value, and time-to-service. 

“In many ways, it’s esoteric to a lot of people — it certainly gets into that whole procurement gobbledygook, if you will, about the really technical stuff,” he says. “But sometimes, the really technical stuff is important. So there’s a whole community of people watching that and commenting and looking at it.”


AI Oversight 

AI is moving faster than policy can keep up. Hodgkins says the federal government sees AI as a strategic asset in global competition, especially with China. But agencies are still bound by strict guardrails. 

“Broadly, people still don't really understand what [AI] is, what it can do,” he says. “It's kind of hard to build policy around something you don't know where it's going.”

Both the current and previous administrations have pushed for AI adoption, but their approaches differ. The previous administration focused on guardrails to ensure AI didn’t violate constitutional rights or block access to public benefits. Those constraints remain, even as the current administration pushes for faster AI implementation. 

The result is pressure to scale AI without a roadmap — a dynamic Hodgkins calls a “bow wave” few have figured out how to ride.

That lack of clarity is compounded by staffing gaps inside agencies tasked with oversight. Pavlova says many of these organizations don’t have the technical resources to keep up, which makes it harder for companies to plan for compliance. 

“For example, CISA . . . has lost approximately one-third of its workforce since January, which is highly problematic because I believe that many things that were happening under [former United States Director of the Cybersecurity and Infrastructure Security Agency] Jen Easterly were very needed in the community,” Pavlova says.

That uncertainty isn’t limited to compliance. Romanoff says the shift is also affecting global hiring. In India, for example, tech talent is under pressure as U.S. companies slow engineering hires, partly because AI can now do some of that work. 

The reduced hiring isn’t limited to foreign workers; it also affects recent graduates of U.S. institutions who would have filled those roles. This could weaken the tech pipeline in the U.S. and push companies to return workers to their home countries instead of sponsoring them.

Meanwhile, questions are growing about who’s actually shaping AI policy and whose interests it serves. Daniel Schuman, executive director at the American Governance Institute, isn’t optimistic.  

“What we’re really going to see is a fight between different corporations,” he says. “It’s not going to be driven by what’s in people’s best interests.”

Schuman warns that without a baseline privacy law, AI could follow the same fractured, reactive path that defined earlier tech debates. “We already don’t have basic privacy legislation for everything else in the U.S., so I don’t see why AI would be any different,” he says.

Global Pressures

Policy isn’t shaped just by regulation — it’s driven by geopolitics, infrastructure, and influence. 

That means you need to track more than just legislative text. Geopolitics, supply chains, and infrastructure decisions are changing the rules and raising new risks for your organization. 

Case in point: After Microsoft disabled access for the International Criminal Court’s chief prosecutor to comply with U.S. sanctions, backlash in Europe fueled a renewed push for sovereignty. Denmark began testing open-source tools to reduce dependence on U.S. tech.

Romanoff sees the same momentum. “They want to establish a digital sovereignty outside of U.S. products,” he says. “It just doesn’t exist at the moment.” 

In the absence of hard regulation, solidarity-based governance is emerging, Romanoff says. Countries and organizations are beginning to adopt AI safety practices not because they’re required by law but because of shared concerns. At the same time, true digital sovereignty remains an aspirational goal.

These moves are driving conversations, but uneven progress means companies may face growing compliance challenges across jurisdictions. Pavlova notes that geopolitical tensions are now bleeding into technical standards, turning software and infrastructure decisions into national security issues. 

What To Do Next

Forget about business as usual. As the policy landscape evolves, so should your role. That means:

  • Track more than bills. You need eyes on infrastructure decisions, staffing gaps, executive orders, and global standards. Stay current on AI, data privacy, and procurement requirements across jurisdictions. 
  • Watch who’s influencing policy. Decisions aren't always made on merit; influence matters, too. So does knowing which factions are shaping the agenda.
  • Work across teams. The line between IT, legal, and policy is blurring. Be the one who translates fast-moving changes into internal action. 

PolicyNote helps you stay ahead. It tracks developments across jurisdictions, highlights emerging risks, and gives you the insight you need to brief your leadership and teams with confidence.
