How risk managers can navigate APAC’s shifting regulatory terrain in an era of heightened compliance and enforcement.

The regulatory landscape across APAC is set for significant shifts in 2025, with evolving compliance requirements and enforcement trends.

From stricter data protection laws to AI-specific clauses in arbitration courts, companies must navigate a complex web of domestic and international legislation.


Adding to the pressure, regulators are increasingly proactive, with higher financial and criminal penalties for non-compliance. Meanwhile, landmark developments, such as Hong Kong’s proposed cybersecurity law, signal a region-wide push for enhanced accountability and resilience.

What major regulatory changes are ahead for APAC?

Rebecca Kelly, managing partner at global law firm Clyde & Co, said that the tension between enabling a hybrid workforce and maintaining compliance with data protection rules is posing challenges.

“Two years ago, companies knew what legislation was going to impact their operations. But with the EU, US and UK having extra-territorial application of laws that apply cross-borders, companies are now having to comply with domestic legislation but also with these international regimes,” said Kelly.

“In relation to disputes, AI-specific revisions or clauses are in the spotlight in arbitration courts. We are seeing the initial stages of how we are going to manage them, but we are still at least 12 months away from regulatory compliance. There is potential for AI to be embraced across industries, but it also poses a disruption risk that clients must be ready for.”

Kelly said that strict enforcement means there is an increased risk of financial and criminal penalties for those failing to comply, while the appetite for enforcement by regulators is much higher than it has ever been before.

“Climate risk concern may have fallen because of a perception that its impacts are outside a company’s control. When you look at other pressing risks, such as regulatory risk, businesses feel like they can better manage these challenges. Perhaps there is also an underappreciation of the impact climate change is posing to operations at a time when regulatory burdens are becoming heavier and enforcement risk is felt more strongly,” said Kelly.

Kelly said that, during 2025, APAC will not be immune from additional regulatory changes made in response to the overall global impact AI will have on business and the economic uncertainty through ongoing unresolved conflict across the world. “AI is at the forefront of what will both hinder and help companies respond to the regulatory changes as they struggle to keep pace with the change,” she said.

Simon McConnell, partner and chair of APAC at Clyde & Co, said Hong Kong is set to introduce a landmark cyber security law, with significant implications for businesses.

“While there is currently a voluntary data breach notification framework in place, mandatory breach reporting has been proposed under potential amendments to the Personal Data (Privacy) Ordinance (PDPO),” said McConnell.

“Organisations should watch these developments closely, and prioritise cyber resilience, address vulnerabilities, implement recommended practices, and consider taking out cyber insurance. Passing of the bill will align Hong Kong with other jurisdictions in the region, including Australia, Singapore and Malaysia, and support the integrity of critical systems.”

How can risk managers adapt to APAC’s evolving regulations?

Kelly said there is currently a confluence of risks greater than “anything we have seen in the past decade”, as well as an increased awareness of those diverse risks by risk managers.

“At the same time we notice a sense of enthusiasm from business leaders and risk managers for ensuring organisations are agile, operate with foresight and have the right structures in place to make their businesses resilient facing an increasingly complex set of challenges,” said Kelly.

“Today’s risk managers need to be across a number of different types of risks. Front of mind at the moment are economic risks, such as inflation, interest rates, and currency volatility, people challenges, and increased regulatory and compliance burden. Other increasingly important areas are geopolitical risk, reflective of current global conflicts and several recent or impending elections, as well as operational challenges, with AI integration being an area of focus.”

Kelly said that diverse risks can slow decision-making, but with agility and cross-functional collaboration, risk managers can respond swiftly and turn challenges into opportunities with clear action plans for continuity.

“While to some degree this is a mindset shift, risk managers should develop sound risk management systems to track and monitor market changes and assess their business impacts so that they can update strategies in real time,” she said. “Embedding risk management into core business processes is key, as is involving multiple functions, enabling diverse perspectives and cross-functional input.”