By 2026, being a privacy lawyer in an international context isn’t just about ticking GDPR checklists. Your remit is being drawn into a rapidly growing web of EU regulations within AI, operational resilience, cybersecurity, and platform regulation. Therefore, expectations and responsibilities for your role will change with it.
In this article, I share my analysis of what this shift means for you in practice.
Your role in an ever-changing regulatory environment
If you work as a privacy lawyer in a multinational company, you can’t avoid having to deal with personal data protection laws in a regulatory environment that’s getting more complex and connected.
You need to view the legislation in a context where we are seeing an increase in sector-specific and technology-driven regulation.
Within this framework, the privacy lawyer plays a central role. In practice, the job is to assess legal risks and make sure compliance is put into action across different jurisdictions.
In a dynamic operational environment, the privacy lawyer turns regulatory requirements into internal policies, contracts, and processes that align with the company’s business model.
As I see it, this function therefore requires the skill to coordinate multiple activities:
The alignment with internal stakeholders and ongoing monitoring of regulatory developments at international levels.
Recent and forthcoming EU legislative initiatives expand the scope of responsibility we traditionally associate with privacy law.
This strengthens the privacy lawyer’s role as a key player in digital governance.
How the AI Act and DORA expand your mandate
The AI Act uses a risk-based compliance model that closely aligns with – and in many ways builds on – established data protection principles.
From my point of view, today’s privacy lawyers must live up to an expectation of being able to do this in practice:
Assess the lawful use of personal data in AI development and deployment
Evaluate data governance practices for training datasets
Ensure transparency, accountability, and human oversight
Make strategies for reducing AI bias.
AI compliance is therefore an extension of existing privacy governance into new technological domains.
Similarly, the DORA Act brings data protection, cybersecurity, and operational risk management closer together, especially for financial entities and their critical ICT service providers.
DORA reshapes the compliance landscape by imposing more structured governance, testing, and third-party oversight requirements.
Privacy lawyers are therefore more involved in aligning response procedures for personal data breaches.
The procedures include ICT incident management frameworks, negotiating contractual protections with key technology vendors, and advising on governance structures designed to ensure operational resilience.
Privacy lawyers are increasingly acting as strategic advisors
From privacy lawyer to strategic advisor
Beyond the AI Act and the DORA Act, the broader EU digital regulatory framework – including the Data Act, NIS2, the Digital Services Act (DSA), and the Digital Markets Act (DMA) – further expands the perimeter of the privacy lawyer’s intervention.
Your role is therefore to interpret and implement these frameworks alongside existing data protection obligations. This makes an integrated approach to compliance essential – from technical compliance to a strategic role.
In this evolving landscape, the privacy lawyer can no longer be viewed exclusively as a specialist in data protection law.
Instead, your role is turning into that of a more strategic advisor who supports companies in embedding compliance into processes and managing regulatory risk as a core.
This task requires much more than legal expertise.
It also requires the ability to engage with technical, operational, and executive functions, as well as translating regulatory requirements into practical governance solutions to create approaches to digital transformation that are resilient and legally compliant.