Newsletter

Plans for simplifying the EU's digital regulatory framework

by Trygve Karlstad and Luca Tosoni


The planned regulatory simplifications in short

Efforts to streamline the European Union’s digital regulatory framework are gaining momentum. Recently, the European Commission published 'Omnibus packages' aimed at simplifying a number of key EU laws on digital matters, such as the GDPR, the AI Act, the Cybersecurity Act and the Data Act. These planned reforms are part of the Commission Work Programme 2025, designed to cut red tape, foster innovation, and enhance Europe’s competitiveness globally.

The Commission aims to reduce administrative burdens and harmonize compliance obligations by consolidating or updating existing rules. A key focus is reducing the burden on small and medium-sized enterprises (SMEs), meaning essentially companies with fewer than 250 employees, recognizing that smaller businesses often lack the resources to navigate the complexity of EU digital rules.

Cybersecurity: Reducing reporting overlaps

Cybersecurity legislation has been chosen as the initial focus for this initiative, and the simplification is set to begin with an update to the Cybersecurity Act. The Commission is currently seeking feedback on how compliance with the Cybersecurity Act could be made easier. This review is expected to focus primarily on the role of ENISA (the EU's cybersecurity agency) and on the European Cybersecurity Certification Framework (ECCF). At this stage, the Commission is exploring several policy options:

  1. Maintaining the status quo: This option would leave the existing Cybersecurity Act unchanged.

  2. Non-legislative measures: This approach would focus on improving the efficiency of the ECCF and enhancing the development and implementation of certification schemes. Additionally, the approach would include 'non-legislative measures in the area of … reporting obligations and other cybersecurity measures, such as clarification or further specification.'

  3. Targeted legislative changes: This option would include making specific changes to better align the mandate of ENISA under the Cybersecurity Act with tasks already outlined in other legislative acts. For the ECCF, it would involve clarifying the framework and formalizing procedures for the 'maintenance phase of certification schemes'. It also aims to simplify reporting obligations through 'targeted amendments'.

  4. Repealing the Cybersecurity Act (CSA) and proposing comprehensive legislative changes: This approach would involve creating a new regulatory framework that would strengthen ENISA's mandate and role within the EU cybersecurity ecosystem. It would seek to improve the efficiency of the ECCF, extend its scope, and extensively address security challenges in the ICT supply chain, including non-technical risk factors. Additionally, it aims to simplify 'reporting obligations and potentially other cybersecurity measures'.

The Commission has also recognized that there are overlapping reporting obligations across various cybersecurity legal regimes, such as the Cyber Resilience Act, the AI Act and the GDPR. To address this, the upcoming digital package is expected to streamline these requirements, making it easier for authorities and stakeholders to manage multiple overlapping reports.

Simplifying the GDPR

Key decision-makers, including Commissioner Michael McGrath, have suggested that changes to the GDPR aimed at reducing certain administrative requirements may be on the horizon.

McGrath suggested, in an interview, that the simplification plan regarding the GDPR should concentrate on easing the reporting and record-keeping requirements for SMEs, without altering the core objectives and principles of the GDPR.

Some officials, including Member of the European Parliament Axel Voss, have also proposed introducing a tiered system with different obligations depending on the size and risk profile of a company’s data processing activities.

Simplifying the AI Act

The AI Act, poised to become one of the first major legal frameworks for the regulation of artificial intelligence in the world, is also expected to be partially reviewed to ensure further simplification. Currently, companies may face overlapping obligations between the GDPR and the AI Act, including transparency and automated decision-making requirements. The forthcoming changes could introduce clarifications or amendments aimed at preventing duplication of compliance efforts when developing or deploying AI tools that process personal data.

Commission officials, including Roberto Viola, Director General of the European Commission’s Directorate General of Communication, Networks, Content and Technology (DG CONNECT), have expressed a willingness to “simplify—when necessary” the rules in the AI Act, particularly to avoid overburdening SMEs. However, the exact scope of this simplification remains unclear at this stage.

Simplifying the Data Act

The Data Act is also highlighted as one of the legal frameworks that may undergo simplification. However, there is currently limited information on which specific obligations might be revised. The Act may be subject to changes before it comes into effect in September 2025.
