Interventions

Brussels tries to simplify the European digital acquis

by Antonio Perrucci and Luca Megale

13 November 2025

5' min read

Translated by AI

Versione italiana

5' min read

Translated by AI

Versione italiana

Digital Europe is trying to put its regulatory maze in order. With the new Digital Package on Simplification (which is scheduled to be presented on 19 November, but some drafts of which are circulating with probable changes in the final version), the European Commission proposes to simplify and consolidate most of the rules that today make up the so-called digital acquis: from the Data Act to the GDPR, from the Privacy Directive to the NIS2 directive. Furthermore, the text states that this draft Regulation will be accompanied by a second one dedicated to the revision of the EU Artificial Intelligence Regulation (2024/1689), not included in the circulated draft. The two documents together will form the Digital Omnibus. On the same day, 19 November, the Data Union Strategy will be presented and it is uncertain whether the revision of the Cybersecurity Act will be presented (which could slip between December and January). A 'legislative cleansing' operation that aims to reduce burdens and overlaps, but which at the same time moves along a delicate ridge - that of simplifying without affecting the level of protection.

The draft Digital package on simplification, considered in Brussels as the first step towards a 'single European digital code', stems from the need to bring order to a regulatory framework that in recent years has been stratified through a multiplicity of regulatory interventions. According to the Commission itself, the proliferation of texts and obligations has ended up generating confusion, duplication and disproportionate costs, particularly for small and medium-sized enterprises. Hence the decision to aim for a Simpler and faster Europe, concentrating intervention in three core areas: data regulation, streamlining of cyber incident reporting and greater clarity for the implementation of rules on artificial intelligence. The proposal envisages a number of technical interventions that, cumulatively, should have a strong immediate impact on businesses, citizens and public administrations. The Commission estimates savings for the EU of at least EUR 1 billion per year from entry into force, plus a further EUR 1 billion in one-off savings, totalling at least EUR 4 billion over three years, by 2029. The economic estimates do not, according to the proposal, include the business opportunities that may be generated by the proposed new regulatory approach.

The heart of the reform is what is called the data acquis. The Data Act, already in force, thus becomes the container for a new unified body of legislation, intended to incorporate the Data Governance Act, the Free Flow of Non-Personal Data Regulation and the Open Data Directive. The result is a harmonised framework for the sharing and re-use of public and private data, with the intention of simplifying procedures and terminologies and offering greater consistency to economic operators. Public administrations will also be able to apply differentiated conditions and fees for large digital platforms, the so-called gatekeepers, when they re-use public data. The aim is to prevent the economic power of large operators from translating into an unjustified competitive advantage to the detriment of small innovative companies.

Another relevant novelty concerns the small mid-caps, the medium-sized enterprises that were hitherto excluded from the facilitated regime for SMEs. The Digital Omnibus extends to them the same benefits in terms of documentation and compliance obligations, in an attempt to ease the regulatory pressure on a business segment that represents a crucial driver of European innovation.

The proposal also intervenes on the GDPR, the General Data Protection Regulation, to introduce targeted and technical changes. For instance, the definitions of 'personal data' and 'sensitive data' would be clarified, data breach notifications would be simplified - with a deadline extended to 96 hours and the possibility to use a single European portal - and information requirements in cases of low-risk processing would be reduced. There would also be the introduction of a possible sandbox regime to strengthen the dialogue between innovation and regulation.

Brussels would be ready to open the door to a more flexible use of personal data in the training of artificial intelligence systems, provided that adequate security measures are taken. This is a choice that has already provoked mixed reactions: for the Commission, it is a necessary adaptation to a rapidly changing technological environment; for part of civil society and experts, on the other hand, it is a step backwards in the protection of privacy.

The simplification also concerns the use of cookies and tracking technologies, which have been the subject of controversy for years due to the excessive proliferation of consent banners. The intention is to overcome the double track between GDPR and the Privacy Directive, allowing users to manage their preferences once only, directly at browser or operating system level, with automatic transmission to the sites visited. Online publishing platforms will be exempted from the obligation, to safeguard the advertising-based funding model that supports independent journalism.

On the cybersecurity front, the package introduces a practical but high-impact change: the creation of a Single Entry Point for Incident Reporting, a digital one-stop shop managed by ENISA, through which companies will be able to fulfil with a single report all the reporting obligations required by various European regulations, from the GDPR to the NIS2 directive to the DORA regulation. The principle is that of report once, share many: a single communication automatically distributed to the competent authorities.

According to Commission estimates, the measure could generate savings in excess of EUR 4 billion in the first three years of implementation. Completing the streamlining, the Digital Omnibus repeals the Platform-to-Business Regulation of 2019, which is considered outdated by the Digital Services Act and the Digital Markets Act. The elimination of redundant regulations should provide greater clarity for operators and supervisors, reducing compliance costs and the risk of interpretative uncertainty.

According to rumours, the second proposal (on the subject of the AI Act, as already mentioned), would instead strengthen the powers of the AI Office, which would see its competence extended to include general purpose artificial intelligence systems and models covered by the Digital Services Act. There is also greater flexibility for companies, with exemptions and concessions extending to small mid-caps, including a reduction in penalties and softer requirements for technical documentation. For developers of generative systems, a one-year 'grace period' for the introduction of content labels is foreseen, while the obligation to promote so-called AI literacy is transferred from enterprises to public authorities. The possibility of introducing a temporary suspension of obligations - the so-called 'stop the clock' - is still uncertain

for those undergoing adaptation.

Between promises of efficiency and fears of backwardness, the Digital Omnibus represents a test case for Brussels: how to reconcile innovation and protection, flexibility and legal certainty.

Antonio Perrucci (Director, Astrid Observatory on Artificial Intelligence)

Luca Megale (Researcher, Astrid Observatory on Artificial Intelligence)

Brand connect

I prossimi eventi

Tutti gli eventi

Notizie e approfondimenti sugli avvenimenti politici, economici e finanziari.

Comments

Brussels tries to simplify the European digital acquis

Brand connect

I prossimi eventi

Newsletter