The European Union is in the process of introducing a number of simplification measures, aimed at reducing the administrative burden on a number of organisations across a range of legislative and regulatory measures. The proposals do not seek to lower regulatory standards, but they do carry particular significance for data protection and cyber practitioners. This article summarises the current position and explores what these developments might mean in practice.
Background
In 2024, following a comprehensive report on the EU's competitiveness by former European Central Bank president Mario Draghi, EU leaders signed the Budapest Declaration, calling for a 'simplification revolution'. This would bring a drastic reduction in administrative and regulatory burdens, particularly for smaller organisations that are often subject to the same requirements as larger companies.
In response, the European Commission began advancing a number of 'Omnibus' packages throughout 2025. These cover diverse EU policy areas including the Common Agricultural Policy, sustainability reporting and due diligence for responsible business practices.
Omnibus IV
From a cyber and data standpoint, the published Omnibus packages offered limited reforms, although one eye-catching proposal emerged in Omnibus IV, which is aimed at freeing up certain companies from data protection compliance obligations. It suggested amending Article 30(5) of the GDPR, so that organisations with fewer than 750 employees would no longer need to create or update their existing records of activities, provided the processing is not likely to result in a high risk to the rights and freedoms of data subjects.
Currently the GDPR already provides an exemption for organisations employing fewer than 250 employees, which means that they are not required to record their processing activities, except where the processing carried out is "likely to result in a risk to the rights and freedoms of data subjects", is not occasional, or includes the processing of special category data or personal data relating to criminal convictions and offences.
In practice, however, many organisations, particularly in data-heavy sectors such as financial services, healthcare and technology, would still fall outside the exemption due to these carve‑outs. The practical impact may therefore be limited. Symbolically, though, this matters as it reflects a shift in Brussels’ stance. Regulators who once defended the GDPR as untouchable are now willing to recalibrate, especially to ease the burden on SMEs.
In terms of progression of these proposals, the European Council has recently been provided with a mandate by representatives of member states to negotiate with the European Parliament. A specific timescale for introduction remains unclear.
Digital Omnibus
Looking more broadly, the Commission is preparing a "Digital Omnibus" package later this year.
In preparation, the Commission launched a call for evidence in September, scheduled to end 14 October 2025, which aims to gather input on potential reforms across several areas:
- The Data Union strategy (covering the Data Governance Act, Free Flow of Non-Personal Data Regulation, Open Data Directive)
- Rules on cookies and other tracking technologies under the ePrivacy Directive
- Cybersecurity related incident reporting obligations
- Application of the AI Act
This will build on three calls for evidence and public consultation that have already taken place in 2025, focusing on Data Union strategy, Cybersecurity and Artificial Intelligence.
The stated objective is to cut compliance costs and promote consistency. But the real question for businesses is whether simplification will bring clarity. Too often, the cost of compliance lies not in the volume of obligations but in the ambiguity of how they apply. The Digital Omnibus could therefore be pivotal as a tool to reduce uncertainty in interpretation. Alternatively, if poorly framed, it could just be another layer of complexity.
Cookie consents
One area under particular scrutiny is cookies. As we stated in our article last month, the formal withdrawal of the ePrivacy Regulation in February 2025 has left Europe with the 2003 ePrivacy Directive as its foundation, a regime often criticised as outdated, fragmented and poorly aligned with today’s digital economy.
The Commission does appear to recognise this problem. Its call for evidence highlights the need to tackle "consent fatigue" and provide clearer legal bases for online tracking and data access. Although no detailed proposals have yet been published, the objectives indicate a clear direction of travel: pragmatic reforms aimed at simplifying consent requirements, reducing pop-up overload, and clarifying when cookies can be deployed for legitimate business purposes.
If successful, reforms could produce a single, streamlined standard on cookies, especially for analytics and advertising, which would be far more impactful for businesses than the Article 30 records exemptions. Any new framework is also expected to preserve strong privacy rights by improving transparency and giving individuals clearer, more intuitive tools to manage their preferences, while at the same time facilitating responsible data use by businesses.
From a comparative perspective, this approach mirrors in some respects the UK’s direction under the Data (Use and Access) Act, which aims to modernise consent mechanisms and reduce unnecessary friction in online interactions. However, the UK framework leans more explicitly toward enabling data use, allowing certain low-risk analytics and service cookies without consent, whereas the EU’s emphasis remains on simplifying consent, not removing it. The contrast highlights a subtle but important divergence: the UK is experimenting with a more permissive, innovation-led model, while Brussels is seeking to streamline without diluting fundamental rights.
Data Union strategy
The Data Union strategy was also the subject of a consultation earlier this year, with an emphasis on simplifying existing rules and developing tools to reduce administrative burden, including the development of infrastructures to enable automatic compliance with reporting obligations. This is significant. The Commission's direction appears less about deregulation and more about seamless compliance, building systems that reduce the friction of meeting obligations, rather than eliminating them outright. For organisations juggling overlapping reporting regimes, this could be transformative. Current rules to increase the uptake of data sharing mechanisms were also identified as unnecessarily complex or unclear.
Cybersecurity
Similarly, in cybersecurity, the Commission is considering streamlining the EU's frameworks by revising the Cybersecurity Act, with a call for evidence issued earlier this year. The revision would allow the streamlining and simplification of the EU cybersecurity framework, aiming to make the frameworks more user- and business-friendly. In addition, it would prioritise measures to support a secure and resilient supply chain, including the EU cybersecurity industrial base. The policy options considered would involve a revision of ENISA's mandate and the European Cybersecurity Certification Framework.
For businesses, the key benefit here would be the reduction of duplication. Current regimes such as NIS2 and DORA impose overlapping incident reporting requirements. Harmonisation would not only save cost but reduce the operational risks caused by conflicting reporting timelines and formats.
Apply AI strategy
The Digital Omnibus also looks ahead to the EU AI Act, with the consultation on the Apply AI strategy concluding in June of this year. The consultation focused on identifying policy actions and specific deliverables per sector, with concrete milestones to be achieved in the next three to five years. The Digital Omnibus call for evidence identifies a clearer focus on the AI Act. This would "seek to ensure the optimal application of the recently adopted rules and provide legal predictability to businesses that are about to apply the rules."
These proposals are not linked to suggestions that implementation of some provisions of the AI Act should be paused or delayed. This suggestion has been amplified following Mario Draghi's intervention, in which he recommended a significant simplification of the GDPR and proposed that the implementation of the next phase of the AI Act provisions be postponed, allowing for further assessment of the regulatory framework.
In response, the EU Competition Commissioner has warned against 'stop the clock' proposals or any regulatory cutback. Developments in this area will be keenly awaited, as it has recently been reported by Euractiv Pro that a number of countries are keen to push back the introduction of high-risk AI provisions (due to be implemented in August 2026) with others keen to maintain the existing plans.
For businesses, this creates a strategic dilemma. On the one hand, a delay would relieve immediate compliance pressures. On the other, uncertainty is costly: should companies invest in compliance frameworks now, or risk falling behind if they wait? In sectors where AI adoption is accelerating, the bigger danger may be regulatory drift, with businesses preparing for requirements that later shift, or stalling only to see competitors press ahead.
Conclusion
The EU’s simplification agenda should not be seen as deregulation by stealth. Instead, it represents a series of incremental but important recalibrations: easing burdens on SMEs, addressing cookie fatigue, and rationalising reporting frameworks. The underlying signal is arguably more important than the substance: Brussels is beginning to acknowledge compliance fatigue and adapt accordingly. For organisations navigating Europe’s digital rulebook, that cultural shift may prove the most consequential development.