The European Commission has opened a call for evidence on its proposed ‘digital omnibus’ – a package of reforms that it said will “focus on immediate adjustments” to certain areas of EU digital regulation where, it said, “it is clear that the regulatory objectives can be achieved at a lower administrative cost for businesses, administrations and citizens”.
Measures to address “problems” and achieve “simplification” of EU rules relating to data, use of cookies, cybersecurity incident reporting and AI Act implementation will form part of the package, the Commission said.
“The challenges for businesses arising from cyber incident reporting obligations under the various legislative frameworks are very real,” said Dublin-based technology law expert Andreas Carney of Pinsent Masons. “Assessing the reportable nature of incidents, conducting risk assessments, notification of affected parties and dealing with different regulatory authorities under the different frameworks are just some of the challenges. This, of course, costs businesses time and money. Enabling business to streamline processes around these – potentially through legislative change – is an admirable goal. It will be interesting to see what can be done on this front.”
According to the Commission, its digital omnibus package will include “necessary” and “immediate” measures to simplify the EU’s incident and data breach reporting obligations, the Commission said. Those obligations are contained in various legislative frameworks – including the General Data Protection Regulation, second Network and Information Security Directive, and second Payment Services Directive. Navigating the different EU frameworks and different ways they are transposed by individual member states, the Commission said, places “a significant burden” on businesses.
“This issue is widely reported by stakeholders and immediate measures for simplifying compliance with the requirements and for the use of reporting tools are necessary while keeping a high cybersecurity protection,” the Commission said.
In relation to data legislation, the Commission cited the Data Governance Act, Free Flow of Non-Personal Data Regulation, and Open Data Directive, where it said the concern expressed by stakeholders is that the rules are outdated, fragmented and unnecessarily complex for businesses seeking to operate “innovative business models” with “a strong data-driven component” in the EU.
On the EU’s rules on cookies, the Commission said “pragmatic and immediate clarifications to limit consent fatigue, provide legal clarity on rightful access and processing, and enhanced data availability to businesses” are required.
Regarding the AI Act, the Commission said it wants “to ensure the optimal application of the recently adopted rules, and provide legal predictability to businesses that are about to apply the rules”.
The Commission said its planned AI Act “intervention” will “seek to address implementation challenges identified in consultation with stakeholders and member states, taking into consideration the needs of small mid-caps and facilitating the smooth interplay with other laws”.
The AI Act was written into EU law last year but only some of the provisions have taken effect so far – prohibitions on certain types and uses of AI began applying in February, while rules impacting providers of so-called ‘general purpose AI models’ came into effect in August. Rules applicable to ‘high-risk’ AI systems do not come into effect until August next year.
Earlier this week, former European Central Bank president Mario Draghi called for the rules on high-risk AI to be “paused”.
“The next stage, covering high-risk AI systems in areas like critical infrastructure and health, must be proportionate and support innovation and development,” Draghi said, according to a report by Euro News. “In my view, implementation of this stage should be paused until we better understand the drawbacks.”
In September 2024, in a wide-ranging report prepared for the Commission, Draghi flagged concerns about the EU’s competitiveness in the global marketplace. Among other things, he highlighted issues with the EU’s approach to tech regulation, including “complexity and risk of overlaps and inconsistencies” between the AI Act and the General Data Protection Regulation (GDPR). At the time, he recommended “simplified rules” and the enforcement of “harmonised implementation of the GDPR” across the EU, as well as the removal of “regulatory overlaps with the AI Act”.
Draghi’s latest comments were made at a conference to mark a year since his report was published. His is just the latest call for postponement of AI Act provisions.
In the summer, a group of 50 European business leaders warned that the “Europe’s AI ambitions” are “at risk” as a result of “unclear, overlapping and increasingly complex EU regulations”. The group includes senior leaders from AI trade associations as well as companies such as Airbus, BNP Paribas, Mercedes Benz, and Philips. The group called on the Commission to “propose a two-year ‘clock-stop’ on the AI Act before key obligations enter into force, in order to allow both for reasonable implementation by companies, and for further simplification of the new rules”.
The Commission has also come under pressure from politicians on both sides of the Atlantic over its approach to tech regulation. US vice-president JD Vance has described the EU approach as restrictive and paralysing and as hindering AI development, while the Polish government put forward wide-ranging proposals for digital regulatory reform in June that included potentially using ‘stop the clock’ legislative instruments to delay the effect of legislative provisions that have already been finalised – including the enforcement provisions in the AI Act – in the same way that has happened already in the context of EU sustainability-related due diligence and disclosure obligations.
The Commission held a consultation regarding implementation of the AI Act’s rules on ‘high-risk’ AI systems over the summer. According to that consultation, which closed in July, some changes to those rules are under Commission consideration – including in relation to the classification of high-risk AI systems and the obligations associated with providing, deploying, importing or distributing those systems.
The Commission’s digital omnibus is reportedly scheduled to be published in December. It will be just a first step in the reform of EU digital regulation – the Commission has promised to “stress-test the coherence and cumulative impact of the EU digital acquis governing the activity of businesses” in a separate ‘digital fitness check’.
Businesses have until 14 October to have their say on the Commission’s digital omnibus proposals.