Dive Brief:
- The European Commission unveiled a set of regulatory changes to simplify the European Union’s digital rules on AI, cybersecurity and data in a Wednesday announcement. Officials described the current regulations as burdensome to businesses in a press release detailing the changes.
- Some measures specifically target the EU AI Act, including pushing the timeline for rules governing high-risk systems to 16 months. The simplification measures are expected to save businesses up to 5 billion euros ($5.76 billion) in administrative costs by 2029, the release said.
- “We have all the ingredients in the EU to succeed,” Henna Virkkunen, EVP for tech sovereignty, security and democracy at the commission, said in the release. “But our companies, especially our startups and small businesses, are often held back by layers of rigid rules.”
Dive Insight:
European regulators pointed to compliance challenges and administrative burdens as drivers of policy simplification. The move echoes the Trump administration’s efforts to reduce regulations in the U.S., where many of the leading players in big tech are headquartered.
Nearly one-quarter of business professionals said they were not confident complying with the increasing number of digital regulations in the EU, according to an October report from nonprofit data privacy organization IAPP. The EU has more than 100 regulations with at least 20 more in progress, the report said.
In the digital omnibus proposal announced Wednesday, the commission focused on making AI, data and cybersecurity rules simpler. That includes refining some of the EU AI Act measures, most of which will go into effect August 2026. The commission wants to extend the timeline for AI Act rules governing high-risk AI systems by 16 months, from August 2026 to December 2027.
The commission also proposed linking the high-risk system rules’ effective date to the availability of support tools and necessary standards to help companies succeed. The commission plans to amend the AI Act to extend simplifications granted to small and medium-sized companies, such as simplified technical documentation requirements.
Officials also outlined plans to centralize oversight of AI systems built on general-purpose AI models with the European AI Office and broaden compliance measures to allow for greater use of regulatory sandboxes.
The commission’s proposals mark a “sweeping deregulation agenda for EU digital policies,” said EDRi, an international advocacy group headquartered in Brussels. The advocacy group voiced concerns that the move could dismantle EU tech policy.
However, regulations like the AI Act are here to stay, said Eduardo Ustaran, co-head of global law firm Hogan Lovells’ privacy and cybersecurity practice.
“We must acknowledge that this is a brand new and complex law that will take time to be understood and complied with, so the European Commission is intervening precisely to make it more relevant and influential as it comes into effect,” he said in an email to CIO Dive.
Cybersecurity reporting is set to change as well.
Companies currently must report cybersecurity incidents via several laws including the NIS2 Directive, the General Data Protection Regulation and the Digital Operational Resilience Act. The omnibus creates a single entry point for companies to meet all cyber incident reporting obligations, the release said.
The omnibus package also includes GDPR amendments to support company compliance and reduces the number of times cookie banners must appear on websites to indicate company consent with one-click obligations.
The proposal aims to simplify data rules as well by offering new compliance guidance with the EU Data Act and granting certain companies exemptions to some of the Data Act’s cloud-switching rules, and unlocking access to datasets for European AI companies.
The EU has long been a strong enforcer of digital laws, according to Ustaran. Businesses need to exercise caution by not confusing the simplification measures with an “abandoning of the principles, rights and rules that are at the core of the European digital regulation framework."
“This is an attempt at sharpening that framework in a way that is in practice more effective at making responsible innovation possible,” he said.
The commission’s digital omnibus proposals will be submitted to the European Parliament and Council for approval.
