Radu Nechita // 21 November 2025

“Always more than expected” seems to be the appropriate answer in the case of EU digital regulation. The European Commission is aware of the burden that EU regulation represents, sometimes increased by an extra layer at the national level. This awareness explains the recent initiative of public consultation (ended 14th October), preparing the Digital Omnibus Package that will be presented on 19th November.

Its ambition is to encompass the regulation relating to data collection and use. The current regulation is an accumulation of texts, sometimes conflicting, sometimes obsolete, which generates uncertainty and increases regulatory compliance.

The European Commission announced the guiding principles (“we will simplify existing rules wherever necessary and ensure that they are better implemented”). The procedure seems convincing: simplify the regulatory framework wherever the regulatory objectives can be achieved at lower administrative costs; check the coherence and the impact of further simplification measures; continue to protect citizens’ rights.

However, there are some concerns that this simplification process is set on a collision course with the General Data Protection Regulation (GDPR), considered an essential protection of the privacy of EU citizens. Since its entry into our lives in 2018, there has never been a shortage of criticism of its most annoying aspects, but until now, no amendment has changed the general architecture. Maybe there is now an opportunity to evaluate the consequences of this regulation in relation to the initial intentions, to the compliance and, sometimes, avoidance costs. A possible path would be to consider that GDPR rules apply only to data that can be linked (back) to a specific person.

A deep cleaning in the multilayer regulation texts is necessary and could be achieved with a “Digital Code” replacing all of them. This would reduce the regulatory uncertainty, with a corresponding drop in compliance costs.

Another objective highly appreciated by companies is the simplification of data legislation, including rules on the GDPR, ePrivacy rules on cookies and tracking, and data sharing in the Data Act. Any regulatory barrier has a higher impact on small businesses. The reduction of the barriers to entry stimulates entrepreneurship and innovation, enhances competition, and, eventually, benefits consumers.

The European Commission and the companies expect similar effects from the adjustments to the AI Act and cybersecurity incident reporting obligations. If these adjustments ensure a smoother application and reduced overlaps, the compliance costs will decrease, to the benefit of the whole European economy.

All this process will take time; it will probably be slowed down by (big) companies that have already adapted to the acquis communautaire (or, as they could call it in French, the maquis communautaire) and by some regulatory bodies. Therefore, the European Commission will need all the support to keep the momentum in this simplification process.

And all of those who favour regulatory burden reduction must remember that there is something even more complicated than simplification. It is keeping the regulation simple afterward.

Radu Nechita is an associate professor who teaches Microeconomics, Globalization and Development, European Economic Integration at Babeș-Bolyai University, Cluj-Napoca.