Can Brussels change? One year after Draghi – the EU's Digital Simplification Package

On 16 September 2025, almost a year after the European Commission published the landmark Draghi Report on lagging European competitiveness, the Commission opened a call for views on its upcoming “Digital Package on Simplification". In poignant timing, on the same day it also held a conference to review its progress on implementing the Draghi report’s recommendations.

This new two-part digital simplification package is a direct response to one of Draghi’s key findings, that overregulation is hindering EU firms from innovating and competing with the US and China, and the Commission has hailed it as “a first step in simplifying the EU’s digital rulebook”. The package builds on a number of previous consultations (on the Data Union Strategy, the Cybersecurity Act and the Apply AI strategy), and existing “omnibus” simplification packages announced for other sectors.

Digital Omnibus

The first part of the package is the “Digital Omnibus”. This is a series of regulatory adjustments designed to achieve the same objectives as the current rules but at a lower administrative cost. It is expected to cover the following areas:

1. Data – Measures to target fragmented EU data regulations (including the Data Governance Act, the Free Flow of Non-Personal Data Regulation, and the Open Data Directive), to streamline the accessing and processing of data and potentially to foster uptake of data sharing regimes.
2. Cookies/ePrivacy Directive – Updating the “cookie article” of the ePrivacy Directive to curb consent fatigue (reducing where user consent is needed) and achieve greater alignment between EU data protection rules. The use of modernised cookie/tracking technologies may also be facilitated, such as central cookie management mechanisms.
3. Cybersecurity reporting – Simplifying incident and data-breach reporting across overlapping EU frameworks, to minimise burdens and costs on businesses. Further measures are being considered under a separate review of the Cybersecurity Act.
4. EU AI Act application – Measures to ensure a “predictable and effective” application of the AI Act, addressing implementation challenges and smoothing the interplay with other laws (see our insights on the AI Act here and here).
5. Digital identity and trust services – Improving certainty and reducing compliance costs under the European Digital Identity Framework, including alignment with the forthcoming EU Business Wallet and the application of the “one in, one out” principle.

Digital Fitness Check

The second part of this package is the “Digital Fitness Check”, a tool to help the Commission to assess the “coherence and cumulative impact” of the EU’s digital regulations. There isn’t much detail yet, and more public consultation is expected, but it signals the Commission’s intention to continue assessing how digital regulation is impacting businesses, and identify future opportunities for simplification.

“The Draghi report: one year on”

At the conference, President von der Leyen gave a resolute and optimistic defence of her Commission’s progress, but Professor Draghi’s outlook was decidedly less rosy. A year on, he thinks the challenges have only “grown more acute” and that Europe is in a “harder place”.

It was clear the Commission is committed to its simplification agenda (and on competitiveness overall), although many feel streamlining alone is not enough, including Draghi. His report had pointed to the concerning volume, overlapping, and inconsistency of EU legislation (including “gold-plating” by member states), which he reiterated at the conference, noting the cost of data for EU firms is 20% higher than their US peers due to GDPR alone.

Importantly, Draghi also used his speech to join more than 40 European CEOs calling for the AI Act’s provisions on high-risk systems (coming in 2026) to be paused until their “drawbacks” are understood. That will be welcomed by businesses who remain uncertain on how to comply with the Act, but Yvo Volman (director for data at the Commission) subsequently confirmed that a pause of the Act “is not on the table”, so the AI Act seems to be full steam ahead. The Commission may yet be pragmatic in other ways, for example it will control enforcement of the AI Act’s GPAI provisions, so it may focus enforcement on only the largest GPAI providers (or on egregious breaches), but that remains to be seen.

Overall, the conference highlighted the difficult crossroads at which the EU still finds itself, with continuing disagreement on the balance between regulating against digital harms and promoting competitiveness. While Draghi and others call for more radical change, the Commission is focussing on streamlining only (it thinks “the EU digital rulebook is fit for purpose”, and it will be “keeping the same standards” while continuing to “promote citizens’ rights and interests”). In any case, Draghi and von der Leyen clearly agreed on one thing – the need for far more urgency from the EU co-legislators.

Our three takeaways for businesses

Firstly, keep an eye out for the full Digital Omnibus proposal when it lands later this year. Hopefully, it will lead to some simplified processes and costs savings for businesses.

Secondly, the Commission seems to be adamant on not planning any significant rolling back of regulatory standards (and the Digital Omnibus will still take time to be approved by EU co-legislators). Cautious businesses, or those needing certainty in the short term for their product development cycles, should plough on with compliance efforts against existing regulations.

Finally, however, in the face of growing dissatisfaction with the weight of EU regulation, and with pressure only intensifying on Brussels for a rethink, we doubt this is the end of the conversation. For businesses with a more pragmatic view of compliance, or those with time to spare in their product development cycles, it may be worth holding back to see whether a potential softening in Brussels’ regulatory approach is coming.