Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains. 

Stakeholders have stressed repeatedly to regulators and policymakers that "in many instances, the simplification effort is less about modifying the rules, and more about providing clarity on their application," as a recent European Commission staff working document captures. The proposed Digital Omnibus may provide simplification down the road but, until it does, practitioners must navigate the landscape as it is today.

Managing the intersectionality of rules across digital domains is a daily challenge for practitioners. The IAPP EU Digital Laws Report 2025 shows that only one in five professionals surveyed have total confidence in their organization's ability to be fully compliant with the Artificial Intelligence Act, Digital Services Act, Digital Markets Act, Data Governance Act, Data Act and NIS2 Directive. 

The report also captures that requirements around key issues — for example, transparency, data subject rights and accountability — serve disparate aims and manifest differently across these varied laws. European privacy regulators and the Commission have committed to collaborating more closely on the application of EU digital legislation, including by developing joint guidelines and aligning on enforcement capabilities.

Meanwhile, many of these laws have a scheduled review in the coming years. The Commission expects to publish a review of the Digital Markets Act and, among others, an evaluation of the Copyright Directive in 2026, which will be important in the context of AI discussions. It will evaluate the cybersecurity NIS2 Directive and the DSA in 2027, the Data Act in 2028 and the AI Act in 2029.

The DMA, despite its material scope being primarily focused on a small subset of stakeholders — the so-called "gatekeepers" — is a good illustration of these dynamics. Its interplay with the EU General Data Protection Regulation raises questions about the coexistence of the two laws in practice, their joint impact on gatekeepers' business models and the broader ecosystem. Compliance regarding consent-or-pay models and transparency requirements is among the visible examples.

The cooperation initiated between the European Data Protection Board and the Commission could therefore contribute positively to legal certainty and harmonization, as the worlds of competition and privacy seek to build this consistency in practice. 

Since it became applicable to core platform services on 2 May 2023, the DMA has been met with some critiques that, while it has achieved progress toward more balanced digital markets, it falls short of expectations to create market predictability and enable fair competition against gatekeepers, to support the emergence of alternative distribution channels and payment systems, and to improve portability as intended.

Perhaps the common critique from many detractors resides in the scope of the instrument itself. As the Commission closes a consultation ahead of the DMA review planned for next year, many voices are calling for a widening of its scope to include all digital services provided by a gatekeeper's group entities and major cloud service providers.

These discussions illustrate the inherent living fate of digital rules. 

Isabelle Roccia, CIPP/E, is the managing director, Europe, for the IAPP. 

This article originally appeared in the Europe Data Protection Digest, a free weekly IAPP newsletter.