The European Commission has its sights set on easing certain digital regulatory burdens on businesses, and the landmark Artificial Intelligence Act will be included in the endeavor. According to a new public consultation on the Commission's omnibus proposal for digital simplification, an effort will be made to "ensure the optimal application" of AI Act rules that took force 2 Aug.
In addition to clarifying aspects of the AI Act, the omnibus will target updates to third-party cookie and tracking technology rules under the ePrivacy Directive; the application of the European data strategy to small and medium-sized businesses; cybersecurity incident reporting requirements; and European Digital Identity Framework clarifications. The public comment period to address these initiatives ends 14 Oct. and the omnibus is expected to be finalized in December.
The call for feedback follows separate listening sessions previously launched and completed on EU AI, cybersecurity and data approaches.
"We need to make doing business in Europe easier without compromising our high standards of online fairness and safety," European Commission Executive Vice-President for Tech Sovereignty, Security and Democracy Henna Virkkunen said in a statement. "We want an innovation-friendly rulebook: both in the way we apply the rules, and in simplifying the laws where our objectives can be reached at lower costs and streamlined procedures. We aim for less paperwork, fewer overlaps and less complex rules for companies doing business in the EU."
In its consultation document, the Commission stated the simplification of "horizontal, and sector-specific rules" will address "complexity in implementation, fragmentation in their application at national level and misalignment in the enforcement approaches." However, the initiative also aims to address "a need for re-asserting that the EU digital rulebook is fit for purpose" and "opportunities that can be generated to boost the competitiveness and innovation of the digital sector."
Bringing 'legal predictability' to AI development and use
Under the simplification consultation, the Commission will "seek to address implementation challenges" raised by stakeholders and member states around the AI Act while working toward "facilitating the smooth interplay with other laws."
Rules and requirements for general-purpose AI systems became applicable in August. The remainder of the phased implementation will play out over the next two years, including obligations around high-risk AI systems on 2 Aug. 2027.
The Commission's consultation outline does not specify if it is taking feedback on all AI Act rules or only those that are currently enforceable. In June, a Commission spokesperson told the IAPP "all options remain on the table" with the AI Act's potential inclusion in the simplification proposal.
As Denmark assumed the presidency of the Council of the European Union July, Danish Minister for Digital Affairs Caroline Stage Olsen told Euronews the AI Act, among other digital rules, needed to be added to the simplification initiative.
"I think it's important to underline that there are no sacred cows here. We should look through all of our digital regulations and we should all, all 27 member states, look into where we can simplify (them),” Stage Olsen said.
The Commission chose simplification over "stopping the clock" altogether on its landmark regulation. The calls for a delay are still coming, with former Italian prime minister and European Central Bank President Mario Draghi the latest to urge a pause.
Draghi authored a competitiveness report for the Commission in 2024 that recommended "removing regulatory overlaps" with the AI Act. He recently told Euronews the regulation is "a source of uncertainty," pointing to ambiguity around the high-risk system obligations coming online in 2027.
"The next stage — covering high-risk AI systems in areas like critical infrastructure and health — must be proportionate and support innovation and development. In my view, implementation of this stage should be paused until we better understand the drawbacks," he said.
Data, cybersecurity wrinkles
Beyond the AI Act, the Commission's simplification plan includes many expected areas.
The effort to address cookies and tracking technologies is notable given the Commission abandoned its long-debated proposal for the ePrivacy Regulation in February. Instead, the Commission will seek targeted updates to what it deemed "outdated rules" under the ePrivacy Directive, which took effect July 2002.
"This requires pragmatic and immediate clarifications to limit consent fatigue, provide legal clarity on rightful access and processing, and enhanced data availability to businesses," the Commission stated in its consultation outline.
The proposal for SME-focused changes to the European data strategy will include relaxed recordkeeping obligations under the EU General Data Protection Regulation. The European Data Protection Board and the European Data Protection Supervisor each offered preliminary support for the changes while stakeholders initially told the Commission it was "missing the mark of genuine simplification" with its first proposal.
Broader proposals for the data strategy include amending rules on data-sharing mechanisms, including the Data Act and the Data Governance Act, that he Commission said "are often perceived as unnecessarily complex or unclear and as challenging for scaling up." Business groups and relevant national authorities overseeing the Data Act, which took force 12 Sept., raised concerns of uncertainty over balancing the applicability of the law and its inclusion in simplification.
Improvements to the transposition of horizontal and sector-specific cybersecurity incident reporting rules are also proposed, with the Commission noting the issues are "widely reported" and "immediate measures for simplifying compliance with the requirements and for the use of reporting tools are necessary."
Joe Duball is the news editor for the IAPP.
