Making the EU's digital regulatory reset count: Four recommendations

The EU digital rulebook has grown rapidly in recent years, becoming cumbersome and sometimes hampering trade. The forthcoming digital regulatory package is an opportunity to simplify the rules.

Over the years, the EU has introduced new rules at a fast pace, often with laudable goals such as improving security, safeguarding competition or promoting sustainability. Today, however, EU companies face increasing regulatory hurdles because of the many regulations, which mandate reporting requirements that are sometimes both cumbersome and costly. As the landmark Draghi report rightly identifies, overregulation has become a barrier to European competitiveness.

In response, the European Commission is in the process of introducing several so-called omnibus packages, aimed at simplifying regulation by reducing reporting requirements. This insight outlines four considerations for the EU’s digital package – a regulatory simplification package that is expected this Autumn – and the results it should deliver to strengthen the EU digital economy. 

Background

The digital economy has been heavily affected by the cumulative burden of EU regulations. A Bruegel mapping exercise from 2024 identifies more than 100 different digital regulations for areas such as cybersecurity, e-commerce and data that companies operating in the EU now face. In concert, companies often note, these regulations can create a complex and costly web of overlapping reporting requirements, and limit their ability to innovate. Moreover, several of these rules allow for fragmentation across the single market, with different implementation in different member-states. 

The digital economy has been heavily affected by the cumulative burden of EU regulations.

It is therefore commendable that the Commission has begun addressing regulatory complexity, including in the digital economy. For example, it recently proposed to reduce the need for mid-sized companies, in addition to smaller companies, to keep records under the General Data Protection Regulation (GDPR). However, in the face of the challenges to EU competitiveness, proposals such as these fall short of giving European companies the freedom they need to innovate, trade and grow. 

That is why the ‘Digital Package’, announced in the Commission’s most recent work programme and expected for Q3 2025, is so important. If executed properly, the digital package could become the start of a process to remove regulatory overlaps, reduce the compliance burden and address the single market fragmentation that is currently hampering the digital economy. A proper review – and revision – of the EU digital rulebook could significantly improve conditions for European companies in their home market. Moreover, it could boost the EU’s position in global digital trade by improving European companies’ productivity and reducing restrictions on cross-border digital transfers into and out of the Union. That would be no small step towards the goal of improving overall competitiveness, given that digital trade currently makes up a quarter of global trade and that the EU is a world leader in digital services trade – meaning that this is an area where it has a comparative advantage. 

To improve competitiveness in the digital sector, the EU should take the following steps: 

1. Get the basics right: Remove regulatory overlaps, eliminate excessive reporting requirements and address fragmented implementation

A natural start for simplification is mapping and eliminating the regulatory overlaps that companies now face between numerous digital rules. One such area is cybersecurity, where a number of horizontal and sectoral rules mean that a single company may have to report on similar issues to several authorities. The business organisation Digital Europe reports that compliance costs in this field alone amount to at least €60 billion a year. Consolidating rules and setting up ‘one-stop shop’ reporting could eliminate these overlaps and thereby reduce the cost for firms. 

Another important priority is removing excessive regulatory requirements that harm the competitiveness of EU firms. A report from the Swedish National Board of Trade that compiles evidence on effects of the GDPR illustrates the detrimental effects rules can have when they become too complex. On the one hand, the GDPR protects citizens’ personal information, which, apart from being important in itself, can also increase consumer trust in digital markets. On the other hand, the regulation has a suboptimal design which means it hurts firms’ performance by imposing costs, decreasing revenue and thereby harming profitability. On average, after the introduction of the GDPR, the profit margins of data-intensive firms in the EU were estimated to increase by 1.7 to 3.4 percentage points less than the profit margins of US counterparts. The regulation has also reduced certain economic activities of importance to the digital economy over the past decade: it has had a negative effect on website page views, website revenue and apps. It has also reduced EU companies’ data storage and processing, both of which are important and will likely become even more important in the age of AI. Finally, venture capital funding and investment in tech firms fell when the GDPR was imposed. 

One common rule is better than 27 different ones, but EU rules continue to be implemented differently across member-states.

Finally, one common rule is better than 27 different ones, but EU rules continue to be implemented differently across member-states. This is often true for directives, where EU members engage in ‘gold-plating’ – taking a more stringent approach than EU law requires. But the interpretation of regulations such as the GDPR also differs across (and sometimes even within) member-states, effectively creating a costly patchwork for companies operating in the single market. This problem urgently needs to be addressed for many digital rules. One solution is to continue strengthening co-ordination across implementing agencies in EU countries, as well as granting a stronger role to EU agencies (such as the European Data Protection Board, in the case of the GDPR). An even better solution, albeit one that is more challenging politically since member-states are not usually keen on giving up competences to the EU, would be to centralise the enforcement of digital rules completely by moving enforcement from member-state agencies to EU agencies. 

2. Put revision on the table: Simplification requires change

In initiating its simplification agenda, the Commission has shown that it has taken long-standing concerns of industry seriously, and that it wants to address existing competitiveness hurdles. At the same time, the Commission needs to balance this with the legitimate interest in regulating risks to security, integrity and the environment. It also needs to ensure that it does not back track on regulation in a way that increases regulatory uncertainty or compliance costs for firms because they need to adapt to new rules again.  

Delivering results for competitiveness will require tough choices to rebalance the various societal interests that underpin regulation. In this sense, the importance of competitiveness and trade appear to have been underestimated. That is why it is worth reflecting on repeated statements by Commission officials that “simplification does not mean deregulation”. While simplification should not lead to drastic changes, such as the removal of long-standing principles of EU regulation, it is likely to require amending substantive rules. One example of a rule that should be revised is the GDPR, the results of which have been outlined above. While data protection will continue to remain an essential interest in the EU and the GDPR will help protect that interest, policy-makers must move beyond ‘cutting red tape’ to actually revising the GDPR. The regulation needs to allow for more flexibility in the negotiation of data transfer mechanisms and internationally standardised approaches to data regulation, allowing data to flow freely between the EU and more of its trading partners. Additionally, the GDPR needs to be implemented and interpreted in the same way throughout the EU.

3. Do not leave certain rules unscrutinised in the name of regulatory autonomy  

In his costly trade war on Europe and other US allies, Donald Trump has tried folding issues from security to domestic regulation into negotiations for tariff relief. Digital regulation has not been spared from the trade threats of the current US administration, which has pressured the EU over rules such as the Digital Markets Act (DMA) and Digital Services Act (DSA). The Trump administration claims that these rules deliberately harm US companies.

In response to such external pressure and tariff threats, Commission officials have insisted that enforcement of rules such as the DMA and DSA is not on the negotiating table. This is important, because as a democratic entity governed by the rule of law, the EU should neither increase nor decrease enforcement of its laws in response to external tariff threats. 

But besides the radical tariff agenda of the current US administration, transatlantic disagreements over how to regulate the digital economy are in fact long-standing, and US dissatisfaction with certain EU regulations is often bipartisan. More importantly, initiating a simplification agenda should entail recognition that certain rules in the EU’s rulebook may be suboptimal in design. Therefore, while maintaining regulatory autonomy from US tariff threats is important, it should not lead the EU to leave some of its digital rules unscrutinised or immune to internal revision. For example, it is worth asking if enforcement of the DMA should reside with the European Commission rather than an independent agency, given that separation of powers is desirable. It is also worth reviewing to what extent the DMA differs from similar laws in important trading partners such as the United Kingdom, given that both the effectiveness of the regulation and its impact on digital trade would benefit from a standardised and interoperable approach. 

While maintaining regulatory autonomy from US tariff threats is important, it should not lead the EU to leave some of its digital rules unscrutinised or immune to internal revision.

4. Evaluate the Brussels effect to future-proof digital rule-making 

An important piece of the puzzle missing in the EU’s simplification debate is the need to review the so-called ‘Brussels effect’ – the idea that the EU has the regulatory capacity and a market size that allows it to set standards for the rest of the world. While there is some evidence for this, experience suggests that for tech the effect is more limited than sometimes perceived. This because relatively few countries have bought into the EU’s digital rulebook wholeheartedly. 

For example, if many countries had adopted GDPR-like rules, the EU should have a large number of so-called adequacy decisions that allow for data transfers to jurisdictions with data protection rules deemed sufficiently similar to the GDPR. However, the EU has only finalised 16 adequacy decisions. Excluding territories that are European microstates, member-states of the EEA or overseas dependencies of current or former EU member-states, the number of jurisdictions with an adequacy decision drops to eight out of the hundreds in the world. Meanwhile, in the Asia-Pacific region, where purchasing power is rapidly growing, a standardised approach to data protection is being developed without the EU’s participation. 

Some scholars have argued that the EU’s swift adoption of new rules stems partly from a strong belief in the Brussels effect. This because EU policy-makers prioritise being the first to regulate emerging digital domains, in order to cement the EU’s role as the global standard-setter. That means the drive to regulate partly operates independently of factors such as societal demand or legislative timing, because establishing universal standards has become a central EU goal in itself. This stance could continue to drive some of the costs of over-regulation that the simplification agenda is trying to address. 

Over time, the EU’s share of the global economy has decreased – a process that is likely to continue as more low- and middle-income countries become richer. With this development, the relative market power underlying the Brussels effect will continue to wane over time. A previous CER insight argued that this decline in the Brussels effect has not affected digital regulation as much, in part because the EU’s share of digital services imports has grown over the past decade. However, in the digital field, as in others, the EU’s relative influence will naturally shrink as more countries become richer and start consuming more digital products, thereby increasing their market influence. The EU’s decrease in relative market power might be mitigated if it strengthened its single market, for example, by improving conditions for digital trade. However, all other things being equal, the EU’s digital trade performance will increasingly depend on its ability to converge with other countries on digital policies, at least partly by being more willing to compromise. 

Over time, the EU’s share of the global economy has decreased – a process that is likely to continue as more low- and middle-income countries become richer.

It would therefore make sense to consider whether revising certain digital rules could help to standardise a regulatory approach across jurisdictions with which the EU has digital trade agreements, digital partnerships or trade and technology councils (such as Japan, Singapore and South Korea). That should also include countries with which it is about to negotiate a digital trade chapter as an expansion to existing free trade agreements (such as Canada), as well as wider formats such as the Data Free Flow with Trust discussions in the Organisation for Economic Co-operation and Development. 

Conclusion 

The forthcoming digital package presents an opportunity for the EU to recalibrate its digital regulatory framework to support competitiveness, innovation and international coherence. To contribute effectively to EU competitiveness, simplification must extend beyond administrative adjustments, and include regulatory revision, consolidation and enhanced co-ordination across the single market. 

Safeguarding the EU’s regulatory autonomy should not preclude critical reflection on the design and impact of existing rules, particularly where evidence indicates unnecessary economic costs or suboptimal design. Moreover, sustaining the EU’s role in global digital trade will require greater interoperability with key international partners. A streamlined, coherent and future-oriented digital rulebook could bolster the EU’s position as a competitive, resilient and globally relevant digital economy. 

Hannes Berggren is a trade policy advisor writing independently for the CER.