Digital Omnibus: The EU Commission is ready to rewrite the rules on AI, data, and cybersecurity.

On July 9, 2025 , European Commissioner for Economic Affairs Dombrovskis announced a review of EU legislation on AI , cybersecurity, and data protection, as part of the Digital Omnibus package, for next November. The European Commission's stated goal is to simplify the regulatory framework while also taking into account the views expressed by technology companies.

A pragmatic choice

Both the structure of the AI ​​Regulation and the content of the implementing acts , and in particular the code of conduct for companies in the sector , had raised considerable concern (for various reasons) among operators and NGOs active in the field , particularly regarding issues related to copyright and transparency, leading to calls for a postponement of the entry into force of the AI ​​Regulation . The implementation of cybersecurity regulations and directives has also not been entirely straightforward, given that, for example, the so-called "NIS2"—which specifically addresses critical infrastructure —has yet to be fully implemented in the EU , and even in Italy, the National Cybersecurity Agency has decided to give companies more leeway by postponing the deadlines for certain requirements .

The promise of a new approach to regulation

An important aspect of the European Commissioner's statements concerns the true significance of the commitment to listening to the business world in determining regulatory content.

Currently, discussions between the EU, industry, and civil society are already ongoing, manifested through participation in public consultations launched by the European Commission, the submission of position papers , and the organization of formal meetings. It will therefore be interesting to understand how this cooperation will be increased or better considered, and above all, whose positions will be taken into account. In other words, given the geographical distribution of the relevant markets, the Commission's openness could allow for even more significant intervention by Atlantic and Eastern Big Tech companies, if not in policy decisions, then in their implementation. The issue, in other words, is how to prevent the need for simplification from becoming—or causing—de facto deregulation , despite the Commission's commitments not to negotiate down the level of protection for citizens and businesses.

Current obligations remain in force

Finally, it's important not to get carried away by easy enthusiasm and decide to postpone the formal and substantive requirements required by the regulations currently in force.

The announcement of the simplifications is certainly good news, but it's not yet known which legislative acts will be amended. Therefore, pending the adoption of the various measures, all current obligations under the regulations are still fully in force, and non-compliance may result in penalties.