ACT welcomes the European Commission’s initiative to simplify and consolidate the current EU digital framework. This objective reflects the calls made by both Draghi and Letta reports to ensure a legislative environment that can support small and medium-sized enterprises (SMEs) and startups to grow.

The current digital and data acquis has experienced a substantial increase during the past 10 years, with the introduction of several legislative developments that have a direct impact on small companies. We believe that simplification is the key element that will help European companies to scale and grow cross-border, by making compliance workable, predictable, and proportionate. In this respect, the Digital Omnibus represents an important step forward to ensure tangible benefits.

For these reasons, ACT shares the ambition of new simplification measures, concretely:

Download the Position Paper

• Targeted simplification and streamlining measures can reduce compliance burdens for SMEs and startups developing artificial intelligence (AI) systems.
• Clear guidance on classification, risk assessment, and conformity procedures is essential to enable smaller companies to innovate confidently.
• Proportionate obligations that account for company size and risk level will help ensure the AI Act does not create insurmountable barriers to entry for European AI developers.
• Harmonised implementation across Member States is critical to prevent fragmentation and
  ensure a level playing field.

• Clarifying GDPR obligations for SMEs, including definitions of personal data, pseudonymisation criteria, and proportional responses to abusive data requests reduce overcompliance and legal uncertainty.
• Risk-based adjustments to personal data breach notifications, including high-risk thresholds, extended deadlines, and common templates, improve predictability and reduce administrative burdens for SMEs.
• Harmonised data protection impact assessment requirements and consistent guidance across the EU addresses fragmentation, lowering compliance costs and enabling SMEs to focus resources on effective data protection.
• Clear rules on AI-related data processing, including the use of legitimate interests and narrowly tailored exemptions for special category data, support responsible innovation while maintaining robust consumer safeguards.

• The consolidation of the Free Flow of Non-Personal Data Regulation, the Data Governance Act, and the Open Data Directive within the Data Act, will reduce fragmentation and improving legal clarity.
• Strengthened protections for trade secrets with a clearer risk-based approach to international data sharing are essential to preserve investment incentives.
• More clearly defined thresholds for public-sector access to private data improve predictability and limit disproportionate requests.
• Increased flexibility for cloud users and providers, particularly through eased switching requirements for SMEs, addresses longstanding concerns about feasibility and compliance costs.
• Further clarification is needed on how data holders should assess and demonstrate risks related to third-country access to prevent legal uncertainty.

• The creation of a Single Reporting Mechanism operated via ENISA will allow companies to fulfil incident reporting obligations under multiple EU legal acts through a single entry point.
• Streamlining cookie consent requirements and introducing machine-readable user preferences under the revised e-Privacy Directive will reduce compliance costs while improving user experience.
• The repeal of the Platform-to-Business Regulation is a positive step toward reducing regulatory overlap, as its objectives have been largely overtaken by newer digital laws.

The Digital Omnibus is a welcome and necessary initiative to rationalise the EU digital framework. By consolidating overlapping instruments and streamlining compliance processes, it has the potential to create a more navigable regulatory environment that supports innovation and cross-border growth.

ACT strongly supports the Commission’s efforts to simplify data regulations, establish a Single Reporting Mechanism, streamline cookie consent requirements, and repeal redundant legislation. These measures respond directly to longstanding concerns raised by the startup and SME community about regulatory complexity and compliance costs.

The interaction between different legal frameworks, particularly between the GDPR and the Data Act, requires further clarification to prevent legal uncertainty and overly conservative compliance strategies that discourage beneficial data sharing. Clear, practical guidance with concrete criteria for risk assessment, including safe
harbours and standardised tools, would enable startups to make confident compliance decisions without extensive legal resources.

Across all areas, AI regulation, data protection, data sharing, and incident reporting, the key challenge is ensuring that simplified frameworks are practical and proportionate for SMEs. This means going beyond legal consolidation to provide accessible implementation tools, harmonised standards, and flexibility that accounts for differences in company size and capacity.

We also encourage the inclusion of robust monitoring and review mechanisms to assess the real-world impact of the Digital Omnibus on data sharing, competition, and innovation. Such mechanisms would allow for timely adjustments where objectives are not being met or unintended consequences arise.