Out-Law News Lesedauer: 5 Min.
09 Jun 2025, 3:42 pm
Major changes to the way businesses navigate and comply with digital regulation in the EU – such as rules on AI, use of data, and cybersecurity – could follow from a package of proposals put to law makers on Friday.
The “ideas” (10-page / 403KB PDF) were presented by the Polish presidency of the Council of Ministers to other EU member state governments. They include, among other things, a delay being applied to the effect of certain legislative provisions that have already been finalised – including, potentially, certain rules under the AI Act – in the same way that has happened already in the context of sustainability-related due diligence and disclosure obligations.
Further changes businesses would see from implementation of the ideas include simplified transparency obligations; reduced cyber incident notification duties; and lighter touch regulation for SMEs. Other measures envisage harmonisation of the way important concepts are defined across different pieces of digital regulation; greater coordination between regulators responsible for enforcing the various legislation; and publication of guidance to help businesses better understand how the different EU rules interact.
The proposals impact a wide range of EU digital regulation, including the AI Act and General Data Protection Regulation (GDPR), the second Network and Information Security Directive (NIS2) and the Cyber Resilience Act, as well as the Data Act, the Digital Services Act (DSA), Platform-to-Business (P2B) Regulation, and Digital Operational Resilience Act (DORA).
The Council of Ministers is one of the EU’s law-making institutions. It is comprised of representatives from the governments of each of the 27 member states in the bloc. Digital ministers from across those governments met on Friday where Poland’s proposals were presented but not discussed. The proposals derive from input received from industry.
As well as from businesses, EU policymakers are coming under increasing political pressure to reduce regulatory burdens in digital markets. The US government, for example, has called on the EU to do more to support technological innovation by companies, with many US-headquartered technology companies operating in the EU market, while Mario Draghi, the former European Central Bank president, in a report into EU competitiveness, last year urged action to reduce regulation – particularly for tech companies.
Amidst this backdrop, there is political will to act. European Commission proposals for “simplification” of the EU’s digital policy rulebook are expected to be published in the autumn, EU commissioner for tech sovereignty, security and democracy Henna Virkkunen confirmed at a press conference that followed the Council’s meeting.
The Polish proposals are the pre-cursor to those proposals being set out and could inform how they are developed by the Commission – or how the Council, when it comes to scrutinise the simplification package, responds and the amendments it might prepare.
The contents of the Commission’s simplification package could, potentially, also be influenced by the outcome of a new consultation regarding implementation of the AI Act’s rules on ‘high-risk’ AI systems, which it opened on Friday. The rules on ‘high-risk’ AI are not due to take effect until August 2026. According to the consultation, some changes to those rules are under Commission consideration – including in relation to the classification of high-risk AI systems and the obligations associated with providing, deploying, importing or distributing those systems.
The consultation closes on 18 July 2025. Commission president, Ursula von der Leyen, previously pledged to “cut red tape” in relation to AI – a pledge repeated by Virkkunen on Friday.
Virkkunen confirmed that there will be no “back-slide” from the “main objectives” of the AI Act by the Commission but said that simplification of processes and cutting of red tape, bureaucracy and reporting obligations are under consideration.
Addressing the fact that AI Act rules applicable to ‘general purpose’ AI (GPAI) models are due to take effect on 2 August this year but that a highly anticipated code of practice to support compliance with those rules has yet to be finalised, Virkkunen said she expects the code to be published in the coming weeks. She added that the Commission would ensure that further guidelines and standards anticipated under the legislation are delivered before relevant provisions addressed by those guidelines and standards take effect. Some of those provisions are due to take effect on 2 August 2025.
Wouter Seinen of Pinsent Masons in Amsterdam, who specialises in technology law, said: “The Polish proposals address a number of challenges facing businesses operating in the EU’s digital single market, including the lack of concrete guidance, best practices and technical standards to help organisations test and ensure that they comply with digital regulations.”
“As the Polish presidency has identified, governments and regulators at member state level apply their own interpretation of the regulatory requirements and expect organisations to operationalise abstract legal concepts such as ‘transparency’ and ‘privacy by design’ in their, often complicated, ecosystems. A company is, for instance, often required to explain in plain and simple terms how they have weighed the legal interests of individuals against the interests of the company and third parties when seeking to use that individual’s data. Similar simplified explanations of complex assessments of – often conflicting – interests are required under the AI Act and the DSA, without clear guidance and examples to help them.”
“On top of this, organisations are not able to seek confirmation that the compliance solution they have built meets the standards of the regulator, let alone the law. This definitive answer is only available if those solutions are challenged by a regulator or the subject of claims before the courts,” he said.
“In my view, innovation would be served if there were mechanisms for organisations to help them find a balance, in discrete use cases, between conflicting fundamental interests detailed in various regulations, as well for seeking confirmation or advice from government or regulators of the position they have taken,” Seinen added.
Frankfurt-based expert in AI regulation, Dr Nils Rauer of Pinsent Masons, said: “It goes without saying that the digital single market within the EU requires a certain level of regulation: for example, we want to have effective and efficient means to battle unauthorised and illegal content on the internet, and limit fake news and undue manipulation. Inevitably, this comes with transparency and record-keeping obligations as well as other administrative burdens. Thus, the Polish initiative is not meant to turn back the wheel to zero but is instead striving for the right level of regulation – a goal that is difficult to achieve but represents a worthy aim.”
Dublin-based technology law expert Andreas Carney, also of Pinsent Masons, added: “The sheer number of EU directives and regulations relevant to digital regulation identified by the Polish presidency is a simple indicator as to the challenges that businesses face in seeking to meet their compliance obligations. Whether sector specific or general in application, navigating the various requirements and the inevitable overlap of certain obligations is proving burdensome. At a time when Europe’s competitiveness in this area is in sharp focus, a more concise and joined up approach would no doubt help to ease that.”
Out-Law revealed in April that the mainstream emergence of DeepSeek – the Chinese open source model that the company behind claims to have developed at a fraction of the cost of other LLMs on the market, and without access to the same computing power – has spurred discussions within the Commission around classification of ‘general purpose AI’ (GPAI) models in the context of the scope of rules applicable to GPAI models under the AI Act.