Measures included in the digital package aim to cut red tape through “digital by default” services and applying the “once-only” principle, which will mandate public sector bodies across the EU to reuse citizen and business data instead of requiring it to be provided separately to different agencies.
On 16 September 2025, the European Commission (EC) launched a call for evidence to collect research and information on best practices for its upcoming digital package. This is a new round of feedback and follows earlier consultations on data regulation, cybersecurity rules, and the implementation of the Artificial Intelligence Act (AI Act).
As the EC announced in the Communication on A Simpler and Faster Europe, the digital package will include measures to address “over-regulation” and promote “simplification” of EU rules on data, cookies, cybersecurity incident reporting, and implementation of the AI Act. Backed by public consultations, the digital package aims to modernise digital regulation and reduce compliance burden for businesses.
The digital package is expected to respond to stakeholders’ calls for “consistent application of the rules and legal clarity”. According to the EC, the digital package will focus on immediate adjustments in areas where “it is clear that regulatory objectives can be achieved at lower administrative cost for businesses, public administrations, and citizens”.
In recent years, multiple horizontal and sector-specific legislative instruments have been adopted, creating complexity in implementation, fragmentation at the national level, and divergent enforcement approaches. At the same time, there is a need to ensure the EU’s digital regulation remains relevant amid rapid socio-technical change.
It is hoped that a fit-for-purpose digital package will boost competitiveness and innovation within the EU’s digital sector and digitally-enabled industries and services. The digital package forms part of the EC’s competitiveness agenda to “cut administrative burden by at least 25% for all companies and at least 35% for small and medium-sized enterprises”.
Henna Virkkunen, the EC’s executive vice-president for tech sovereignty, security and democracy, said that conducting business in Europe needs to be easier “without compromising the high standards of online fairness and safety”. The intention is to have “less paperwork, fewer overlaps and less complex rules for doing business in the EU”.
Scope of the digital package
The digital package will target problems in the following areas:
- Data acquis (Data Governance Act, Free Flow of Non-Personal Data Regulation, Open Data Directive). The review of the existing EU legislation aims to reduce rules and fragmentation in their application across the EU. The review will likely align terminology with existing EU law, adjust for sector-specific rules, and introduce targeted reforms.
- Cookies and other tracking technologies (ePrivacy Directive). The objective is to “limit cookie consent fatigue”, strengthen users’ online privacy with clear information and options for managing cookies, and make it easier for businesses to use other tracking technologies and increase data availability. The digital package will “potentially include modernised rules on cookies”.
- Cybersecurity incident reporting.“The review of the Cybersecurity Act and clarification of the mandate of the EU Agency for Cybersecurity” aims to minimise costs for businesses by streamlining reporting processes. Key measures could include harmonising reporting timelines, creating a single reporting template usable across the Network and Information Security Directive, the Cyber Resilience Act, the General Data Protection Regulation and other frameworks, and enabling a unified EU reporting platform.
- Smooth application of the AI Act. The objective is to ensure predictable, effective implementation aligned with the availability of the necessary support and enforcement structures.
- Electronic identification and trust services (European Digital Identity Framework). The intention is to align with the forthcoming EU Business Wallet proposal and apply the “one in, one out” principle—where every new regulatory obligation will result in removing an old one.
Consultation and call for evidence
The proposed digital package is informed by the initial three rounds of stakeholders’ feedback, multiple position papers, and additional interactions throughout 2025. This new call for evidence invites stakeholders to share their views, expertise, and evidence relevant to the proposal. Submissions previously provided in topic-specific consultations are being assessed and do notneed to be resubmitted.
Feedback in response to the call for evidence can be provided via the following link before 14 October 2025.
Simon Sepesi contributed to this article