The EU’s simplification drive will dramatically alter the landmark accomplishments of recent European Commission terms, including the European Green Deal and core pillars of data protection, AI and cybersecurity laws.

The European Commission began 2025 with a clear message: its focus over the coming year, and beyond, would be on making it easier to do business in Europe.
Plans to overhaul ESG rules affecting companies were trailed in November 2024 before being published in February, although changes to more rules impacted by the shake-up are still being worked out. The proposed simplification of the bloc’s data protection, AI and cybersecurity frameworks is less advanced, and could take even longer to work out.
The commission says the proposals come in response to last summer’s Draghi Report on European competitiveness, and will “make it easier to do business in Europe.” Some critics say that simplification is a euphemism for deregulation, and that the commission has entered into a race with Donald Trump’s White House to cut regulations.
The changes, to the extent that they become law, will have ramifications for all companies that do business in Europe.
Lexology PRO breaks down what businesses need to know about the simplification drive, and what to look out for next.
ESG
What does simplification mean?
The Omnibus Directive
The European Commission published the full details of its Omnibus Directive – a long-awaited plan to merge and simplify the core pillars of its ESG framework – on 26 February.
The omnibus encompasses:
- the Corporate Sustainability Reporting Directive (CSRD);
- the Corporate Sustainability Due Diligence Directive (CSDDD);
- the EU Taxonomy Regulation; and
- the Carbon Border Adjustment Mechanism (CBAM).
Legal experts told Lexology PRO that the proposal creates uncertainty for companies and investors, but warned businesses against making any quick decisions in response to the proposal. The proposed changes include:
| | Original | Omnibus |
| --- | --- | --- |
| CSRD | All companies other than “micro undertakings” (a balance sheet below €350,000, net turnover below €700,000, employees below 10) are in scope. | Only companies with more than 1,000 employees and either a turnover of €50 million or a balance sheet of above €25 million are in scope. |
| | Companies in the second group (more than €50 million (US$53 million) in annual revenue) begin reporting in 2026. Companies in the third group (those not already included and not micro-undertakings) begin reporting in 2027. | Reporting for these groups postponed to 2028 and 2029 respectively. |
| | Sector-specific reporting standards to begin in 2026. | Sector-specific standards abandoned. |
| | Moving from requiring “limited assurance” to “reasonable assurance”. | Limited assurance of reporting only. |
| CSDDD | Requirements come into effect in July 2026. | General due diligence requirements delayed to July 2027, reporting delayed to July 2028. |
| | Due diligence obligations extend through supply chains. | Due diligence only extends to direct partners. |
| | Companies must terminate relationships with suppliers that do not improve. | Requirement removed. |
| | Breaches subject to the EU’s liability regime under the Product Liability Directive 2024. | Breaches only held accountable under national laws. Fines no longer must be linked to company turnover. |
| | Relevant stakeholders include the company's employees, the employees of its subsidiaries, and other individuals, groups, communities or entities whose rights or interests are or could be affected. | Definition only includes workers, their representatives and individuals and communities whose rights or interests are or could be directly affected. |
| | Companies must devise a net zero transition plan. | Transition plans can include actions already undertaken. |
| Taxonomy Regulation | Companies with more than 500 employees required to report on six areas of activity related to environmental impacts. | Very large companies with over 1,000 employees and €450 million in revenue are able to opt-in to reporting. |
| | Extensive reporting on activities covered in the Regulation. | Reduction of data points by 70%. |
| CBAM | All companies importing to the EU are subject to the tax according to whether their imports would be subject to the Emissions Trading Scheme (if they were produced in the EU). | Only companies importing goods with a mass-based threshold of 50 metric tonnes per year are in scope. |
Supplementary guidance and regulations
The re-opening of the EU’s core sustainability rules will have knock-on effects for guidance and regulations that support the implementation of the core directives, such as the European Sustainability Reporting Standards (ESRS).
In late March, the commission tasked the European Financial Reporting Advisory Group (EFRAG) with providing technical advice for the adoption of a delegated act to revise and simplify the ESRS.
The SFDR
The commission is due to review the Sustainable Finance Disclosure Regulation (SFDR), which requires ESG disclosures from investors, by mid-2025, although this is set to be postponed to take account of negotiations over the Omnibus Directive. The proposal is expected to reflect the detailed proposals published in December 2024 by the EU Platform on Sustainable Finance, including the creation of a new “transition” category for investments.
State aid
Competition commissioner Teresa Ribera has promised changes to the EU’s state aid rules to accelerate renewable energy and industrial decarbonisation. The commitment came as part of the EU’s “clean industrial deal” announced by the commission alongside the Omnibus Directive in February, in part to show how the EU will reach its green goals while watering down its sustainability rules.
The Deforestation Regulation
On 15 April the commission announced that the Deforestation Regulation (EUDR) will also be encompassed by its simplification drive. The EUDR contains stringent due diligence requirements for businesses importing to the EU and was the subject of fierce debate in both the EU Parliament and Council last year.
In December 2024, the EUDR’s implementation was delayed. It will now come into effect on 31 December 2025 for large businesses, and six months later for SMEs.
The simplification is designed to make compliance easier for businesses and reduce their reporting responsibilities. Rather than demonstrating each import can be traced to its origins, for example, companies will be able to submit an annual report demonstrating how their imports comply with the due diligence requirements.
What stage has simplification reached?
The EU paused the CSRD and CSDDD on 17 April for two years, to allow for the omnibus to be negotiated and passed. It aims to expedite the negotiations, but will face a fight in the European Parliament.
In a brief debate on whether to allow the pause to go ahead, Manon Aubry, an MEP for the Left parliamentary group, said the move was a “disgrace.”
“It was the companies and their lobbies who are damaging the planet and harming people who asked for this [delay] and who you are acting on behalf of. It’s a scandal,” she said.
An MEP for the European People’s Party, which lobbied for the omnibus, said SMEs desperately needed greater clarity and breathing room to “make Europe competitive again.”
The omnibus proposal has also been the subject of fierce criticism from campaigners and some business groups, some of whom have questioned whether the rushed process has been compliant with EU law.
ClientEarth warned the Commission on 6 February that the lack of consultation around the omnibus could breach EU law.
So far, the commission has invited external feedback on the proposal only once. Lexology PRO revealed that energy giants ExxonMobil and Total Energies were among the companies invited to behind-closed-doors meetings to discuss the ESG overhaul, in a process heavily criticised for failing to meet transparency standards.
The commission also admitted that it had not conducted an environmental impact assessment, which could provide more grounds for challenges.
What to look out for next
All of the omnibus proposals will need to be negotiated and approved by the European Parliament and EU member states before coming into effect and there is not yet a timeframe in place for this process. The commission has said it hopes to fast-track the process, and expects to begin negotiations quickly, now that the CSRD and CSDDD have been formally paused.
Proposed changes to state aid rules are due to be published by June. A draft delegated act on reforms to the EUDR is open for consultation until 13 May, although there is not yet a timeframe for taking the reforms forward.
EFRAG has launched a public consultation on potential ESRS revisions and is expected to deliver its technical advice by the end of October, while SFDR reforms are expected to be published in Q3 2025.
Data and digital
What does simplification mean?
The commission has announced plans to simplify the GDPR, AI Act and Cybersecurity Act, although there are not yet precise details on what this will entail. There are currently open consultations on the programme for the Cybersecurity Act and a call for views on the AI Act, which give a sense of the commission’s priorities in those areas. But information on the intent for the GDPR is limited to commissioner Michael McGrath’s statement on 13 March that it would be focused on record-keeping obligations for SMEs.
The drive for simplification of digital legislation was clarified in a commission communication in February 2025. Among other aims, it expanded the ambition to reduce reporting burdens by at least 25% for all companies and 35% for SMEs to apply to a baseline of all administrative costs.
AI Act
The commission’s call for evidence on the AI Act lists Brussels’ main objectives in revisiting the legislation:
- “Fostering the integration of AI technologies in the EU’s leading strategic industrial sectors”;
- “Unlocking the potential of innovation and enabling EU companies to be global AI front runners”; and
- “Fostering the integration of AI solutions in the public sector to substantially improve the quality of services provided to the public”.
It identifies several perceived issues with the current state of AI in the EU: the fact that most AI development takes place in other jurisdictions, that EU enterprises are dependent on foreign technology, that companies – particularly SMEs – are behind in AI adoption, and a lack of private investment in AI.
The call for evidence will inform an ‘Apply AI strategy’, which is itself a part of the broader “AI Continent Action Plan”. That plan will cover a range of undertakings including investment in computing infrastructure and developing AI skills, but its aim for regulatory simplification is so far limited to the launch of an ‘AI Act Service Desk’ to “serve as the central point of contact and hub for information and guidance” on the law.
The extent to which there will be further regulatory streamlining may depend on the outcome of the call for evidence. Dutch start-up PassiveLogic, for example, suggested in its submission that the commission could establish certification and “safety pathways” for AI systems operating in sensitive infrastructure like data centres – a move which the company said would help “[ensure] regulatory clarity without stifling innovation”.
The call for evidence is open until 4 June.
GDPR
Details on what simplification of the GDPR will look like are even more scarce. In the announcement of the GDPR’s inclusion in the upcoming Omnibus Simplification Initiative, made in an interview with the Center for Strategic & International Studies, commissioner McGrath said only that the review would be focused on “record-keeping for SMEs and other small and medium-sized organisations with less than 500 people. We will be examining in what ways we can ease the burden on smaller organisations in relation to the retention of records while at the same time preserving the underlying core objective of our GDPR regime.”
Organisations employing fewer than 250 people are already exempt from the GDPR’s requirements to retain records of processing activities, with certain exceptions such as special category data.
There are already some third-party proposals for what a more radically simplified GDPR could look like. MEP Axel Voss, who was the EPP Group’s rapporteur for the GDPR in 2016, has already put forward a proposal for a new three-layered version of the data protection law.
This would involve a ‘GDPR Mini’ layer for businesses which process personal data from fewer than 100,000 data subjects – which Voss claims covers 90% of all businesses – involving simplified transparency obligations and administrative fines capped at €500,000. This would be followed by a ‘GDPR Normal’ layer for the next tranche of companies and those processing sensitive data and a ‘GDPR Plus’ layer for the largest companies, online advertisers and data brokers.
“My proposal is not about weakening the high EU privacy standards. It is about making the GDPR smarter, more enforceable, and more proportionate. In line with the Draghi report, it would significantly reduce red tape for most EU companies and immediately increase our competitiveness in the digital field,” Voss said in a post on social media.
Other senior figures have made their own ambitious suggestions for reform over the years. Didier Reynders, the commissioner for justice preceding McGrath, has called for the biggest data protection cases to be handled centrally by the European Data Protection Board (EDPB) rather than relevant member state authorities. Despite Reynders’ exit, the proposal still has support within the commission.
Meanwhile Renate Nikolay, deputy-director general for communications networks, content and technology at the commission, has bid for the constituent parts of the long-debated – and since officially withdrawn – ePrivacy Regulation to be folded into the GDPR.
Cybersecurity Act
Of all the modifications to the digital acquis, mooted changes to the Cybersecurity Act are the most advanced. On 11 April the commission opened a consultation on proposed changes to the law, noting the “significant” evolution of the cybersecurity landscape in the five years since its passing and subsequent legislation changing and expanding the role of the EU Agency for Cybersecurity (ENISA).
The suggested changes are therefore focused on two main areas: updating the mandate of ENISA to better reflect its new role and the modern state of cybersecurity, and improvement of the European Cybersecurity Certification Framework. Adjustment of the latter is targeted at the adoption process, the framework’s effectiveness, the various roles of those involved, and clarity on the risks which the certification covers.
The commission outlined four policy options for feedback:
- Maintaining the status quo – no change to the CSA;
- Non-legislative measures in the area of: (i) the ECCF to improve efficiency of the development and implementation of schemes, and (ii) reporting obligations and other cybersecurity measures, such as clarification or further specification;
- Targeted regulatory intervention: it could consist of targeted changes to better reflect the mandate of ENISA by adding the tasks already provided for in other legislative acts. Regarding the ECCF, it could consist of targeted changes to clarify the framework and to formalise procedures regarding the maintenance phase of certification schemes. It could also include targeted amendments to simplify reporting obligations; or
- Repealing the CSA and proposing a comprehensive regulatory intervention that would aim at: strengthening the mandate of ENISA and its role in the cybersecurity ecosystem, improving efficiency of the ECCF, extending its scope and addressing ICT supply chains security challenges, including non-technical risk factors. It would also simplify reporting obligations and potentially cybersecurity measures.