The European Commission is seeking to tackle what it sees as regulatory burdens affecting businesses in the bloc. In-House Perspective assesses the proposed changes and the impact on legal teams.

The need for further growth, the tariffs being imposed by the administration of US President Donald Trump and rising energy costs are all adding to the pressure on EU Member States and their companies. In this context, the European Commission is looking for ways to assist business – and it believes that a 25 per cent cut in what it terms regulatory burdens by 2029 and a 35 per cent reduction for small and medium-sized enterprises (SMEs) is one method to do so. To achieve this, a raft of EU regulation is set to be reformed or simplified, and in some cases new legislation is being introduced.

Via the European Commission’s Omnibus package of measures – presuming it’s all approved – the scope of the Corporate Sustainability Reporting Directive (CSRD) will be reduced, while reporting obligations for the second and third waves of businesses to be affected by the legislation will be pushed back by two years. The Omnibus measures would delay implementation of the Corporate Sustainability Due Diligence Directive (CSDDD) until summer 2027, and limit due diligence requirements under the legislation to direct business partners in the value chain and the company’s own operation.

The EU’s landmark General Data Protection Regulation (GDPR) is also set to be modified with the goal of improving its ‘one-stop-shop mechanism’ and making cross-border data protection enforcement more straightforward. It’s possible there will be exemptions from some record-keeping and data protection impact assessments for micro-enterprises, too. Formal recommendations are expected from the European Commission later in 2025, with national data protection authorities set to implement these simplified processes from 2026.

The EU Listing Act came into force at the end of 2024, meanwhile, and a key aim here is to simplify the rules for companies that wish to list on public stock exchanges. There will be a relaxation of some financial reporting requirements under the MiFID II too, to be transposed by September 2025. Finally, the VAT in the Digital Age package, adopted in March, will streamline EU rules in this area to counter fragmentation and target administrative burdens for companies operating cross-border.

Competition is the main reason behind these changes, says Giovanni Lombardi, Treasurer of the IBA Corporate Counsel Forum. ‘Europe is waking up to the reality that data is the currency of progress,’ he explains. ‘When European businesses struggle to train AI models effectively due to data access limitations, while competitors in the US and Asia surge ahead, policymakers take notice.’

Multiple drivers are at work however, says Lombardi, who’s Deputy CEO of illimity Bank, based in Milan. ‘Fragmented enforcement across EU Member States has created compliance nightmares for cross-border operators,’ he says. ‘Small businesses are drowning in administrative requirements. Medical researchers can’t access vital datasets. All these real-world issues have been building pressure for reform.’

He also believes there’s been a philosophical shift in the EU. Initially the GDPR, for example, emphasised absolute control over personal data as being of the highest value, Lombardi explains. Now, he sees a growing recognition that responsible data use can serve important societal aims, whether that’s advancing medical research or developing competitive AI systems. ‘The banking sector has witnessed how data limitations can hinder our ability to detect fraud patterns or develop more personalised financial products for SMEs,’ says Lombardi. ‘That practical experience is finally filtering up to the policy level.’  

Streamlining the reporting requirements set by the CSRD and the CSDDD can decrease compliance costs, enabling companies to better focus on their primary operations, says Abhijit Mukhopadhyay, Regional Fora Liaison Officer on the IBA Corporate Counsel Forum, while he believes that the proposed revisions to the GDPR will provide clearer guidelines for cross-border data handling, greatly benefitting multinational corporations in their compliance efforts.

He adds, however, that although looser regulations may favour larger corporations, they could suppress competition and put SMEs at a disadvantage. ‘In addition, weakening GDPR regulations could jeopardise user privacy and data security, increasing the likelihood of breaches and diminishing consumer trust, while easing sustainability reporting standards could reduce transparency, making it more difficult to hold companies responsible for their environmental and social effects,’ says Mukhopadhyay, who’s President (Legal) and General Counsel at the Hinduja Group, London.

Looser rules bring real upsides in terms of cash, speed and strategic headroom, but they also shift latent cost from compliance to the litigation line, says David Gammill, Founder of Gammill Law Accident & Injury Lawyers, based in Los Angeles. ‘My courtroom docket shows that accidents, corruption and data breaches fill whatever gap governance leaves,’ he says. ‘Boards that pocket today’s savings while keeping audit, whistle-blower and supplier-monitoring systems tight will fare best.’

When lawmakers start pruning rules instead of planting them, the first risk is uneven uptake, says Benson Varghese, Managing Partner of Varghese Summersett in Texas. ‘Large multinationals will keep internal privacy frameworks that mirror the old regime, because courts in California, São Paulo or Seoul already expect that level of care,’ he says. ‘Smaller suppliers, thrilled by lighter paperwork, will scale those controls back. The gap between big company compliance and SME compliance widens, and the liability chain snaps right where plaintiffs can still find deep pockets. That means Fortune 500 companies will spend more, not less, on indemnity clauses and vendor audits. Regulatory loosening shifts cost; it seldom eliminates it.’

It’s possible that other EU rules may also be reviewed at a later date and many commentators have an idea as to where they’d like legislators to focus their attention.

Monitoring the impact of the EU Digital Services Act – which came into effect in 2024 – on online platforms and ensuring it complements existing data protection laws is crucial, says Mukhopadhyay. ‘The implementation of the second Network and Information Security Directive should also be assessed to ensure it effectively enhances cybersecurity across Member States,’ he says.

Mukhopadhyay adds that while the GDPR has established a global benchmark for data protection, recent proposals and overlapping regulations such as the EU Data Act introduce complexities that might diminish its effectiveness. ‘Conflicting requirements and possible loopholes could threaten its status as the primary framework,’ he says.

The EU regulatory framework is much like an historic Italian building, says Lombardi – solid and magnificent in design, but occasionally in need of renovation to remain functional. ‘The Payment Services Directive deserves attention,’ he believes. ‘While its open banking aims are admirable, implementation has been inconsistent, creating friction for financial service providers and confusion for consumers. For SMEs, simplification of VAT regulations for cross-border transactions would remove significant administrative burdens. The current system is a maze that small businesses struggle to navigate without expensive advisory services.’

Aspects of the current Anti-Money Laundering Directive also deserve review, he says. ‘The one-size-fits-all approach to customer due diligence does not always reflect actual risk profiles and creates unnecessary friction in legitimate business relationships,’ Lombardi says. ‘Most urgently, we need to achieve harmonisation across existing regulatory frameworks. Take artificial intelligence: we now have the AI Act, but its interplay with GDPR and sector-specific regulations remains murky at best. This creates legal uncertainty that may hamper innovation.’

As general counsel, Lombardi would especially value clearer, more consistent regulations. ‘Regulatory coherence is ultimately more important than regulatory reduction,’ he says. ‘The regulatory landscape constantly evolves, and those who navigate it daily need to be vigilant and adaptable. The best regulations protect fundamental rights while enabling progress. Finding that balance is the true challenge for European policymakers today.’