Brussels, 10 October 2025
FERMA has published its response to the European Commission’s call for evidence on the Digital Omnibus, a key initiative aimed at simplifying and streamlining the EU’s digital regulatory framework.

On 16 September, the European Commission launched a call for evidence on the Digital Omnibus. The Digital Package on Simplification will be a first step in ‘stress-testing’ the EU digital rules. First, it will focus on immediate adjustments with the Digital Omnibus in areas where the regulatory objectives can be achieved at a lower administrative cost for businesses, administrations and citizens. More precisely, the Digital Omnibus is likely to include measures targeting problems and seeking simplification in the following areas:
- The data acquis (Data Governance Act, Free Flow of Non-Personal Data Regulation, Open Data Directive).
- Cybersecurity-related incident reporting obligations.
- The smooth application of the AI Act rules.
Cybersecurity has always been a key concern for FERMA members. Our 2024 Global Risk Manager Survey reveals that cyberattacks are the number one threat for risk managers in the short term (whereas data breach ranks as the fifth most concerning threat).
FERMA welcomes this package as a positive signal for companies. Indeed, the proliferation of EU cybersecurity regulations has resulted in substantial complexity and overlapping requirements, often diverting organizational resources from genuine security enhancement toward compliance administration. The proliferation of regulations such as the General Data Protection Regulation (GDPR), the Network and Information Systems directive (NIS2), the Digital Operational Resilience Act (DORA), the Cyber Resilience Act (CRA) and, more recently, the AI Act has created a complex regulatory ecosystem with often overlapping cybersecurity requirements. This fragmentation not only imposes a significant administrative burden, diverting resources from actual security strengthening to compliance management, but also introduces inconsistencies in incident reporting obligations and deadlines. A cyberattack on a high-risk AI system in critical infrastructure, for example, could trigger simultaneous reporting obligations under NIS2, the AI Act, and GDPR (if personal data is compromised).
This complexity increases the risk of non-compliance and may discourage proactive incident reporting.
Therefore, we firmly believe that a more comprehensive strategic approach is required. Consolidation that is not limited to ‘cutting red tape’ is also essential. This strategic approach must be holistic and harmonise risk management frameworks to prevent each regulation from imposing its own model. FERMA therefore stresses that the awaited “Digital Omnibus” must focus on the following areas:
- Simplify the EU cyber legislative framework to make it more practical and better aligned with good risk management practices.
- Ensure greater consistency between different pieces of legislation, notably when it comes to reporting cyber incidents.
- Further enhance proportionality measures, notably for SMEs.
- Develop better governance through a more streamlined compliance structure and enhanced technical standards.