On March 13, 2025, the Commissioner for Democracy, Justice, the Rule of Law and Consumer Protection, Michael McGrath, confirmed that the Commission is considering simplifying the GDPR with a view to reducing the burden on smaller businesses.  This statement aligns with the Commission’s broader goal of simplifying the EU digital framework.

The Digital Package

On February 11, 2025, the EU Commission published the 2025 Commission Work Programme.  In accordance with the Competitiveness Compass published in January 2025, the Commission included initiatives regarding simplifying and effectively implementing EU law among the goals for 2025.  The first action in this direction has been the “Omnibus packages,” presented on February 26,  2025, which aim to simplify rules relating to sustainability and EU investments.

Similar developments are expected in the area of digital policy.  The Commission Work Programme includes a “Fitness check on the legislative acquis in the digital policy area” and a “Digital Package,” both planned for Q4 2025.  According to the Commission communication on implementation and simplification, the Digital Package will include the review of cybersecurity legislation and its related reporting obligations, alongside other digital legislation that the fitness check on the legislative acquis in the digital policy area deems necessary to amend between, among others, the General Data Protection Regulation, the Data Governance Act, the Data Act, the Cybersecurity Act, the Cyber Resilience Act, the EU Chips Act, and the Artificial Intelligence Act. 

GDPR

On March 13, 2025, Commissioner for Justice Michael McGrath further confirmed on a livestreamed interview that the GDPR will undergo a simplification process.  According to Commissioner McGrath, the simplification will focus on record-keeping obligations for SMEs and other small and medium-sized organizations with less than 500 people while maintaining the core principles of the GDPR.  These anticipated amendments differ from a separate set of changes focusing on the GDPR enforcement procedures (see our blog here), which are currently being negotiated.

*          *          *

The Covington team will continue to monitor developments on these proposals, and we are happy to assist clients if they have any queries.

(This blog post was written with the contributions of Alberto Vogel).

Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty…

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.

Read more about Kristof Van Quathem
Show more Show less