
Digital Regulation at a Breaking Point

What Europe's compliance maze means for your business.

Europe's digital regulation experiment worked. It was ambitious and principled. But now the experiment has outgrown the lab.

In less than a decade, the European legislature has produced more than 100 legal acts targeting the digital sector: GDPR, the AI Act, the Data Act, the Cyber Resilience Act, NIS-2, DORA, the Digital Services Act, the Data Governance Act [1]… and the list keeps going. The regulatory puzzle, at this point, can no longer be assembled.

Here's how to think about it.

Recognize the Weight of What's Been Built

Some of these regulations have had enormous international influence. The GDPR reshaped global privacy standards. The AI Act is the first comprehensive framework of its kind. European lawmakers have met the digital revolution with real legislative energy.

But this energy has also produced an impenetrable web of obligations. Companies across Europe are calling for a regulatory pause. Not because they reject regulation, but because they need time to comply with what already exists. The compliance burdens triggered by overlapping rules are causing overload, and some rules are being overtaken by reality before they're fully implemented. What's well-intentioned doesn't always hit its target. Instead, it increasingly drives up costs and crowds out space for innovation.

Spot the Overlaps Before They Spot You

A textbook example: Data Protection Impact Assessments under Article 35 GDPR and Fundamental Rights Impact Assessments under Article 27 of the AI Act. Both are triggered by the same activities. Both require substantial documentation. But they differ in scope and procedural rules. If your company is deploying an AI system that processes personal data, you're running two parallel assessment tracks that don't talk to each other.

The same duplication plays out in cybersecurity. The AI Act, the Cyber Resilience Act, NIS-2, and DORA each impose their own compliance obligations. Often on the same company, for the same systems. The European Parliament's own research service has confirmed that this regulatory complex leads to parallel documentation, conflicting requirements, absent mutual recognition, and fragmented enforcement. [2]

For general counsel, the practical takeaway is uncomfortable: compliance with one regulation does not guarantee compliance with the next, even when the subject matter is nearly identical.

Understand Who Actually Pays the Price

The effects of regulatory density are not distributed evenly. Large multinationals have the resources to staff up compliance departments and find the gaps in the regulatory thicket.

Smaller European market participants, by contrast, lack the headcount and the institutional infrastructure to navigate a regime this complex. The result is a competitive distortion running in exactly the wrong direction: European regulation, designed in part to level the playing field, ends up tilting it toward larger foreign players. The Commission acknowledges the problem directly:

"SMEs in the EU are struggling to understand and navigate the complex panorama of digital and green legislation at national and European level." [3]

European Commission

Watch the Fragmentation Layer

Even within the same legal framework, enforcement varies dramatically across Member States. Opt-outs, gold-plating, divergent interpretations, and inconsistent enforcement levels mean that a company operating in multiple EU jurisdictions may face materially different compliance expectations depending on where it does business. The idea of a unified internal market — which, by the way, is the foundational concept of the EU — is being undermined from within.

Know What's Coming Next

The European Commission responded in November 2025 with the Digital Omnibus Package. It's a legislative initiative aimed at consolidating overlapping digital regulations, particularly across the GDPR, the AI Act, the Data Act, and the Cyber Resilience Act. A separate AI Omnibus was designed in parallel, focused on implementation conditions under the AI Act, including extended timelines for high-risk AI systems. [4]

The Digital Omnibus has broad institutional support. The hopes are for harmonized requirements, mutual recognition of assessments, streamlined documentation, and reduced administrative burden. If it delivers, the payoff could be significant. Lower compliance costs translate directly into more capital and time for innovation.

Sources

  1. Core instruments referenced. GDPR, the AI Act, the Data Act, the Cyber Resilience Act, NIS-2, DORA, the Digital Services Act, and the Data Governance Act.
  2. European Parliament Research Service (EPRS). Analysis of the cumulative effect and coherence of EU digital legislation.
  3. European Commission. Statements on the regulatory burden for SMEs navigating EU digital and green legislation.
  4. European Commission. Digital Omnibus Package & AI Omnibus, November 2025.