25.06.2025

Do the EU digital rules actually work?

As part of its 2025 Work Programme, the European Commission has announced a comprehensive fitness check of the EU digital acquis. This presents a critical opportunity to promote a more coherent, innovation-friendly regulatory environment that protects consumers while enabling responsible and data-driven financial services.

As part of its 2025 Work Programme, the European Commission has announced a comprehensive fitness check of the EU digital acquis, with the results to be published in the last quarter of 2025. The initiative aims to assess whether the EU’s digital rules are still fit for purpose, and to identify areas where regulatory obligations could be simplified with small and medium-sized enterprises (SMEs) in mind.

The fitness check is believed to encompass a wide range of legislation that underpins the EU digital single market, possibly including:

  • The General Data Protection Regulation (GDPR)
  • The Data Governance Act
  • The Data Act
  • The Digital Markets Act
  • The Digital Services Act
  • The AI Act
  • Cybersecurity legislation

The Commission’s objective is to assess the coherence, effectiveness, and proportionality of these frameworks and to identify any overlaps, inconsistencies or cumulative burdens. The review aligns with the Commission’s broader focus on regulatory simplification and boosting Europe’s economic competitiveness.

The Commission has also proposed targeted simplifications to the GDPR – specifically raising the employee threshold for recordkeeping exemptions from 250 to 750 in its 4th Omnibus package. Under this proposal, small and midcap enterprises (SMCs) with fewer than 750 employees (and within defined turnover and balancesheet limits) would be exempt from maintaining records of processing activities unless their operations are deemed “highrisk”. These adjustments reduce documentation obligations while upholding the general dataprotection principles. This represent a meaningful first step toward more proportionate compliance requirements, as well as a more general opportunity to engage broader on the GDPR´s overall application and effectiveness.

The European Court of Justice´s SCHUFA ruling in December 2023 illustrates how diverging legal interpretations across the EU can create significant uncertainty for credit providers. In this case, the Court found that credit scoring, even when advisory, could be classified as automated individual decision-making under the GDPR.

This interpretation could imply serious questions and repercussions about the future use of established, data-driven credit assessment tools. It risks restricting methods that are both effective and responsible, and may force the abandonment of scoring practices widely used across the sector.

It also underscores the lack of consistency among national data protection authorities (DPAs), as well as far-reaching interpretations and/or decisions by DPAs, (who are frequently in conflict with guidance of relevant financial supervisors). These discrepancies threaten legal certainty and undermine the smooth functioning of the single market for financial services, complicating compliance and risks to strangle technological innovation as well as adoption.

The forthcoming assessment process by the Commission presents a critical opportunity to promote a more coherent, innovation-friendly regulatory environment that protects consumers while enabling responsible and data-driven financial services.