Europe can’t simplify its cyber politics away

Photo: Dati Bendo/© European Union, 2025, licensed under CC BY 4.0

02 June 2026

European cyber policymaking has often managed political disagreement by fragmenting issues and translating them into technical fixes, rather than forcing an explicit negotiation over competing visions, cost allocation, authority, and governing logics.

The EU has now spent two decades turning digital dependence into regulatory power by writing rules, and then writing more rules. Those rules formed the channels through which firms, regulators, and states had to operate. As those channels became costly, contested, and uneven, Brussels has moved from expanding the rulebook to reordering the machinery behind it. 

The November 2025 Digital Package – a set of amendments to EU legislation centred on the Digital Omnibus proposals – promises to simplify this layered rulebook. The Cybersecurity Package, tabled in January 2026, adds to the security side, with details on how to certify trust, allocate supply-chain risk, and supervise resilience across a fragmented system.

But this is precisely where simplification becomes political. These conflicts cannot be resolved once and for all: trade-offs over privacy, security, data ownership, data availability for model development, institutional authority, and compliance costs will remain. Can simplification make these conflicts visible and governable, or will it keep displacing them into technical arrangements? 

How fragmentation became governance

Cybersecurity entered EU policy in the early 2000s, through two doors at once: from the realm of law enforcement, anchored in criminal law and judicial cooperation, and from the market, which treated networks as economic infrastructure exposed to systemic risk. As digital dependence deepened, the market strand gained prominence, and the NIS Directive, and later NIS2, recast cybersecurity as a problem of risk management and resilience.

Defence followed cautiously, remaining national and coordinated rather than commanded. Diplomacy came still later, with the Cyber Diplomacy Toolbox, attribution practices, and sanctions, in a field with fewer entrenched national veto players and more room for EU-level initiative. Each of these four layers crystallised around its own legal basis, policy constituency, and governing logic.

The wider digital rulebook grew in the same way – data protection, platform regulation, AI governance, and industrial policy all came in on their own. Security was rarely the organising principle. The result is not a designed architecture but an accumulated one. 

Fragmentation was not the goal, but it proved politically useful. Keeping cybercrime, market resilience, data protection, defence, and diplomacy on partly separate tracks made agreement possible by preventing different conflicts from collapsing into one negotiation. It also left implementation scattered across authorities with different mandates, aims, and assumptions about risk. That is the system the Digital Omnibus and the Cybersecurity Package now try to make administrable, and the reason their reordering cannot be neutral.

The politics behind simplification

While the von der Leyen Commission agenda aims for competitiveness and simplification, it has not abandoned regulation. Rather, it is reworking the layer through which regulation is implemented – redesigning the channels through which authority, costs, and safeguards move.

Every area brings with it different conflicts. Data protection wavers between surveillance, rights, and innovation; cybersecurity reporting raises questions of authority and capacity; certification turns trust into a condition of market access. Addressing these conflicts separately once made them easier to manage. Simplification now brings them back to shared channels.

It is tempting to read this as one debate. It is not. The simplification agenda includes many linked but distinct aspects, each moving conflict into a different venue. The Digital Package reopens, for amendment, parts of the GDPR, the ePrivacy Directive, the Data Act, NIS2 and CER, while folding older data instruments into a restructured Data Act. Additionally, a separate AI Omnibus recalibrates the AI Act, while the Data Union Strategy and European Business Wallets build administrative infrastructure for identification, document exchange, and data reuse. Meanwhile, the formally separate Cybersecurity Package proposes a revision of the Cybersecurity Act and targeted amendments to NIS2.

Considered separately, the two packages look like housekeeping: fewer duplications, cleaner reporting channels, sharper cyber tools. Together, they reveal something more consequential. Europe is not stepping back from digital regulation. It is trying to reorganise the machinery through which regulation becomes power. The fight is no longer only over whether Europe has too many rules. It is over who controls the infrastructures through which those rules apply, who absorbs the costs of compliance, and who maintains the safeguards when friction is removed.

What is the EU trying to do?

Against this backdrop, the appeal of simplification is easy to understand. But the Digital Omnibus and the Cybersecurity Package are not simply pruning the system. They are trying to make a layered architecture administrable by redesigning the institutions and interfaces through which rules are applied.

The details are where the politics begins. For example, the single entry point for cyber-incident and data-breach notifications does not abolish obligations under NIS2, the GDPR, DORA, CER or eIDAS; it changes the channel through which they are met. ENISA would build and operate that channel. For firms with mature compliance teams, reporting once rather than many times is a real gain. For smaller firms, a cleaner interface still presupposes legal, technical, and organisational capacity they may not have. Member states have already questioned whether a central, ENISA-run platform can be reconciled with national systems and security sensitivities. Data protection authorities have drawn their own line: the EDPB and EDPS support simplification in principle, but have urged co-legislators not to narrow the GDPR’s definition of personal data, and judged a dedicated legitimate-interest provision for AI training unnecessary. Digital-rights groups call the package a rollback.

The fight is not privacy against innovation in the abstract; it is over who defines personal data, how that definition is operationalised, when pseudonymised data leaves GDPR protection, who carries the burden of objecting, and who controls the harmonised channels through which compliance is organised. 

The security package makes the redistribution even plainer. The revised Cybersecurity Act renews EU certification, expands ENISA – whose projected budget would increase by more than 80% over the 2025 baseline – and builds a ‘trusted ICT supply-chain’ framework aimed at potentially risky third-country suppliers. Certification can make security claims comparable across borders and reduce dependence on untrustworthy suppliers. But it also decides who counts as trusted, who pays to prove it, and who may be pushed out of procurement chains and critical-infrastructure markets. 

NIS2 amendments make the same point operationally: jurisdiction determines the supervisor, ransomware rules determine what gets reported, and cross-border provisions determine who coordinates.

Police forces, intelligence services, defence establishments, sectoral regulators, data-protection authorities, and EU agencies all carry institutional legacies built during earlier phases of cyber governance. The new packages do not remove conflicts between them. They translate them into new venues. Some conflicts will return as explicit political choices; others will be folded into reporting portals, standards, certification schemes, and compliance interfaces. 

Towards a governable reordering

If the Digital Omnibus and the revised Cybersecurity Act are to do more than rebrand fragmentation, they must make the trade-offs visible. NIS2, the DSA, and the GDPR rest on different assumptions about risk, compliance, and rights. A serious simplification agenda must clarify what happens when differing assumptions collide. It must also avoid mistaking harmonisation for uniformity. Member states differ in administrative capacity, threat exposure, and institutional organisation. Minimum standards and interoperability are necessary, but flexibility remains essential if national differences are to become sources of learning rather than permanent silos.

A harder task awaits the institutions that make the machinery run. Fragmentation is reproduced not only by legal texts, but by the political institutions that turn them into policy. Cleaner statutes will matter less if the institutions that produce and enforce them continue to work on separate timelines and separate assumptions about what cybersecurity is for.

The Digital Omnibus and the revised Cybersecurity Act will not, on their own, settle Europe’s cybersecurity governance. They mark a shift from a phase in which the European Union projected power by writing rules to one in which power depends on the channels that apply, interpret, and enforce them.

The next question is therefore not how much digital regulation Europe needs, or which rules should be cut. It is whether the union is willing to govern the institutional machinery that rule-making has produced: to understand how its channels allocate authority, to recognise diversity without turning it into permanent fragmentation, to make explicit the political conflicts that technical fixes have long kept in the background, and to accept and publicly acknowledge that resolving them produces winners and losers.

Simplification will matter only if it means Europe will turn away from fragmentation as a negotiating convenience and finally begin to govern.