EU-UK Spotlight: Renewables, trade, and the global supply chain
First: the EU digital regulatory stack is dense, and EU enterprises cannot manage it through instrument-by-instrument analysis alone. An integrated framework is not optional; it is the only professionally sound approach.
Second: the overlaps between instruments are not merely a source of burden. They are a source of efficiency for organisations that invest in mapping them.
Third: the political signal from Draghi and the Omnibus is real, but it should not be mistaken for structural relief. What is changing is the Commission's awareness that simplification is a competitiveness imperative, not merely an administrative convenience.
Fourth: compliance is not a legal minimum to be achieved and forgotten, but a strategic capability — a demonstration of organisational quality that builds trust with regulators, clients, and partners.
By way of clarification, this insight deliberately uses the word "inflation". Just as monetary inflation erodes purchasing power, regulatory inflation risks eroding something equally precious for enterprises operating in the EU: their capacity to act, to invest, to innovate and to compete. In the next sections, this article addresses what can be considered one of the most pressing structural challenges in European law today: a challenge of architecture. How do we make seven distinct legal instruments function as a coherent, manageable system, rather than as seven separate burdens?
Starting with the landscape.
Organisations operating in the EU today must simultaneously navigate three intersecting domains: Artificial Intelligence, Cybersecurity, and Data Protection. Each domain has its own legislative stack, its own supervisory authorities, its own liability regime.
In the AI domain, the AI Act introduces a risk-based classification for AI systems, imposes specific conformity obligations for high-risk applications, and creates an entirely new category - the General Purpose AI model - with its own transparency and systemic risk obligations.
In cybersecurity, we have the NIS2 Directive, transposed in Italy by Legislative Decree 138 of 2024, which significantly expands the scope of mandatory entities and tightens incident reporting timelines. Alongside it, DORA imposes sector-specific operational resilience requirements on financial entities, while the Cyber Resilience Act introduces security-by-design obligations for connected products throughout their lifecycle.
And in data protection, GDPR remains the cornerstone, now complemented by the Data Governance Act — governing trusted intermediaries and public sector data sharing — and the Data Act, which introduces novel rights of access to industrial and IoT-generated data.
Organisations must satisfy all of them, simultaneously, with overlapping scopes, inconsistent definitions, and different supervisory authorities — often without clear guidance on how the regimes interact.
This brings us to what may be called the inflated legal order.
Seven distinct instruments. Look at the sanctions regime: GDPR at up to 4% of global annual turnover; the AI Act up to 7%; NIS2 up to 2%; DORA with daily turnover-based penalties; the CRA at 2.5%.
Let's take an example of a possible event that is relevant under all of these instruments: a cyberattack - e.g. ransomware, or any cyber intrusion affecting personal data processed by an AI system. This could trigger simultaneous enforcement under GDPR, NIS2, DORA, and potentially the AI Act: different notification timelines; different supervisory authorities with competence over the violation; different legal standards of care.
This is not a theoretical concern.
Unfortunately, we are witnessing a low-intensity global conflict (and in some areas of the world the intensity is high) where cyberattacks increase every year.
Cybersecurity professionals often say that the right question to ask enterprises is not whether they have been the victim of a cyberattack, but when it happened.
EU companies tend not to notify incidents, not only because of reputational risk but also because there are no clear and simple rules on how to manage the attack and its consequences.
For years, the dominant model has been what may be described as understanding in isolation: each instrument studied separately, compliance functions siloed, legal teams expert in GDPR but unfamiliar with DORA, cybersecurity teams aware of NIS2 but disconnected from AI Act obligations. The result is duplicated effort, fragmented controls, and compliance treated as a pure cost — a tax on doing business in Europe.
The alternative - and the only professionally and commercially viable model going forward - is the integrated compliance framework. This means mapping obligations across all seven instruments to identify overlaps and efficiencies, building shared controls that simultaneously satisfy multiple regimes, establishing unified governance structures that bring together the DPO, the CISO, legal counsel, and business leadership under a single accountability chain.
It is important to be precise about what "overlap" means in this context, because it is not merely a problem — it is also an opportunity. Consider: the security measures required under NIS2 for essential entities are substantially consistent with the technical and organisational measures required under GDPR Article 32, and with the ICT risk management framework under DORA. A well-designed control satisfies all three. The question is whether the organisations concerned have the governance architecture to recognise and exploit that overlap - or whether they are paying three separate teams to implement three parallel frameworks.
The answer to that question is what determines whether compliance remains a cost or becomes a competitive advantage.
Is the EU aware of the situation described above? The answer is: yes. This discussion should be viewed in its broader political and economic context, as developments at the EU legislative level have direct implications for the advice provided to stakeholders and clients.
The Draghi Report on European Competitiveness contains a stark diagnosis. According to the Draghi Report, the EU now has approximately 100 tech-focused laws and over 270 regulators active in digital networks across Member States. The net effect, as Draghi puts it plainly, is that only larger companies — often non-EU based — have the financial capacity to bear these compliance costs. Young innovative tech companies may simply choose not to operate in the EU at all.
It identifies the EU's regulatory stance toward technology companies as a structural impediment to competitiveness. The EU's precautionary, ex-ante regulatory model imposes costs that compound across the stack. Limitations on data storage and processing, fragmented national implementations, regulatory gold-plating by Member State authorities: together, these create high compliance costs while simultaneously hindering the creation of the large, integrated datasets needed to train competitive AI models. The consequence is that 61% of global funding for AI start-ups goes to US companies, 17% to China, and just 6% to the EU.
The Commission's response is the Digital Omnibus - a first step toward regulatory simplification. It proposes to amend GDPR, the AI Act, NIS2, and several other instruments simultaneously. Its stated objectives are to streamline compliance costs, harmonise incident reporting, and provide legal certainty for AI implementation. It also proposes to relieve small mid-caps from certain obligations - extending protections that currently apply only to SMEs.
But - and this is important - the Omnibus explicitly states that its amendments remain technical in nature, seeking to adjust the regulatory framework without amending its underlying objectives. In other words, the architecture remains. The seven instruments remain. The obligations remain. What changes is some of the procedural complexity at the margins.
The risk of the Brussels effect — the EU's tendency to set global regulatory standards — is therefore not that it disappears with the Omnibus. The risk is that it becomes not a benchmark for the protection of fundamental rights, but a burden that systematically advantages non-European competitors who operate without equivalent constraints and who are scaling without equivalent friction.
So what should organisations and their legal advisers actually do?
Three strategic pillars can be proposed.
The first is to map and harmonise. Before any organisation can manage this regulatory stack efficiently, it needs a cross-instrument obligation matrix: a structured analysis of where GDPR, the AI Act, NIS2, DORA, the CRA, the Cybersecurity Act, and the Data Act impose obligations that are substantively similar, where they conflict, and where one instrument explicitly constitutes lex specialis with respect to another — as DORA does with respect to NIS2 in the financial sector. This mapping exercise is not merely an academic exercise. It is the foundation of a rational compliance architecture and, increasingly, a prerequisite for demonstrating accountability to supervisory authorities.
The second pillar is to govern and integrate. Compliance cannot remain siloed by discipline. Organisations need cross-functional governance that brings together legal counsel, data protection officers, CISOs, AI system owners, and business leadership. Policies must be consolidated. Incident response procedures must be unified. The documentation trail — which regulators will demand — must be coherent across regimes, not a patchwork of separately maintained records.
The third pillar is to compete and grow. This may seem counterintuitive when we are discussing compliance, but it is the correct framing. Organisations that can demonstrate — credibly and verifiably — that they manage AI risk responsibly, that their cybersecurity posture meets the highest EU standards, that their data governance is robust and rights-respecting, possess a genuine competitive differentiator. They are more trusted by institutional clients, more attractive to international partners, and better positioned for public procurement in an environment that is increasingly conditioning market access on compliance credentials.
Finally, some takeaways:
First: the EU digital regulatory stack is now sufficiently dense and sufficiently interlocking that no organisation of material size can manage it through instrument-by-instrument analysis alone. An integrated framework is not optional — it is the only professionally sound approach.
Second: the overlaps between instruments are not merely a source of burden. They are a source of efficiency for organisations that invest in mapping them. Shared controls, unified governance, and coherent documentation reduce costs and reduce legal exposure.
Third: the political signal from Draghi and the Omnibus is real, but it should not be mistaken for structural relief. The underlying obligations remain. What is changing — slowly — is the Commission's awareness that simplification is a competitiveness imperative, not merely an administrative convenience.
And fourth: the organisations that will lead in this environment are those that treat compliance not as a legal minimum to be achieved and forgotten, but as a strategic capability — a demonstration of organisational quality that builds trust with regulators, clients, and partners alike.
The central line to retain is the following:
From fragmented obligations to integrated resilience — compliance is strategy.
Authored by Massimiliano Masnada.