
Jochen Michels, Director Public Affairs, Europe, Kaspersky
Over the past decade, the European Union has undertaken an ambitious journey to shape the rules of the digital age. A growing body of legislation now governs key areas such as data protection, cybersecurity, artificial intelligence, online platforms, and digital markets. Together, these initiatives form the backbone of the EU’s Digital Decade vision, designed to achieve a secure, inclusive, and fully digitalized Europe by 2030. This policy drive reflects the EU’s determination to promote technological innovation while ensuring that digital progress remains firmly anchored in European values of privacy, fairness, and trust.
However, as the digital landscape has evolved at unprecedented speed, so too has the complexity of its regulatory environment. Multiple overlapping obligations, diverse implementation schedules, and varying levels of national interpretation have made compliance increasingly challenging. For many organizations, this patchwork of requirements can slow innovation, increase costs, and obscure the ultimate goal of the rules: to make Europe’s digital ecosystem safer, more competitive, and more resilient.
As a cybersecurity company committed to strengthening Europe’s digital resilience, Kaspersky operates within a broad array of EU regulations and has first-hand experience navigating their diverse and occasionally overlapping requirements. We therefore welcome the EU’s ongoing efforts to improve efficiency and coherence in the digital rulebook, which can ease compliance for both users and businesses while accelerating the pace of digitization across the Union. In this spirit, as of October 2025, we were pleased to contribute to the European Commission’s Public Consultation on the Digital Omnibus (Digital Package on Simplification).
Kaspersky’s recommendations in the context of the Digital Omnibus
1. Harmonization of cybersecurity reporting obligations – “report once” principle
From a cybersecurity perspective, Kaspersky strongly supports efforts to harmonize and rationalize reporting obligations across the various pieces of EU legislation. Currently and going forward, organizations operating within the EU are required to submit incident notifications and compliance reports under several frameworks, including the NIS2 Directive, the Cyber Resilience Act (CRA), the Digital Operational Resilience Act (DORA), and the General Data Protection Regulation (GDPR) – each with its own definitions, formats, and timelines. Aligning these requirements would substantially improve clarity and reduce duplication.
We therefore advocate for the adoption of a “report once” principle, facilitated by secure, interoperable digital tools. This approach would allow relevant authorities to share information efficiently, avoiding repetitive submissions while maintaining the highest standards of protection. Beyond administrative efficiency, this harmonization would also strengthen Europe’s collective cyber resilience by allowing faster detection, analysis, and response to threats across sectors and borders.
2. Enhancing usability for cookies and tracking technologies
Another area that would benefit from simplification is the framework for cookies and tracking technologies. Excessive or repetitive consent banners have led to widespread user fatigue, undermining the very transparency they were meant to foster. Kaspersky supports the EU Commission’s intention to revisit these rules and recommends a risk-based, technology-neutral approach that aligns with the broader principles of the Data Act and the Digital Services Act (DSA). Such an approach would help distinguish between practices that genuinely pose privacy risks and those that serve legitimate technical or security purposes, fostering both user empowerment and smoother digital experiences.
3. Aligning AI regulation with cybersecurity needs
Artificial intelligence represents another crucial dimension of Europe’s digital transformation as well as a powerful tool for improving cybersecurity. AI systems now play an essential role in detecting threats, automating responses, and protecting users from emerging risks. Kaspersky therefore believes that regulatory clarity and proportionality are vital to ensure the AI Act achieves its objectives without inadvertently limiting innovation in defensive technologies. Adjustments that clearly differentiate between high-risk AI systems and AI used for protective or resilience-enhancing purposes would be a pragmatic way forward. Furthermore, aligning conformity assessment procedures and documentation requirements with existing EU cybersecurity certification schemes would avoid unnecessary duplication, promote consistency, and reduce compliance burdens.
4. Prioritizing interoperability and digital-by-default governance
What is more, the principles of interoperability and digital-by-default governance should remain at the center of the EU’s simplification agenda. The use of standardized, machine-readable data formats, secure APIs, and automated reporting systems can make regulation not only easier to follow but also more responsive and adaptive to technological change. These mechanisms would create a more agile regulatory ecosystem that encourages innovation while maintaining security and accountability.
5. Simplification without compromising security and trust
Regulatory simplification must be guided by balance: it should make compliance easier without diluting Europe’s commitment to high standards of cybersecurity, data protection, and transparency. Streamlined rules can foster innovation, strengthen competitiveness, and enhance trust among citizens, provided they remain grounded in the principles that define the European digital model.
Leveraging expertise to support Europe’s digital future
Kaspersky believes that this balance can best be achieved through ongoing collaboration between policymakers, regulators, and industry experts. By combining the EU’s strong normative framework with the practical experience of cybersecurity providers and other stakeholders, Europe can build a truly smart regulatory environment, one that is coherent, proportionate, and future-proof.