Espresso Briefings by BusinessEurope
Timely insights and expert perspectives from BusinessEurope, served in short, sharp episodes to fuel your thinking.
Espresso Briefings by BusinessEurope
Navigating Europe’s digital rulebook
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
How does Europe’s digital rulebook, built on risk-based compliance and proportionate data protection, impact innovation and cross-border operations?
In our latest Espresso Briefing podcast, we take a closer look at how the evolving digital framework is impacting businesses across the EU, from how they use data to how they operate across borders and deploy new technologies.
Our recent publications point to a growing challenge: increasing complexity, uneven enforcement and rising compliance costs. At a time when global competition is accelerating, these trends risk holding back innovation and Europe’s competitiveness.
In this episode, our Senior Adviser Svetlana Stoilova walks us through the key issues and what they mean for businesses on the ground.
Listen now to understand what’s at stake for Europe’s digital future.
Welcome to Espresso Briefings by Business Europe. Timely insights and expert perspectives served in short, sharp episodes to fuel your thinking. Hello, my name is Alan Cherlock, Acting Director of Communications with Business Europe, and you're very welcome back to this episode of Espresso Briefings. Today we're looking at Europe's digital rulebook and how it shapes the way companies use data, operate across borders, and scale new technologies. Recent Business Europe publications highlight growing complexity, uneven enforcement, and rising compliance costs that risk slowing down innovation at a moment when global competition is accelerating. We'll explore where the system is creating value, where it's creating friction, and what reforms could make Europe's digital framework more coherent and more competitive. And to guide us through it, we're joined by Svetlana Stoilova, senior advisor in Business Europe's internal market department, who brings a strong passion for digital technologies and for shaping policy that works in practice for European companies. Svetlana, you're very welcome.
SPEAKER_01Thank you very much. I'm very happy to be here.
SPEAKER_00Now, so if we look towards recent business Europe publications, we're seeing them report of a widening gap between what is regulatory ambition and practical implementation. From your experience and observation, what exactly is it that's driving this gap and how can the EU ensure that well-intended rules translate into outcomes that are workable for businesses?
SPEAKER_01That is a very pertinent question. I would say that with our members here, we have gone through quite a long exercise for the past one year to discuss exactly where that 10-year of intense digital regulation was creating friction and complexity. And we published a paper last July, which was our contribution to this big digital omnibus exercise. There we had many examples, I believe more than 30 regulations, not only from the digital domain, but also from other domains, because digital is not a silo or just a sector, it actually transcends different sectors too. We see digital technologies as an enabler for other sectors, and for that reason, we would like to see more coherency when it comes to how digital worlds interact with market surveillance, for example, or they interact with general product safety. So these are things that we have included in our paper. And we also notice then that there is so much complexity that especially businesses of smaller sizes, for them it's very difficult to navigate. It's not only for the business community that this complexity is problematic, but it's also problematic for the competent authorities that are supposed to enforce those rules. While it may sound bizarre that we have businesses calling for better enforcement, sometimes this actually gives you quite a lot of guidance and quite a lot of guardrails, and you know in what type of parameters you are expected to operate. Clear rules means that the rules are actually enforceable. In our paper, digital omnibus paper, we had a couple of examples. It seems that we have at least three or four definitions of product across the digital rulebook. What would be a product in normal legislation, let's say non-digital legislation, would potentially be a connected product and then would potentially be in another legislation product the digital element. So it just feels that it's proliferating definitions, but actually we don't see that clarity there. Another issue that we wanted to see, and when it comes to that clarity and that enforceability as well, was the extension of the deadlines applicable for Annex 1 and Annex III of the AI Act, because we need to have that clarity as business community in order to drive our economy forward. And if we want to say it in a bit more potentially poetic way, it's the long hours of the organizations, of the enterprises, the curiosity of researchers that pushes our economy. And if we're speaking about competitiveness, we need to deliver that breathing space for them.
SPEAKER_00Something that we're seeing consistently argued by Business Europe is that GDPR is not fully delivered on this concept of a risk-based promise. So, what do you believe that a genuinely risk-based approach would look like in practice? And why do you think we need to get there for that impact on competitiveness?
SPEAKER_01I would like to say something very clear from the very beginning about GDPR. That is, that GDPR is actually not a legislation that is only impacting data protection in the online world. GDPR is a regulation that impacts every size of organization, whether you operate online or offline. And when we speak about this regulation, it's very often that we are driven by high-profile cases, or especially when it comes to judicial uh rulings. So that becomes a little bit like a moving target for the smaller offline organizations which are not able to absorb the complexity of the regulation. We had an implementation dialogue last summer with the Commissioner McGraw, and uh everyone there agreed that the current rule book was too complex and needs to be applied consistently. So if you're pro-innovation, if you're about innovation, complexity can slow you down. And at the same time, if you care about rights, complexity doesn't strengthen your protection, but it weakens it because it's too difficult to be enforced. So simply because rules are hard to be interpreted, they're making it hard to be enforced. And in that case, the question that we should be asking in the digital omnibus isn't whether we need strong safeguards, we actually do. But it's how do we change that rule book so actually the safeguards are more real for the ones who are relying on them and more predictable and clear for the ones implementing them. And that's how both sides end.
SPEAKER_00Predictability and clarity are circumstances I think that businesses will universally respond to. So it's a key theme, I think, particularly within digital and within GDPOR. If we're to look at something else, I suppose, that that seems to be an emerging theme within this file. Where does fragmentation in the EU single market cause the greatest harm to business and particularly through those administrative burdens to SMEs? And where do you think these targeted reforms could most effectively reduce compliance costs while still, I mean, you know, still preserving this concept of strong data protection?
SPEAKER_01Thank you for that question. And I hear I would like to bring one very important figure from the OECD, the report that they published in December. I believe it was called Time for Regulatory Reset. There um it was very clear diagnosis for Europe that we have 3.9% in 2023 of total employment that works on compliance rules. And we have 1.7% of people working on RD. This is material difference. This is even if you double the RD percentage, 1.7, you still don't get to the 3.9. So what does that tell us? You have people who are day in and day out trying to push the scientific boundaries of Europe, and they are with millions less than the people who are scrambling rules and trying to get their way through different obligations. If you're thinking about this, if you try to imagine a situation in a boardroom where you have the scientific person and you know the compliance persons, you know, they come with this amazing idea, but then the compliance people are so much more powerful because they just have so many more numbers of people working on them trying to tell you how this could be risky or how this could not work. Well, then, in a way, it's this scientific innovative spirit could be toned down. And in that is something that, as a European, strikes me very personally in a way, because I want our continent to be more at the forefront. I want our continent to be able to apply the technologies that we are developing. And this is something that the GDPR currently, in the clarification we have in the digital omnibus, is actually trying to achieve. It tries to reconfirm what is already in the legislation, that research should be considered in a broad way, and that the research grounds for data processing should be considered also for technology development, for AI training, as well as like having more legal grounds to train AI. This is really, really important because then we will get that hands, minds, and budgets open for the real change in our continent pushing the scientific boundary. That is a goal which I believe everybody around the table, the ones who are pro-innovation, so to speak, and the ones who are pro more safeguards, they could agree around this. Because this is working for both. Because if you have more safeguards, which can be underpinned with technology, well then why not?
SPEAKER_00Proportionality seems to be kind of key, really, to this actually being an effective piece of work. If we look at something else that seems to be kind of causing strain, um, it's around this concept of data subject rights, including repetitive and misused requests. How do you think that the EU can preserve strong rights for individuals while ensuring the system is workable and proportionate again for organizations?
SPEAKER_01I would like to start with one clear signal of the business community we represent. We understand that the GDPR clarifications right now can cause concerns for lowering data protection, etc. But you can still want strong protection and still recognize that complexity is failing them. And clarity matters more than just layering rules and the volume of rules. As business community, we are operating on a level of trust. We compete on that level technically. So that is important. Business operations and protections are not mutually exclusive. So this is a very important thing to stress here. But when it comes to specifically data subject rights and the proportionality element of the exercise of those rights, this is important to mention here as well a recent case from the European Court of Justice that delivered ruling which was saying that companies could refuse requests if they have been abusive. This type of judgments of the of the ECJ just show that the rule of law cuts both ways. If obligations are not respected by organizations or rights are not exercised in a way that is pertinent to the GDPR, then the judicial system responds with proportionality and will respond with consistent rulings. And that creates fairness and trust in the entire system. So it is good that we have this type of clarifications.
SPEAKER_00If we go just to kind of wrap up our episode today, I think that even within the recent Business Europe ambition to delivery campaign, we're seeing messaging that essentially stresses Europe excels at strategy but struggles with execution. So it's this concept of takeoff versus landing, uh, that the challenge around that. For you to sum up for us, what does this successful landing look like for Europe's digital and data policies over maybe the next five years?
SPEAKER_01I don't want our listeners to think that so you know I'm only thinking about GDPR day and night and technology. I mean, it's uh I also like this type of metaphor when it comes to takeoff and landing. And this reminds me of Milano Cortino Olympic Games, and exactly, you know, this is a very good example because in jump ski you have a spectacular takeoff. It's it's so beautiful. You see these people flying. But then what counts is actually the landing because if your landing is wobbly, then your chances to win a medal is technically zero. That is exactly what we should be looking at for our digital ambition. Successful landing for Europe means that we turn the GDPR from a power that is confined on a PDF on the European Lex website into this well-designed jump where the in-run gives you the speed to launch, but also the framework all around ensures that you can land far and clearly and translate that jump into innovation, into stable, scalable leadership in data-driven technologies. So that would be my landing.
SPEAKER_00Perfect. I think the analogy there sums this up perfectly. It's ambition to delivery, it's takeoff, and it's landing. So Delana, thank you so much for your contribution today. This is a complex topic. I think we've explored it insofar as we can, but listeners can, of course, find out lots more about Business Europe's position, our members' position on this topic at businesseurope.eu. If you've enjoyed this episode of Espresso Briefings, don't forget to subscribe wherever you get your podcasts. We'll be back soon with more insights on the developments shaping European business. Thanks for listening and see you next time.