Notes from the IAPP Europe: Digital fitness check public consultation, what are the expectations?

The European Commission's digital simplification project does not stop with the Digital Omnibus proposals that were tabled last November. As the Digital Omnibus rapidly advances through EU lawmaking procedure, the digital fitness check, referred to as "the second stage of the Commission's plan to simplify the EU's digital rules," is also kicking off. 

While the Digital Omnibus focuses on targeted, technical changes to the existing rules, the digital fitness check will stress test the coherence and relevance of the digital rulebook against the goals of competitiveness and fundamental rights protection and identify areas that need further alignment. It is not yet clear what the scope of this exercise is and what tools the Commission will propose to ensure this alignment. 

The Commission did not pause before launching the second stage of its digital simplification plans. The call for evidence on the digital fitness check opened the day the Digital Omnibus proposals were published. Four months later, 11 March 2026, this initiative just completed the introductory step in the policy-making process with the closing of its four-month long feedback period, which generated slightly under 200 submissions. 

More than 60% percent of all contributions came from industry representatives. Many organizations point out the same laws and issues that were predominant in the Digital Omnibus public consultation. The core challenge remains the severe fragmentation of the EU digital legislation, with more than 100 laws and over 270 regulators to navigate. 

Conflicting definitions and overlapping scopes are raised as important issues that need resolution, including the intersection between the EU General Data Protection Regulation and the ePrivacy Directive, Artificial Intelligence Act and Data Act. The same is flagged on the interplay between sectoral rules and the AI Act, as well as between different pieces of the EU's cybersecurity legislation. 

When it comes to cybersecurity laws, a strong emphasis is placed on duplicative reporting requirements and inconsistent reporting timelines, as well as a lack of consistent definitions. 

The issue of unrealistic timelines and lack of standards is raised as well, not only in relation to the AI Act, but also the NIS2 Directive and the Cyber Resilience Act. Another common criticism relates to the Data Act and its cloud switching as well as data sharing obligations, which are seen as too broad, unclear and carrying a risk of trade secret leakage. 

Small- and medium-sized enterprises and startups draw attention to the disproportionate burden they carry when it comes to compliance with the digital rulebook, and the lack of guidance. 

The broad conclusion among industry is that while the Digital Omnibus is helpful, it is not doing enough, as it does not resolve structural issues. The industry is collectively calling for unified terminologies, clarification on legal precedence, reusable impact assessments and consistent enforcement, but some go as far as demanding a moratorium on new digital laws until issues are resolved. 

Consumer organizations and certain public bodies believe the Digital Omnibus may already be doing too much and risks weakening protections offered under the GDPR, the AI Act and other digital laws. They underline that the issues stand with enforcement rather than the laws themselves, hence asking the EU to steer away from using the Omnibus for substantive revisions. 

Another topic that is commonly addressed among stakeholders is the flagship digital policy initiative that is expected at the end of this year — the Digital Fairness Act. Despite its own call for evidence receiving over 4,000 submissions, stakeholders found it important to highlight it in feedback on the digital fitness check. 

The consumer groups express strong support for this law, seeing it as an opportunity to consolidate scattered consumer law obligations and address gaps in EU legislation concerning manipulative designs, minors' protection, influencer marketing and unfair personalization practices. 

The feedback from industry is mainly negative, as they fear that the DFA will re-regulate areas already covered by the GDPR, the DSA, the Unfair Commercial Practices Directive and the Consumer Rights Directive. Therefore, they request strong evidence of such gaps before proceeding. Companies worry this new law is not only unnecessary but may even create issues, such as forcing intrusive data collection in the context of the concept of "vulnerability" under the DFA.  

The outcomes of the digital fitness check will be clear once the Commission publishes its communication, which is expected in the first quarter of 2027. 

While there are a lot of similarities with the Digital Omnibus consultation in terms of issues flagged, one difference is that the Commission will have much more time to analyze the feedback. The timeframe between the end of the call for evidence and the Commission's publication of the Digital Omnibus proposals was slightly over one month and this time the Commission is getting a year.