Share
In recent weeks, the European Union has entered a new phase of regulatory recalibration. Rather than scaling back on its ambitions, Brussels is reopening and reshaping cornerstone sustainability and digital frameworks through the competitivity prism; the same rules that have long positioned the EU as a global regulatory trendsetter. This shift confirms the broader regulatory evolution we highlighted in our 19 November 2025 analysis.[1]
On the ESG side, the Commission’s Omnibus Simplification Package and its wider simplification agenda signals a clear commitment to reducing administrative friction. With targets to cut reporting burdens by roughly 25% for large companies, and 35% for SMEs, the EU aims to streamline overlapping requirements across the CSRD, CSDDD and the Taxonomy.[2] The European Parliament’s latest stance would significantly narrow the scope of both CSRD and CSDDD, limiting mandatory reporting to only the largest multinationals and shifting due diligence duties to groups above 5,000 employees and EUR 1.5 billion in turnover.
At the same time, the Commission’s new Digital Package "the digital omnibus” would extend the timeline for high-risk AI obligations to 2027 and modernise the EU’s data and cybersecurity ecosystem by amending the AI Act, GDPR, ePrivacy Directive and Data Act. The Commission positions this as an opportunity for businesses to “spend less time on administrative work and compliance and more on innovating and scaling up”, projecting approximately EUR 5 billion in administrative savings by 2029 thanks to harmonised incident reporting and updated cookie rules.[3]
For companies operating globally, this new phase is not a retreat from regulation but a strategic pivot. The environment remains dense and litigation-prone. Boards now face critical decisions: identifying which entities remain in scope for CSRD/CSDDD, determining which sustainability practices to maintain voluntarily as thresholds rise, and reassessing AI and data strategies in a framework that may feel more flexible but will be scrutinised more intensely by regulators, NGOs and courts. Legal exposure for companies, particularly in relation to human-rights and supply-chain risks, remains intact. The recent police investigations in Italy [4] concerning labour abuses within luxury-sector subcontracting illustrate that reduced reporting requirements do not translate into reduced responsibility.
From a risk-management perspective, simplification shifts the focus from formal disclosures to substantive controls. Authorities increasingly evaluate corporate compliance on the basis of the effectiveness, documentation and operational execution of internal oversight systems. Key risk dimensions include:
- Supply-chain governance risk: exposure persists where due diligence mechanisms are incomplete, untested or insufficiently documented.
- Regulatory and enforcement risk: investigations may arise even absent direct involvement in the underlying misconduct, particularly where supervision of subcontractors is deemed inadequate.
- Litigation risk: claimants can rely on alternative legal grounds where reporting is reduced, especially in jurisdictions with established ESG litigation pathways.
- Reputational risk
In this context, reducing the administrative burden does not reduce liability. Instead, it raises the premium on traceability, supplier supervision, internal auditability and demonstrable due diligence performance. Companies that cannot evidence robust, effective and risk-appropriate compliance frameworks remain fully exposed to civil, administrative and criminal consequences. Simplification is procedural; responsibility remains substantive.
Kennedys’ regulatory and compliance team is guiding businesses through this transition. We treat the ESG and digital packages not as signals to dial back ambition but as opportunities to redesign governance models, align AI and data initiatives with fast-evolving EU standards, and build cross-border compliance systems resilient enough to absorb growing regulation while accelerating innovation and growth. As our recent work shows, the companies that thrive are those that transform EU ESG and digital requirements into engines of governance, risk management and trust, not merely obligations to absorb.
[1] See our analysis in Kennedys, “Regulatory evolution in Europe and growing pressure on companies – compliance as a strategic lever”, 19 November 2025
[2] https://finance.ec.europa.eu/news/omnibus-package-2025-04-01_en
[3] European Commission, press release “Simpler digital rules to help EU businesses grow”, 19 November 2025; Reuters, “EU to delay ‘high risk’ AI rules until 2027 after Big Tech pushback”, 19 November 2025
[4] https://www.globalbankingandfinance.com/italy-fashion-labour-abuse-zero/
Denmark
France
Ireland
Spain