EU Digital Fitness Check consultation – implications for multinational businesses

Why should I read this?

The European Commission (EC) is reviewing how EU digital rules interact across data, cybersecurity and AI frameworks. This matters if your business develops or uses AI, relies on data access or sharing, or faces EU cybersecurity obligations. It also matters if you place connected products or digital services on the EU market.

The same systems and processes can fall under several frameworks, including the NIS2 Directive, GDPR, the Data Act and the AI Act. These regimes may apply to the same products, services, teams and compliance workflows. This can create overlapping obligations, duplicated reporting and uncertainty in cross-border scenarios.

Following the Digital Omnibus simplification package, the EC launched the Digital Fitness Check consultation. The aim is to identify where frictions arise and how rules interact in practice.
We submitted a response focused on issues facing multinational groups managing digital risk across borders. A key concern is inconsistent national interpretation, particularly under NIS2, which can fragment group-wide compliance. Cross-border incident reporting is another pressure point, especially where EU disclosure duties conflict with foreign legal protections.

The direction of travel is not deregulation, but clearer and more workable implementation.
For businesses, this is an opportunity to identify duplication, stress-test reporting pathways and clarify internal ownership ahead of any follow-on simplification measures.

What should I do?

Although no immediate compliance action is required, this review can help identify existing friction and operational strain. In particular, businesses should consider:

• Mapping overlap across different regimes: identify where the same systems, datasets, products or processes fall within more than one EU regime.
• Testing cross-border interaction: examine how obligations interact across Member States, especially where national implementation diverges.
• Checking scope and reporting triggers: assess whether differences in national rules affect scope, notification thresholds or supervisory touchpoints.
• Reviewing incident response processes: test whether overlapping regimes impose different timelines, thresholds or disclosure requirements.
• Clarifying internal ownership: check whether data, cybersecurity and AI responsibilities are split across teams dealing with the same activity.

The objective is not to redesign compliance frameworks but to identify existing duplication, uncertainty or operational tension.

What else do I need to know?

Key challenges under the current EU digital framework

In our response to the consultation, we focused on several practical challenges for multinational businesses under EU digital rules:

• Under NIS2 directive, scope is not applied consistently across Member States. In practice, thresholds and exemptions are interpreted differently. This includes electricity production thresholds, minor or ancillary activities and the treatment of non-EU operators. As a result, it can be difficult to determine whether an entity is in scope, leading to fragmented compliance across jurisdictions.
• Cross-border reporting can create legal conflicts. EU cybersecurity obligations under NIS2 may require disclosure of information that may be protected or sensitive under foreign laws. This creates risks for international businesses, particularly in situations requiring rapid incident reporting.
• Regulatory engagement remains fragmented across Member States. The same EU framework may require engagement with multiple national authorities. This can lead to parallel processes and jurisdiction-specific approaches, even where activities are similar across the group.

Regulatory direction and upcoming developments

Recent EU initiatives confirm a shift towards implementation, clarification and simplification of existing digital rules. This includes the Commission’s March 2026 draft Cyber Resilience Act guidance, ongoing NIS2 implementation work, and the January 2026 cybersecurity package. These initiatives align with the broader direction of the Digital Omnibus and the Digital Fitness Check consultation. The focus is on how existing rules interact in practice and where cumulative burdens arise.

The draft Cyber Resilience Act guidance provides direction on scope, product classification and vulnerability handling. It also clarifies interaction with other EU frameworks. Reporting obligations are expected from September 2026, with core requirements applicable from December 2027.
At the same time, NIS2 implementation is exposing divergent national scoping and supervisory approaches. This makes it harder to apply a consistent group-wide compliance model.

The January 2026 cybersecurity package responds to these issues. It combines a proposed Cybersecurity Act revision with targeted NIS2 amendments and more streamlined incident reporting. It is also intended to complement the upcoming Cloud and AI Development Act and the Digital Omnibus simplification effort. For businesses, compliance expectations will continue to evolve as implementation becomes more structured and coordinated across Member States.

Further reading:

- Five months of the EU Data Act: Key lessons for your organisation

- EU Digital Omnibus: At a glance

- NIS2 Hub: Navigating cybersecurity compliance

- Insights: NIS2 Implementation Tracker

- Updata: Your quarterly privacy & cybersecurity update

- EU: Regulatory developments concerning the AI Act

- Executive Compliance Guide: EU Data Act

- Executive Compliance Guide: GPAI Guidelines