European founders build world-leading companies. We have proven it.
Across AI, health technology, fintech and deep tech, the startups coming out of Europe are not chasing the frontier but are defining it. The talent is here, the ambition is here. But political will keeps failing to match it, with that gap becoming an economic liability Europe cannot keep ignoring.
Much attention has rightly gone to the AI Act simplification process, but there is another reform underway in Brussels that deserves equal urgency: the amendment of GDPR. What we are seeing so far is not serious reform. It is not close — and European business knows it.
The cost of marginal reform
The changes are expected to form part of the EU’s broader “Digital Omnibus” effort — a package intended to simplify overlapping digital regulations and reduce administrative burdens on businesses.
Brussels has increasingly acknowledged concerns that Europe’s regulatory framework, while well-intentioned, has become difficult for startups and growth-stage companies to navigate in practice.
We have heard the speeches, read the Competitiveness Compass and lived every proof point the Draghi report contains. We do not need another diagnosis.
We are asking for this to be the moment Europe actually delivers, because if this reform ends in marginal technical adjustments while the structural problems remain, we may not get another serious opportunity for years. The cost will be measured in companies built elsewhere, capital flowing to other shores, and breakthroughs that happen anywhere but here.
The data definition trap
The problems are fundamental. The definition of personal data has been stretched through years of regulatory interpretation to the point where it captures hypothetical connections to individuals with no grounding in reality.
Almost any dataset qualifies. Almost any use of data is regulated. European companies carry a compliance burden their global competitors do not — and it falls hardest on the startups and scaleups that can least afford it.
A genuinely risk-based framework, where real risk of real harm determines the burden, is not a radical idea; it is what GDPR was designed to be. But the text must now reflect that, because years of hoping interpretation would improve have proven that hope insufficient.
Unlocking data for AI training is not something that can wait for the next reform cycle. It is an immediate economic necessity. For every day it remains unresolved, the gap between Europe and its competitors grows - and becomes harder to close.
The same logic applies beyond GDPR. The cookie consent regime under the ePrivacy Directive is long overdue for reform and the proposed browser-level consent mechanism would make things worse, not better.
Creating a dual regime, with one set of rules under GDPR and another under ePrivacy, adds complexity at precisely the moment Europe has committed to reducing it. If simplification means anything, it means not building new layers of fragmentation on top of old ones.
We are not asking Europe to abandon its values. Privacy matters and we support it. We are asking lawmakers to show the same boldness European founders show every day.
The ambition is here. Meet it.
