Civil society groups will warn that Europe’s simplification plan represents a dangerous rollback in privacy protections. Industry complains that simplification doesn’t go far enough. Both will be right. Brussels will split the difference with a carefully calibrated compromise. In a few years, we risk discovering that we have no idea if we achieved anything, because we never defined what a “successful result” means.
Companies and citizens expect measurable results, and Ukraine demonstrates how regulators should obtain these measurements. When your infrastructure is under active bombardment and you’re trying to maintain citizen services while missiles are falling, you cannot afford processes that aren’t measurable.
Ukraine’s digital team — and agencies such as the National Agency on Corruption Prevention — have introduced Objectives and Key Results (OKR) methodology not as a management trend but as a survival mechanism. They use OKRs to discipline, measure progress, and adjust quickly if results do not support the objectives.
After six months of OKR implementation, Ukraine’s Ministry of Digital Transformation achieved about 70% of its objectives and revised roughly a third of its goals during execution based on real-time data. The point isn’t perfection; it’s having the metrics to know when to adjust.
The UK’s GOV.UK platform adopted OKRs in 2023 to align teams around their growth strategy, demonstrating that the methodology works in public service delivery outside crisis conditions. Each team now works on objectives and key results aligned to measurable outcomes like traffic growth, user satisfaction, and service findability. The difference: accountability is built into how teams organize and prioritize, not just into post-implementation reports that arrive too late to adjust.
What would OKR discipline mean for the European Union and its Digital Omnibus? It means every policy declaration gets tied to specific and measurable results. The exact metrics will vary by domain — data protection, cybersecurity, AI development, market competitiveness — but the principle is the same: you must measure whether you’re achieving your stated goal.
Consider data protection versus AI innovation. The Omnibus declares it wants to “enable AI development while protecting fundamental rights.” With OKR discipline, that declaration becomes: What does “enable” mean in measurable terms? What does “protecting” mean we can track? If lawful data use for AI doesn’t increase, or if unauthorized processing incidents spike, the policy failed — regardless of how balanced the compromise looked on paper.
Or cybersecurity reporting. The Omnibus promises to “reduce administrative burden while maintaining security.” But what’s the measurable reduction? What is the measurable security outcome? The specific targets require policy expertise to set, but without targets at all, there’s no accountability.
In the era of artificial intelligence, this approach becomes much easier and simpler as data and progress can be measured by automated tools, databases, and financial reporting analyses. We’re regulating AI — we should be using it to make compliance smart.
The hardest test is whether European companies can compete under these rules. The Omnibus will aim to build Europe as a “global standard-setter for trustworthy technology.” But what does trustworthy mean in OKR-measurable terms?
If European companies’ time-to-market doesn’t improve, or if their global market share continues to decline, the regulatory framework isn’t working. European cloud providers hold just 15% of their home market, with US cloud leaders controlling 70%, despite Europe pioneering the GDPR as a global standard. When the reports show your protection metrics holding steady, but market share declining, you know something needs adjusting.
This is a management reform, not a policy tweak. We need discussions focused on the results. EU institutions must set clear objectives, define measurable results, track progress, and adjust when targets aren’t met.
Ieva Ilves advises Ukraine’s Ministry of Digital Transformation and WithSecure, a Finnish cybersecurity company. She has a master’s from Johns Hopkins University SAIS. Previously, she led Latvia’s first national cybersecurity strategy and the project to establish NATO’s Strategic Communications Centre of Excellence in Riga.
Bandwidth is CEPA’s online journal dedicated to advancing transatlantic cooperation on tech policy. All opinions expressed on Bandwidth are those of the author alone and may not represent those of the institutions they represent or the Center for European Policy Analysis. CEPA maintains a strict intellectual independence policy across all its projects and publications.
2025 CEPA Forum Tech & Security Conference
Explore the latest from the conference.
