The European Commission has issued its much debated Digital Omnibus. Its core proposals aim to streamline rules on AI, cybersecurity and data. While aimed at simplifying the rules, it could end up making things more complex, particularly with the uncertain timing of the rules on high-risk AI systems coming into force. It also gives the AI Office more clout.
The Commission has also announced a Data Union Strategy and a European Business Wallet.
AI
The Commission proposes linking the entry into application of the rules governing high-risk AI systems to the availability of support tools, including the necessary standards. The timeline for applying high-risk rules is being adjusted to a maximum of 16 months, so the rules start applying once the Commission confirms the needed standards and support tools are available, aiming to give companies support tools they need. There will also be an altered transition for synthetic-content watermarking. A six-month grace period only applies to generative AI systems placed on the market before 2 Aug 2026, requiring compliance by 2 Feb 2027.
The Commission is also proposing targeted amendments to the AI Act that will:
- Extend certain simplifications that are granted to small and medium-sized enterprises (SMEs) and small mid cap companies (SMCs), including simplified technical documentation requirements.
- Provide for an EU-level sandbox from 2028 and more real-world testing, especially in core industries like the automotive sector; and
- Increase the AI Office’s investigatory and enforcement powers and centralise oversight of AI systems built on general-purpose AI models. It will supervise AI systems based on a general-purpose AI model where both system and model stem from the same provider; and AI systems integrated into designated very large online platforms or search engines.
- Reduce the obligations on employers to ensure that employees are AI-literate. AI literacy will be a responsibility of the Commission and Member States.
- Provide for AI providers to process special categories of personal data to carry out bias testing, within a framework of stringent safeguards.
Simplifying cybersecurity reporting
The Omnibus also introduces a single-entry point where companies can meet all incident-reporting obligations. Currently, companies must report cybersecurity incidents under several laws, including among others the NIS2 Directive, the GDPR, and the Digital Operational Resilience Act (DORA). The interface will be developed with robust security safeguards and will undergo comprehensive testing to make sure that it is reliable and effective.
Updating the privacy framework
Targeted amendments to the GDPR will harmonise, clarify and simplify certain rules to boost innovation and support compliance by organisations. The Commission says “In particular, we are adopting measures to ensure that AI development is encouraged in Europe and clearly framed by our rules.” These also include:
- Clarifying the definition of personal data to reflect the case law of the European Court of Justice;
- Specifying when data protection impact assessments should be conducted;
- Simplifying and facilitate data breach notifications from organisations to supervisory authorities;
- Simplifying the information that needs to be provided by companies to citizens in low-risk cases. This aims to address a long-standing request from smaller operators when managing their customer data, for example, local sports clubs when managing memberships; and
- Clarifying that personal data can be used in the development of AI subject to the GDPR.
Modernising cookie rules
The amendments will reduce the number of times cookie banners pop up and allow users to indicate their consent with one-click and save their cookie preferences through central settings of preferences in browsers and operating system.
The end of the Platform to Business Regulation
The proposal also repeals the Platform to Business Regulation as it has been superseded by the Digital Markets Act and the Digital Services Act.
Improving access to data
The digital package aims to improve access to data as a key driver of innovation. It simplifies data rules and makes them practical for consumers and businesses by:
- Consolidating EU data rules through the Data Act, merging four pieces of legislation into one for enhanced legal clarity;
- Introducing targeted exemptions to some of the Data Act’s cloud-switching rules for SMEs and SMCs;
- Offering new guidance on compliance with the Data Act through model contractual terms for data access and use, and standard contractual clauses for cloud computing contracts;
- Helping to boost European AI companies by unlocking access to high-quality and fresh datasets for AI, strengthening the overall innovation potential of businesses across the EU.
Other announcements
Data Union Strategy
The new Data Union Strategy outlines additional measures to unlock more high-quality data for AI by expanding access, such as data labs. It puts in place a Data Act Legal Helpdesk, complementing further measures to support implementation of the Data Act. It also strengthens Europe’s data sovereignty through a strategic approach to international data policy: anti-leakage toolbox, measures to protect sensitive non-personal data and guidelines to assess fair treatment of EU data abroad.
European Business Wallet
This aims to provide European companies and public sector bodies with a unified digital tool, enabling them to digitalise operations and interactions that in many cases currently still need to be done in person. Businesses will be able to digitally sign, timestamp and seal documents; securely create, store and exchange verified documents; and communicate securely with other businesses or public administrations in their own and the other 26 Member States.
Next steps
The Digital Omnibus legislative proposals will now be submitted to the European Parliament and the Council for adoption.
The Commission has also launched a consultation on the Digital Fitness Check which ends on 11 March 2026. The Fitness Check aims to ‘stress test’ how the rulebook delivers on its competitiveness objective, and examine the coherence and cumulative impact of the EU’s digital rules.
