The European Union has built one of the most comprehensive digital regulatory frameworks in the world. From the GDPR to the AI Act, the EU has positioned itself as a global leader in setting rules for the digital economy. But success has come with a downside: complexity.
The Digital Omnibus package (2025) is a sweeping effort by the European Commission to simplify, consolidate, and recalibrate existing digital legislation. While often framed as technical clean-up exercise, the proposals go much further. They touch on the core architecture of EU digital law, including data protection, AI governance, cybersecurity, and platform regulation.
So, what exactly is being proposed and why is it controversial?
The Big Picture: Simplification with Strategic Intent
At its core, the Digital Omnibus aims to address three systemic problems:
- Fragmentation across multiple overlapping laws
- High administrative burdens, especially for SMEs
- Legal uncertainty, caused by unclear interactions between rules
The Commission’s solution is not to create entirely new legislation, but to reshape and align existing frameworks. This happens through two main proposals:
- A General Omnibus Regulation (data, privacy, cybersecurity)
- A Digital Omnibus on AI (targeting the AI Act specifically)
While presented as simplification, many of the changes introduce substantive policy shifts, particularly in how data and AI are regulated.
1. Rewriting the Data Rulebook: Consolidation Around the Data Ac
One of the most structural changes is the transformation of the EU data framework.
The proposal would:
- Repeal several laws, including the Data Governance Act (DGA), Open Data Directive (ODD), and Free Flow of Non-Personal Data Regulation
- Integrate their key elements into the Data Act, turning it into the central pillar of EU data law
What does this mean in practice?
- A single framework for public-sector data reuse, instead of multiple overlapping regimes
- A shift toward a more market-driven model, with fewer mandatory obligations for data sharing
- A voluntary trust-based regime for data intermediaries (instead of strict regulation)
- At the same time, some important recalibrations are introduced:
- Business-to-government (B2G) data access is narrowed to public emergencies
- Data holders gain more ability to refuse access, especially to protect trade secrets
- Data altruism rules are relaxed, reducing reporting and governance requirements
In short: the system becomes simpler but also less interventionist, giving more discretion to companies.
2. GDPR Under Revision: Subtle Changes, Big Consequences
The Omnibus introduces some of the most debated changes to the GDPR, often framed as “clarifications” but with significant implications.
A new definition of personal data
- The proposal shifts from an absolute to a relative definition of personal data:
- Data is considered personal only if a specific entity can realistically identify the individual
- The same dataset could be personal for one actor, but not for another
- This could reduce compliance burdens but also lead to uneven protection and potential loopholes.
Easier data use for AI and research
Several changes aim to facilitate innovation:
- Legitimate interest is explicitly recognised as a legal basis for AI development
- The definition of “scientific research” is expanded to include commercial innovation
- Some exemptions allow reuse of data without informing individuals, if effort is disproportionate
There are also new allowances for:
- Residual sensitive data in AI datasets
- Broader use of data for bias detection and fairness testing
Together, these changes make it easier to use data for AI but shift more responsibility to companies to apply safeguards.
Changes to individual rights
The proposal also affects how individuals exercise their rights:
- Organisations may refuse or charge for data access requests deemed excessive or unrelated to data protection
- The threshold for data breach notifications is raised EU-wide templates for compliance (e.g. DPIAs) would replace fragmented national approaches
Critics argue this could weaken transparency and accountability tools.
Fixing “cookie fatigue”
To address constant consent pop-ups:
- Cookie rules are moved from the ePrivacy Directive into GDPR
- Websites could rely on browser-level, machine-readable consent signals
- Repeated consent requests would be limited (e.g. every 6 months)
This could improve user experience but depends heavily on how browsers implement it.
3. A Single-Entry Point for Cybersecurity Reporting
Another key proposal is the creation of a Single-Entry Point (SEP) for incident reporting.
Currently, companies must report incidents under multiple laws (GDPR, NIS2, DORA, etc.). The SEP would:
- Provide one unified portal for submissions
- Route reports to relevant national authorities
- Standardise templates and reporting formats
While this reduces duplication, it does not fully harmonise the underlying rules, meaning complexity may persist behind the scenes.
4. AI Act Adjustments: From Fixed Rules to Flexible Timelines
The Digital Omnibus on AI focuses on implementation challenges rather than rewriting the AI Act.
Flexible timelines for high-risk AI
Instead of fixed deadlines:
- Obligations would apply only once standards and guidance are ready
- Absolute deadlines remain as a fallback
This “readiness-based” approach reflects reality but introduces uncertainty for planning and investment.
Reduced burden for smaller companies
The proposal extends simplifications to small mid-cap companies (SMCs):
- Lighter documentation and compliance requirements
- Reduced fines
- Easier access to AI sandboxes and testing environments
This aims to support European innovation but may also create uneven compliance standards.
“Once-only” conformity assessment
For high-risk AI systems already subject to product safety laws:
- A single certification process would apply
- Existing notified bodies can assess AI compliance
This reduces duplication and speeds up market entry.
Centralised EU-level oversight
The AI Office would gain stronger powers:
- Supervising general-purpose AI systems and large platforms
- Running an EU-level regulatory sandbox
- Conducting tests and checks for high-impact systems
This marks a shift toward more centralised governance for advanced AI.
Other notable changes
- AI literacy becomes voluntary (instead of mandatory)
- Expanded ability to use sensitive data for bias detection
- More flexible real-world testing of AI systems
These changes reduce formal obligations but may weaken practical safeguards.
5. Removing Overlaps Across the Digital Rulebook
Beyond individual reforms, the Omnibus tries to fix how laws interact:
- P2B Regulation is repealed, as its functions overlap with the DSA and DMA
- Privacy rules are aligned by merging ePrivacy into GDPR
- AI and data protection rules are better connected (e.g. for data use in AI)
- Reporting systems are unified through the SEP
The goal is a more coherent legal architecture, rather than a patchwork of rules.
So… Is It Really Just Simplification?
Not quite.
While many measures clearly reduce duplication (and are widely supported), others redefine how core protections work in practice. The line between simplification and deregulation becomes blurred.
The key tension runs through the entire package:
- More flexibility vs. less legal certainty
- Lower compliance costs vs. weaker safeguards
- Innovation support vs. protection of fundamental rights
Final Thought: A Turning Point for EU Digital Policy
The Digital Omnibus is more than a technical update-it signals a strategic shift in how the EU approaches digital regulation.
After years of building a strong regulatory framework, the focus is now on making it usable, efficient, and innovation-friendly. But simplification comes with trade-offs.
The real question is not whether the rules should be simpler, but it is:
how much flexibility can be introduced without undermining the principles that made the EU’s digital model globally influential?
The answer will define the next phase of Europe’s digital future.
