The European Commission has published its long-awaited “Digital Omnibus” simplification package, with significant changes proposed to a range of EU regulations, including the AI Act, the GDPR, the NIS2 Directive, and DORA.
As detailed in our recent blog, this package has been hotly anticipated as a key part of the Commission’s centrepiece simplification agenda to streamline EU regulation. It is one of a number of “omnibus” simplification packages (6 others have already been announced for other sectors) and is designed to address issues identified in the Draghi Report. The report concluded that complex and overlapping EU regulations are contributing to the EU’s lagging competitiveness. The Digital Omnibus also comes at a time of intensifying domestic and international pressure on the Commission to reduce digital regulation.
We will publish deep dives on the proposed changes in upcoming blogs, but some of the most significant amendments highlighted by the Commission include:
- delaying the implementation of the EU AI Act’s rules on use of high-risk AI by up to 16 months (until relevant standards and support tools are available);
- simplifying cybersecurity reporting with a single entry point for all incident reporting obligations (rather than separate obligations under e.g. NIS2, the GDPR and DORA), which could utilise the platform currently being designed for the Cyber Resilience Act (CRA);
- amending the GDPR to foster an “innovation-friendly privacy framework”, including by relaxing the current data breach notification regime (including notification threshold and timeline), clarifying the definition of “personal data” and introducing new exemptions and clarifications to support AI development and operation;
- modernising cookie rules to reduce cookie banners, and allow cookie preferences to be set centrally in browsers; and
- consolidating new and existing data legislation. Plans include folding the Free Flow of Data Regulation, the Data Governance Act and the Open Data Directive into the Data Act, and then aligning and streamlining those rules.
Alongside this package of simplification measures and regulatory adjustments, the Commission also announced:
- the “Data Union Strategy”, to “unlock more high-quality data for AI”, including a new Data Act Legal Helpdesk, and measures to strengthen Europe’s data sovereignty (such as protections for sensitive non-personal data, and fair treatment of EU data abroad);
- the “European Business Wallet”, a “unified digital tool” for European entities to digitalise operations such as signing and sealing documents (including with entities and bodies in other member states), to reduce administrative processes and costs across the EU;
- non-binding model contractual terms on data access and use and standard contractual clauses on cloud computing contracts, to help parties implement the EU Data Act; and
- a call for views on the proposed “Digital Fitness Check”, a tool to help the EU analyse the interplay between different EU rules and their cumulative impact on businesses and EU competitiveness.
Overall, the changes go much further than anticipated, based on the Commission’s initial call for views back in September. While the Commission had been publicly firm it would not be reducing regulatory standards or delaying the AI Act, this more comprehensive proposal is not surprising given the intense political pressure it is under. The delay to the AI Act, for example, follows intense lobbying from businesses and tech companies as well as perceived pressure from the Trump administration.
Next steps
These proposals now enter a consultation phase and will require approval from the European Parliament and Council before they can take effect. The journey ahead is unlikely to be straightforward: business groups and several member states are pushing for deeper cuts to regulatory burdens, while civil rights advocates warn the measures will “wreck” existing digital protections. With such opposing pressures, the proposals are likely to face a challenging and highly scrutinised legislative process.
