European Commission launches Digital Package to simplify EU digital rules

• The European Commission introduced a Digital Package to simplify and harmonize EU digital rules across data, cybersecurity, and AI.

• The Digital Omnibus consolidates data legislation into two main laws: the Data Act for non-personal data and GDPR for personal data, while streamlining cybersecurity incident reporting through a single-entry system managed by ENISA.

• The AI-focused Omnibus revises the AI Act by delaying high-risk AI obligations until support tools are ready, extending simplifications to mid-cap companies, and easing conformity assessment processes.

• Complementary initiatives include a Digital Fitness Check to evaluate rule interactions, a Data Union Strategy to boost data availability and sovereignty, and a European Business Wallet to facilitate secure business-public authority interactions across the EU.

On 19th November 2025, the European Commission unveiled its long-awaited Digital Package, aimed at making the EU’s digital rulebook simpler, more consistent, and easier for businesses to apply. The package brings targeted changes across data, cybersecurity, and artificial intelligence, and marks a first step toward a more streamlined digital framework in Europe.

Advertisement

Below is an overview of the package and some preliminary observations on its key novelties.

Digital Omnibus(es): First Step Towards Simplification

The Digital Omnibus is announced as a starting point to reduce complexity in the EU’s Digital Rulebook. It consists of two proposed regulations: one addressing the broader digital legislative framework, and another focused on AI.

a. Digital Omnibus on the digital acquis (data, cybersecurity, privacy)

The main goal of the proposed regulation is to simplify the EU’s data legislation and reduce administrative burdens, particularly in reporting cybersecurity incidents.

On the EU data framework, the Digital Omnibus introduces significant changes to the European data laws. Outdated rules, such as provisions of the Free Flow of Non-Personal Data Regulation, have been repealed and integrated into the Data Act, while the overlapping requirements across the Data Governance Act (DGA), Data Act, and Open Data Directive (OPP) have been streamlined. The Commission’s main goal is to consolidate the main data rules into two key laws: the Data Act, covering non-personal data and integrating the DGA, ODD, and FFDR, and the GDPR, which will continue to govern the processing of personal data.

Notably, targeted amendments to the Data Act under the Digital Omnibus include an expanded scope, clearer definitions of terms such as “data holder” and “data access,” stronger safeguards for trade secrets in IoT data-sharing, and narrower business-to-government obligations limited to public emergencies. In addition, new chapters address data intermediation services and data altruism, while rules on re-use of public sector data have been merged and data localisation requirements prohibited. GDPR has been updated with a refined definition of personal data, simplified obligations for controllers and data subjects, and a narrower notification requirement for data breaches, limited to high-risk incidents with a 96-hour deadline.

Regarding the simplification measures on cybersecurity legislation, the creation of a Single-Entry Point for incident reporting across multiple regulations is mandated, managed by ENISA, which will pilot the system within 18 months, ensuring that severe incidents only need to be reported once under overlapping legal frameworks.

b. Digital Omnibus on AI

The AI-focused Digital Omnibus is designed to simplify the AI Act implementation and make it less costly for businesses, while addressing challenges identified by stakeholders during 2025 consultations.

It introduces several important adjustments to the AI Act, beginning with a new “stop-the-clock” mechanism that links the application of high-risk AI obligations to the availability of essential support tools such as harmonised standards, common specifications, and Commission guidance. These obligations will only start applying once the Commission confirms that adequate measures are in place, followed by a transition period, and must in any case apply no later than 12 months after that confirmation (for high-risk AI under Article 6(1) and Annex I of the AI Act) while, in the absence of a decision, flexibility remains until 2 August 2028.

Beyond this mechanism, the proposal extends existing simplifications for SMEs to also cover small and mid-cap companies, introduces new legal definitions for both SMEs and SMCs, and shifts the responsibility for promoting AI literacy from providers and deployers to the Commission and Member States. It also removes certain registration duties for Annex III AI systems that are exempted from high-risk classification and streamlines the designation process for conformity assessment bodies and notified bodies through a single application and assessment procedure across the AI Act and relevant harmonisation legislation. Furthermore, a new Annex XIV clarifies the designation scope for notified bodies, and a 18-month cut-off is set for already-designated bodies to apply for designation under the AI Act.

Complementary Initiatives published as part of the Digital Package

Alongside the Digital Omnibus, several related initiatives also form part of the Commission’s broader digital simplification package. The Digital Fitness Check (expected in early 2027) will assess how EU digital rules interact in practice, examining their cumulative effects on strategic sectors and SMEs and identifying where further simplification may be needed. Complementing this, the EU Data Union Strategy outlines measures to unlock high-quality data for AI and innovation, while consolidating the EU’s data framework, strengthening interoperable data spaces and Data Labs, and reinforcing Europe’s data sovereignty. Finally, the proposed European Business Wallet introduces a new digital tool designed to streamline and secure interactions between businesses and public authorities across the EU.

On the next steps, the potential implications of the Digital Package for our sector will be explored during the upcoming CECE Technical Week in December, which will also provide an opportunity to coordinate CECE approach on the recent Commission’s proposals and start planning CECE common contributions to the ongoing consultations.