The EU’s ‘Digital Omnibus’: proposed reforms to simplify AI and digital regulation

Published on 02 January 2026

The question

What has the European Commission proposed under its emerging ‘Digital Omnibus’ initiative, and how might these changes affect businesses operating in the EU digital and technology sectors?

The key takeaway

The European Commission has signalled a major simplification drive across EU digital regulation as part of its 2025-2029 programme. A package informally referred to as the ‘Digital Omnibus’ sets out early proposals to streamline and clarify aspects of the AI Act, the GDPR and wider data-governance rules. While the proposals are not yet legislative texts, they indicate the Commission’s direction of travel and the areas where businesses can expect future regulatory adjustments.

The background

In her 2024-2029 political guidelines, Commission President Ursula von der Leyen emphasised the need to simplify and harmonise the EU’s regulatory landscape, reduce administrative burdens and strengthen Europe’s competitiveness. The European Council reinforced this direction in its October 2025 conclusions, calling for clearer, more coherent rules for the digital sector.

The Commission has therefore begun outlining a set of simplification measures across key digital regulations. These proposals aim to support growth in the EU technology ecosystem - valued at €791 billion in 2022 - while maintaining high standards of safety, fundamental rights and data protection.

The development

As part of this agenda, the Commission has introduced an early-stage package of measures commonly referred to as the Digital Omnibus. This is not yet a formal legislative proposal, but a policy framework highlighting areas for future legislative amendments. The package will require full negotiation and adoption by the Council and European Parliament. Below is a summary of the proposed areas of reform.

AI Act: Proposed adjustments

  • Revised implementation timelines: The Commission has indicated that the application dates for high-risk AI system requirements may be aligned with the availability of harmonised standards and detailed guidance. This could extend compliance deadlines beyond their current 2026 timings.
  • Enhanced role for the AI Office: The AI Office would take a more central role in supervising general-purpose AI (GPAI) models and certain high-impact uses - particularly where the same provider develops both model and system. While national authorities would remain responsible for imposing penalties, the AI Office may receive additional investigatory or coordination powers.
  • AI literacy obligations: The requirement for all deployers to promote AI literacy may be scaled back, with literacy initiatives instead coordinated by the Commission and Member States. High-risk AI deployers would retain more stringent obligations.
  • Bias detection and special category data: A new, narrowly framed legal basis may allow processing of special category data for the specific purpose of detecting and correcting bias in AI systems, subject to safeguards.
  • EU-level AI sandboxes: A single EU regulatory sandbox could be introduced from 2028 to support innovation and cross-border experimentation.

GDPR: Areas identified for clarification or amendment

  • Pseudonymised data: Clarifications are being considered on how pseudonymised data should be treated, particularly when shared across entities within a group or with third-party partners.
  • Legitimate interests and AI: The Commission is examining whether further guidance is needed to clarify when legitimate interests can be relied on for AI training and operation, subject to the usual balancing test.
  • Residual special category data: A potential new legal basis may apply where a controller has taken reasonable steps to remove special category data from training sets, but small amounts remain that would require disproportionate effort to eliminate - again, subject to strict safeguards.
  • Data subject access request (DSAR) refinements: The Commission may seek to clarify the circumstances in which controllers can refuse manifestly unfounded or abusive DSARs, particularly where requests appear to pursue objectives unrelated to data-protection rights.
  • Breach notification: Amendments under discussion would require notification only where a breach is likely to present a high risk to individuals and could extend the deadline from 72 to 96 hours.
  • Machine-readable consent signals: New standards for automated, machine-readable consent signals may be developed to improve cookie and tracking-consent management, while maintaining alignment with ePrivacy rules.

Data Act and wider data governance: potential future reforms

  • Alignment with existing data governance laws: The Commission may explore closer alignment between the Data Act, the Data Governance Act, and the Open Data Directive, though not consolidation or replacement.
  • Stronger transfer safeguards: Additional protections may be introduced for trade secrets and transfers of non-personal or mixed data to third countries.
  • Incident-reporting pathways: Future reforms may streamline cybersecurity and data-incident reporting, coordinated at national level under NIS2, with ENISA supporting guidance rather than acting as a central reporting gateway.
  • European Business Wallets: Expansion of secure cross-border digital identity tools to help businesses verify identities, sign documents and exchange information.
  • Platform-to-Business Regulation review: The Commission may revisit the P2B Regulation, given its partial overlap with the Digital Markets Act (DMA) and Digital Services Act (DSA), although no repeal has yet been formally proposed.

Why is this important?

The Digital Omnibus represents an early step towards simplifying the EU’s complex digital regulatory framework. For businesses, especially those deploying AI systems or handling large volumes of data, the proposals could lead to clearer rules, reduced administrative burdens and more predictable compliance timelines.

The proposals will also be watched closely by the UK’s Information Commissioner’s Office (ICO), which may consider similar measures as it continues modernising UK data protection law without jeopardising EU adequacy.

Any practical tips?

Although these proposals remain at an early stage, organisations - particularly digital platforms, AI developers, cloud providers and data-driven businesses - should:

  • follow legislative developments closely as the Council and Parliament begin their discussions and trilogue negotiations;
  • track any adjustments to AI Act timelines, which may affect internal deployment and product-development roadmaps;
  • review how they rely on legitimate interests and pseudonymisation, as these areas are likely to receive further clarification;
  • assess how future consent-signal standards or DSAR refinements could change user-interface and privacy-management design; and
  • prepare for a transitional period once the final text is adopted.

If the Digital Omnibus achieves its stated goals, businesses may see a reduction in compliance complexity. Early awareness and planning will remain essential.

Winter 2025
