Table of Contents >> Show >> Hide
- What the Commission actually unveiled
- Why Brussels is doing this now
- What is inside the Digital Omnibus package?
- Why the package is getting both applause and side-eye
- Where things stand as of March 2026
- What businesses should do now
- Practical experience: what this looks like on the ground
- Conclusion
Europe’s digital rulebook has long had the energy of a closet stuffed with winter coats, tennis rackets, and one mystery box nobody wants to open. On November 19, 2025, the European Commission decided it was time to tidy up. Its answer was the Digital Omnibus, a sweeping simplification effort designed to trim overlapping compliance duties across data, privacy, cybersecurity, and artificial intelligence, while also rolling out a broader Digital Package that includes a Data Union Strategy and proposed European Business Wallets.
That sounds wonderfully bureaucratic, and yes, it absolutely is. But it is also a big deal. For companies doing business in Europe, the Digital Omnibus package is one of the clearest signs yet that Brussels is trying to shift from “regulate first, ask for more forms later” to “keep the guardrails, but maybe stop making everyone file the same report six times.” The Commission says the goal is to reduce administrative burden, strengthen competitiveness, and make the rules easier to use in real life. Critics say some of the proposed changes could weaken hard-won privacy protections and make the EU’s digital identity wobble a little. In other words, classic Brussels: one part simplification, one part philosophical cage match.
What the Commission actually unveiled
The first thing to understand is that the phrase Digital Omnibus legislative package is doing a lot of work. At its core, the Commission released proposals to simplify parts of the EU’s digital legislative framework and the implementation of the AI Act. The broader package also includes a strategy to improve access to quality data for AI and a proposal for European Business Wallets that would let companies prove identity, exchange official documents, and interact with public authorities more easily across the EU.
The Commission’s pitch is straightforward: the EU has piled digital laws on top of digital laws, and even if each law made sense on its own, the stack has become messy. Businesses have complained that the current system is fragmented, repetitive, and expensive to navigate. The Commission responded by promising more consistency, fewer overlaps, and lower compliance friction. It has even argued that, if widely adopted, the package could generate major savings for businesses, with the business wallet proposal doing much of the heavy lifting.
Why Brussels is doing this now
The Digital Omnibus did not appear out of thin air like a surprise software update you forgot to disable. It grew out of a broader competitiveness push in the EU, shaped by worries that Europe has become too slow, too fragmented, and too burdened by administrative complexity to keep pace with the United States and China. The Draghi competitiveness debate, industry lobbying, and business frustration over overlapping requirements all helped create the political momentum.
There is also an AI angle that is impossible to ignore. The EU wants to remain serious about trustworthy AI, but it also knows that companies cannot build or deploy advanced systems efficiently if the compliance map looks like a bowl of regulatory spaghetti. That tension sits at the heart of the package. The Commission is not trying to erase the GDPR, the AI Act, the Data Act, NIS2, or DORA. It is trying to make them fit together with fewer collisions, fewer duplicate notices, and fewer “please submit the same thing again, but this time in a different portal” moments.
What is inside the Digital Omnibus package?
1. Data and privacy changes
The data and privacy side of the proposal is where things get most interesting, and also where the knives come out. The Commission wants to simplify how the GDPR and related laws work in practice. One headline idea is to clarify how personal data should be understood in cases involving pseudonymization and identifiability. Another is to provide more legal certainty for the use of personal data in AI development and operation, including clarifying when legitimate interest may serve as the legal basis.
That sounds technical, but the real-world impact could be huge. If companies get clearer rules on when data can be used for AI development, especially with safeguards and a right to object, they may have an easier time building and fine-tuning AI systems in Europe. At the same time, privacy watchdogs have already warned that some of the draft wording could narrow the concept of personal data too much and create legal uncertainty rather than reduce it.
The package also tries to tackle one of the internet’s most universally mocked features: the cookie banner. The proposal would simplify cookie requirements, expand low-risk exemptions for benign uses, support browser- or machine-readable preference signals, and push websites toward genuine one-click acceptance or refusal. If that sounds like Brussels finally noticed that everyone is rage-clicking through cookie prompts, that is because Brussels finally noticed that everyone is rage-clicking through cookie prompts.
2. A single entry point for cyber incident reporting
This may be the least glamorous part of the package, but for compliance teams it could be the most useful. Today, organizations responding to a serious cyber incident can face parallel reporting obligations under several EU laws, including GDPR, NIS2, DORA, and other frameworks. The Digital Omnibus proposes a single-entry point for incident reporting, managed by ENISA, the EU cybersecurity agency.
The idea is simple: instead of forcing a company to navigate multiple reporting tracks while it is already dealing with a breach, the EU would create one interface capable of serving overlapping obligations. The existing legal duties would not disappear, but the process would become more centralized and more practical. Some legal analyses also note that the proposal would raise the threshold for certain breach notifications and extend the GDPR notification window from 72 to 96 hours. For companies that have ever lived through an active cyber incident, that extra breathing room is not just nice to have. It is oxygen.
3. AI Act adjustments
The AI side of the package is probably the most commercially important piece for tech companies, software vendors, and manufacturers that embed AI into products. The Commission proposes to link parts of the high-risk AI timeline to the availability of standards and support tools. In practice, that means some deadlines would move later, with a long-stop structure that delays the toughest requirements for certain systems.
The proposal also extends some simplified compliance treatment beyond small and medium-sized enterprises to small mid-cap companies, reduces some registration burdens, gives businesses more flexibility on post-market monitoring plans, expands support through sandboxes and testing tools, and centralizes parts of oversight in the AI Office. In plain English: the Commission is trying to keep the AI Act alive and credible without asking companies to comply on a schedule that many argue is not operationally realistic.
That does not mean the EU has suddenly gone full “move fast and ignore paperwork.” The bar for high-risk AI remains high. The proposal is more about sequencing, narrowing overlaps, and making the regime more usable than about tearing it down. Even many business-friendly legal analyses warn companies not to treat this as a hall pass. The message is more like: yes, you may get more time, but no, you should not use that time to take a nap.
4. Data consolidation and cloud switching relief
The Commission also wants to simplify the broader data framework. One of the more ambitious talking points is the idea that Europe could effectively operate with two main data laws instead of five, centered on the GDPR and the Data Act. The proposal would pull parts of other digital data rules into a more consolidated structure, while also easing certain burdens for SMEs and small mid-caps.
For cloud and data service providers, the package includes targeted relief on switching requirements for some custom-built services and preexisting contractual arrangements. It also includes changes meant to protect trade secrets and narrow some business-to-government data sharing duties to clearer emergency situations. None of this is flashy, but it matters. The less time companies spend deciphering overlapping data-sharing rules, the more time they can spend doing actual business, which is usually the part the finance team likes.
5. European Business Wallets
Although the Business Wallet proposal sits in the broader Digital Package rather than inside the narrowest reading of the Omnibus text, it is politically and commercially tied to the same simplification agenda. The concept is a digital tool that lets a business prove who it is, sign and send official documents, share licenses and certificates, and communicate with public authorities across the EU with legal effect.
If that works as advertised, it could take a lot of friction out of cross-border operations. Instead of juggling local procedures in 27 member states, a company could use a more standardized digital identity and document workflow. The Commission has described it as a flagship single-market measure and has floated very large savings estimates if the wallets see broad adoption. That is the upside story. The harder part will be implementation, interoperability, and persuading public authorities to make the system genuinely useful instead of merely very official-looking.
Why the package is getting both applause and side-eye
The Commission wants the package framed as simplification without deregulation. That phrase is doing its own overtime. Supporters argue that the current digital rulebook is too fragmented, too repetitive, and too expensive to operate under efficiently. They see the Omnibus as overdue housekeeping that can make European tech policy more coherent and innovation-friendly without discarding core protections.
Critics are less convinced. Privacy and civil society voices argue that some proposed changes, especially around personal data, AI training, and cookie rules, risk turning simplification into rollback. The EDPB and EDPS have supported the general goal of reducing compliance burdens, but they have also raised significant concerns, especially about attempts to redefine personal data too narrowly. At the same time, those same regulators have been more receptive to efforts aimed at reducing cookie-banner fatigue and improving machine-readable preference signals. So the reaction is not a simple thumbs-up or thumbs-down. It is more like, “we support the cleanup, but please stop throwing out load-bearing walls.”
Where things stand as of March 2026
This is the part companies really need to remember: the Digital Omnibus is still a proposal, not a finished law. As of March 2026, the legislative process is moving, especially on the AI side. The Council agreed its position on the AI streamlining proposal in mid-March, and Parliament’s committees have backed postponing certain AI rules while also pushing additions such as a ban on certain non-consensual intimate-image systems. Other parts of the package, including the broader data and privacy reforms and the Business Wallet proposal, are still working their way through the EU machinery.
That means the final text could change materially. Some provisions may be softened, tightened, or dropped altogether. So businesses should read the package as a strong signal of direction, not as a final compliance manual carved into stone tablets.
What businesses should do now
For companies operating in Europe, the smart response is not panic and it is not complacency. It is preparation. Legal, privacy, cybersecurity, product, and policy teams should map where the Omnibus could reduce friction, where it may introduce transition risk, and where core obligations are unlikely to disappear. The biggest opportunities are in rationalizing incident-reporting workflows, rethinking cookie and consent mechanics, updating AI governance timelines, and identifying whether a business might qualify for lighter treatment as a small mid-cap.
U.S. companies, in particular, should pay attention. The Omnibus is not just an internal EU spring-cleaning project. It affects any company selling into Europe, monitoring users there, training models on relevant datasets, or relying on cloud and data services covered by EU law. If your business touches the EU, Brussels has once again found a way to become part of your Monday morning.
Practical experience: what this looks like on the ground
To make the Omnibus feel less abstract, it helps to picture how it lands in real compliance life. Start with a software company running a SaaS platform across several EU countries. Before the Omnibus, its legal team may have had one internal playbook for GDPR incident reporting, another for NIS2 exposure, and a separate crisis workflow tied to sector-specific obligations. During a real incident, that kind of fragmentation is a nightmare. The proposed single-entry reporting point does not magically make the breach fun, because nothing makes a breach fun, but it does point toward a saner process where lawyers, engineers, and security teams are not duplicating the same work under different labels.
Now consider a company developing AI tools for hiring, customer service, or medical support. The biggest complaint from these teams has not always been that the EU regulates too much. Often, it is that the timelines, standards, and operational requirements do not line up neatly enough to build a reliable roadmap. The Omnibus on AI tries to answer that by linking parts of the high-risk timeline to the availability of standards, expanding simplified support measures, and trimming some procedural obligations. In practical terms, that means a compliance officer might finally be able to tell product leadership, with a straight face, what the next 18 to 24 months are supposed to look like.
There is also the website and publishing side. Marketing teams, publishers, e-commerce brands, and app operators have spent years living in cookie-banner purgatory, where every user journey starts with a wall of pop-ups and every privacy review turns into a debate over button color, consent language, and whether “manage preferences” is a dark pattern. The Omnibus proposal does not eliminate consent. But by supporting one-click refusal, browser-level signals, and exemptions for low-risk uses, it tries to move the system from cluttered ritual toward actual user choice. For digital businesses, that would be a practical quality-of-life improvement, not just a legal one.
Then there is the cross-border admin headache. A mid-sized manufacturer trying to expand from one EU market into six can lose absurd amounts of time proving identity, sending documentation, and dealing with public authorities through inconsistent channels. That is where the proposed European Business Wallet becomes more than a shiny policy phrase. If implemented well, it could reduce paperwork friction in exactly the kinds of interactions that drain time and budget but never make it into investor presentations. Nobody puts “submitted the same form four different ways” in a growth deck, but everyone pays for it.
So the real experience behind the Digital Omnibus is not glamorous. It is compliance teams asking for fewer duplicate reports, product teams asking for clearer AI timelines, publishers begging for less cookie-banner theater, and businesses wanting a simpler way to prove who they are across borders. That is why the package matters. It is not just a legal rewrite. It is an attempt to make Europe’s digital rules feel a little less like a maze and a little more like a system.
Conclusion
The European Commission’s Digital Omnibus package is not a revolution, and it is not a surrender. It is a recalibration. Brussels is trying to preserve its rights-based digital model while making it easier for companies to comply, innovate, and grow. Whether it succeeds will depend on what survives the legislative process, how carefully lawmakers handle the privacy trade-offs, and whether the final system is genuinely simpler in practice rather than just simpler in PowerPoint.
Still, one conclusion is already clear: the EU has heard the complaints about fragmented digital regulation and responded with a major attempt to streamline the rulebook. For businesses, that creates both opportunity and uncertainty. For privacy advocates, it raises meaningful red flags. And for everyone else, it is another reminder that in Europe, even simplification can arrive in a package large enough to require its own glossary.
