The Digital Package

The vision of the Digital Omnibus 
Current regulation in the field of digital law presents substantial challenges for businesses due to its complexity and the difficulties involved in navigating them. This complexity is largely attributable to the lack of harmonization among the regulations, which are marked by overlapping requirements, imprecise definitions, and repetitive obligations, thus making compliance more challenging.

The Digital Package aims to make conducting business in the EU simpler and more cost-effective while maintaining commitment to fundamental rights.

What initiatives have been proposed? 
The Digital Omnibus includes the following key proposals:

AI Act

• Phased implementation: High-risk AI rules will only apply once the Commission confirms that necessary standards and support tools are available. The timeline for the application of the high-risk rules is adjusted to a maximum of 16 months.
• Lighter burden for mid cap companies: Regulatory simplifications previously reserved for SMEs are extended to small mid cap companies, including simplified technical documentation requirements.
• More innovation support: Broader access to regulatory sandboxes, including a new EU-level sandbox from 2028, enabling real-world testing across borders.
• Streamlined oversight: The AI Office gains centralized powers over general-purpose AI systems, reducing governance fragmentation across member states.

Cybersecurity rules

• Single-entry point for reporting incidents: Currently, companies must report cybersecurity incidents under multiple legal frameworks. The Digital Package introduces a single-entry reporting system, allowing companies to fulfill multiple incident-reporting obligations through one comprehensive report.

Data rules

The Digital Omnibus seeks to consolidate data regulations into two primary frameworks: the Data Act and GDPR.

The Data Act

• Targeted exemptions for cloud switching: SMEs, SMCs, and providers of custom-made data processing services are exempted from cloud-switching rules.
• Reduced barriers for data intermediaries: Mandatory registration and labelling requirements for data intermediation service providers have been removed, lowering market entry barriers.
• Simplified data altruism: The data altruism framework has been streamlined to facilitate sharing data for the public good.
• Consolidated public sector data rules: Rules on publicly held data have been unified to support EU data-driven innovation.
• Clarified business-to-government sharing: The scope is limited to genuine emergency situations (e.g. floods, pandemics), reducing compliance burdens outside emergencies. Expected to deliver approximately €20 million in annual savings for companies.

The GDPR

• Cookie Banner Modernization: The proposed amendments to cookie consent mechanisms will reduce the frequency of pop-ups and enable users to provide consent with a single click. Users will be able to save their preferences through centralized browser and operating system settings.
• European Business Wallets: European Business Wallets will provide a unified digital platform enabling businesses to digitally sign, timestamp, and seal documents. This tool will facilitate secure creation, storage, and exchange of verified documents, streamlining communication with other businesses and public administrations across member states. The system will reduce both administrative processes and associated costs.
• Change of the definition of “personal data”: According to the proposed change, information may not be considered personal data for an entity if that entity does not have the means reasonably likely to identify the individual. This change could facilitate data sharing and analytics in cases where the risk of re-identification is lower for the recipient. 
• New definitions in Article 4: Several new definitions will be added to Article 4, including a proposed definition of “scientific research.” This addition could provide greater legal certainty for research projects.
• Amendment to purpose limitation: The proposed change will make it clearer, that further processing for scientific research purposes is compatible with the initial purpose. 
• Exemptions to processing of sensitive personal data: Two exemptions to article 9(2) are introduced permitting (i) processing of biometric data for identity verification when the data or the means needed is under the sole control of the subject, and (ii) processing in the context of development/operation of an AI system or an AI model subjected to safeguards. 
• Clarification of Article 12: Abusive access requests may be refused or subject to a fee when they are unfounded, excessive, or when access rights are misused for purposes unrelated to data protection.
• Exemptions to the right to information in Article 13: Exceptions to the information obligation when (i) there is a clear, circumscribed relationship between the controller and the data subjects, when the processing is not data-intensive and when there are reasonable grounds to assume the subjects already has the key information, and when (ii) the processing takes place for scientific research purposes.
• Clarification of the rules regarding automated decision-making in Article 22: The amendment confirms that automated decision-making is allowed when the conditions set out in the current Article 22(2) of the GDPR are satisfied. The “necessity for a contract” does not imply that a human decision-maker is required; rather, controllers must select the least intrusive option that is equally effective.
• Higher threshold regarding notification of a personal data breach in Article 33: The proposed changes to article 33 will raise the threshold to notify the supervisory authorities to “likely high risk” situations as well as extend the deadline from 72 hours to 96 hours.
• Expansion of Article 35 regarding data protection impact assessment: It is proposed to add a list in Article 35 of processing activities that do not require a DPIA, complementing the existing list of activities that do. Additionally, the proposal includes the creation of a DPIA template to be developed by EDPB.
• Introduction of a new Article: The introduction of article 41a, which gives the Commission the option of adopting implementing acts to specifying means/criteria to determine when pseudonymized data is no longer considered personal data. 

Important: These proposals have not yet been implemented. Current regulations remain in effect until the Digital Omnibus is formally adopted and enters into force. It is important to know, that the AI Omnibus is expected to be adopted in July 2026, whereas the Omnibus on Data GDPR and Cyber has an unknow timeline in terms of adoption.

Read more

Digital Package | Shaping Europe’s digital future

EUR-Lex - 52025PC0837 - EN - EUR-Lex