Last November 19th, the European Commission released its Digital Omnibus simplification package. It covers EU rules related to cybersecurity and data (Digital Omnibus Regulation Proposal, on the acquis), AI (Digital Omnibus on AI), a new European Business Wallet (Regulation) and a Data Union Strategy (Communication and a Recommendation on model contractual terms on data access and use, and standard contractual clauses on cloud computing contracts), with the aim of reducing administrative burdens while creating opportunities for European companies. The package of digital rules will now be submitted to the European Parliament and the Council for discussion and adoption.
At the same time, the Commission has launched a consultation on the Digital Fitness Check, open until 11 March 2026. It aims to examine the interplay between different rules and their impact on businesses' EU competitiveness, with additional simplification measures expected to be proposed in the first quarter of 2027.
In a separate report, the Commission has identified areas of potential duplications between the Digital Services Act and other digital rules. And finally, the Commission has published its 2030 consumer agenda.
Ultimately, a significant wave of digital regulation proposals was published in a single week, totaling 22 documents and over 1,200 pages (in English), across more than 9 web pages.
The value of regulatory simplification
As we underlined in our last post, simplifying means recognising that regulation should add value, not undermine it, and that Europe cannot afford another cycle of unproductive complexity.
This is a first step, but greater ambition is still needed. Among other aspects, a key opportunity remains to streamline cybersecurity overlaps and withdraw the ePrivacy Directive, resolving its duplication with the GDPR and the asymmetric treatment of telecom providers.
The Parliament and the Council, in the context of the data acquis simplification, can still choose to remove this outdated and increasingly counterproductive ePrivacy Directive, which generates fragmented and overlapping rules with GDPR and undermines efforts to combat fraud.
They will also need to consider the necessary timeframe to accommodate the proposed delays in the application of the AI Act and to address what the Commission has overlooked: the effective repeal of national laws linked to the amended EU directives, thereby promoting consistency and genuine simplification. It will also be essential to avoid duplication in incident management at both the national and European levels, which would undermine the very purpose of a simplification initiative.
Digital Omnibus – Cybersecurity incident reporting
The Digital Omnibus proposes that incident notifications under NIS2, GDPR, DORA, CER (with eIDAS2 incidents still unclear and AI incident reporting not yet included) be submitted via an EU single entry-point platform, established and maintained by the EU cybersecurity agency (ENISA), to national competent authorities.
Each Member State shall ensure that essential and important entities notify, without undue delay, its CSIRT or, where applicable, its competent authority in accordance with paragraph 4 of this Article of any incident that has a significant impact on the provision of their services as referred to in paragraph 3 of this Article (significant incident) via the single-entry point established pursuant to Article 23a.
The European Commission estimates that “maintaining the single-entry point would require 8 FTEs within ENISA,” which appears insufficient given the scope: 24/7 coverage for 27 countries, in 24 official languages, interacting with multiple authorities and companies across at least four laws, covering incidents in 18 critical sectors, as well as data breaches affecting all businesses. It appears, therefore, that ENISA’s role would be primarily limited to maintaining the platform (which would need different languages) and providing access-related support (and possibly reporting aggregated statistics), while national competent authorities handle the actual incident data and assist companies with incident resolution.
ENISA will need to work with Member States and the private sector to determine the types and formats of information to be notified, which will subsequently be formalised through implementing acts. Within [18] months from the entry into force of this Regulation, ENISA shall pilot the functioning of the single-entry point for each added Union legal act. The single-point-of-entry would only take effect once the proper functioning of the platform has been thoroughly assessed by Member States.
We advocate for a “once-only” compliance approach across multiple regulations and a “report once, share many” system for incident reporting, creating a single notification platform (with incidents mostly managed at national level), while empowering ENISA to ensure coherence and alignment. The single-entry point is a strong proposal, but it needs to be carefully structured to prevent multiple and inconsistent incident notifications to different platforms or authorities, define reasonable standardised formats and content for reporting, and ensure very high availability and confidentiality of the platform.
ENISA’s already limited resources would require a substantial increase to take on this new responsibility. The next missing regulatory step is the implementation of simplified “once-only” compliance.
Digital Omnibus – Data rules
The Digital Omnibus looks to consolidate all data rules mainly into two major laws: the Data Act, and the General Data Protection Regulation (GDPR), which will remain central. It proposes repealing the Free Flow of Non-personal Data Regulation, the Platform-to-Business Regulation (P2B), the Data Governance Act and the PSI directive.
The Commission proposes to amend the privacy and data protection framework in aspects such as the definition of personal data (e.g. pseudonymised data); simpler cookie requirements and a ‘whitelist’ of harmless purposes to tackle “cookie consent fatigue”; and more flexibility to rely on the legitimate interest legal basis of the GDPR for the processing of personal data for AI model training. It also proposes targeted amendments to help businesses overcome practical obstacles and limits, and clarifies the scope of the business-to-government sharing provisions.
But it stops short of fully repealing the ePrivacy Directive, leaving in place sector-specific rules that apply only to telecom providers (with the GDPR also applying), even as cookie provisions are revised and moved under the GDPR. Repealing the directive and incorporating the remaining necessary provisions (e.g., confidentiality of communications) into broader legislation – such as the GDPR, the European Electronic Communications Code, or the DNA – represents the path forward.
Digital Omnibus – AI Act
The simplification measures proposed in the Digital Omnibus on the AI Act are targeted amendments designed to address specific implementation challenges. The proposal:
- delays the application of the AI Act provisions for high-risk AI systems, currently due to take effect in August 2026, by up to 16 months, linked to the availability of the 10 AI standards and support tools (e.g. 12 proposed guidelines). Once available, it allows a six-month window for Annex III systems and a twelve-month window for Annex I products.
- introduces a six-month transitional period (until 2 February 2027) for GPAI to comply with transparency obligations for synthetic audio, image, video, or text content
- expands the enforcement powers of the AI Office, centralising oversight of GPAI model systems or AI integrated into very large online platforms and very large search engines
- expands AI regulatory sandboxes and real-world testing
- extends existing regulatory simplification for SMEs to also small mid-caps (SMCs)
- reduces the registration burden for AI systems used in high-risk areas for tasks that are not considered high-risk (limited to narrow or procedural tasks)
- requires the Commission and the Member States to foster AI literacy
- enables more flexibility in post-market monitoring of high-risk AI systems
- allows providers of high-risk AI systems to exceptionally use sensitive personal data for the purpose of bias detection and correction – also amending GDPR
- introduces other targeted adjustments (e.g. related to conformity assessment bodies)
The proposal seeks a more workable AI Act, and it is positive that the timeline is tied to the availability of the necessary documents. However, it still sets a very short six-month implementation period, despite standards remaining unclear and key guidelines on high-risk not yet being available. Coherence between laws – such as with the RED Directive – also remains uncertain. And once again, the GDPR is set to be amended, yet the application of the ePrivacy Directive to operators, which is not addressed, would still hinder effective fraud or bias detection and correction.
Securing Parliament and Council approval of the Omnibus by August 2026 will be challenging. Nevertheless, the upcoming debate presents a valuable opportunity to pursue a genuinely pragmatic simplification of the regulatory framework and to finally address the outdated ePrivacy Directive. Meaningful simplification is essential to fostering innovation and growth.