Simplification of the digital legislative framework (Digital Omnibus)

PURPOSE: to simplify the digital legislative framework (Digital Omnibus).

PROPOSED ACT: Regulation of the European Parliament and of the Council.

ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council.

BACKGROUND: in its Communication on a simpler and faster Europe, the Commission announced its commitment to an ambitious programme to promote forward-looking, innovative policies that strengthen the EU’s competitiveness and radically lighten the regulatory load for people, businesses and administrations, while maintaining the highest standard in promoting the EU’s values.

Consequently, the Commission prioritised the proposal of immediate adjustments to legislation, including digital legislation, to address the competitiveness challenge of the Union.

The Digital Omnibus proposal simplifies European data laws and makes them easier for consumers and businesses to comply with. It comprises a set of technical amendments to a broad body of digital legislation, selected to provide immediate relief to businesses, public administrations, and citizens, thereby boosting competitiveness. The immediate objective is to ensure that compliance with the rules comes at a lower cost, delivers on the same objectives, and brings in itself a competitive advantage to responsible businesses.

The proposal groups all data-related rules into just two major laws: the Data Law and the General Data Protection Regulation (GDPR), which remains central.

At the same time, the proposed amendments remain technical in their nature, seeking to adjust the regulatory framework but not to amend its underlying objectives. The measures are calibrated to preserve the same standard for protections of fundamental rights.

The proposal is accompanied by a second proposal amending Regulation (EU) 2024/1689 (AI Law), together forming the "Omnibus" package in the digital field.

CONTENT: the principal amendments concern the following:

Modernising cookie rules

The Commission sets out provisions to reduce the number of times cookie banners pop up and allow users to indicate their consent with one-click and save their cookie preferences through central settings of preferences in browsers.

Clarifications to the GDPR to ease compliance

Targeted amendments to the GDPR will harmonise, clarify and simplify certain rules to boost innovation and support compliance by organisations, while keeping intact the core of the GDPR, maintaining the highest level of personal data protection. Draft amendments would bring greater legal certainty on pseudonymisation and the point at which data can be treated as non‑personal for a given entity. The Commission also proposes to adjust breach notification by extending the authority notification deadline to 96 hours and aligning thresholds to focus on higher‑risk incidents, coupled with a common EU reporting template.

Lawful basis for AI development and operation under the GDPR

The proposal clarifies how "legitimate interests" may apply to processing personal data for developing and operating AI systems, subject to safeguards and individuals' right to object. Moreover, a narrowly framed derogation would allow residual special‑category data present in datasets to be handled for bias detection/correction or where removal is disproportionate, with technical measures to minimise and prevent disclosure of such data in outputs.

Streamlining the data acquis through the Data Act

The proposal consolidates elements of the EU's public‑sector re‑use and data intermediation frameworks into the Data Act to reduce fragmentation, remove outdated provisions and simplify re‑use conditions. It narrows business‑to‑government data access to clearly defined "public emergencies" and introduces reinforced trade secret protections, including the ability to refuse disclosure where there is a substantial risk of unlawful acquisition or third‑country leakage. It also calibrates the cloud switching rules under the Data Act with targeted exemptions for custom‑made services and certain SME/SMC providers under legacy contracts.

Single entry point for cyber incident reporting

The Digital Omnibus also proposes a very clear solution for streamlining cybersecurity incident reporting, bringing under the umbrella of a single reporting mechanism all related reporting obligations. Through fostering a “report once, share many” principle, the single-entry point will reduce administrative burden for entities, while ensuring effective and secure flow of information about security incidents to the recipients defined in respective legislation. Currently, companies must report cybersecurity incidents under several laws, including among others the NIS2 Directive, the General Data Protection Regulation (GDPR), and the Digital Operational Resilience Act (DORA).

The proposed regulation entails very strong burden reduction for businesses, as well as for public administrations and citizens. Initial estimates foresee possible savings of at least EUR 1 billion annually, from moment of entry into force, with an additional EUR 1 billion savings in one-off costs, amounting to a total of at least EUR 5 billion over 3 years by 2029.