EU “Digital Omnibus” proposal: regulatory simplification or a step backward on digital rights?
The European Commission has launched the “Digital Omnibus”, a legislative initiative aimed at harmonising and coordinating the main EU digital regulations, from the Digital Services Act (DSA) to the Digital Markets Act (DMA), up to the AI Act and the Data Act, into a single governance and supervision framework.
Officially presented on 19 November 2025, the proposal marks the start of a phase of regulatory consolidation which, according to the Commission, aims to “simplify implementation and strengthen legal certainty for Member States and operators”. In other words, instead of introducing new obligations, the Digital Omnibus aspires to “carry out maintenance” on the existing system: eliminating overlaps, unifying definitions and aligning procedures across the various digital rules adopted in recent years.
The initiative responds to calls raised at EU level (Letta and Draghi reports, European Council) to lighten a regulatory landscape that has become complex and potentially harmful.
Who it is for
The audience targeted by the Digital Omnibus is very broad. The proposal, in fact, would apply “to all companies and public administrations subject to at least one of the following regulations: DSA, DMA, AI Act or Data Act”.
It covers the entire digital ecosystem: from large online platforms and market gatekeepers (regulated by DSA/DMA), to companies that develop or use high-risk AI systems (AI Act), to businesses involved in data sharing and processing (Data Act) and critical infrastructures subject to cybersecurity rules (NIS2, DORA, etc.).
No one is excluded, not even public administrations that hold reusable data. The stated intention is to provide “immediate relief” in terms of lower compliance costs and reduced administrative burdens, to the benefit of both the private and public sectors.
Unsurprisingly, SMEs and mid-caps are expressly listed among the beneficiaries, with additional exemptions from current obligations; this expands the facilitations already granted to startups and micro-enterprises. In theory, therefore, the Digital Omnibus is aimed at all the “responsible actors” in the digital single market, promising them clearer rules, fewer duplications and greater legal certainty.
And yet, looking at the situation with a disenchanted eye, it is hard not to notice that the real recipients of the proposed simplifications are the large global technology groups. It is well known that giants such as Google, Meta, OpenAI and even major European companies (Siemens, SAP) have long been calling for an easing of EU regulations on AI and data, which they consider excessively burdensome. The Commission itself admits that the initiative also arises in order to “prevent Europe from falling further behind in the global technological race” to the benefit of the United States and China.
In this sense, the Digital Omnibus almost seems tailor-made to respond to industry pressure: for example, by finally allowing big tech to exploit Europeans’ data for training their algorithms with fewer constraints.
Supporters speak of a “win-win” in which citizens also stand to gain (less bureaucracy, more innovative digital services).
But the question is: simplification for whom? For the small entrepreneur overwhelmed by compliance, or for the web giants that see some regulatory obstacles removed?
How cooperation between competent authorities changes
One of the pillars of the Digital Omnibus is the reform of governance and cooperation between authorities. Today each digital regulation has its own supervisory mechanisms: for example, the DSA provides for a Digital Services Coordinator in each Member State, the DMA is managed centrally by the Commission (with input from national competition authorities), the AI Act will establish a coordinating body (the European AI Office) alongside national authorities, and so on.
This patchwork risks generating overlaps in competences and conflicts. The proposed solution? To introduce the principle of “single digital coordination” at national level, by designating in each country a Digital Coordination Authority (DCA) as the single point of reference.
Each Member State will have to identify a digital regulator responsible for coordinating the application of the DSA, DMA, Data Act, AI Act (and related legislation) in its territory. In parallel, at European level, a federated network of digital authorities would be created, composed of these national DCAs.
At the top would sit the European Commission as the central supervisory authority of the entire system. This implies that Brussels would have a more forceful and formalised role in enforcing digital rules, potentially going beyond the current limited intervention (today the Commission intervenes directly only in areas such as the DMA and for “very large platforms” under the DSA).
Mutual cooperation between authorities in different Member States is also extended and made mandatory, building on and expanding the assistance mechanism between authorities already provided for by the DSA.
National authorities will have to assist one another in cross-border cases, reducing delays and the shifting of responsibility back and forth. The hoped-for result is more consistent supervision: the same definitions, the same procedures, coordinated sanctions (as we will see) and a single European conductor orchestrating everything. From an optimistic perspective, this “federal” shift in digital governance could fill the current gaps in coordination, avoiding both power vacuums and duplications.
How NIS2 and DORA incident notification changes
Among the more concrete and technical simplifications in the package is the creation of a single European mechanism for reporting cybersecurity incidents. Currently, companies subject to rules such as the NIS2 Directive (network security) and the DORA Regulation (digital operational resilience in the financial sector) have to navigate through fragmented reporting procedures: a single major cyber-incident may require multiple notifications to different authorities (for example to the national CSIRT for NIS2, to the central bank for DORA, to the cybersecurity agency for CER, etc.), using different forms and channels.
The Digital Omnibus tackles this problem head-on by establishing at ENISA (the EU Cybersecurity Agency) a single reporting portal valid for all regimes. Obliged entities will thus be able to submit a single notification through a centralised interface, which will then automatically route the information to the competent authorities under the various applicable laws. A one-stop shop for incident reporting: no more duplicate submissions of the same report to different channels.
The substantive obligation to notify within certain time limits remains, but the “workflow is significantly streamlined” without altering the underlying legal requirements. This integrated system will cover not only NIS2 and DORA, but also personal data breach notifications under the GDPR, effectively unifying every digital incident reporting obligation that currently exists.
The simplification at operational level is evident: companies will face less repetitive bureaucracy and can focus on managing the incident rather than filling out forms for each regulator.
Authorities will also benefit from a centralised, coordinated view of threats, being able to share information quickly through the common platform. ENISA, tasked with developing and managing the portal, will have to ensure its security and consult national bodies during the technical set-up. A pilot project will be launched and only when the Commission certifies that the system is functioning correctly (reserving the right to verify reliability, confidentiality, etc.) will it become fully operational.
How the AI Act changes
The Commission proposes to delay and soften some measures of the AI Act to ease pressure on the tech industry. The regulation on artificial intelligence (AI Act, formally Regulation (EU) 2024/1689) was recently adopted with the aim of imposing, from 2026, strict requirements on so-called high-risk AI systems (from biometrics to credit scoring).
With the Digital Omnibus, however, the Commission aims to “facilitate the smooth and effective application” of those rules, which in practice translates into a loosening and postponement of some key provisions. First of all, it plans to postpone by around a year and a half the entry into force of the most stringent rules for sensitive AI uses: from biometric identification systems to tools used in medical, financial or law-enforcement contexts. Instead of August 2026 (as originally set), the “stricter AI rules” would only kick in in December 2027.
The official justification is to give industry and authorities more time to adapt; the concrete effect is that European citizens will remain for a longer period without robust safeguards precisely in areas where AI can cause the most harm. A second change concerns transparency: in its original version, the AI Act requires every high-risk AI system placed on the EU market to be registered in a dedicated public database.
The Digital Omnibus introduces an exemption from this obligation: if a high-risk AI system is used only for “narrow or procedural” tasks (for example, internal company functions), the company may avoid registering it in the EU database.
Therefore, not all high-risk systems will be visible to the public: some AI used behind the scenes will escape public scrutiny, weakening what was intended as a fundamental tool for accountability and awareness.
Beyond these specific amendments, the Commission has simultaneously proposed (as part of the Omnibus package) a series of horizontal amendments on data protection that directly impact AI. For example, the criteria are clarified for defining “when data ceases to be personal” under the GDPR, with the clearly stated goal of facilitating the use of anonymised / pseudonymised data of EU users for algorithm training. Even more controversial is the intention to allow the processing of personal data to train AI models on the basis of the controller’s legitimate interest.
This would represent a seismic shift: currently, using individuals’ personal data for large-scale machine learning requires solid legal bases (often explicit consent or other very strict conditions), whereas with the new Digital Omnibus derogation big tech companies could lawfully feed their algorithms with vast amounts of personal information without having to ask for permission, invoking “legitimate business interest”.
In fact, as reported by various agencies, the proposals “would allow Google, Meta, OpenAI and others to use Europeans’ personal data to train AI models”, a regulatory turn strongly desired by industry.
How the Data Act changes
Alongside AI and platforms, the other major worksite is data.
The Data Act (Regulation (EU) 2023/2854) was created to regulate access to and sharing of industrial and IoT device data, but it operated in a crowded regulatory ecosystem: there was already the Data Governance Act (DGA) on public-private data sharing, the Open Data Directive on the re-use of public-sector data, and even the older Regulation 2018/1807 on the free flow of non-personal data. A real “patchwork”, often misaligned in terminology.
The Digital Omnibus intervenes with a radical reorganisation: it integrates into the Data Act the key provisions of the DGA, the Open Data Directive and the Free Flow Regulation. In practice, the Data Act becomes the single container for the European data strategy, absorbing those parts of the other texts that could overlap or prove redundant. For example, an entirely new chapter on re-use of public-sector data and documents is inserted into the Data Act, combining the general rules of the DGA and the Open Data Directive. Definitions are also harmonised: concepts such as “data” (digital) and “document” (non-digital) are finally clearly distinguished and used consistently across the entire regulatory framework.
Likewise, a single definition of “data intermediation service” is introduced and common principles are laid down, such as non-discrimination in access to public data and the ban on exclusive agreements for the re-use of government data.
In essence, thanks to the Omnibus, the various pieces of the regulatory puzzle on data (public, industrial, personal and non-personal) are fitted into a single, more coherent framework. At the same time, the Digital Omnibus strengthens some safeguards and clarifies obligations within the Data Act.
Particular emphasis is placed on the protection of trade secrets of companies that share data: new safeguards are introduced to prevent confidential information from ending up in the wrong hands, for example in unsafe third countries.
This move, welcomed by industry, mitigates one of the biggest concerns linked to the mandatory data-sharing obligations (such as those towards public authorities foreseen by the Data Act).
Secondly, the framework for data sharing for public-interest purposes (B2G) is simplified, a framework that has so far been considered cumbersome and “too wide-meshed” (there were fears it might apply to almost any type of data).
There will be more precise criteria to define when a public body may request data from companies, thereby increasing legal certainty for the latter. The rules on smart contracts are also clarified, as they had proved difficult to understand in practice.
The obligations on portability and switching of cloud services are partly revised: the principle remains crucial to open up the market, but it is acknowledged that some provisions were “excessively burdensome not only for SMEs but also for mid-caps”.
The Omnibus introduces derogations for legacy contracts on customised cloud services and lightens interoperability requirements, so as not to penalise medium-sized players.
Cookies and privacy: what changes?
Equally significant, the Digital Omnibus intervenes on privacy and electronic communications, with a particular focus on the much-hated cookie law. In fact, the entire set of cookie rules currently contained in the ePrivacy Directive is transferred into the GDPR.
The underlying idea is to integrate cookie consent into the general GDPR framework, thus leveraging its stronger and more uniform enforcement mechanisms (remember that the ePrivacy Directive, unlike a regulation, left room for differences in national transposition).
Automated consent mechanisms are promoted: for example, browsers or operating systems could send websites the user’s general cookie preferences, eliminating the need to click on banners every time. This could mean the adoption of a standard similar to “Do Not Track” or comparable signals to simplify user experience and reduce reliance on annoying pop-ups.
It is important to note that Article 4 of the ePrivacy Directive is repealed, namely the provision requiring providers to notify personal data breaches to authorities and users. That obligation is now absorbed by the GDPR and NIS2, respectively for personal data breaches and network security incidents, thereby eliminating a duplicated requirement.
In short, the result is an alignment of communications-confidentiality rules with the general framework: fewer separate laws and more coherence with the GDPR.
What new sanctions are introduced by the Digital Omnibus
Finally, we come to the issue of sanctions, where fortunately the Omnibus legislator does not add further draconian penalties, but instead adopts an approach of harmonisation and transparency.
Rather than introducing new sanctioning offences, the regulation proposes to harmonise the enforcement regimes already existing in the different digital acts.
This is done through several key measures:
- Common proportionality criteria: unified parameters are established for assessing the seriousness of infringements, mitigating factors and possible grounds for exemption, so as to ensure that the same violation is treated with comparable severity in all Member States.
- National guidelines on calculating fines: Member States will be required to publish official guidelines on how monetary sanctions are quantified in practice. This is intended to avoid excessive opacity and discretion in the imposition of fines.
- European sanctions database: a centralised database of imposed digital sanctions will be created, managed by the Commission. This will make it possible to monitor how rules are applied and to compare enforcement across countries, increasing transparency.
In short, no new sanctions are introduced beyond those already provided for in sector-specific regulations; instead, “the criteria for calculating and publishing” sanctions are harmonised.
A company that breaches the DSA or the Data Act will therefore not face different fines than before, but it will know that common criteria exist everywhere in the EU and that there is a database recording violations (with a likely reputational deterrent effect).
For its part, the Commission will be able to use the database to monitor the effectiveness of national enforcement and exert pressure if some countries turn a blind eye. The intentions seem reasonable: consistent sanctions and publicity as safeguards against arbitrariness and leniency. The question is whether that will be enough.
Critics point out that the current problem is not so much the lack of criteria (laws already provide ranges and general principles), but rather the weak enforcement of sanctions where they would be most needed. Harmonising the rules of the game is positive, but the Digital Omnibus does not address the issue of varying capacities among authorities to enforce the rules.
Furthermore, setting common criteria could inadvertently encourage some authorities to reduce the level of fines in order to align with the European average, especially in countries that have so far taken stricter approaches. A “harmonisation downwards” is a risk to keep in mind. On the other hand, greater transparency could trigger a virtuous race to the top: no regulator will want to appear as the weak link in the EU fines league table.
Another choice that seems designed to reassure businesses is the “same objectives at lower cost” narrative promoted by the Commission: the rules and related sanctions on paper remain, but it is promised that they will cost everyone less time and money.
Conclusion
The Digital Omnibus is an ambitious piece of legislative engineering, probably necessary in many practical respects, but one that raises fundamental questions: simplification for whom? modernisation at what price?
The feeling, shared by many critical voices, is that the EU is walking a fine line between updating a complex system to make it more efficient and quietly deregulating that same system, thereby sacrificing long-fought-for principles of transparency and protection.
From the very first reactions, many observers have looked at the proposal with scepticism. Behind the appealing rhetoric of “simplicity by design” and the need to “support innovation and growth” in the digital sphere, the Digital Omnibus hides a dangerous step backwards from long-established principles of transparency, governance and protection of digital rights.
Unsurprisingly, a coalition of 127 civil society organisations has described this proposal as “the biggest rollback of fundamental digital rights in the history of the EU”. Activists such as Max Schrems (noyb) likewise warn that, with these changes, “all your data will be thrown into the algorithms of Meta, Google or Amazon, enabling AI systems that will know your most intimate details and will therefore be able to manipulate people”.
In short, behind the mantra of regulatory simplification and competitiveness, the feared risk is that of a form of “creeping deregulation”, where the real winners would be the large tech companies, at the expense of users and their rights.


