European Commission aims to simplify EU digital legislation.

On 19 November, the European Commission presented its seventh omnibus proposal – this time concerning digital legislation. The aim is to harmonise and simplify the rules of the European Union (EU) in the areas of artificial intelligence (AI), data and cybersecurity. To this end, two draft regulations were published. The first draft regulation concerns only AI, while the second covers all remaining topics. The Digital Omnibus is part of the Digital Package, which also included the Data Union Strategy and the European Business Wallet (EBW).

Longer deadlines for the implementation of the AI Act

In the field of AI, the European Commission’s proposal aims to amend the AI Act. The main objective is to postpone the date of application of the rules for high-risk AI and link them to the availability of supporting instruments, including the necessary standards. In recent months, there has been repeated discussion of extending the deadlines, and the German Federal Government has also advocated this. This applies in particular in view of the significantly delayed standards that are intended to specify the legal requirements for the high-risk area. These were originally due in August 2025 – and thus one year before the entry into application of the rules. According to the current state of play, however, they will not be available until a year later.

Against this background, the proposal for the Digital Omnibus provides for a flexible approach: the rules for high-risk AI under Annex III are to apply only once the European Commission confirms that the required standards and supporting instruments, such as relevant guidelines, are available. The timeline for application is to be postponed by up to 16 months. From the moment the European Commission considers implementation feasible, six months remain for implementation. At the latest, the rules will apply after 16 months – that is, in December 2027. For the implementation of the rules for the harmonisation legislation listed in Annex I, the proposal provides that 12 months will be available once the European Commission confirms the availability of all necessary supporting instruments. These rules are therefore to apply no later than August 2028.

Streamlined rules in the areas of cybersecurity and data

To simplify cybersecurity reporting, the Digital Omnibus proposes the introduction of a single contact point through which companies and public authorities can fulfil all reporting obligations for security incidents. At present, cybersecurity incidents must be reported under several legal acts, including the NIS2 Directive, the General Data Protection Regulation (GDPR), the Digital Operational Resilience Act (DORA) and the eIDAS Regulation.

Furthermore, the Digital Omnibus provides for targeted amendments to the GDPR to make the data protection framework more innovation friendly without lowering the high level of protection for personal data. The ePrivacy Directive is to be amended so that the rules for the processing of personal data on and from end-user devices are aligned with those of the GDPR. For the processing of non-personal data, the provisions on protecting the integrity of the end-user device under the Directive remain unchanged.

In addition, data access – as the basis for all innovation – is to be improved. For this purpose, three relevant legal acts – the Free Flow of Non-Personal Data Regulation, the Data Governance Act and the Open Data Directive – are to be repealed and their contents integrated into the Data Act in order to increase legal certainty. New guidelines in the form of model contractual terms for data access and use, as well as standard contractual clauses for cloud-computing contracts, are intended to support the implementation of the Data Act. Finally, European AI companies are to be strengthened by improving access to high-quality and up-to-date datasets for AI development.

Upcoming legislative process

The Council of the EU and the European Parliament must approve the Digital Omnibus. The division of the Omnibus into two draft regulations is interpreted as a way to prioritise the AI part due to the planned postponements of deadlines. This is intended to enable faster agreement in this area, even if other topics require more time in the legislative process.

In the Council, a dedicated working party has been set up to deal with the Omnibus proposals. At the same time, difficult negotiations are emerging in the European Parliament. Both the Greens and the S&D have expressed opposition to amendments to the AI Act, among other concerns. The Renew Group has raised doubts that the current proposal could undermine data protection standards and fundamental rights safeguards. Apart from the EPP, all groups of the pro-European majority in the European Parliament therefore see a need for improvements.

Outlook

The European Commission views the Digital Omnibus as a first step towards simplifying the EU’s digital rulebook. As a next step, a comprehensive fitness check of existing digital legislation is to follow. To this end, the Commission launched a consultation at the same time as the publication of the Digital Omnibus, which will remain open until 11 March 2026. The fitness check covers all EU legislation with significant digital relevance, including its implementation. The aim is to ensure coherent and effective interaction between the laws and to identify potential for simplification – particularly for small and medium-sized enterprises.