Regulatory Compliance

EU proposes targeted digital rule simplifications to save €5 billion

Friday, 19 December 2025 6:35PM UTC

The European Commission unveils the Digital Omnibus package, aiming to streamline digital rules across data protection, AI, and cybersecurity, potentially saving EU businesses billions and enhancing legal clarity amidst upcoming approvals.

The European Commission’s Digital Omnibus package, unveiled on 19 November 2025, proposes a series of targeted amendments to the EU’s digital rulebook intended to simplify compliance, reduce administrative burdens and shore up legal clarity across data protection, ePrivacy, cybersecurity, AI and data-governance regimes. According to the Commission, the initiative is technical and selective rather than a wholesale overhaul and is designed to make rules "cost-effective" for businesses while preserving protections for fundamental rights. The Commission estimates the package could save EU businesses up to €5 billion by 2029. ^[1]^[2]^[3]

At the centre of the package are two complementary proposals: a Digital Legislation Omnibus that would amend and consolidate parts of the GDPR, the ePrivacy Directive and key cybersecurity instruments such as the NIS2 Directive, DORA, CER and the Digital Identity Regulation; and a separate Digital Omnibus on AI that seeks to streamline elements of the AI Act and adjust implementation timelines. The Commission frames the measures as alignment and simplification to address provisions that have proved ineffective or overly burdensome in practice. ^[1]^[3]^[4]

On personal data, the Omnibus would adopt a more "relative" definition: information would qualify as personal data for a controller only where that controller can identify the data subject using means reasonably available to it; the mere ability of a subsequent recipient to re‑identify would not automatically render the information personal data for the current holder. The proposal also narrows some obligations by expanding exemptions and clarifications, such as additional information‑obligation carve‑outs and clearer rules on compatibility for archiving, scientific research and statistics, while preserving Member States' ability to impose stricter rules in certain areas. ^[1]^[3]

Notably, the Omnibus proposes to recognise some processing for AI development and operation as lawful under legitimate interests (Article 6(1)(f) GDPR) and to permit specific, residual processing of special‑category data under Article 9 GDPR for AI development, model operation and certain biometric uses under a user’s sole control. The package also aims to limit abusive data subject access requests by clarifying that Article 15 GDPR cannot be misused for aims unrelated to personal‑data protection. Member State law would still retain the option to require consent where applicable. ^[1]

The ePrivacy reforms would migrate several cookie and terminal‑equipment rules into the GDPR framework, aligning legal bases and creating a closed list of low‑risk purposes exempt from consent. Consent would remain the default for storing or accessing information on terminal equipment, but the Omnibus would introduce a technical framework for automated, machine‑readable signals expressing consent, refusal and objections that controllers must honour, and would require non‑SME browser providers to support those signals. The objective is to replace the current fragmented ePrivacy approach with a GDPR‑centred regime that is more predictable for businesses and users. ^[1]^[3]

Cybersecurity and incident reporting would be rationalised through a higher notification threshold, shifting breach notifications toward "high‑risk" cases, an extended deadline from 72 to 96 hours, and a single EU reporting portal piloted by ENISA to handle incidents across GDPR, NIS2, DORA, eIDAS and CER. The portal is intended to be operational within 18 months of the Omnibus entering into force, offering a single entry point intended to reduce duplication of reporting obligations across regimes. ^[1]^[3]

The Digital Omnibus on AI would delay certain compliance deadlines for high‑risk AI systems: obligations for Annex III high‑risk systems would apply no later than 2 December 2027, and for Annex I systems subject to sector‑specific product legislation no later than 2 August 2028, with earlier application possible once relevant standards or common specifications are in place. The proposal also removes the registration requirement for systems that providers determine are not high‑risk, broadens de‑biasing exemptions to permit processing of special‑category data beyond strictly high‑risk AI, transfers AI literacy duties from providers to the Commission and Member States, and reinforces the AI Office’s supervisory reach over systems built on general‑purpose models in specified circumstances. The package seeks to balance innovation space with entrenched safety and rights safeguards. ^[1]^[4]

Amendments to the Data Act in the Omnibus aim to clarify data‑sharing obligations and strengthen safeguards for businesses. Companies would be able to refuse data sharing where there is a substantial risk of misuse of trade secrets, business‑to‑government requests would be confined to narrowly defined "public emergencies," micro‑enterprises and small businesses would be entitled to compensation for compliance costs, and several instruments, the Free Flow of Non‑Personal Data Regulation, the Data Governance Act and the Open Data Directive, would be consolidated into the Data Act to create a single framework for public‑sector reuse. The mandatory regime for data intermediaries would be replaced with a voluntary certification system supported by an EU register. The Omnibus would also ease cloud‑switching obligations for custom‑made services and SME providers for contracts concluded on or before 12 September 2025. ^[1]

The package still requires approval from the Commission, the European Parliament and the Council. The Council’s broader simplification agenda and earlier “omnibus” steps signal political appetite for targeted easing of burdens across sectors, from digital services to defence procurement and batteries regulation, but the Omnibus is expected to produce refinements rather than radical change. Entities should therefore review affected processes and contracts to mitigate transitional risk and prepare for revised timelines and centralised reporting mechanisms if the proposals are adopted. ^[5]^[6]^[7]^[1]

##Reference Map:

^[1] (JD Supra) - Paragraph 1, Paragraph 2, Paragraph 3, Paragraph 4, Paragraph 5, Paragraph 6, Paragraph 7, Paragraph 8, Paragraph 9
^[2] (European Commission press release) - Paragraph 1
^[3] (Digital Strategy EU – Digital Omnibus Regulation Proposal) - Paragraph 2, Paragraph 3, Paragraph 5, Paragraph 6
^[4] (Digital Strategy EU – Digital Omnibus AI Regulation Proposal) - Paragraph 2, Paragraph 7
^[5] (Council of the EU press release) - Paragraph 9
^[6] (Council of the EU – Omnibus IV batteries position) - Paragraph 9
^[7] (Council of the EU – Simplification policy) - Paragraph 9

Source: Noah Wire Services

More on this

https://www.jdsupra.com/legalnews/eu-digital-omnibus-how-eu-data-cyber-8323446/ - Please view link - unable to able to access data
https://commission.europa.eu/news-and-media/news/simpler-digital-rules-help-eu-businesses-grow-2025-11-19_en - On 19 November 2025, the European Commission introduced a Digital Omnibus package aimed at simplifying existing digital regulations, including the GDPR and ePrivacy Directive. This initiative seeks to reduce administrative burdens for businesses, potentially saving up to €5 billion by 2029, and to foster innovation and competitiveness within the EU. The package also includes proposals for a Data Union Strategy and European Business Wallets to further streamline operations and data sharing across member states.
https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-regulation-proposal - The Digital Omnibus Regulation Proposal, published on 19 November 2025, outlines technical amendments to various digital legislations, including the GDPR and ePrivacy Directive. The proposal aims to optimise the application of the digital rulebook, ensuring compliance is cost-effective and provides a competitive advantage to responsible businesses. It is part of the Commission's broader effort to simplify EU rules and enhance the digital economy.
https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-ai-regulation-proposal - The Digital Omnibus on AI Regulation Proposal, also released on 19 November 2025, focuses on simplifying the implementation of certain provisions of the AI Act. The Commission proposes targeted measures to ensure timely and proportionate application of AI regulations, addressing challenges in the AI sector and aiming to support innovation while maintaining high standards of safety and fundamental rights.
https://www.consilium.europa.eu/en/press/press-releases/2025/11/26/defence-industry-council-agrees-position-on-simplification-package-to-boost-europe-s-defence-industry-and-readiness/ - On 26 November 2025, the Council of the EU agreed on a position regarding a simplification package aimed at enhancing Europe's defence industry and readiness. This package, part of the EU's broader simplification agenda, seeks to streamline security and defence procurement processes, facilitate defence investments, and improve market conditions for the defence industry, thereby boosting the EU's defence capabilities.
https://www.consilium.europa.eu/en/press/press-releases/2025/06/19/simplification-council-agrees-position-to-stop-the-clock-on-due-diligence-rules-for-batteries/ - On 19 June 2025, the Council of the EU agreed on a position to postpone the application of due diligence obligations for batteries by two years. This decision is part of the 'Omnibus IV' package, which aims to simplify EU rules and boost competitiveness, particularly for small and medium-sized enterprises (SMEs) and small mid-cap enterprises (SMCs) in the battery sector.
https://www.consilium.europa.eu/en/policies/simplification/ - The Council of the EU is actively working on simplifying EU legislation to enhance competitiveness and reduce administrative burdens. This includes various 'Omnibus' packages, such as Omnibus IV and Omnibus VII, which focus on areas like digitalisation, common specifications, and defence industry readiness, aiming to streamline regulations and support economic growth across member states.

Noah Fact Check Pro

The draft above was created using the information available at the time the story first emerged. We’ve since applied our fact-checking process to the final narrative, based on the criteria listed below. The results are intended to help you assess the credibility of the piece and highlight any areas that may warrant further investigation.

Freshness check

Score: 10

Notes: The narrative is based on a press release from the European Commission dated 19 November 2025, indicating high freshness.

Quotes check

Score: 10

Notes: The narrative does not contain any direct quotes, suggesting originality.

Source reliability

Score: 10

Notes: The narrative originates from JD Supra, a reputable legal news platform, and references official European Commission press releases, indicating high reliability.

Plausibility check

Score: 10

Notes: The claims align with the European Commission's Digital Omnibus package announced on 19 November 2025, and are corroborated by other reputable sources.

Overall assessment

Verdict (FAIL, OPEN, PASS): PASS

Confidence (LOW, MEDIUM, HIGH): HIGH

Summary: The narrative is based on a recent and original press release from the European Commission, with no discrepancies or signs of disinformation.

EU
Digital Regulation
Data Protection
AI
Cybersecurity