On Wednesday (19 November), the European Commission presented a major digital simplification package designed to foster innovation while maintaining high standards. The proposal intends to cut administrative costs by up to €5 billion by 2029 and introduce new European Business Wallets, which could generate an additional €150 billion in yearly savings. Overall, the package is designed to enable European companies to scale more effectively and sustain their position as technology leaders by simplifying and harmonising regulations on artificial intelligence, data, and cybersecurity.
The digital omnibus and AI rules
The core of the Commission’s effort lies in its digital omnibus, a legislative proposal that simplifies several existing EU rules, particularly concerning the vital areas of AI and data.
A central focus of this omnibus is the intersection of AI and data protection, specifically the General Data Protection Regulation (GDPR). Recognising the need for vast datasets to effectively train and operate AI systems, the Commission proposes a significant change to how companies can access personal data.
Under the new rules, companies will be able to rely on “legitimate interest” as a legal basis for using personal data for AI development and operation. This is a crucial shift, as it is far less restrictive than the current requirement for explicit consent. By broadening access to data in this manner, the proposal wants to give Europe’s AI sector the resources it needs to compete globally. To support this change, the omnibus also provides greater clarity on the often-debated definition of personal data itself.
Moreover, the proposal introduces innovation-friendly AI rules that directly address the landmark EU AI Act. The Commission is proposing a delay in the entry into force of the stringent requirements for High-Risk Systems (HRS). These rules will now apply by December 2027, a postponement from the original August 2026 deadline. This extension offers valuable time for regulators and industry to finalise the necessary technical standards and comprehensive compliance guidance. Furthermore, the proposal includes expanded exemptions from certain reporting obligations, designed to benefit a wider range of companies, particularly smaller and medium-sized enterprises.
Streamlining compliance and consumer experience
First, the system for reporting cybersecurity incidents will be simplified. Instead of reporting incidents under multiple laws, such as the NIS2 Directive and the Digital Operational Resilience Act (DORA), the omnibus introduces a single-entry point where companies can meet all their incident-reporting obligations, saving time and administrative efforts.
The new legislation takes a substantial step toward simplifying the labyrinth of EU data law by proposing the consolidation of four major existing data regulations, including the Data Act and the Data Governance Act, into a single, unified instrument. This move is intended to improve clarity and coherence across the digital rulebook.
Other adjustments have also been proposed in areas affecting business operations and consumer experience. For example, Rules concerning tracking cookies, currently governed by the ePrivacy Directive, are set to be integrated into the GDPR. This change aims to reduce the proliferation of annoying consent banners seen across websites by widening the list of “harmless” processing activities that no longer require explicit user consent. In addition, the package would simplify the requirements for conducting Data Protection Impact Assessments (DPIAs) and the reporting of data breaches to supervisory authorities, aiming to reduce the administrative burden on companies.
Data Union Strategy
Besides, presented alongside the omnibus package is a new Data Union Strategy, which seeks to build upon the legislative changes and further expand access to high-quality data for the AI ecosystem.
The strategy outlines practical steps, including the creation of new data labs and a dedicated Data Act Legal Helpdesk to support implementation and compliance across the bloc. Crucially, the strategy also focuses on strengthening Europe’s data sovereignty. It includes an anti-leakage toolbox, measures to protect sensitive non-personal data, and guidelines designed to help assess the fair treatment of EU data when it is processed abroad.
European Business Wallet
Finally, a fundamental part of the new package is the introduction of the European Business Wallet. This proposal will give European companies and public sector bodies a unified digital identity tool that moves many in-person operations online.
With the Wallet, businesses will be able to digitally sign, timestamp, and seal documents; securely store and exchange verified documents; and communicate securely with public administrations across all 27 Member States. Scaling up a business, paying taxes, and completing cross-border paperwork will be easier than ever, with the Wallets estimated to unlock up to €150 billion in savings for businesses each year
