
Simpler EU digital rules divide everyone

The European Commission’s Digital Omnibus package, a proposal to cut red tape across EU digital laws, has received much heat from all sides as the Parliament prepares its negotiating position for discussions with the Council later this year. Although the package is aimed at reducing administrative burden and improving legal clarity for businesses, those same businesses have come out against the measures, with some calling them detrimental and insufficiently thought through.

At its core, the package is an attempt to consolidate the EU’s famously sprawling digital rulebook. That means changes to GDPR, the EU’s landmark personal data law, as well as rules on non-personal data (the Data Act and Data Governance Act), and cybersecurity frameworks, including NIS2 and DORA. The Commission’s ambition is to reduce this to essentially two laws rather than five, centred on the Data Act and the GDPR, while also introducing a single entry point for reporting cyber incidents.

Simpler on paper but wildly contested in practice.

The package has achieved the rare feat of antagonising almost every constituency at once. One industry coalition argues the proposals don’t go far enough in cutting compliance costs. A separate coalition of 14 European tech associations argues the opposite: that changes are being rushed through and risk making things worse. Privacy advocates worry protections are being quietly hollowed out. The European Parliament’s Internal Market (IMCO) committee supports simplification in principle but warns that it must not come at the expense of consumer rights.

Nothing captures the chaos better than the fight over EU cookie rules (the rules behind the consent banners that greet you on almost every website).

Today, cookie rules sit in a legal world of their own. The ePrivacy Directive governs cookies, while GDPR covers personal data, leaving companies to navigate two overlapping rulebooks. In February 2026, the Commission formally withdrew the planned ePrivacy Regulation, opening the door to folding cookie rules into GDPR instead.

The aim is to reduce “consent fatigue”, the endless stream of pop-ups users click through. Research suggests only a small share of people actually want to be tracked, but design tricks such as hidden “reject” buttons can push consent rates close to 90 per cent. The Commission’s answer was a browser-level setting: choose once, and websites would have to respect it; no more banners.

Publishers and ad-tech firms pushed back, arguing this would give too much power to browser makers like Google, Apple and Mozilla. On 18 June, member states removed the browser-consent idea from the Council text.

Commissioner Michael McGrath defended the original approach this week, arguing it makes little sense to separate data storage from data processing. For now, many EU governments appear unconvinced.

The Parliament’s long-awaited report is expected soon, although its two rapporteurs, Salla and Kaljurand, have taken notably different approaches.

Progress in the Council has also been slow. Negotiators are still wrestling with key questions, including how GDPR’s definition of personal data should apply and how a single cyber-incident reporting system would work.

Member States remain divided. Poland broadly supports the proposal, while Germany and Denmark worry that the compromises are weakening the rules without simplifying them. Germany has flagged concerns about cookies, AI training data, GDPR and cyber reporting.

As a result, trilogue talks, where Parliament, Council and Commission negotiate a final deal, are unlikely to start before autumn. For now, the package designed to simplify EU digital rules remains anything but simple.
