Youtube icon Spotify icon Facebook icon Instagram icon LinkedIn icon
Logo gray

EU unveils “Digital Omnibus” – major shake-up for AI, data and cybersecurity rules

On 19 November 2025, the European Commission presented a broad reform package known as the Digital Omnibus. The initiative aims to simplify overlapping digital regulations in areas such as artificial intelligence, data protection and cybersecurity. According to the Commission, these changes could save EU companies up to €5 billion in administrative costs by 2029.

As part of the reform, the Commission intends to adjust the implementation schedule of the EU Artificial Intelligence Act. The full application of obligations for high-risk AI systems, previously expected in 2026, is now planned for December 2027. This delay affects key areas including biometric identification, healthcare services, creditworthiness checks, job applications and exams, transportation, and police applications – systems that imply serious data protection and ethical risks. The extension is also intended to give regulators time to finalise technical standards and to allow organisations to prepare their compliance frameworks.

The Digital Omnibus also introduces targeted amendments to the AI Act to extend simplifications for SMEs to small mid-cap companies and to broaden access to regulatory sandboxes starting from 2028, particularly for industries like automotive. The scope of the Digital Omnibus extends beyond the AI Act to include the GDPR, the e-Privacy Directive, and the Data Act. The proposal contains a single-entry point for cybersecurity incident reporting to cover obligations under NIS2, GDPR, and DORA, and seeks to modernize cookie rules to allow users to indicate consent with “one click” via central browser settings. The package also simplifies the Data Act by easing cloud-switching requirements for smaller firms, which currently oblige providers to enable customers to transfer data, applications and other digital assets between cloud services without undue delays, technical barriers or excessive fees.

While the revised timeline can be seen as a pragmatic step, several civil-society organisations have expressed concerns. They warn that certain elements of the Digital Omnibus may weaken existing privacy safeguards and could permit major technology companies (including Google, Meta and OpenAI) to use European users’ data for AI training. Although the Commission stresses that simplification aims to balance regulatory objectives with competitiveness rather than dilute protections, the draft has prompted significant debate.

The proposal will now move through the legislative process. Its final shape will depend on negotiations between EU institutions and Member States, and businesses should expect a period of regulatory uncertainty as the digital framework continues to evolve.