EU: Simplification of digital package and omnibus announced

 

The EU Commission has launched a public consultation to simplify some of its digital laws.

The digital package will set out the Commission’s simplification agenda for the years to come. Based on feedback from 3 public consultations, it will include a digital omnibus with a first set of measures to quickly reduce the burden on businesses.

These measures focus on:

• data legislation, including rules on cookies and other tracking technologies
• cybersecurity incident reporting
• targeted adjustments to the Artificial Intelligence Act to ensure the optimal application of the rules.

Over recent years, the EU’s “data legislative acquis” has expanded across multiple regulations, resulting in legal complexity, overlap, inconsistencies in definitions and questions about how the different instruments interact. For example, Regulation (EU) 2018/1807 on the Free Flow of Non-Personal Data was intended to establish a single market for cloud services, but has since been partially superseded by Chapter VI of Regulation (EU) 2023/2854 (the Data Act), which governs switching between data processing services.

Similarly, Chapter II of Regulation (EU) 2022/868 (the Data Governance Act – DGA) complements the re-use rules for public sector information in Directive (EU) 2019/1024 (the Open Data Directive) for data that cannot be re-used without restrictions. Other chapters of the DGA introduced rules on data intermediation services, data altruism, requirements for foreign government access to non-personal data, and established the European Data Innovation Board. Regulation (EU) 2023/2854 (the Data Act) also introduced substantive obligations for manufacturers of connected devices and providers of related services to share data with users, obligations for businesses to share data with public authorities, and rules on fair data-sharing contracts.

To simplify this landscape, the Omnibus proposal repeals outdated provisions—most notably Regulation (EU) 2018/1807 (FFDR), except for the ban on data-localisation requirements—and consolidates and streamlines the remaining rules within Regulation (EU) 2022/868 (DGA), including those on data altruism and data intermediation services, in order to make these mechanisms more attractive. In addition, the DGA’s rules on the re-use of protected data are merged with those in the Open Data Directive, creating a single framework on the re-use of public-sector data incorporated into Regulation (EU) 2023/2854 (Data Act). This consolidation benefits both public administrations and re-users by simplifying processes and reducing the administrative burden caused by fragmented national rules.

The proposal also allows public-sector bodies to apply differentiated conditions and higher fees for re-use of public-sector data by very large enterprises, particularly gatekeepers under Article 3 of Regulation (EU) 2022/1925 (DMA), given their substantial influence on the internal market. This prevents such companies from using their market power in ways that undermine competition and innovation.

The proposal brings together the streamlined rules of Regulation (EU) 2024/1689 (Free Flow of Data Regulation), Regulation (EU) 2022/868 (Data Governance Act) and Directive (EU) 2019/1024 (Open Data Directive) into the Data Act, creating one consolidated instrument for the EU’s data economy. As a result, Regulation (EU) 2024/1689, Directive (EU) 2019/1024, and Regulation (EU) 2022/868 are repealed. The harmonised rules across all instruments enhance clarity, consistency, and effectiveness, while supporting business innovation. This approach is aligned with the Data Union Strategy’s objective of simplifying the EU’s legislative framework.

To further support smaller firms, the simplified compliance rules that previously applied only to SMEs are extended to small mid-cap companies (SMCs). Regulation (EU) 2023/2854 (the Data Act), which became applicable on 12 September 2025, remains unchanged in substance; however, four key areas require calibration to strengthen legal certainty, reduce burdens, and enhance competitiveness. These include: (1) stronger safeguards against the risk of trade-secret leakage to third countries under mandatory IoT data-sharing obligations; (2) greater clarity around the scope of the business-to-government framework; (3) reducing legal uncertainty concerning essential requirements for smart contracts used in data-sharing agreements; and (4) refining the provisions on switching between data processing services to better reflect highly customised services and services provided by SMEs and SMCs, without compromising the overall objective of preventing vendor lock-in. The proposed amendments retain the ambition to remove switching and egress charges, while reducing administrative burdens and enhancing legal clarity.

Regarding personal data, Regulation (EU) 2016/679 (GDPR) has provided a harmonised EU-wide framework for personal-data processing since May 2018. While stakeholders consider the GDPR balanced and generally fit for purpose, some smaller organisations with low-risk processing activities have raised concerns about certain obligations. Some issues can be resolved through more consistent interpretation and enforcement across Member States, while others require targeted legislative changes. The proposal therefore clarifies key definitions (such as “personal data”), supports controllers in assessing whether pseudonymised data falls outside the GDPR, simplifies information obligations and breach-notification requirements, and clarifies rules on processing for AI training and development. It also addresses legal uncertainty regarding data processing for scientific research by defining “scientific research”, confirming that further processing for scientific purposes is compatible with the original purpose, recognising scientific research as a legitimate interest, and extending certain exemptions from information obligations. Where relevant, corresponding amendments are reflected in Regulation (EU) 2018/1725, which governs personal-data processing by EU institutions.

A long-overdue solution is also proposed for “consent fatigue” and the proliferation of cookie banners. Directive 2002/58/EC (ePrivacy Directive) currently governs the use of cookies and similar technologies and requires consent when storage or access is not technically necessary for communication or the provision of an information society service. This has resulted in intrusive and often confusing banners, increased compliance costs, and legal uncertainty because cookies fall under ePrivacy rules, whereas subsequent personal-data processing falls under the GDPR and is enforced by different authorities.

To simplify the regime, the proposal subjects the processing of personal data on or from terminal equipment exclusively to the GDPR, including the consent requirement for accessing terminal equipment. It also clarifies situations where consent is unnecessary and where subsequent processing is lawful, particularly where the risks to individuals’ rights are low or where access to the device is required for a service requested by the user.

In addition, the proposal lays the groundwork for automated, machine-readable expressions of user choices, and requires websites and apps to respect these signals once relevant standards are developed. The Commission is empowered to mandate standardisation bodies to establish such standards, following earlier policy initiatives from 2009, the 2017 ePrivacy Regulation proposal, and Article 21(5) GDPR. Controllers that adopt systems complying with these standards benefit from a presumption of compliance. The rules are technologically neutral, allowing emerging tools—such as agentic AI—to support users. Due to the importance of advertising revenues for independent journalism, media service providers under Regulation (EU) 2024/1083 (European Media Freedom Act) are exempted from the obligation to respect automated signals, enabling them to interact directly with users when obtaining consent.

The proposal also creates a single entry-point allowing entities to meet incident-reporting obligations under multiple legislative acts through a “report once, share many” mechanism. This reduces administrative burden while ensuring secure and efficient information flow. ENISA is tasked with developing this entry-point, aligned with the reporting platform under Regulation (EU) 2024/2847 (Cyber Resilience Act). Existing legal obligations remain unchanged, but the reporting process becomes significantly more streamlined.

The single entry-point becomes mandatory for incident reporting under Directive (EU) 2022/2555 (NIS2), the GDPR, Regulation (EU) 2022/2554 (DORA), Regulation (EU) 910/2014 (eIDAS), and Directive (EU) 2022/2557 (CER). Additional sector-specific reporting frameworks—such as the cybersecurity network code for cross-border electricity flows and aviation sector instruments—will be integrated through future amendments.

To further harmonise reporting, the proposal empowers the Commission to develop common reporting templates across various acts, ensuring consistency, reducing duplication, and drawing on existing templates developed under DORA.

Finally, the proposal repeals Regulation (EU) 2019/1150 (P2B Regulation). Although pioneering when adopted in 2019, its provisions have largely been overtaken by the Digital Markets Act and Digital Services Act. Key provisions needed for cross-referencing remain in force. Simplifying these overlapping rules reduces compliance costs for online platforms and increases legal clarity, while enabling more focused enforcement.