Policy
30.03.2026

The EU's Digital Omnibus is heading in the wrong direction

The Digital and AI Omnibus are presented as technical amendments to simplify and reduce compliance costs in EU data, cybersecurity and AI laws. In reality, they propose substantive changes. Because they are being advanced through an omnibus process, the proposals are not supported by a comprehensive assessment of their potential impacts. This is particularly problematic where they could weaken existing fundamental rights safeguards, and makes them vulnerable to legal challenges. It is also unclear whether the package would actually deliver economic benefits for European businesses, as it is based on overly simplistic and one-sided cost savings estimates that could be outweighed by other, negative effects. Several amendments could increase legal uncertainty and create loopholes rather than reduce complexity. In markets dominated by foreign tech companies, looser rules risk entrenching foreign big tech and undermining the EU’s objectives of strengthening competitiveness and digital sovereignty. While the AI Omnibus is already in the final stage of negotiations, lawmakers in the European Parliament could still request an impact assessment for the Digital Omnibus.

Introduction

Boosting EU competitiveness and economic growth has been Ursula von der Leyen’s priority since her re-election as Commission president in 2024. Many leaders in her conservative European People’s Party felt that the regulatory ambitions in von der Leyen’s first term – especially the European Green Deal – had gone too far and proved to be excessive and burdensome. They were seen as stifling economic growth and pushing EU productivity to fall further behind the US and China. To remedy this, the Commission put forward a far-reaching “simplification” agenda, aiming to reduce administrative burdens by 25 percent for all businesses and by 35 percent for small and medium-sized enterprises (SMEs) by 2030. 

To achieve this goal, the Commission in 2025 proposed ten omnibus simplification packages, covering different policy areas ranging from environmental legislation to defence. The omnibus approach enables the Commission to submit amendments to multiple existing legal frameworks within a single package. In a first step toward overhauling its online rulebook, the Commission presented this package in November. It consists of the Digital Omnibus Regulation proposal (Digital Omnibus) and the Digital Omnibus on AI Regulation proposal (AI Omnibus). A second step toward simplifying the EU’s digital rules is a wider “digital fitness check”, intended to examine the cumulative effect of the regulations. Its adoption is planned for the first quarter of 2027.

The Digital Omnibus proposes changes to EU laws on non-personal data governance and consolidates them in the Data Act. It also amends the General Data Protection Regulation (GDPR) and cybersecurity laws. The AI Omnibus contains amendments to the AI Act, which entered into force in August 2024, with some provisions gradually taking effect between six and 36 months later. Notably, the AI Act’s rules on high-risk AI systems are set to start applying from 2 August 2026. The AI Omnibus could postpone this deadline, if adopted before then.

Negotiations in the European Parliament and in the Council are currently underway. The AI Omnibus was agreed on in the European Parliament on 26 March and trilogue negotiations started the same day. The last trilogue is planned for 28 April. On the Digital Omnibus, negotiations have not started. There is reportedly still disagreement in parliament over responsibilities for the file and working methods.

While the Digital Omnibus package was presented as merely technical amendments to reduce compliance costs for businesses, it proposes substantive changes without a proper assessment of their potential impact. This poses several critical issues. First, especially where they could lower fundamental rights protections, this could amount to a breach of the principle of proportionality and invites challenges to their legal validity. Second, many of the proposed amendments are unlikely to clarify or simplify the legislation and thus will not ease compliance costs. The projected reduction in the administrative burden for businesses is based on an overly simplistic, one-sided calculation that might in reality be outweighed by other costs. Lastly, the omnibus proposals’ underlying logic that looser rules will foster economic growth and innovation, especially in AI development, is questionable. Given the current market concentration and dominance of foreign big tech, it is not clear why deregulation would primarily benefit European businesses. That is why the proposals should not be adopted without a proper assessment of impacts. 

The Digital and AI Omnibus package should have been subject to appropriate impact assessments and public consultations before they were proposed. While the AI Omnibus is in the final stage of negotiations and it is too late for a proper assessment, members of the responsible parliamentary committees could still request an impact assessment on the most relevant amendments of the Digital Omnibus.

What are the proposed changes?

On 19 November, the Commission presented a new digital package to “save billions for businesses and boost innovation”. This included the omnibus proposals for streamlined rules on AI, cybersecurity and data as well as a Data Union Strategy and European Business Wallet.

Digital Omnibus

The Digital Omnibus proposal seeks to simplify the existing cybersecurity and data rules. Here is an overview of the most important amendments:

First, in the area of non-personal data, it seeks to create a unified legal framework in the Data Act, merging the Free Flow of Non-Personal Data Regulation, the Data Governance Act and the Open Data Directive. Further changes concern the better protection of trade secrets and an exemption from cloud-switching obligations for small companies. While the consolidation is intended to clarify how the laws interact and when they apply, the S&D Group cautioned that the change could result in a less-coherent framework with unclear structures for the supervisory authorities and fragmented compliance regimes.

Second, the GDPR is facing an overhaul. It is the EU’s main legal framework for the processing of personal data and has been in force since 2018. With the proposed amendments, the Commission seeks to “harmonise, clarify and simplify certain rules to boost innovation and support compliance by organisations”. This entails several key amendments:

  • Changes to the definition of personal data, a central element of the GDPR: The Digital Omnibus proposes that pseudonymised data should not necessarily be considered personal data if the holder is not reasonably likely to be able to re-identify individuals. Pseudonymised data is personal data in which directly identifying details are replaced, for example using aliases for names. It is currently still subject to personal data rules in the GDPR. The change aims to take into account a recent ruling on pseudonymisation by the European Court of Justice, but it would considerably narrow the definition of personal data. If adopted, less data would fall within the scope of the GDPR. This could benefit companies as it would make more data available for AI development. Tech and business lobby groups welcomed this proposal. The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS), by contrast, criticised it as “going far beyond a technical amendment” and “not accurately reflecting and clearly going beyond CJEU jurisprudence”. They warned that the proposal creates legal loopholes and further confusion.
  • Adding a definition of scientific research to the GDPR: This term is used in several articles of the GDPR but currently not legally defined in the text. The Omnibus proposes to change this. The EDPB and EDPS supported introducing a definition as it would enhance legal certainty but caution that it should be precise because practices that fall under the definition of scientific research are exempt from many obligations under the GDPR. The NGO noyb warned that a broad definition that includes “any research which can also support innovation” could create a loophole for companies to avoid having to comply with obligations, for example on the processing of sensitive personal data.
  • Allowing the processing of personal data for the development and operation of AI in certain circumstances: In order to “not disproportionately hinder the development and operation of AI”, the Digital Omnibus proposes an exception to the ban on processing special categories of personal data where the data is processed residually or incidentally. The EDPB and EDPS are in favor of the exception but had concerns about its unclear scope and lack of appropriate safeguards. The NGO noyb warned that without such safeguards, there is a risk that the use of personal data for AI could lead to AI systems sharing personal data with other users, inaccurate or misleading outputs about individuals, and generally making it difficult for people to opt out of the use of their personal data for AI training and operation.

Third, the Digital Omnibus proposes limiting terms for Data Subject Access Requests. The proposal would limit the right of individuals to request information held about them, allowing organisations to refuse requests that are unfounded, excessive, repetitive or are abused for reasons other than the protection of personal data. The German government pushed for this change to counteract abusive information requests. Researchers, however, have pointed out that the change would increase legal uncertainty and is in contravention of EU case law because the Court of Justice considers the right to access to be without limitation of purpose.

Fourth, an overhaul of the cookie consent rules under the ePrivacy Directive is planned. To reduce the time users spend accepting and rejecting cookie banners, the new rules would introduce an easier “one-click consent” that lasts for six months. Moreover, users would be able to choose central settings of preferences that apply across websites. Basic functions, such as counting website visitors, would no longer require consent. This aims to address users’ “consent fatigue” and save costs for businesses. German digital lobby group Bitkom welcomed the direction of the changes but sees persistent inconsistencies in the different applicable laws and persistent fragmentation. The EDPB and EDPS raised concerns that the different applicable legal instruments could lead to legal uncertainty.

Lastly, in the area of cybersecurity, the Digital Omnibus proposes a new single-entry point (SEP) for reporting cybersecurity incidents. Organisations would need to report incidents only through the SEP rather than to different national authorities. Member states have raised concerns about the security of a centralized platform and interoperability with national systems. Six member states, including France and Germany, are opposed to the move, saying it could lead to greater complexity.

AI Omnibus

The AI Omnibus is intended to address current implementation challenges such as the delayed designation of national authorities and publication of harmonized standards. It also aims to lower the regulatory burden on companies. Notably, it would delay the implementation of part of the AI Act.

First, it proposes delaying the application of the AI Act’s rules on high-risk AI. High-risk AI systems are those that pose a risk to health, safety or fundamental rights of people and are used in specific contexts such as law enforcement or specific products such as toys or cars. The rules were meant to apply from 2 August 2026. The AI Omnibus proposes linking their start date to the availability of harmonised standards and other compliance tools – at the latest by August 2028. This delay was widely demanded by industry representatives, who are pushing for the rules to apply even later. The EDPB and EDPS have expressed concerns that later dates could potentially impact fundamental rights protections.

Second, the AI Omnibus proposes broadening the ability of providers and deployers to process special-category personal data for the purpose of bias detection and correction, extending this possibility to all AI systems and models rather than limiting it to high-risk systems, provided appropriate safeguards are in place. The EDPB and EDPS called for strict limits to avoid abuse. Bitkom welcomed the intention of the amendment but expressed doubts the current wording would bring more clarity.

Third, the proposal seeks to reduce compliance costs by replacing mandatory AI literacy obligations for companies with a commitment by the Commission and member states to promote AI literacy. It also proposes that companies that consider themselves exempt from rules on high-risk AI systems because they use the systems only for narrow or procedural tasks no longer have to register in an EU database. Companies would have to self-assess whether they fell into that category. These changes are supported by the industry association Connect Europe, while EDPB and EDPS recommend maintaining the obligations on companies for accountability. Civil society organisations strongly oppose removing registration obligations.

Other amendments include the expansion of regulatory privileges currently reserved for SMEs, such as simplified documentation requirements and lighter fines, to small mid-caps, which are medium-sized companies. Regarding AI innovation, the omnibus proposes broader use of regulatory sandboxes as a testing environment for innovative solutions not yet formally approved, including an EU-level sandbox from 2028. This move is generally supported by stakeholders.

The omnibus procedure is a flawed tool for substantive changes

EU laws must comply with the principle of proportionality laid down in Article 5(4) of the Treaty on European Union. They must have a legitimate aim, be suitable, and not go beyond what is necessary. Where a law limits the exercise of fundamental rights, the conditions set out in Article 52(1) of the Charter of Fundamental Rights must also be fulfilled. This includes the principle of proportionality and respect for the essence of any particular right.

The Commission claims that its omnibus proposal is proportional because it includes only technical amendments necessary “to achieve the objectives of reducing administrative burdens and providing regulatory clarity” while preserving the underlying objectives of the amended legislation. With regard to how the proposal relates to fundamental rights, the Commission claims that the amendments “preserve the highest standards of protections”.

In reality, the proposals entail substantial changes. The Digital Omnibus would significantly narrow the concept of personal data and limit the right to information access, affecting the level of fundamental rights protection for individuals. The AI Omnibus touches on matters that were agreed on only recently at the EU’s highest political levels after extensive negotiations. These changes are being advanced via an omnibus process, designed to accelerate the policy-making process, with limited public consultations and no comprehensive impact assessments.

This creates risks for the legal validity of these omnibus proposals, should they be adopted. Similar concerns have been raised concerning the Omnibus I on sustainability (for example in papers on its legal consequences and legal validity). The Court of Justice has ruled that, while a formal impact assessment may not always be necessary, the EU legislature must have sufficient information available to assess whether a measure complies with the principle of proportionality. In practice, this would likely mean that lawmakers have to show that they possess sufficient information to confirm that a policy choice is proportionate and, where the level of fundamental rights protection is affected, demonstrate that other, more rights-preserving options were not feasible. 

The Commission has provided very limited evidence for the proposed policy changes: No other options and no potential negative impacts were considered. In its legislative proposal, the Commission argues that an impact assessment was not necessary because the proposed changes are targeted and technical in nature, “not prone to multiple policy options that could meaningfully be tested and compared”. However, where the amendments pursue the policy goal of “unlocking opportunities in the use of data”, a potential conflict with data protection rights is obvious. Different options for pursuing this policy goal and how they affect fundamental rights could have been tested and compared. At the very least, a comparison to the status quo would have been an option. Regarding the AI Omnibus, the Commission could for example have considered what risk delaying the AI Act’s rules on high-risk AI systems, which are intended to safeguard people’s safety, health and fundamental rights, carries for individuals. The Commission claimed that savings and the relevant “other types of impacts” were outlined sufficiently in the Staff Working Document accompanying the proposals. The Staff Working Document, however, was limited to a one-sided analysis of potential cost savings. Other types of impacts that could arise, such as adaptation costs (explored in more detail below), are dismissed with the argument that they would be only minimal as the changes merely simplify or clarify.

It is thus unclear whether the Commission’s proposals and Staff Working Document sufficiently demonstrate the proposed changes’ necessity and proportionality. This would be especially problematic in cases concerning the level of fundamental rights protection, such as changes to the definition of personal data and the right to information access. It raises the risk that the changes might be challenged before the Court of Justice, potentially prolonging the legal uncertainty in these areas.

These procedural shortcomings are not incidental. In its Communication on the simplification approach, the Commission explains that “a new approach to the legislative process is needed”. It intends to rely on “a simple methodology” that can assess the impact of significant amendments, notably without “unduly delaying the legislative process”. Where the goal is merely to clarify and streamline, the omnibus could be a useful instrument. It is not suitable, however, as a tool to introduce regulatory changes that go further. Circumventing the procedural safeguards built into the EU’s ordinary legislative process risks producing poor-quality legislation, creating legal uncertainty, and undermining democratic accountability. In a case concerning the preparation of the Omnibus I on sustainability, the EU’s Ombudsman preliminarily found that the procedural shortcomings in preparing the legislative proposal amounted to maladministration.

The economic benefits of this Omnibus package are unclear at best

Fundamental rights and procedural concerns aside, it is also questionable whether the proposed changes would really be beneficial from an economic perspective. With its Digital Omnibus package, the Commission is pursuing two goals: 1) reducing the administrative costs for businesses, public administrations, and citizens and 2) stimulating economic growth. It claims the proposals do so by streamlining rules, simplifying provisions, and relieving SMEs and small mid-caps from certain obligations. The Commission also claims the proposals will create more legal certainty that will stimulate opportunities for a vibrant business environment.

But the Staff Working Document the Commission presented in lieu of a full impact assessment provides little evidence for these claims. The estimated €5 billion in administrative cost savings for businesses by 2029, with an additional €1 billion in estimated savings for public administrations by 2029, are based solely on a calculation of cost savings from a limited number of amendments that introduce quantifiable changes. The estimated cost savings vary widely between amendments, with most having only a negligible savings effect.

In any case, the informative value of these estimates is limited. The Commission, in its regulatory proposal, claims that it has done a cost-benefit analysis. In reality, it only provides a cost-savings analysis. It does not consider potential costs for any of the amendments. It only mentions once in its conclusion that adaptation costs are expected to be limited because of the targeted nature of the amendments.

An exclusive focus on cost savings has very little value for estimating the overall impact of a regulatory measure. The cost savings estimated could be outweighed by a variety of other direct and indirect costs such as adjustment costs for companies, information costs for consumers, or enforcement costs for public authorities. The Commission’s own Better Regulation Toolbox emphasizes that for estimates of cost savings, “it is very important to complement any such estimation with an assessment of indirect costs and of direct and indirect benefits. This guarantees that cost savings do not reduce regulatory benefits”. It also states that it is necessary to consider possible trade-offs among different categories of costs. In its Digital and AI Omnibus proposals, the Commission dismisses every such consideration with the claim that they do not apply because of the targeted nature of amendments.

For example, the AI Omnibus proposes that companies that consider themselves exempt from rules on high-risk AI systems no longer have to register in an EU database. The Commission estimates that this could save €100 per company – €148,500 in total per year. At the same time, this change could create difficulties in enforcing the AI Act, as the rule was intended to enable oversight for authorities and public transparency around the use of high-risk AI systems. It could lead to higher enforcement costs for public authorities and higher information costs for consumers. The Commission did not consider such negative, indirect effects even though they might prove to be disproportionate to the modest savings. More broadly, companies that have already adapted to the high-risk AI rules set to apply from August may have already incurred compliance costs and may now face additional compliance costs, as well as facing the uncertainty of how the legislative process will progress.

Another example of such shortcomings is the amendment of the AI literacy obligation in the AI Act. The Commission estimates that companies would save €222.75 million per year because they would no longer have to ensure their staff’s AI literacy. Instead, member states and the Commission should be “offering training opportunities, providing informational resources, and allowing exchange of good practices and other non-legally binding initiatives” to encourage companies to train their staff sufficiently. It is quite unlikely that they could do so meaningfully without incurring any extra costs.

Where savings are not quantifiable, the Commission nevertheless expects that easier compliance and greater legal certainty from the clarification or simplification of rules will reduce overall costs. Yet, many of the proposed amendments may not necessarily simplify or clarify the existing legal framework. They may even make things more complicated. For example, on the GDPR amendments, the Commission argues that while exact cost savings cannot be calculated, enhanced legal certainty will benefit companies through reduced need for legal advice, consultancy and decreased non-compliance costs. The EDPB, in contrast, estimates that the proposed definition of personal data would create legal uncertainty and make it more difficult to apply the law in practice. Similar concerns have been raised with regard to other amendments, including those affecting the limitation of information provisions, which the EDPB considers may lead to uncertainty and divergent interpretations. 

German industry associations have also criticised the proposed changes in access to terminal equipment and automated signals in the GDPR as making the rules “more complicated, creating legal uncertainty, creating hurdles for the use of data, privileging certain kinds of technology and weakening the competitiveness of European businesses”. With increased legal uncertainty or regulatory complexity, compliance costs could rise rather than fall, potentially offsetting the anticipated economic benefits.

Regarding the proposal’s objective of stimulating growth and innovation, the Commission mostly relies on the assumption that lower compliance costs will free up resources that are then redirected towards growth and innovation in Europe. 

Loosening the rules bears the risk of entrenching foreign big tech

There is a risk that instead of simplifying the digital rulebook and reducing administrative costs for businesses, the Digital and AI Omnibus could have a deregulatory effect. The underlying idea driving the proposals appears to be that reducing regulatory constraints in the digital acquis is necessary to keep up in the global “AI race” and avoid falling further behind the US and China. The Commission states that the amendments “focus on unlocking opportunities in the use of data”, reflecting an implicit assumption that there is a trade-off between regulation and innovation. But this assumption may not hold in practice. 

In digital markets that are dominated by foreign big tech, it does not seem likely that small European businesses will necessarily benefit the most from regulatory rollbacks. Rather, it could entrench the incumbents. Where amendments create legal uncertainty and potential loopholes, big tech companies, with more legal and financial resources, are better positioned to exploit and benefit from such changes. Stakeholder reactions reflect these concerns. For example, the European Digital SME Alliance has pointed to these concerns in its reaction to the Digital Omnibus package, stating that “The Commission must avoid creating new advantages for foreign tech incumbents.” In addition, the view that regulation constitutes a primary constraint on innovation in Europe has been widely challenged, as it tends to disregard other structural factors that likely have a more distinct effect on innovation such as internal market barriers, investment barriers and the high concentration of market power in the digital realm.

These risks are amplified by the alignment of US private and public interests and continuing geopolitical tensions. US big tech companies like Google and Meta have an obvious interest in influencing the EU’s simplification agenda and were highly involved in lobbying the omnibus proposals. A study by the Corporate Europe Observatory shows how closely the final proposals reflect big tech’s lobby positions. These efforts are supported by the Trump administration, which has taken an aggressive stance against the EU’s digital regulation, threatening sanctions and retaliatory measures where European rules threaten to affect US companies’ revenue and dominance.

In its push for deregulation, the US administration has found allies in the groups on the right of the European Parliament who position themselves as “pro-business”. While the center-left groups in Parliament have raised concerns about the risks of deregulation, the groups to the right of von der Leyen’s own EPP welcomed the Commission’s proposal in November, urging moves to go even further. As of January, Meta representatives reportedly met 38 times with MEPs from the ECR, Patriots for Europe and Europe of Sovereign Nations groups.

All of this points to who stands to benefit from the Digital and AI Omnibus: While it could reduce some administrative burdens for European businesses, there is a real risk that the proposals could in fact undermine the goal of strengthening European competitiveness and the EU’s ambition to advance digital sovereignty and become less dependent on foreign big tech.

Conclusion

The Commission claims that the Digital and AI Omnibus proposals are limited to technical amendments when, in reality, they propose substantive changes. In some cases, those changes could lower fundamental rights protections online. In its proposals, the Commission does not engage in any real assessment of the potential impacts of the amendments, arguing this is unnecessary because the targeted nature of the changes can only result in a positive impact. 

This is an overly simplistic and one-sided approach, not suited to assessing the effect of the proposals, in which a number of direct and indirect costs could outweigh the benefits. While the proposals were meant to remedy alleged excessive European regulation, they are examples of rushed law-making based on little evidence, not aligned with the Commission’s own Better Regulation principles. Should the proposals be adopted, the Commission’s failure to establish an appropriate evidentiary basis could make them vulnerable to legal challenges down the line.

Even from an economic perspective, it is unlikely that the proposals will meaningfully benefit European competitiveness. The positive effects for European businesses such as reduced administrative burdens could be outweighed by costs such as increased legal uncertainty and adaptation costs. Instead, the proposals might further strengthen the already dominant position of foreign big tech incumbents. These risks are a reflection of who is pushing for the changes – an alliance of far-right political parties in the European parliament, big tech lobby groups and the US government.

The Digital and AI Omnibus package should have been subject to appropriate impact assessments. The AI Omnibus is in the final stage of negotiations and it is too late for an assessment, but discussions on the Digital Omnibus have not started. In the European Parliament, members of the responsible LIBE and ITRE Committees could still request an impact assessment on the most relevant amendments from the Directorate for Impact Assessment and Foresight. While this may take some months – and cannot remedy all procedural shortcomings in the preparation of the proposals – it could go some way towards ensuring the Digital Omnibus does not do more harm than help.

 

Photo: CC Paolo Chiabrando on Unsplash