The European Commission presented its Digital Omnibus package on Wednesday, outlining a series of legislative changes to EU tech rules, including the AI Act and the GDPR. The proposals form part of a broader simplification drive that will be assessed through a Digital Fitness Check running until 11 March 2026.

Brussels says the measures are intended to ease compliance and lower administrative costs for companies, with projected savings of €5bn by 2029. Civil society groups, however, have warned that several of the planned revisions risk weakening key digital-rights protections.

Slower and softer AI Act

One of the most impactful points is the redesign of the AI Act’s implementation timeline. Instead of a fixed date for the start of obligations for high-risk AI systems, the Commission now wants these rules to enter into force only when the necessary standards, guidelines and support tools are available. The deadline is capped at 16 months once Brussels certifies that those tools exist. High-risk AI systems under the EU AI Act are applications that can significantly impact people’s safety or fundamental rights, for example those used in healthcare, employment, law enforcement or critical infrastructure.

The new framework responds to past pressure from Mario Draghi. Earlier this year, the former Italian prime minister warned that the AI Act’s high-risk phase had become a source of uncertainty. He urged that such provisions should not move ahead until Europe understands the economic impact.

But the Omnibus goes further. It extends the AI Act’s existing simplifications for SMEs and small mid-cap companies, especially on technical documentation. According to Commission modelling, those changes alone would save companies at least €225m annually. 

The reforms also broaden access to regulatory sandboxes. This includes the launch of an EU-level sandbox from 2028 with more real-world testing in industries like automotive. Oversight of AI systems built on general-purpose models would be centralised under an AI Office, which the Commission says will reduce “governance fragmentation”.

GDPR reopened

Another politically charged element of the Omnibus is the Commission’s decision to reopen the GDPR. Brussels frames this as a targeted effort to “harmonise, clarify and simplify” provisions that companies say are interpreted inconsistently across Member States.

The proposal clarifies what counts as personal data by allowing pseudonymised datasets to be shared if the receiver cannot identify anyone in them, while the original organisation remains fully responsible under the GDPR. It also explains how companies can use personal data to train AI systems under the “legitimate interest” legal basis, but only with strong safeguards and with an unconditional right for people to object. Other changes would make it clearer when organisations need to carry out impact assessments or report data breaches, and would ease information obligations in cases where it is reasonable to assume that individuals already know how their data is being used.

For Justice Commissioner Michael McGrath, the goal is to strike a balance between “simplification and competitiveness” and a “high level of protection for the fundamental rights of individuals”. Nevertheless, one clear difference is the reporting of GDPR incidents. Currently, companies must notify different authorities under NIS2, the GDPR and the Digital Operational Resilience Act, often for the same incident. The new package introduces a single-entry interface through which all incidents must be reported.

“One-click” cookie banners

The Commission is also pushing to reduce the number of cookie banners users face online. Under the proposal, users would give or withdraw cookie consent directly through “one-click” browser or operating-system settings instead of pop-ups on each website.

Digital rights groups have already expressed concerns about possible changes in the e-Privacy regulation. They said, in a letter to the Commission, that weakening the framework “will make it a lot easier for those in power to control people’s phones, cars or smart homes, while also revealing sensitive information about where people go, and with whom”. 

The warning lands at a critical moment. A recent investigation found that actors were using commercially traded data to spy on EU officials and other citizens. “This included revealing their home addresses, as well as visits to healthcare clinics and places of worship”, reads the letter.

Data Union and Business Wallet

Beyond rights and enforcement, the Omnibus also reshapes the EU’s data-governance landscape. The Commission plans to merge four existing data laws into a consolidated Data Union strategy. The reforms include model contracts for data sharing, harmonised clauses for cloud contracts and exemptions from cloud-switching obligations for SMEs and small mid-caps. Brussels estimates these measures will save about €1.5bn in costs.

In parallel, the Commission proposed a European Business Wallet, a cross-border digital identity and credential tool for companies, public bodies and non-profits. Businesses would use it to digitally sign and store documents, exchange verified data and access services across Member States.

Civil society fears a “rollback” of protections

Civil society groups had already raised the alarm. Last week, a coalition of 127 organisations warned that what Brussels describes as “technical streamlining” risks a “covert dismantling” of Europe’s strongest digital protections. Their concerns contrasted sharply with the Commission’s message of simplification and competitiveness. For Executive Vice-President Henna Virkkunen, the measures help European companies “often held back by layers of rigid rules”.

However, the organisations urged the Commission to “immediately halt any attempts to reopen the GDPR, ePrivacy framework, AI Act or other core digital rights protections”. The groups singled out the treatment of the AI Act and GDPR as especially worrying. They warned that the Omnibus could “remove some of the guardrails” designed to ensure AI is developed safely and without discrimination. They also accused Brussels of “hollowing out” the GDPR, weakening one of the few instruments that gives people meaningful control over their sensitive information.

What comes next

The Digital Omnibus now moves to the European Parliament and the Council. The negotiations there will determine how far lawmakers are willing to go in adjusting the EU’s tech laws.