As parliamentarians begin to debate the Digital Omnibus package — the Commission’s latest attempt to simplify EU digital legislation and boost competitiveness — familiar criticism is emerging: Will simplification weaken safeguards? Could easing compliance rules ultimately reinforce Europe’s external dependencies rather than strengthen digital sovereignty?
The European Parliament’s Internal Market and Consumer Protection (IMCO) Committee held an initial exchange on Thursday, signalling that what is framed as a technical streamlining exercise may quickly become a political battleground.
During the session, Goda Skiotytė, policy researcher at Visionary Analytics, presented a study entitled “A Digital Omnibus: Identifying Interlinks and Possible Overlaps Between Different Legal Acts in the Field of Digital Legislation to Streamline Tech Rules.”
She situated the initiative within the competitiveness push launched after the 2024 Draghi report. The Omnibus was presented alongside the Data Union Strategy, the European Business Wallet proposal and a Digital Fitness Check — together forming what the Commission describes as a coordinated effort to cut red tape and strengthen Europe’s position in the global AI race.
Two proposals, broader implications
The Digital Omnibus consists of two legislative proposals.
The first amends a broad range of legislation in data protection, data governance and cybersecurity. It touches the GDPR (General Data Protection Regulation), the Data Act and several cybersecurity instruments, while repealing acts the Commission considers redundant, including the Platform-to-Business Regulation, citing overlaps with the Digital Services Act and the Digital Markets Act.
The second proposal focuses exclusively on the AI Act, targeting implementation timelines, SME simplification and institutional coordination.
Although framed as simplification, MEPs made clear that the ripple effects could be substantial.
GDPR back in focus
The most far-reaching amendments concern the GDPR. According to the study, these changes sit at the centre of the “simplification versus deregulation” debate.
Among the most controversial elements is a proposed shift in how personal data is defined. Rather than assessing whether any actor could theoretically identify an individual, the revised test would examine whether a specific controller can realistically do so using the means at its disposal.
Supporters argue this would reduce disproportionate compliance burdens. Critics warn that narrowing the identifiability test could weaken protection. Several MEPs also noted that reopening elements of the GDPR after years of political negotiation inevitably raises questions about the stability of the entire framework.
AI Act under revision
The package further clarifies the use of “legitimate interest” as a lawful basis for AI development and broadens the notion of scientific research to include commercial innovation. Combined with exemptions for the residual presence of sensitive data in AI training datasets, the proposals reflect a broader shift towards easing legal constraints around AI-related data processing.
Skiotytė acknowledged concerns that such adjustments could disproportionately benefit dominant — often non-EU — AI firms seeking expanded access to European data. Lawmakers repeatedly asked how Parliament could prevent revised rules from facilitating greater access for foreign tech companies.
The Omnibus also proposes revisiting the AI Act’s implementation schedule. High-risk obligations, currently due to apply from August 2026, would no longer be triggered by a fixed date but instead by the availability of necessary standards and guidance.
Supporters argue this reflects practical reality, as companies cannot comply with requirements that lack technical benchmarks. The study recognises the timeline challenge but warns that replacing a clear deadline with a “readiness” trigger could introduce uncertainty if criteria are not transparent and predictable.
Further changes would extend simplified compliance procedures to small mid-caps, soften AI literacy duties and strengthen the role of the AI Office in overseeing general-purpose AI models at EU level.
Cookie fatigue
The Omnibus also promises to tackle “cookie fatigue”. Key provisions from the ePrivacy framework would be integrated into the GDPR, with greater reliance on machine-readable consent signals rather than pop-up banners.
However, the study cautions that legislative reform alone will not resolve the issue. Much will depend on how browsers, platforms and standard-setting bodies design technical interfaces in practice.
On the broader data economy framework, the Omnibus proposes a bigger clean-up: consolidating the Data Governance Act, the Open Data Directive and the Free Flow of Non-Personal Data Regulation into a streamlined Data Act. The aim is to reduce overlap and administrative duplication.
Competitiveness versus sovereignty
The study concludes with a call for a “strategic reality check.” Regulatory simplification alone, the authors argue, will not alter Europe’s position in the global AI value chain. There is also a risk that loosening obligations could benefit dominant non-EU players, reinforcing external dependencies rather than strengthening digital sovereignty.
As parliamentary scrutiny begins, that tension between competitiveness and sovereignty is likely to define the political debate around the Digital Omnibus in the months ahead.