The long-awaited European Commission proposal for a simplification of the Digital Rulebook arrived on Wednesday 19 November with a splash that is certain to cause ripples for the years to come. After weeks of rumours, the new Digital Package delivers not just adjustments to the current rulebook but marks a historic pivot in the way data is regulated in the EU.
As part of the Digital Package, the European Commission introduced the following:
-
Digital Omnibus – on the GDPR, e-Privacy, the Data (Governance) Act and Cybersecurity
-
Digital Omnibus on AI
-
Data Union Strategy
-
Consultation on the Digital Fitness Check
-
New MCTs and SCCs on the Data Act
-
Proposal of a new Regulation on European Business Wallets
In this Flash, we provide you with a high-level overview of what was announced.
Digital Omnibus on the GDPR, e-Privacy, Data (Governance) Act and Cybersecurity
The Digital Omnibus is the headliner of the Digital Package. It features proposed amendments to the concept of personal data and the relaxation of certain obligations under the GDPR; moving modernised cookie rules from the ePrivacy Directive to the GDPR; streamlining cybersecurity reporting; and integrating of the Data Governance Act, the Free Flow of Non-personal Data Regulation and the Open Data Directive into an expanded Data Act.
-
The GDPR reforms will bring changes to the definition of personal data inspired by the recent C-413/23 P SRB case-law of the Court of Justice, introducing a more relative definition of personal data. A change to Article 9 and a new Article 88c will enable AI developers to process (sensitive) data under the legitimate interest basis in Article 6(1)(f) GDPR. Relaxed data subject rights will allow controllers to refuse data subject requests that are abused for non-data protection purposes, reduce information requirements for certain controllers and allow more forms of automated decision-making.
-
On ePrivacy, the Digital Omnibus presents a renewed attempt to modernize cookie rules, by moving them into the GDPR. Under these updated requirements consent is no longer required for certain functional cookies and users can set cookie preferences through their browser. All websites, except for media services, must respect these preferences.
-
A new single-entry point for incident reporting developed by ENISA is intended to prevent the need to file multiple reports under different regulations, with an extension from 72 to 96 hours for reporting providing more time and promising fewer sleepless nights for data protection and cybersecurity professionals.
-
Finally, the Data Governance Act, the Free Flow of Non-personal Data Regulation and the Open Data Directive will cease to exist with most provisions integrated into the Data Act alongside several targeted adjustments being made.
AI Digital Omnibus on AI Act reforms and postponement
A specific Digital Omnibus on AI brings changes to the application and several substantive provisions in the AI Act, covering AI literacy, the interaction with the GDPR and oversight.
-
The most awaited change for high-risk AI developers and deployers will be the proposed delay in the application of the obligations for high-risk AI systems. If the current proposal would be adopted in time (i.e. before the currently envisioned 2 August 2026 deadline), the application of these obligations would be delayed until after the Commission decides that adequate measures in support of compliance are available. Ultimate deadlines are set on 2 December 2027 (Annex III high-risk AI systems) and 2 August 2028 (Annex I high-risk AI systems).
-
The AI literacy obligation on providers and deployers that entered into application at the start of 2025 will be transformed from an obligation into an encouragement from the Commission and Member States.
-
The previous exception for the processing of sensitive data for debiasing AI systems under Article 10(5) AI Act will also be transformed. It will now apply to all developers of AI systems, instead of just developers of high-risk AI systems.
-
The proposal makes further adjustments, including removing the obligatory registration of exemptions from the high-risk AI qualification in Article 6(4) AI Act, and making changes to AI sandboxes and the oversight of AI systems by VLOPs and VLOSEs designated under the Digital Services Act.
Data Union Strategy
The Data Union Strategy contextualises the Digital Package and marks a pivot from previous Commission strategies that expanded the Digital Rulebook. It lays out the Commission’s new priorities in the digital sphere. Enhancing access to high-quality datasets and compute for AI development, reducing regulatory burdens for SMEs and other businesses and protecting the EU's data sovereignty are now the guiding lights in the Commission’s digital strategy.
These goals will be implemented through the launch of Data Labs, providing high-quality anonymized or pseudonymized datasets. Data spaces on health, mobility, media, the judiciary, the green deal and defence are intended to open up access to data. Data centre capacity will in turn be provided through the adoption of a Cloud and AI development Act (CAIDA), which is expected for Q1 2026.
The simplification agenda is pursued through the Omnibus proposals, whilst compliance will be eased through a one-click-compliance programme for cybersecurity and additional guidance on the Data Act.
New consultation Digital Fitness Check
Whilst the Digital Omnibus Proposals already present significant changes to the data acquis, the Commission launched a further Digital Fitness Check consultation. Based on this consultation on the cross-regulatory impact of the Digital Rulebook, the Commission intends to present further revisions to the Digital Rulebook in 2027.
New MCTs and SCCs on the Data Act
To further aid compliance with the Data Act, the Commission has adopted (non-binding) Model Contractual Terms on data sharing and Standard Contractual Clauses for Data-Processing Services Agreements.
European Business Wallets
Finally, the proposed Regulation on European Business Wallets promises to ease cross-border interactions between companies and governments, including new possibilities for signing official documents.
