EU proposes to simplify data protection and AI regulation to save costs and boost innovation
Share
The European Commission has presented a legislative initiative to simplify and harmonize the complex European digital regulatory framework. The goal is clear: reduce administrative burdens, facilitate regulatory compliance and accelerate innovation in areas such as artificial intelligence, cybersecurity and data management.
The legislative initiative, known as “Digital Omnibus”, is composed of the following simplification rules:
The Digital Omnibus is currently in public consultation phase until January 23, 2026 and subsequently, it must be presented to the European Parliament and the Council for legislative debate and subsequent approval.
1. Cookies: fewer banners and more clarity for administrations
The proposal incorporates specific modifications to the RGPD and the privacy regulations that seek:
Reduce cookie banners with clearer and unified consent options.
Allow managing preferences directly from the browser, simplifying user interaction.
This approach reinforces a key idea for public administration: Administration websites do not need consent cookies if they do not provide personal traceability. A practice that the AOC has been promoting for years.
2. IA Act: it is proposed to postpone the implementation of high-risk obligations
The development of standards, technical guides and tools to support the European AI regulation (AI Act) is progressing more slowly than expected. Therefore, the Commission is proposing adjust application schedules of high-risk AI systems obligations.
The proposed changes include:
Linking the “effective” entry into force (application) from the obligations to the effective availability of standards and tools.
Provide a margin of up to 16 additional months to facilitate compliance.
Establish clear maximum limits:
2 of December of 2027 for high-risk systems in Annex III (Art. 6.2).
August 2, 2028 for high-risk systems in Annex I (Art. 6.1).
This adjustment aims to prevent companies and administrations from having to assume high costs without having definitive guides and technical specifications.
3. Simplification of the data protection, cybersecurity and data framework
The Digital Omnibus also proposes actions in three other key areas:
Data protection (GDPR)
The concept of personal data is modified to incorporate the doctrine of the Court of Justice of the European Union on pseudonymized data and its consideration as personal data.
Included as new exceptions to the prohibition on processing specially protected data are: the use of data for AI control purposes and for biometric verification.
The exceptions to compliance with the information obligation are modified.
It integrates part of the ePrivacy Directive, regulating in the GDPR everything related to cookies and other online user tracking technologies.
The deadline and method for notifying security breaches is modified, going from 72 to 96 hours.
Cybersecurity
Creating a single point of incident notification which will avoid having to report the same fact to multiple regulations (NIS2, GDPR, DORA...).
Data Access and Governance (Data Act)
The proposal includes:
Simplification of the legal framework and strengthening of regulatory coherence.
Exemptions and simplifications for SMEs and medium-sized companies.
New models of contractual clauses and guides to facilitate access and use of data.
Measures to promote access to high-quality data to train and test AI.
4. EU Business Wallet: towards a European digital wallet for businesses
Another of the outstanding pieces is the proposal to create theEuropean Business Wallet (which would be based on the EUDI Wallet framework for individuals), a secure digital wallet that would allow:
Sign and exchange verified documents.
Carry out procedures and communications with administrations of any member state.
Simplify processes such as operating in another country, paying taxes or submitting documentation.
If adoption is high, the Commission estimates that it could generate savings of up to 150.000 billion euros per year for reduction of procedures.
5. Regulatory derogations
The EU's Digital Omnibus legislative initiative aims to simplify and harmonise the European digital regulatory framework. This proposal integrates and amends key provisions of several existing rules, including the repeal of Regulation (EU) 2018/1807 on the free flow of non-personal data, Regulation (EU) 2022/868 on data governance and Directive (EU) 2019/1024 on open data. The relevant provisions are incorporated within a single framework that also adapts the Data Act and other digital regulations, with the aim of reducing fragmentation and establishing more coherent and transversal regulation.
6. And now, what?
In the coming months, the public consultation will have to be concluded and the European Parliament and the Council will have to:
Discuss the content.
Introduce amendments.
Approve (or not) the different elements of the package.
Meanwhile, the AOC will continue to analyze the implications of this proposal, especially with regard to the implementation of the AI Act, the data governance, the cookie management and the EU Business Wallets opportunities for the public sector.
