The EU proposes to simplify data protection and AI regulation to save costs and boost innovation

The European Commission has presented a legislative initiative to simplify and harmonize the complex European digital regulatory framework. The goal is clear: reduce administrative burdens, facilitate regulatory compliance and accelerate innovation in areas such as artificial intelligence, cybersecurity and data management.

The legislative initiative, known as “Digital Omnibus”, is composed of the following simplification rules:

Proposal for a Digital Omnibus Regulation
Proposal for a Digital Omnibus regulation on Artificial Intelligence
Proposal for a Regulation on the establishment of European business wallets
Data Union Strategy: Unlocking Data for AI
Draft Recommendation on non-binding model contractual clauses on access to and use of data and non-binding standard contractual clauses for cloud computing contracts

The Digital Omnibus is currently in public consultation phase until January 23, 2026 and subsequently, it must be presented to the European Parliament and the Council for legislative debate and subsequent approval.

1. Cookies: fewer banners and more clarity for administrations

The proposal incorporates specific modifications to the RGPD and the privacy regulations that seek:

Reduce cookie banners with clearer and unified consent options.
Allow managing preferences directly from the browser, simplifying user interaction.

This approach reinforces a key idea for public administration: Administration websites do not need consent cookies if they do not provide personal traceability. A practice that the AOC has been promoting for years.

2. IA Act: it is proposed to postpone the implementation of high-risk obligations

The development of standards, technical guides and tools to support the European AI regulation (AI Act) is progressing more slowly than expected. Therefore, the Commission is proposing adjust application schedules of high-risk AI systems obligations.

The proposed changes include:

Linking the “effective” entry into force (application) from the obligations to the effective availability of standards and tools.
Provide a margin of up to 16 additional months to facilitate compliance.
Establish clear maximum limits:
- 2 of December of 2027 for high-risk systems in Annex III (Art. 6.2).
- August 2, 2028 for high-risk systems in Annex I (Art. 6.1).

This adjustment aims to prevent companies and administrations from having to assume high costs without having definitive guides and technical specifications.

3. Simplification of the data protection, cybersecurity and data framework

The Digital Omnibus also proposes actions in three other key areas:

Data protection (GDPR)

The concept of personal data is modified to incorporate the doctrine of the Court of Justice of the European Union on pseudonymized data and its consideration as personal data.
Included as new exceptions to the prohibition on processing specially protected data are: the use of data for AI control purposes and for biometric verification.
The exceptions to compliance with the information obligation are modified.
It integrates part of the ePrivacy Directive, regulating in the GDPR everything related to cookies and other online user tracking technologies.
The deadline and method for notifying security breaches is modified, going from 72 to 96 hours.

Cybersecurity

Creating a single point of incident notification which will avoid having to report the same fact to multiple regulations (NIS2, GDPR, DORA...).

Data Access and Governance (Data Act)

The proposal includes:

Simplification of the legal framework and strengthening of regulatory coherence.
Exemptions and simplifications for SMEs and medium-sized companies.
New models of contractual clauses and guides to facilitate access and use of data.
Measures to promote access to high-quality data to train and test AI.

4. EU Business Wallet: towards a European digital wallet for businesses

Another of the outstanding pieces is the proposal to create theEuropean Business Wallet (which would be based on the EUDI Wallet framework for individuals), a secure digital wallet that would allow:

Sign and exchange verified documents.
Carry out procedures and communications with administrations of any member state.
Simplify processes such as operating in another country, paying taxes or submitting documentation.

If adoption is high, the Commission estimates that it could generate savings of up to 150.000 billion euros per year for reduction of procedures.

5. Regulatory derogations

The EU's Digital Omnibus legislative initiative aims to simplify and harmonise the European digital regulatory framework. This proposal integrates and amends key provisions of several existing rules, including the repeal of Regulation (EU) 2018/1807 on the free flow of non-personal data, Regulation (EU) 2022/868 on data governance and Directive (EU) 2019/1024 on open data.
The relevant provisions are incorporated within a single framework that also adapts the Data Act and other digital regulations, with the aim of reducing fragmentation and establishing more coherent and transversal regulation.

6. And now, what?

In the coming months, the public consultation will have to be concluded and the European Parliament and the Council will have to:

Discuss the content.
Introduce amendments.
Approve (or not) the different elements of the package.

Meanwhile, the AOC will continue to analyze the implications of this proposal, especially with regard to the implementation of the AI Act, data governance, cookie management and the EU Business Wallets opportunities for the public sector.

For more details, you can consult the official press release of the European Commission:
Simpler EU digital rules and new digital wallets to save billions for businesses and boost innovation

EU proposes to simplify data protection and AI regulation to save costs and boost innovation