Digital Omnibus: simplification starts, but businesses still need clarity

The Digital Omnibus, proposed by the European Commission in November 2025, aims to streamline and simplify the digital rulebook to boost competitiveness and ease Artificial Intelligence (AI) development in Europe. It is a package of two regulations introducing amendments to several existing laws on Artificial Intelligence (the “AI Omnibus”) and on data (“Digital Omnibus” or “Data Omnibus”).

The proposal aims to facilitate data use for AI by adapting the definition of personal data to current jurisdiction and by clarifying that AI training and development can be a “legitimate interest” under the General Data Protection Regulation (GDPR). It also introduces a single-entry point for reporting cybersecurity breaches across various directives (GDPR, NIS2, DORA) to reduce administrative burden. 

From the business perspective, the Digital Omnibus does not deliver the relief and clarity that companies hoped for. It partly simplifies the EU's digital body of law, but crucial structural reforms are needed to genuinely strengthen the EU’s competitiveness. The Commission wanted to "bring immediate relief to businesses, public administration and citizens alike", but the current proposal can only be considered as a first step to update the EU's digital rulebook. 

Simplification

In our Opinion we state that Europe must strengthen its innovation capacity and global competitiveness by streamlining administrative processes, eliminating duplicative obligations or additional national requirements undermining the single market. At the same time, we recognise that Europe should uphold its social, environmental and consumer standards. In fact, outdated and overlapping rules can be repealed without lowering standards. Only more clarity can provide legal certainty for everyone and reduce the risk of lengthy and costly litigation. In particular, we call for clear definitions of ‘personal data’, ‘data holder’, ‘user’, ‘data processing service’ and ‘placing on the market’ across all relevant acts.

Artificial Intelligence

For Artificial Intelligence, we call for risk-based, proportionate regulation, which should be lighter for industrial and B2B uses. A risk-based approach to regulation is essential to balance innovation with the protection of fundamental rights. By tailoring obligations to actual risk, the EU can foster responsible innovation, support Small and Medium-sized Enterprises (SMEs) and Small Mid-Caps (SMCs), and ensure that safety and fundamental rights are not compromised. This includes, for instance, simple solutions for AI use in an internal corporate environment. The protective measures mandated by the AI Act are mostly designed to address risks associated with public and consumer-facing services. A corporate privilege could be introduced whereby the AI Act only applies in certain intra-group scenarios. The EESC also acknowledges the need to simplify the regulatory framework applicable to SMEs and SMCs and supports the establishment of regulatory sandboxes.

The Single-Entry Point

As far as the Digital or Data Omnibus is concerned, we welcome the proposed interoperable EU Single-Entry Point’ (SEP). This will also improve situational awareness and enable faster, more coordinated responses to threats. In addition to the language of the Member State concerned, the system should enable English‑language submissions and the reuse of previously submitted information and should also apply strict ‘need‑to‑know’ access controls for authorities.

Personal Data

The definition of personal data is decisive in determining the scope of application of the GDPR. In particular, the use of anonymised data is an instrument of great significance for industry (e.g. for AI training), while also providing a mechanism to balance innovation with strong data protection and privacy safeguards. Clarifying when pseudonymised data can be considered anonymised is critical for legal certainty and innovation. Regarding the ePrivacy Directive, the EESC encourages the co-legislators to explore options for simplifying consent requirements in low-risk contexts. Overly rigid rules can unintentionally hinder innovation, for example in vehicle safety and autonomous driving. 

Finally, time is of the essence: the application deadlines for high-risk AI systems will come into force in August 2026. We therefore urge the co-legislators to prioritise the timely conclusion of negotiations on the AI Omnibus, ensuring that all stakeholders have clarity and sufficient time to adapt before high-risk AI obligations become binding.

By Heiko Willems, EESC Employers' Group member and Rapporteur of Opinion INT/1108 Digital Omnibus.