"Simplifying to Compete: Redefining the EU’s Digital Framework"
In recent years, Europe has been busy developing one of the world’s most ambitious digital regulatory frameworks, covering matters such as data protection and sharing, artificial intelligence (AI), and operational resilience. The result is a robust framework, but also one that is complex and, at times, fragmented. However, since 2023—with the rise in popularity of tools such as ChatGPT—and amid heightened geopolitical tensions, there has been mounting criticism of an approach that is sometimes seen as overly regulatory and as one of the causes of the EU’s technological gap relative to other regions.
In response, the European Commission has placed investment in technology and regulatory simplification firmly at the center of its agenda. The objective is clear: to reduce burdens, eliminate regulatory inconsistencies, and enable access to data and innovative technology, while maintaining high levels of protection. The Digital Omnibus Regulation, unveiled in November 2025 and currently under negotiation, is the clearest example of this priority and of the urgency to deliver on it.
This package revises several key rules governing the way data are processed and accessed. First, it amends the European Data Act to consolidate scattered rules, reduce certain obligations to share information with public authorities, and prevent new barriers to the flow of non-personal data within the EU.
The objective is clear: to reduce burdens, eliminate regulatory inconsistencies, and enable access to data and innovative technology, while maintaining high levels of protection
In the realm of data protection, the proposal ushers in significant changes to the General Data Protection Regulation (GDPR), aiming to narrow the definition of what qualifies as personal data and to facilitate the processing of sensitive data, with the goal of fostering AI development. However, the European Data Protection Board and the governments of several Member States are questioning the proposal not to treat data as personal when the company processing it is unable to identify the data subject.
The Omnibus also introduces changes regarding cookies, with the relevant rules shifting from the ePrivacy Directive to the GDPR. Among the planned changes, individuals would be able to set their default preferences, thus reducing the number of cookie consent requests they see when visiting websites and improving the browsing experience. Moreover, a single point of contact for reporting cybersecurity incidents would be set up, simplifying obligations currently spread across multiple frameworks (NIS2, DORA, eIDAS, GDPR).
When it comes to AI, the proposal would delay when requirements for high-risk systems take effect—such as those used in human resources and creditworthiness assessments—until, at the latest, December 2027. It would also extend certain exemptions currently available to SMEs to larger mid-sized companies (small mid-caps), and enable the use of sensitive data to detect bias.
Overall, the approach appears to be reasonable. Ultimately, it preserves the high standards of protection for which the EU is known, while acknowledging the need to reduce complexity, compliance costs, and legal uncertainty in the current framework.
The integration of the cookie regime into the GDPR, the streamlining of data-related obligations, and the easing of burdens under the AI Regulation—by ensuring that requirements for high-risk systems do not enter into force before their implementing rules are finalized—point to a more orderly and proportionate approach, rather than a radical overhaul of the existing framework. The fact that the proposal is not a major overhaul is also reflected in the legislative process itself: in order to maintain momentum—particularly in the case of the AI Omnibus, which must be adopted before August 2026—the Council and the European Parliament are already removing or modifying the most sensitive provisions on which a swift agreement appears unlikely. In parallel, the Council is also looking to introduce an additional ban on applications that can be used to create sexualized images without consent, responding to a clear societal concern, but which is undoubtedly not a simplification measure.
Issues such as the definition of personal data, the interpretation of the “necessity” requirement in automated decision-making, the scope of alternatives to automated processing, and the easing of certain record-keeping obligations for AI systems will be decisive in determining whether the simplification process is genuine rather than merely cosmetic. It will also be crucial to ensure that the single incident reporting point is backed by substantive harmonization of criteria and timelines across sectoral and cross-sector frameworks.
The integration of the cookie regime into the GDPR, the streamlining of data-related obligations, and the easing of burdens under the AI Regulation point to a more orderly and proportionate approach, rather than a radical overhaul of the existing framework
In short, the Digital Omnibus promises to be a meaningful first step toward a more coherent and competitive digital framework. However, if Europe wants simplification to be more than just a temporary initiative, it will need to embed this approach as a structural component of its broader regulatory policy. It’s not just about approving the package; it’s about ensuring its effectiveness in fostering innovation without sacrificing legal certainty or the protection of rights.