Europe’s latest digital reform package arrives at a moment of strategic self-reflection. After years of increasingly complex legislative layers and growing concerns that the EU is falling behind the United States and China in the race to develop and scale Artificial Intelligence, the European Commission now appears determined to reposition the Union as a competitive, innovation-driven power. The newly published Digital Omnibus Regulation, released quite literally ‘’fresh out of the oven’’ on 19 November 2025, signals a decisive shift: Europe wants to simplify, consolidate and modernise its digital rulebook so that it can compete in a global environment where the fastest-moving jurisdictions, particularly the US and China, have already deployed the most advanced and commercially dominant AI models.

Unsurprisingly, the proposal has already sparked significant debate, with strong positions both in favor of the long-awaited simplification and against the perceived risk that the EU may be weakening safeguards in the name of competitiveness. Industry stakeholders, academics and digital-rights advocates have already begun circulating early analyses, and several official reactions from Brussels and national authorities underline just how pivotal this reform may prove to be for the next decade of EU digital governance.

Beyond the legal and structural reforms, the Commission emphasises that the Digital Omnibus is also an economic measure designed to reduce administrative burdens and stimulate innovation across the Union. According to the Commission’s impact estimates, the simplification measures could generate up to €5 billion in reduced compliance costs by 2029.

The first pillar focuses on the Data Act, introducing targeted amendments and consolidating several existing data-governance instruments to create a more coherent and less burdensome framework for data access, reuse and interoperability.

The second pillar, presented as the Digital Simplification Package, proposes broader reforms to the GDPR, ePrivacy rules and the AI Act, aiming to modernise key definitions, streamline compliance obligations and enable responsible AI development through clearer legal bases and harmonised oversight.

I. Key adjustments to the Data Act

• Stronger trade-secret protection - data holders may refuse access where there is a substantial, demonstrable risk that trade secrets could be unlawfully acquired or disclosed in third countries with weaker legal safeguards;
• Narrower B2G access - mandatory data sharing by companies would be limited to public emergencies, replacing the vague concept of “exceptional need”. SMEs would be entitled to compensation for compliance during such emergencies;
• Legislative consolidation - three instruments: the Free Flow of Non-Personal Data Regulation, the Data Governance Act, and the Open Data Directive would be merged into a unified rulebook under the Data Act;
• Voluntary data-intermediary regime - the mandatory framework becomes voluntary, with a public EU register for recognized intermediaries to enhance transparency and trust;
• Clarifications on smart contracts and cloud switching - the proposal removes the existing essential-requirements regime for smart contracts, eliminating a source of legal uncertainty and giving providers greater flexibility in structuring data-sharing arrangements. The Omnibus also introduces lighter switching obligations for custom-made services and for SMEs operating under contracts concluded before September 2025, including a clearer allowance for early-termination fees.

II. Key revisions to the GDPR, ePrivacy and AI Framework

• Clarified boundary between personal and non-personal data – information is not considered personal data for a controller where the controller cannot identify an individual by means reasonably likely to be used, reducing over-classification of technical or device-level data;
• New lawful ground for AI model development – controllers may process personal data, including certain special categories under strict safeguards, when strictly necessary for the development, training or operation of AI systems;
• Compatibility for research and archiving purposes – processing for scientific, statistical, historical or archiving purposes is deemed inherently compatible with the original purpose, removing the need for additional compatibility assessments;
• Adjusted transparency and access-rights obligations – controllers may refuse abusive or manifestly unfounded access requests, while certain low-risk scenarios benefit from simplified information duties;
• Extended breach-notification period and unified reporting – the notification deadline increases from 72 to 96 hours, and the Commission aims to establish a single EU reporting point covering incidents under the GDPR, NIS2, DORA and the upcoming CER Directive;
• Revised ePrivacy rules and cookie framework – machine-readable consent/refusal signals at browser or OS level must be honoured by service providers; certain low-risk cookies (e.g., aggregated audience measurement, essential security functionalities) would be exempt from consent; enforcement would align with GDPR-level sanctions.

As with any major EU reform, the next stage will be the full legislative process, during which the European Parliament and the Council will examine the proposal, develop their respective positions and ultimately enter trilogue negotiations with the Commission. Although final adoption is expected around mid-2026, the timeline could accelerate if the Parliament opts for the urgent procedure, potentially bringing the final text forward to early 2026.

As the proposal advances through the legislative process, attention naturally shifts from procedure to substance. Even though the final contours of the reform are not yet known, it is already clear that the package represents one of the EU’s most ambitious attempts in recent years to modernise and simplify its digital framework, particularly in areas involving data and AI. Given the scope and complexity of the proposals, each component will need to be assessed individually to fully understand its practical implications, and we will continue to monitor and analyse the package as the negotiations progress.