The European Commission has taken a delicate turn in its digital policy. After years framing the GDPR and the upcoming AI Act as the barricades against excesses by Big Tech, Brussels has introduced an omnibus legislative package that, in practice, softens timelines, obligations, and limits for companies handling data and developing AI systems.
Officially, the goal is clear: reduce bureaucracy, facilitate economic growth, and cut up to €5 billion in administrative costs by 2029, as well as open the door to potential savings of up to €150 billion annually through the digitalization of business procedures. However, digital rights organizations, legal experts, and parts of the critical ecosystem towards Big Tech are already talking about a concession to pressure from major tech corporations — both U.S. and European — and governments eager for more data to train AI models.
An omnibus package to “simplify” digital regulation
The new package, dubbed digital omnibus, groups changes across three main areas: artificial intelligence, cybersecurity, and data protection. It is accompanied by a Data Union Strategy — designed to unlock large volumes of quality data — and a proposal for a European Business Wallet, a kind of “digital wallet” for businesses and public administrations across the 27 EU countries.
In the area of AI, the Commission proposes linking the implementation of rules applicable to high-risk systems — those that can impact health, safety, or fundamental rights — to the availability of “support tools” and clear technical standards. Practically, this means that these obligations wouldn’t apply automatically on the planned date, but up to 16 months later after Brussels certifies that sufficient standards and tools exist for companies to comply.
The official narrative is that this aims to prevent companies, especially SMEs, from facing laws that are difficult to implement in practice. Critics, however, highlight the obvious risk: a longer period during which potentially dangerous AI systems will operate with fewer requirements, right at a time when the race for generative AI is accelerating.
AI and personal data: more room to train models
One of the most sensitive points of the omnibus package concerns proposed changes to the GDPR. The Commission insists that the “core” of the regulation remains intact but introduces “targeted” modifications to harmonize, clarify, and simplify certain rules.
Among other things, it facilitates the sharing of anonymized or pseudonymized personal data between companies and opens the door for AI firms to use certain personal data to train models, provided that the training process and subsequent use adhere to GDPR principles.
Practically, this provides a somewhat more flexible framework for companies wishing to feed their models with data from European users, in exchange for strengthening documentation, technical guarantees, and impact assessments. Tech companies see it as an opportunity window; those wary of algorithmic surveillance view it as a step back in a text that was until now considered the “gold standard” for privacy.
Lighter cookies… but more power for browsers and systems
Another flagship measure is the promise to eliminate cookie banner fatigue. The Commission plans to modernize consent rules to reduce pop-up windows and allow users to manage their preferences centrally from the browser or operating system.
The aim is for people to accept or reject cookie categories “in a single action” and for that setting to be applied consistently across all websites. Certain cookies considered “high-risk” would be excluded from granular consent options.
From a user experience standpoint, this may seem like an improvement. However, some experts warn that this shifts even more power to major browsers and operating systems, many of which are controlled by the same large tech companies whose tracking and advertising practices are meant to be limited from the outset.
Less paperwork in cybersecurity and more data for AI
In cybersecurity, the package introduces a single incident notification point, so firms won’t need to report the same incident under multiple legal frameworks — such as NIS2, GDPR, or DORA — through different channels. This single access point aims to reduce administrative burden without lowering notification obligations.
The other major element is the Data Union Strategy, aiming to unlock more quality data for training AI models and support innovation in key sectors. Measures announced include:
- The consolidation of various provisions related to the Data Act into a more integrated text;
- Specific exemptions for SMEs regarding cloud provider switching rules;
- Standard contract models to facilitate data access and usage agreements;
- A “toolbox” to prevent leaks of sensitive data and measures to reinforce European sovereignty over non-personal data.
In theory, this seeks to prevent European data from ending up uncontrolled in jurisdictions with weaker protections, while creating a more friendly environment for European AI companies to access broad and updated datasets.
A “digital wallet” for companies across the EU
The third pillar of the package is the European Business Wallet, a digital tool that would provide companies and public organizations with a shared identity and environment to operate within all 27 member states.
With this wallet, businesses could:
- sign, date, and seal documents digitally;
- Create, store, and exchange verified documents;
- Communicate securely with administrations and other companies throughout the EU.
Brussels estimates that if widely adopted, this could save up to €150 billion annually in procedures and paperwork, by streamlining cross-border expansion, tax payments, and interactions with authorities without the need for in-person processes.
Competitiveness vs. rights: an increasingly tense balance
The vice presidents and commissioners responsible for the package emphasize the same point: Europe has talent, infrastructure, and a market, but its companies — especially smaller ones — are trapped in excessive regulatory rigidity. Easing burdens, simplifying obligations, and delaying certain requirements is seen as the key to closing the innovation gap with other powers.
However, civil society and part of the legal community perceive another message: the EU is beginning to yield on what made it distinctive, particularly its rigorous privacy protections and cautious approach to AI.
Allowing more flexibility to use personal data for training, delaying high-risk system rules, and centralizing cookie consent controls in a few large tech players are, according to critics, risky moves amid growing digital power concentration.
What comes next: Parliament, Member States, and a “physical review”
The omnibus package and related proposals now head to the European Parliament and the Council, where a qualified majority of Member States will be needed to pass them. The process will take months, and amendments and adjustments are likely as political negotiations and interest groups exert pressure from both sides.
Simultaneously, the Commission has launched a Digital Fitness Check, a review of the entire digital regulatory framework, including an open public consultation until March 2026. The idea is to put current rules to a sort of “stress test” to see if they support or hinder competitiveness.
What’s clear is that the debate over how much the GDPR and AI Act should be flexible — without eroding European citizens’ rights — has reignited with vigor. And, this time, the European institutions themselves are at the center of the controversy.
Frequently Asked Questions
What changes does the European Commission propose for the GDPR with this digital package?
The Commission suggests targeted modifications to harmonize and simplify GDPR application, especially regarding the sharing of pseudonymized or anonymized data between companies and the use of certain personal data for AI training, all while adhering to the regulation’s principles. The core of GDPR remains unchanged, but a more flexible framework is introduced for certain data uses in innovative contexts.
How will the simplification of cookie banners affect users?
The aim is for users to see fewer pop-ups and to manage their cookie preferences from a centralized panel in their browser or operating system. This could improve browsing experience, but also concentrates control over online tracking in the hands of browser and system developers, many of whom are large tech firms.
What is the European Business Wallet, and what benefits will it bring to SMEs?
The European Business Wallet is a shared digital platform for businesses and public entities across the EU. It will enable signing, sealing, and sharing verified documents, and secure communication with authorities and other enterprises within the 27 member states. For SMEs, it could streamline procedures, speed up cross-border expansion, and reduce bureaucratic costs.
Why is the delay in implementing rules for high-risk AI systems controversial?
Because these systems can have the most significant impact on health, safety, and fundamental rights. Delaying full implementation by up to 16 months — depending on the availability of standards and tools — provides companies more time to adapt but also extends the period during which such systems operate with less oversight and fewer strict obligations.
Source: European Union