EU Digital Omnibus: simplification or new complexity for digital and AI regulation?
What has happened and why does it matter?
The European Commission has proposed a Digital Omnibus Regulation to streamline elements of the EU’s digital legislative framework, including amendments to the GDPR, ePrivacy Directive, NIS2 and the Data Act, while repealing several existing measures and consolidating the data acquis into fewer instruments. The accompanying Staff Working Document estimates annual administrative cost savings for businesses of over EUR 1.3bn once implemented, with further one-off savings. Financial Times coverage has framed the package as a politically important attempt to “tidy up” an increasingly dense digital rulebook.
For operators, platforms, AI developers and investors, however, the package is only a proposal and sits on top of an already crowded EU digital landscape. It is legally and technically complex, will be heavily negotiated in Council and Parliament, and its final shape – and implementation timelines – remain uncertain. Against that backdrop, the UK’s principle-based AI and digital governance model, driven by regulators under cross-cutting statutory duties, currently looks more predictable and operationally navigable.
Regulatory background
The EU Digital Omnibus is presented as part of a broader Commission agenda to “stress-test” and simplify EU law to support competitiveness and reduce regulatory burdens. In digital, that agenda focuses on the cumulative effect of successive instruments: GDPR, the Data Act, Data Governance Act, Open Data Directive, Free Flow of Non-Personal Data Regulation, ePrivacy rules, the AI Act, NIS2, the Cyber Resilience Act, the European Health Data Space and platform rules such as the DSA and DMA.
The proposal, COM(2025) 837 final, would amend, among other measures:
- Regulation (EU) 2016/679 (GDPR)
- Regulation (EU) 2018/1724 (Single Digital Gateway)
- Regulation (EU) 2018/1725 (EU institutions’ data protection regime)
- Regulation (EU) 2023/2854 (Data Act)
- Directive 2002/58/EC (ePrivacy)
- Directive (EU) 2022/2555 (NIS2)
- Directive (EU) 2022/2557 (Critical Entities Resilience)
It would also repeal four existing instruments, including the Free Flow of Non-Personal Data Regulation, the Platform-to-Business Regulation, the Data Governance Act, and the Open Data Directive. Its stated aim is to consolidate the data acquis into essentially two core texts – GDPR and the Data Act – and to rationalise overlapping reporting and compliance obligations, notably through a single entry point for cybersecurity incident reporting.
The Staff Working Document accompanying the proposal records extensive consultations and acknowledges that many stakeholders see the digital rulebook as “overly complex”, calling for harmonised definitions, clearer interaction between regimes (especially GDPR/AI Act/Data Act) and reduced duplication.
By contrast, the UK has deliberately adopted a non-omnibus approach. The 2023 AI Regulation White Paper set out five cross-cutting AI principles – safety, transparency, fairness, accountability and contestability – to be implemented by existing regulators rather than through a single AI statute. Subsequent guidance directs regulators on implementing those principles within existing sectoral mandates. The ICO and Ofcom have now both published strategic AI approaches under that framework.
Analysis: what the EU Digital Omnibus does in practice
Although branded as simplification, the EU Digital Omnibus is highly technical and makes changes across four main areas: data, data protection and privacy, cybersecurity, and platform rules.
Data acquis and data sharing
The proposal would:
- Consolidate aspects of the data acquis by folding elements of the Data Governance Act, Open Data Directive and Free Flow of Non-Personal Data Regulation into the Data Act and GDPR, with a view to “only two legal acts” governing the availability and use of data.
- Adjust rules on data intermediation services, trade secrets protections and business-to-government (B2G) data requests, and refine switching obligations for cloud/data processing services.
The Commission argues this will reduce fragmentation and support data re-use and access in support of trustworthy AI development and deployment. However, in the short term, businesses operating data spaces or data-driven services will need to track and implement detailed textual amendments across multiple instruments, while interpreting transitional rules and repeals.
GDPR and ePrivacy adjustments
Stakeholder feedback highlighted consumer-reported “cookie fatigue”, fragmented consent rules and calls from businesses and several supervisory authorities for better alignment between GDPR and ePrivacy Article 5(3), while many NGOs resisted any perceived lowering of privacy standards. The Omnibus responds with targeted adjustments designed to:
- Streamline cookie consent and clarify lawful grounds for certain low-risk uses (e.g. audience measurement), and
- Clarify interplay between GDPR and other acts, including the AI Act and Data Act.
These changes aim to reduce banner proliferation and align legal tests more closely with risk-based GDPR concepts. The practical effectiveness will depend on how precisely the final text draws the line between exempted and consent-requiring processing and how national DPAs interpret and enforce the changes.
Cybersecurity and incident reporting
The EU Digital Omnibus addresses well-founded complaints about duplicated incident reporting under overlapping frameworks (NIS2, sector-specific rules, data breaches under GDPR and others). Stakeholders had identified duplicative reporting as a clear and unnecessary burden.
The proposal moves towards a single entry point for cybersecurity and related incident notifications. If implemented coherently at EU and national levels, this could be a genuine simplification for operators of essential and important entities, including telecoms and cloud providers, although it will require considerable implementation work by Member States and supervisory bodies.
AI Act and platform rules under the EU Digital Omnibus
Associated Omnibus measures amend the AI Act to ease practical implementation, responding to concerns about compliance cost, uncertainty over scope, and interplay with other regulations. Stakeholder “reality checks” identified costs of at least EUR 100,000 per high-risk system, an absence of harmonised standards and complex interactions with GDPR and other regimes.
On platforms, the Commission notes that the DSA and DMA now largely supersede the older Platform-to-Business (P2B) Regulation and therefore proposes its repeal to remove overlap.
Commercial and operational implications
For businesses, the immediate implications are less about concrete obligations and more about regulatory trajectory and uncertainty.
First, the Omnibus will trigger a multi-year EU legislative process. Even assuming the Commission’s objective of simplification, trilogue negotiations are likely to re-open politically sensitive questions around cookies, data re-use, trade secrets, B2G access and the balance between enforcement efficiency and fundamental rights. The text is likely to evolve, possibly substantially, before adoption.
Secondly, the compliance effort required to map, interpret and implement cross-amendments should not be underestimated. Digital-first businesses already face overlapping programmes for GDPR, the Data Act, DGA, DSA/DMA, NIS2, CRA and the AI Act. The Omnibus may reduce medium-term duplication, but in the short term it adds another layer of legal analysis, redrafting of policies, contracts and governance frameworks, and systems changes.
Thirdly, stakeholder feedback – as summarised in the Staff Working Document – underlines that regulatory uncertainty, difficulty identifying applicable rules, overlapping requirements and divergent national application are already key obstacles to investment and deployment, particularly in AI. That uncertainty will continue until the EU Digital Omnibus is agreed and interpreted (including by regulators, the EDPB and the courts).
By contrast, in the UK, the AI and digital governance model is increasingly anchored in:
- High-level statutory data protection and security frameworks (UK GDPR, DPA 2018, sectoral legislation);
- A principles-based AI framework implemented by existing regulators rather than a dedicated AI Act; and
- Regulator-specific strategies such as the ICO’s AI approach and Ofcom’s strategic AI plan for broadcasting, online safety and telecoms.
This provides UK-based businesses with a reasonably stable baseline: obligations are still significant, but changes are channelled primarily through regulator guidance and enforcement practice rather than frequent large-scale legislative amendment. That can make internal compliance planning simpler and more predictable, even if the rules are at times less granular than their EU counterparts.
For cross-border operators, the foreseeable model is therefore:
- EU operations are subject to a highly codified, evolving Omnibus framework, with potentially meaningful simplification in the medium term, but significant transition costs;
- UK operations are subject to a principles-based model where the primary legal text changes more slowly, with agility delivered via regulator guidance and coordination (including the Digital Regulation Cooperation Forum).
Our view of the EU Digital Omnibus
The Commission is candid that the digital rulebook has become dense and that the accumulation of rules can damage competitiveness. The EU Digital Omnibus is a legally coherent attempt to rationalise that acquis and, within its stated objectives, it contains sensible measures: consolidation of the data acquis, a move towards single-entry incident reporting, and the retirement of obsolete platform rules in favour of newer regimes.
However, for businesses, simplification on paper does not automatically translate into simplicity in implementation. The proposal measures success partly in estimated aggregate cost savings, yet those savings rely on rapid agreement, effective coordination of national supervisory authorities and harmonised national transposition where directives are amended. The very fact that such a technical Omnibus is needed underscores the overall complexity of the EU’s digital and AI framework.
By contrast, the UK’s principles-based AI and digital governance framework – with regulators implementing five cross-cutting principles within existing mandates – looks, for now, comparatively light on legislative churn and more focused on outcomes and proportionality. For boards planning multi-year digital and AI programmes, that stability and regulator-led guidance may be easier to operationalise than another wave of tightly drafted EU legislation whose final form is uncertain.
A strong counter-argument is that once the Omnibus has bedded in, EU businesses may enjoy a clearer, more consolidated digital code, with fewer duplicative obligations than today. The UK, for its part, will still need to manage coordination across multiple regulators and may ultimately be driven towards more formal codification in certain areas. For the present, however, the EU Digital Omnibus highlights a widening contrast between the EU’s legislative, code-based approach and the UK’s principles-first model.
If you need to understand how the EU Digital Omnibus affects your EU or UK digital, data or AI compliance plans, Bratby Law can provide a clear assessment and practical next steps.
