The European Commission has released its Digital Omnibus Package, a reform that overhauls significant parts of the EU's digital regulatory framework.
It is presented as a simplification, introducing important changes across data law, cybersecurity, digital identity and the Artificial Intelligence Act. The package promises efficiency and lower compliance costs, but it also injects new uncertainty into the EU's most ambitious technology law. Nowhere is that more visible than in the future of high-risk AI.
A Floating Start Date for High-Risk AI
The AI Act originally set a clear timetable: high-risk systems were due to fall under binding obligations in 2026 and 2027. The Omnibus breaks that certainty. The new rules will only apply once the Commission adopts a formal decision confirming that harmonised standards, common specifications and support tools are available. For Annex III systems, covering areas such as employment, law enforcement and access to public services, the obligations will apply six months after that decision. For Annex I systems, including medical devices and other product-based AI, they will apply twelve months after the decision. If the Commission delays, the regime will not start until longstop dates of December 2027 for Annex III and August 2028 for Annex I. Europe now has a flagship law whose most important chapter begins only when Brussels declares the supporting infrastructure ready.
Amendments to the GDPR
The General Data Protection Regulation (GDPR) is amended in several specific ways. The definition of personal data is clarified, codifying the Court of Justice case law on identifiability and pseudonymisation. The proposal outlines the circumstances under which a dataset can be shared with a third party that does not have the means to reidentify individuals. The rules on data protection impact assessments are clarified, and the conditions for breach notification are streamlined. The text clarifies the use of legitimate interest as a basis for training AI models, provided GDPR safeguards are observed and individuals can object. Cookie rules are modernised. Users will be able to refuse non-essential cookies with one click and set preferences centrally at the browser level. Cookies used solely for low-risk analytics will no longer require banners. Enforcement of cookie obligations will fall under GDPR penalty levels.
Reforms to the Data Act
The Omnibus makes targeted but commercially significant adjustments to the Data Act. Exemptions are introduced for cloud-switching duties where services are provided by SMEs, small mid-caps or through custom-made data processing solutions. The mandatory registration and labelling regime for data intermediation services is abolished. The data altruism framework is simplified to lower barriers for voluntary data sharing. Business-to-government data access is limited to genuine emergencies such as natural disasters or pandemics, preventing routine requests for private-sector data. Rules governing the reuse of public-sector data are consolidated to create a more coherent access framework.
Cybersecurity Reporting Is Centralised
The package introduces a single entry point for cybersecurity incident reporting. Companies currently face overlapping reporting obligations under NIS2, GDPR, DORA, the Critical Entities Resilience Directive and the EU Digital Identity Regulation. The new system, operated by ENISA, will enable one submission to fulfil several obligations simultaneously. Reporting duties remain unchanged, but the administrative process is consolidated. The Commission expects this to cut reporting effort for many organisations by roughly half.
Governance and Oversight Under the AI Act
Beyond timelines, the Omnibus reshapes the governance architecture of the AI Act. Oversight of AI systems built on general-purpose models will be centralised in the AI Office. The same office will supervise AI systems embedded in very large online platforms and search engines. Simplified compliance measures previously reserved for SMEs will be extended to small mid-caps, including reduced technical documentation requirements. The requirement for a harmonised post-market monitoring plan is removed. Registration duties are reduced for AI systems performing non-high-risk tasks in high-risk sectors. Sandboxes and real-world testing programmes are being expanded, with an EU-level sandbox planned from 2028. Providers and deployers may process special-category data for bias detection and correction under strict safeguards.
A New Digital Identity for Business
The European Business Wallet is introduced as a cross-border digital identity system for companies. Businesses will be able to sign, seal, store and exchange official documents with full legal value across all Member States. Licences, certificates and regulatory filings can be transmitted digitally through a unified infrastructure. The Commission expects substantial reductions in administrative costs once the system is widely adopted.
The Data Union Strategy
Parallel to the Omnibus, the Commission has launched a Data Union Strategy aimed at enhancing access to high-quality data for AI. Data labs will provide companies, including SMEs, with controlled environments to access datasets and receive support on privacy-preserving techniques. Further guidance and a Data Act helpdesk will assist with compliance. The strategy also sets out a stronger position on international data flows to safeguard sensitive non-personal EU data.
A Simplification Exercise That Creates Strategic Uncertainty
The package is presented as an effort to simplify and save businesses billions. Many of the reforms achieve that goal. Yet the core uncertainty introduced by the floating start date for high-risk AI is significant. Businesses are uncertain whether their most stringent obligations will apply in 2026, 2027 or 2028. That uncertainty shapes investment decisions, product design, compliance planning and the strategic positioning of AI development across Europe. The EU has set out to refine its digital rulebook. It has also created a regulatory horizon that is more efficient on paper, but less predictable in practice.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.