ARTICLE
26 November 2025

The EU Digital Omnibus: Targeted Simplification Of AI, Cybersecurity, And Data Rules

LS
Lewis Silkin

Contributor

Lewis Silkin logo
We have two things at our core: people – both ours and yours - and a focus on creativity, technology and innovation. Whether you are a fast growth start up or a large multinational business, we help you realise the potential in your people and navigate your strategic HR and legal issues, both nationally and internationally. Our award-winning employment team is one of the largest in the UK, with dedicated specialists in all areas of employment law and a track record of leading precedent setting cases on issues of the day. The team’s breadth of expertise is unrivalled and includes HR consultants as well as experts across specialisms including employment, immigration, data, tax and reward, health and safety, reputation management, dispute resolution, corporate and workplace environment.
Explore Firm Details
The European Commission's Digital Omnibus, published on 19 November 2025, proposes a number of targeted legislative adjustments to the EU's digital rulebook...
European Union Technology
Roch Glowacki and Fiona Vickerstaff
Your Author LinkedIn Connections
Lewis Silkin are most popular:
  • within Cannabis & Hemp, Law Practice Management and Privacy topic(s)
  • with readers working within the Retail & Leisure industries

The European Commission's Digital Omnibus, published on 19 November 2025, proposes a number of targeted legislative adjustments to the EU's digital rulebook aimed at "simplifying rules, streamlining procedures, offering one-stop solutions, and removing overlaps and outdated provisions". The Omnibus focuses on three key areas: AI, cybersecurity, and data.

AI

The Omnibus on AI introduces narrowly scoped changes to the AI Act, focused on five areas:

  • Implementation timing Linking the application of the rules for high-risk AI to the availability of support tools like standards by adjusting the timeline for such application. The proposals mean that the rules for high-risk AI systems will apply a maximum of 16 months later than originally envisaged. This proposal acknowledges the "challenge that the delay of standards and other support tools cause for the implementation of the AI Act".
  • Simplification
    • Extending certain simplifications (such as simplified technical documentation) to small mid-cap companies (SMCs), as well as SMEs.
    • Requiring the Commission and Member States to promote AI literacy and ensure continuous support to companies.
    • Removing the prescription of a harmonised post-market monitoring plan, giving businesses more flexibility.
    • Reducing the registration burden for AI systems used in high-risk areas for tasks that are not considered high-risk.
  • Governance clarity
    • Giving the AI Office oversight of AI systems built on general-purpose AI models, as well as AI embedded in very large online platforms and search engines.
  • Support compliance
    • Allowing providers and deployers to process special categories of personal data for ensuring bias detection and correction, subject to appropriate safeguards.
    • Broadening the use of AI regulatory sandboxes and real-world testing so more innovators can benefit from these tools (including setting up an EU-level regulatory sandbox from 2028 to support real-world testing).
  • Procedural operability Clarifying the interplay between the AI Act and other EU laws.

But "why" you might ask? Well, the Commission believes that "the proposals presented today will help businesses meet their obligations. They also open up more opportunities to innovate in the EU, further facilitating the roll-out of the regulatory framework that is designed to create a single market for trustworthy AI".

Cybersecurity

On cybersecurity, the Omnibus addresses a well-documented pain point: overlapping incident reporting under NIS2, GDPR, DORA, CER, eIDAS, and sectoral instruments. It introduces a single-entry point for incident notifications (to be established and maintained by ENISA) which will allow organisations "to submit notifications via a single interface and ensure that a single piece of information can simultaneously contribute towards fulfilling an entity's reporting obligations under multiple Union legal acts, where these require the notification of comparable and often overlapping information".

Data, privacy, and platform adjustments with compliance effects

The changes to data rules introduced by the Omnibus affect two key pieces of legislation: the GDPR and the Data Act. For the purposes of this article, we'll focus on the latter.

The Omnibus proposes to merge the Data Governance Act, Free Flow of Non-Personal Data Regulation, and Open Data Directive into the Data Act to:

  • Target exemptions to cloud-switching rules for SMEs and SMCs and for providers of custom-made data processing services.
  • Remove mandatory registration and label for data intermediation service providers, thereby lowering entry barriers to the market of data intermediation services.
  • Reduce complexity of the data altruism framework to make sharing data for the public good easier.
  • Consolidate rules on data held by the public sector.
  • Limit and clarify the scope of the business to government sharing provisions.

Next steps

It's worth noting that, alongside the Digital Omnibus, the Commission has also made proposals to repeal the Platform-to-Business Regulation, and for a Data Union Strategy (which "proposes measures that unlock data for AI across Europe") and European business wallets (which "are digital tools that will make it easier for companies of all sizes to interact and communicate securely with public authorities and other businesses anywhere in the EU").

Together, all of these legislative proposals will now go to the European Parliament and Council for adoption. Meanwhile, the Commission will conduct a Digital Fitness Check to assess the "cumulative impact of the digital rules, test how they support the EU's competitiveness and where further adjustments will need to be proposed in the second half of the legislative mandate".

Our thoughts

The live question is whether this is evidence for the famed "Brussels effect" giving way to a "Washington effect", with the Omnibus proposals signalling a broader deregulatory turn. That framing overstates it. The package is narrower and more technical than some commentary suggests and, crucially, is still in proposal form (requiring approval from the European Parliament and the Council of the EU, hopefully in the coming months).

On AI, the more convincing reading is calibration, not capitulation. The changes look like procedural housekeeping and phased operability rather than a strategic retreat. In practice, heavy‑duty enforcement was never going to bite overnight: core standards, codes and guidance are still yet to be finalised, national authorities must hire and upskill case handlers while experience from GDPR shows that headline penalties arrive only after investigations mature. Against that backdrop, the changes, including in particular stretching the application dates for high‑risk AI obligations to align with the availability of standards and support tools reads as procedural slippage, and tinkering around the edges rather than substantive retreat or a rethink of the Act's core architecture.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Roch Glowacki
Roch Glowacki
Photo of Fiona Vickerstaff
Fiona Vickerstaff
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More