- within Technology topic(s)
- with readers working within the Utilities industries
- within Technology, Transport and Environment topic(s)
- in United States
On 19 November, the European Commission (the Commission) unveiled its proposed Digital Package (the Package), an initiative aimed at boosting technological competitiveness and digital innovation in the European Union's (EU) business sector while significantly reducing regulatory compliance costs. This proposal follows recommendations from the Letta and, in particular, Draghi reports published in 2024, which stressed the urgent need for the EU to close the gap on global leaders in digital technology and artificial intelligence (AI).
The Package rests on three core pillars:
- a "digital omnibus" designed to streamline and simplify rules on data, cybersecurity and artificial intelligence;
- unlocking high-quality data for AI training through the creation of data labs and the development of common European data spaces, clearer and more efficient data rules, and measures to bolster the EU's position in international data flows; and
- the introduction of a business wallet, a unique digital tool - similar to the citizen digital identity wallet - that will allow companies to interact seamlessly and securely with public administrations and other businesses across Member States, using a legally recognised digital identification tool to process documents.
In essence, this initiative reflects efforts, particularly in light of the Draghi report, to drive innovation and, above all and particularly with the Omnibus, to simplify the EU's extensive digital regulatory framework - according to this same report, comprising approximately 100 separate regulations.
We now describe the specific measures contained in the Digital Omnibus:
Simplification of data protection rules
The Package proposes consolidating the provisions currently spread across five regulations into two main instruments: the Data Act and the General Data Protection Regulation (GDPR). The goal is to draw a clear distinction between rules that promote the free circulation and use of data vis-à-vis those that safeguard privacy, ie, personal data protection. Therefore, provisions on the free flow of non-personal data and on the use of public-sector information would be grouped under the Data Act, set to apply from September 2025. Meanwhile, the latter aims to consolidate the highly dysfunctional disparity in the regulation of cookies –currently regulated by the ePrivacy directive, within the GDPR.
The revised Data Act, resulting from the Package, introduces significant changes for EU businesses. Firstly, it includes an exemption for SMEs and medium-sized companies (with less than 749 employees) from certain obligations related to switching cloud service provider, reducing the burden of contract renegotiation. In addition, it also enhances protections for trade secrets and clarifies obligations on the sharing of data with authorities in emergency scenarios – a critical issue for industries generating data that must be shared under the Regulation, particularly in software and AI sectors traditionally advocating for digital openness.
Three fundamental amendments to the GDPR have been envisaged. Firstly, the definition of personal data would be clarified, excluding pseudonymised datasets when the controller or processor does not have the capacity to re-identify individuals, thereby codifying the recent case law of the Court of Justice (Case C-413/23), examined in our September Digital Update. This amendment is of particular interest in that the judgment equates pseudonymisation with anonymisation of personal data under these conditions, therefore directly removing such data from the scope of the GDPR. Secondly, as mentioned, cookie regulation is integrated in the GDPR, simplifying the mechanisms for providing consent and establishing a whitelist of potentially less intrusive purposes, such as statistics. The clear goal is to reduce what is known as "consent fatigue", which has hampered the functionality of websites subject to European regulation. Third, it would clarify lawful bases for processing personal data by AI system developers or operators, allowing processing under legitimate interest, except where European or national law is violated, or where such laws expressly require the data subject's consent. It is important to highlight the importance of this amendment for algorithm training. Equally as important is the possibility given to controllers to process sensitive personal data in the training and output of AI models, provided that they have done their best to avoid this initially or where deleting that data to ensure that they cannot be used to infer results or be disclosed would be disproportionate.
Simplification of cybersecurity incident reporting
The Package also proposes the establishment and maintenance of a centralised platform for incident or breach reporting required by the various different regulations, ranging from data legislation to provisions on system and network security, to regulations specifically applicable to financial institutions (DORA). This would allow one report to satisfy multiple obligations, thus avoiding duplication and the risk of significant administrative sanctions. Although the Commission initially considered standardising the content of reports, it seems that simplification will for now be limited to having a reporting single-entry point – the European Network and Information Systems Security Agency (ENISA) will work on this aspect.
Proposed amendments to the AI Act
The Commission is proposing targeted adjustments to Regulation (EU) 2024/1689 (AI Act) to ensure that its implementation is "clear, simple and innovation-friendly". The AI Act entered into force on 1 August 2024, with staggered application of obligations: AI literacy prohibitions and obligations from 2 February 2025; governance rules and obligations for general-purpose AI models from 2 August 2025 and – according to the original timetable – obligations for high-risk AI systems in Annex III (eg, employment or law enforcement) from 2 August 2026, and in the case of Annex I high-risk systems embedded in regulated products (such as medical devices) from 2 August 2027.
The Package now links the applicability of these high-risk obligations to the effective availability of technical standards and other supporting tools: the obligations will only become enforceable once the Commission adopts a decision confirming their availability. A transitional period of six or 12 months will follow, depending on the system type. However, cut-off dates have been set: if a decision has not been made in time, obligations for high-risk systems under Annex III will fall due by 2 December 2027 at the latest, and those under Annex I by 2 August 2028 at the latest as well.
In effect the clock has been paused for the core elements of the AI Act, ie, the regulation of high-risk systems. As there has been widespread concern among companies, both developers and deployers of this type of systems, the Commission's realistic approach in proposing the suspension is to be welcomed.
The proposal also extends simplified compliance options, which were originally designed for SMEs, to small mid-caps, including streamlined technical documentation. The role of the AI Office has also been bolstered by centralising the supervision of general-purpose model-based systems and AI embedded in very large online platforms and search engines (for the purposes of the Digital Services Regulation). A specific transitional period of six months has also been established for providers to retroactively implement technical solutions for detecting synthetic content generated by generative AI systems – systems launched on the market before 2 August 2026 will have to comply with this obligation by 2 February 2027 at the latest. Many will welcome this latest deadline extension given the difficulty in implementing detectability mechanisms, especially as tools to bypass them have become easily accessible on the market.
The next steps
The Package's various legislative proposals are now being sent to the European Parliament and the Council for consideration and possible adoption under the ordinary legislative procedure.
At the same time, the Commission has launched a "Digital Fitness" check – in the form of a public consultation process open until 11 March 2026 – to evaluate the current EU digital acquis, with a view to identifying and implementing further opportunities for simplification and streamlining.
Given the urgency surrounding implementation of the AI Act, it is to be expected that the AI-related components of the Omnibus will be among the first to be negotiated and ultimately adopted.
Final assessment
It has been pointed out since the publication of the Digital Package that it is the result of pressure from the current US government and large technology companies seeking a more flexible application of the European digital acquis.
It is no secret that the US government has been exerting clear pressure on the European authorities with that goal, including the full repeal of some of the key provisions of this acquis, such as the Digital Services Regulation, the Digital Markets Regulation, or the AI Act itself. It is also clear that the large technology companies would operate more comfortably under provisions that are less stringent than the EU's.
However, it is equally clear that the Digital Package embraces simplification for the sake of boosting European digital competitiveness as fundamentally proposed by the Draghi report. This report also underscored the digital divide is the primary reason why disposable income per capita in the US has increased twice as much as in the EU over the past 25 years.
Importantly, the measures will not only benefit large technology companies, especially those from the United States or China, but also European companies – some of which are highly competitive. For example, France's Mistral has emerged as a leading AI player, while Spain's Multiverse Computing has recently improved the efficiency of the Chinese DeepSeek model via interesting algorithmic rationalisation techniques. Ultimately, it is Europe's digital ecosystem – comprising both global hyperscalers and through homegrown companies – that will ultimately gain from these reforms. Economic studies show that, although the technology to be deployed should ideally be developed domestically, the real priority is ensuring its widespread and intensive use.
The Commission clearly recognises this, which is why further reforms aimed at simplification and increased EU competitiveness can be expected in the coming months, and even years.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
