The EU has long been regarded as the benchmark for digital regulations, be it the GDPR or the AI Act. However, there have been criticisms on how the excessive regulations have hampered the EU’s innovation ecosystem and increased the difficulty of doing business. Today, the European Commission has proposed a digital package that includes a digital omnibus aimed at streamlining rules on AI, cybersecurity, and data, a Data Union Strategy, and European Business Wallets. This package aims to simplify regulatory compliance for businesses, promote innovation, and reduce compliance costs.
The digital omnibus consists of 3 sections - AI, cybersecurity, and data. On AI, the Commission plans to link the application of high-risk AI system rules to the availability of support tools and standards, allowing companies to have necessary resources before compliance begins. The timeline for applying these high-risk rules may be extended by up to 16 months.
The EU AI Act defines high-risk AI systems as those used as safety components of products covered by EU rules or listed in specific high-risk categories like biometric identification, critical infrastructure, employment, law enforcement, and access to essential services.
Furthermore, targeted amendments aim to ease burdens on small and mid-sized enterprises by simplifying technical documentation. Compliance frameworks will expand to let more innovators use regulatory sandboxes, including an EU-level sandbox from 2028 for real-world testing. Powers of the AI Office will also be strengthened with centralised oversight of general-purpose AI models.
Given the current fragmentation of cybersecurity laws in the EU (including but not limited to the NIS2 Directive, the GDPR, and the Digital Operational Resilience Act (DORA)), the omnibus streamlines incident-reporting obligations by proposing a single-entry point.
The data-related amendments aim to reduce repeated consent and cookie banners and make it easier for users to manage preferences with one-click options and centralised settings. Improved data access for innovation is another goal of the omnibus and through the Data Act, aims to consolidate multiple laws for greater legal clarity and offer targeted exemptions for small and medium-sized enterprises (SMEs). Additionally, having standard contract templates for businesses on how to share and use data fairly and clearly, making sure all parties know their rights and duties, is proposed.
The digital omnibus is complemented by the Data Union Strategy, which focuses on expanding access to high-quality datasets for AI innovation as well as strengthening Europe’s data sovereignty. On the latter, it proposes an anti-leakage toolbox, measures to protect sensitive non-personal data, and guidelines to assess fair treatment of EU data abroad.
Of these proposed changes, what is likely to be most harmful are the recommendations pertaining to high-risk AI systems in the AI Act. Civil society organisations such as Access Now have highlighted significant concerns with the proposed amendments, particularly one that removes the registration requirement from providers that exempt themselves from high-risk AI system regulations under Article 6(3) of the AI Act.
Article 6(3) of the AI Act allows the provider of a high-risk AI system to exempt themselves from all obligations if they meet four broad criteria, such as the system only being used for narrow or procedural tasks.
Moreover, as part of their proposed changes for access to EU data outside the EU, it has been made easier for companies to legally share anonymised and pseudonymised personal datasets, and use the same to train AI models, as long as that training complies with other GDPR requirements. It is well known that anonymisation and pseudonymisation are not foolproof methods to protect data from being traced back to the individual that it pertains to.
The key question that remains is whether the European Commission has been able to balance privacy with innovation or risked opening a can of worms (read: loopholes).