In November 2025, the European Commission introduced a digital omnibus package with the aim of simplifying cybersecurity compliance processes for European companies.
In a series of Frequently Asked Questions (FAQs), the Commission stated that the overall intent of the digital package is “to boost tech competitiveness and save money for EU businesses by simplifying rules, streamlining procedures, offering one-stop solutions, and removing overlaps and outdated provisions.”
The core elements of the European Commission’s digital package include:
- A proposal to consolidate all data rules into two laws: the Data Act and the General Data Protection Regulation (GDPR)
- A plan to simplify cybersecurity incident reporting
- A proposal to amend the AI Act
The digital package also encompasses a Data Union Strategy and European Business Wallets. According to the Commission, the Data Union Strategy will “unlock high-quality data for AI,” while European Business Wallets “will offer companies a single digital identity to simplify paperwork and make it easier to do business across EU member states.” Additionally, the package features a public consultation on the “Digital Fitness Check.”
Below is a summary description of each of the core elements, exploring how the digital package proposes to address data, cybersecurity, and amendments to the AI Act.
The Commission has stated that the digital package aims to improve data access by simplifying data rules for European companies by:
- Introducing targeted exemptions to certain of the Data Act’s cloud-switching rules for small- and medium-sized enterprises (SMEs) and small mid-cap companies (SMCs)
- Removing mandatory registration and label for data intermediation service providers
- Making the sharing of data easier
- Consolidating rules on data held by the public sector
- Limiting and clarifying the scope of the business to government-sharing provisions to ensure that governments can have sufficient data in emergency situations (e.g., during a natural disaster or a pandemic)
How the European Commission’s digital package affects impacts GDPR and cookie rules
The new digital package would amend the GDPR “to provide legal clarity and reduce the compliance burden for businesses,” according to the Commission.
For example, the Commission proposes to:
- Clarify the definition of personal data, while keeping the highest level of protection of personal data;
- Encourage the development and use of responsible AI solutions by giving legal clarity on the use of personal data for AI;
- Simplify certain obligations for businesses and organizations – for instance, by clarifying when they must conduct a data protection impact assessment (DPIA) and when and how to notify supervisory authorities of data breaches.
Additionally, cookie rules would be modernized. The amendments would reduce the number of times that cookie banners pop up, alleviating cookie banner fatigue.
“Users would remain in control of who can access their devices, with a one-click consent and central settings of preferences for how they want their data to be shared and processed,” the Commission explained in the FAQs. The Commission estimated that this change will help businesses realize more than €800 million in savings annually.
Aligned with GDPR protections, any infringement to users’ rights could lead to a fine of up to 4% of the global turnover of the company.
How the European Commission’s digital package impacts the AI Act
The Commission highlighted that guidance and support are essential for the proper roll out of the AI Act. As part of this initiative, the timeline for applying the rules governing high-risk AI systems is adjusted to a maximum of 16 months, so the rules would start to apply once the Commission confirms the necessary standards and support tools are available.
The Commission is also proposing amendments to the AI Act that would:
- Simplify technical documentation requirements
- Reinforce the AI Office’s powers and centralize oversight of AI systems built on general-purpose AI models, reducing governance fragmentation
- Concentrate oversight of AI embedded in large online platforms and search engines at Commission level by assigning this oversight to the AI Office
The Commission also proposes to allow providers and deployers to process special categories of personal data for ensuring bias detection and correction, subject to appropriate safeguards. Additionally, it would broaden compliance measures to enable more innovators to use regulatory sandboxes, including an EU-level sandbox and more real-world testing.
How does the EU Commission’s digital package simplify cybersecurity incident reporting?
Currently, numerous laws require companies to report cybersecurity incidents. Such laws including GDPR, the NIS2 Directive, and the Digital Operational Resilience Act (DORA), among others.
Moving forward, the Commission’s digital package would simplify cybersecurity incident reporting into a single-entry point interface, where companies can meet all their incident-reporting obligations. “The interface will be developed with robust security safeguards and will undergo comprehensive testing to ensure its reliability and effectiveness,” the Commission stated.
What is the Data Union Strategy?
A newly established Data Union Strategy would help to unlock more high-quality data for AI. One example would be the formation of data labs. The Commission described data labs as specialized facilities designed to give companies, including SMEs and researchers, access to diverse datasets for AI.
This strategy also would introduce a Data Act legal helpdesk, as well as guidance and templates to help companies comply with data rules.
Another part of the Data Union Strategy is to strengthen Europe’s data sovereignty through a strategic approach to international data policy. This includes an anti-leakage toolbox, measures to protect sensitive non-personal data, and guidelines to assess fair treatment of EU data abroad.
What are European Business Wallets?
European Business Wallets aim to make it easier for European companies of all sizes to interact and communicate securely with other businesses or public administrations anywhere in the EU with a unified digital tool.
To reduce administrative burden, European Business Wallets will enable companies to digitalize operations and interactions that, in many cases, are still being done in person. For example, businesses will be able to digitally sign, timestamp and seal documents; and securely create, store and exchange verified documents.
What happens next?
The digital omnibus legislative proposals now head to the European Parliament and the Council for adoption.
As a follow-up step, the Commission also has launched a consultation on the Digital Fitness Check, which is open until March 11, 2026. “The Fitness Check will stress test how the rulebook delivers on its competitiveness objective, and examine the coherence and cumulative impact of the EU’s digital rules,” the Commission stated.
Find out more about how NAVEX One solutions can help your company with the new and amended requirements of Europe’s digital package now.
GDPR Compliance Requirements | NAVEX
