Digital Omnibus: How the EU finally wants to simplify the regulatory framework (Cyber, AI, Data)
Faced with the "regulatory jungle" often criticized by European companies, the European Commission reacted. In November 2025, Brussels unveiled its " Digital Omnibus", a series of measures aimed at reducing the administrative burden weighing on digital players.
After the Draghi report highlighting the urgent need for competitiveness, Europe is trying to reconcile security and agility. Here are them 5 big new features takeaways to understand how the EU plans to simplify compliance in Cybersecurity, Artificial Intelligence and Data.
1. Cybersecurity: towards a one-stop shop for reporting
This is undoubtedly the measure most awaited by CISOs and DPOs. Until now, a company victim of a cyberattack had to juggle between several notifications (CNIL for the GDPR, ANSSI for NIS 2, financial authorities for DORA, etc.).
The simplification project introduces a single reporting mechanism. The objective is clear: to allow companies to report an incident via a centralized interface, which will then be responsible for distributing the information to the competent authorities. No more administrative duplication in the midst of crisis management.
2. IA Act: a reprieve for "High Risk" systems
The entry into force of l’AI Act raised many concerns about compliance deadlines. Hearing the criticism, the Commission proposes to relax the timetable.
Concretely, companies developing AI systems classified as "high risk" could benefit from additional time (pushing the deadline to the end of 2027 instead of 2026). This "grace period" aims to give technological players time to adapt to harmonized technical standards, which are still being defined.
3. Data & GDPR: clarifying the boundary of anonymization
The connection between the new data laws (Data Act) and the historical regulations (GDPR) remains a source of legal friction. One of the key new features concerns the clarification of data status.
The EU wants to define more precisely when data is truly considered anonymized (and therefore outside the scope of the GDPR). This technical legal measure is crucial: it must free up industrial data sharing without companies constantly fearing violating privacy rules.
4. Cookies: the end of consent fatigue?
The "Digital Omnibus" also tackles a daily irritant for users and publishers: cookie banners. The Commission wishes to simplify the management of consent, by encouraging technical solutions which avoid requiring the user's consent again on each visit, while respecting their privacy. A rationalization that could finally reconcile user experience and ePrivacy compliance.
5. Legislative harmony: cleaning up text conflicts (DSA, DMA, AI)
Finally, the last measure concerns the "cleaning" of inconsistencies between the different texts (DSA, AI Act, Cyber Resilience Act). The legislative package plans to remove unnecessary overlaps and harmonize definitions. The idea is to prevent the same obligation (such as transparency of algorithms) from being requested twice in different formats by two separate regulations.
Conclusion
With these 5 measures, the European Union is sending a strong signal: regulation must not stifle innovation. Although these texts still need to be validated by the Parliament and the Council, they mark a turning point towards a more pragmatic, or "Business Friendly", approach to digital compliance.
To go further:
Is your business ready for these changes? Do not hesitate to consult our experts to audit your Cyber and Data compliance.
Download our ebook "Digital Omnibus : Understand everything about simplifying the digital regulatory framework
