Digital Omnibus: Europe’s big regulatory clean-up, or a quiet rollback?
12 January 2026
Pedro Pardo Amaral Gomes
In Brussels, on 19 November 2025, the European Commission unveiled the so-called “Digital Omnibus”, a package intended to simplify the EU’s digital regulatory framework by reducing compliance burdens, harmonising rules across Member States and strengthening Europe’s competitiveness in the digital economy. The initiative, which involves EU institutions, industry and academia, has sparked significant controversy: critics warn that regulatory streamlining may dilute data-protection safeguards and weaken oversight of artificial intelligence, potentially favouring large technology firms. The ultimate impact will depend on how the rules are negotiated and implemented.
Why the Commission says simplification is necessary
Over the past years, the EU has built one of the most comprehensive digital regulatory frameworks in the world. Laws like the General Data Protection Regulation (GDPR), the Data Act, the ePrivacy Directive, cybersecurity rules and the EU AI Act were meant to guarantee data protection, foster innovation under clear constraints, and protect consumers’ rights.
Yet the complexity soon turned into a burden. Different laws overlapped, definitions clashed, compliance procedures multiplied, and companies, especially small and medium-sized ones, found themselves under heavy administrative strain.
The Digital Omnibus aims to relieve that burden. The idea is to harmonise laws, consolidate overlapping regulations and streamline procedures. According to the Commission, the result should be fewer hours spent on paperwork and more effort available for actual digital innovation.
Concretely, the proposal would merge some aspects of the ePrivacy rules into the GDPR, clarify when data counts as “personal”, and integrate several more sector-specific regulations under the broader umbrella of the Data Act. For cybersecurity and compliance, it would create a single entry point for incident reporting instead of different reporting channels under multiple laws, making the system more coherent for businesses operating across Europe.
Start-ups and mid-sized firms, they argue, struggle to scale or even survive in a regulatory environment fragmented across Member States, where differing national rules increase costs and disproportionately burden smaller players. By easing red tape, the Omnibus could give them a better chance to scale and innovate.
What critics warn
But the simplification pitch has drawn fierce opposition from privacy activists, civil rights organisations and parts of the political spectrum.
One of the most controversial points concerns the proposed revisions to the GDPR. The Omnibus suggests redefining “personal data” in a way that could allow companies to use more data for AI training, even sensitive data, based on a more flexible interpretation of “identifiability”.
Combined with changes to cookie rules and consent regimes, critics fear a drift towards greater corporate access to user data, potentially undermining two decades of data-protection advances under GDPR.
Another flashpoint is the proposed delay for the “high-risk AI” provisions under the AI Act. Systems that rely on sensitive data, such as biometric identification, credit scoring or AI for law enforcement or healthcare, would see their compliance obligations postponed from August 2026 to at least December 2027. This has triggered concern that vulnerable users may be exposed to under-regulated or poorly audited AI systems for longer.
Moreover, some digital rights organisations and privacy advocacy groups argue that these changes amount to a “massive rollback of digital protections.” Notably, an open letter by dozens of civil-society organisations described the Omnibus as the largest retreat on digital rights in EU history, especially if adopted with minimal amendments.
The competitiveness question
Behind the technical language of the Digital Omnibus lies a far more political concern: Europe’s struggle to remain competitive in the global tech race. For years, EU policymakers have warned that European companies are falling behind their American and Chinese counterparts, not only in artificial intelligence but also in cloud services, data infrastructure and platform-based innovation.
A two-year delay in high-risk AI compliance, for example, allows global giants to consolidate their market position and expand their datasets before stricter rules kick in, while smaller European firms, which depend on strong regulation to level the playing field, lose the advantage of early enforcement.
Similarly, simplifying consent rules by narrowing what counts as “personal data” might reduce compliance costs for cloud providers and data-intensive platforms. But it also expands the reservoir of data available to the biggest firms, which already dominate data-driven markets. For European start-ups attempting to enter sectors like language models or predictive analytics, this asymmetry does not enhance competitiveness, as it crystallises the existing imbalance.
The core question, then, is not whether simplification helps businesses. It unquestionably does in a procedural sense. The deeper issue is who benefits structurally. If the Omnibus makes compliance cheaper but simultaneously broadens data access and delays AI oversight, the gains flow mainly to firms with the largest infrastructures, many of which are not European. That tension sits at the heart of the competitiveness debate: whether the Omnibus strengthens Europe’s digital ecosystem or simply lowers guardrails in ways that reinforce the dominance of global incumbents.
What’s next
At present, the Omnibus remains a proposal. Before it becomes law, it must be debated and approved by the European Parliament and the national governments of the 27 EU member states. Given the volume and sensitivity of the changes, the negotiations promise to be complicated and potentially lengthy.
Civil-society groups have already mounted pressure campaigns; lawmakers in some countries have voiced concern that privacy and consumer protections should not be sacrificed for competitiveness. In parallel, business associations and tech-industry players argue for the urgency of change.
In this tug-of-war, the final shape of the Omnibus will matter. If the core simplification efforts stick, without diluting protection standards, the result could be a cleaner, more usable digital rulebook. If not, Europe risks swapping clarity for laxity.
Clarity is not enough, substance matters
In the end, the Digital Omnibus is more than a bureaucratic clean-up. It may decide the direction of Europe’s digital future. The proposal, as it stands, tries to strike a balance: ease compliance burdens for businesses while keeping fundamental rights and protections intact.
But its success depends on the diligence of lawmakers, the engagement of civil society, and the resolve to defend core values. In digital regulation, clarity and simplicity are desirable, but not at the cost of privacy, fairness or accountability.
Only time will tell if the Omnibus will be a new dawn for European tech or a quiet retreat from two decades of digital protections.