European Commission opts for simple with new set of digital rules

A new digital package launched Wednesday by the European Commission (the Commission), the executive branch of the European Union, includes what it terms a digital omnibus, which EU officials said is designed to streamline rules on artificial intelligence, cybersecurity, and data. It will, the Commission said, consolidate EU data rules by merging four pieces of legislation into one.

The legislative offering, which still must be submitted to the European Parliament and the Council of the European Union for approval, also contains a new Data Union Strategy, which, a release stated, is designed to “unlock high-quality data for AI,” as well as an initiative called the European Business Wallet.

The latter, the release said, “will provide European companies and public sector bodies with a unified digital tool, enabling them to digitalize operations and interactions that in many cases still need to be done in person.”

Europe’s businesses, it stated, “will spend less time on administrative work and compliance and more time innovating and scaling up.”

Henna Vikkunen, Commission executive vice president for tech sovereignty, security, and democracy, said, “[the Commission] today is putting forward a package of measures with a clear and determined goal: to give a boost to EU competitiveness. From factories to startups, the digital package is the EU’s answer to calls to reduce burdens on our businesses.”

The EU, she said, must move from “rulemaking to innovation-building. Our rules should not be a burden, but an added value. For this, we need immediate steps to get rid of regulatory ‘clutter’ where there is any, and focus instead on clear and predictable rules, and solid enforcement.”

The first step, Vikkunen said is “cutting all unnecessary administrative costs for compliance by at least €5 billion [about $5.8 billion] by 2029 through the digital omnibus, and saving companies at least €150 billion [about $173 billion] per year with our European Business Wallets.”

Commissioner Valdis Dombrovskis added, “we estimate that the digital omnibus could result in at least €1 billion [about $1.15 billion] in annual savings for our businesses, public administrations and citizens from the moment of their entry into force. That brings the total annual administrative savings stemming from the omnibus proposals and other simplification initiatives already presented to €9.6 billion [about $11 billion].”

The release added that the omnibus “also introduces a single entry point where companies can meet all incident reporting obligations.”

Currently, it said, “[organizations] must report cybersecurity incidents under several laws, including among others the NIS2 Directive, the General Data Protection Regulation (GDPR), and the Digital Operational Resilience Act (DORA). The interface will be developed with robust security safeguards and will undergo comprehensive testing to ensure its reliability and effectiveness.”

New laws could ‘free up budgets for innovation’

Phil Brunkard, an executive counselor at Info-Tech Research Group Europe, described the digital omnibus and the Data Union Strategy as being “among the most significant simplifications of EU tech regulation in years.”

For enterprise IT, he said, “this is mostly positive news, as simplified GDPR rules, a unified cybersecurity reporting portal, and the European Business Wallet all point to less administrative friction and faster compliance cycles. Even if just part of the projected €5 billion (about $5.8 billion) in savings by 2029 materializes, it will free up budgets for innovation instead of paperwork.”

According to Brunkard, “the single entry point for incident reporting across GDPR, NIS2, and DORA could be a game changer for CIOs and CISOs. Right now, reporting is fragmented, so this would streamline that process considerably. Similarly, linking high risk AI compliance timelines to the actual readiness of support tools should make the AI Act more workable in practice, especially for small and mid-sized orgs.”

However, the real challenge here, he said, will be in maintaining consistency. “Simplification doesn’t mean relaxation, and enterprises will still need to demonstrate that privacy, AI safety, and cybersecurity are embedded by design.”

The European Business Wallet and the broader Data Union Strategy, he added, “will also expand the amount of sensitive data flowing between borders, which means IT departments will need to strengthen their identity, encryption, and access-control frameworks before these tools go live.”

Sanchit Vir Gogia, the chief analyst, founder and CEO of Greyhound Research, had a different view, stating that the EC’s digital omnibus reform “may appear to reduce complexity for enterprise IT, but in truth, it simply reassigns that complexity inward.” He noted that Greyhound’s CIO Pulse 2025 revealed that 74% of European CIOs report regulatory ambiguity as the primary barrier to AI deployment, “far above concerns about budget or talent.”

‘A redistribution of regulatory risk’

This reform “shifts the source of that ambiguity,” he said. “It offers what looks like breathing space — fewer cookie banners, broader permissions for AI model training, a promise to harmonize compliance — but leaves the door wide open to interpretive chaos within the enterprise.”

This, Gogia pointed out, is not deregulation, but instead a “redistribution of regulatory risk. Enterprises will find themselves building thicker internal scaffolding to prop up the façade of simplicity. If the Commission is outsourcing trust, CIOs must insource governance. There is no free pass, just a new venue for accountability.”

Describing the legislation as a “tectonic shift in the EU’s regulatory philosophy,” he said, “it trades regulatory scaffolding for self-certification and assumes that enterprises will not only police themselves, but also act in the interest of the individual. The problem is not intent. It is enforceability.”

By shifting cookie compliance from consent to legitimate interest, narrowing what counts as sensitive data, and allowing personal data to be swept into AI training pipelines with broad justifications, Gogia said, “[the Commission] has placed an extraordinary burden on enterprise integrity. Technology leaders must now build new internal architecture (policies, protocols, and review mechanisms) that were previously anchored by law.”

This shift “demands that CIOs act as both executional technologists and ethical sentinels. It turns privacy and data use from a compliance question into a brand question. Enterprises must ask not just what is allowed, but what is defensible in public. The legislation empowers, but it also exposes,” he said.

Brunkard, on the other hand, described the legislation as “EU’s attempt to balance innovation with governance. It gives enterprise IT leaders more room to move, but also makes accountability more visible. The winners will be those who treat this regulatory reset as an opportunity to modernize compliance and data management.”