The Commission releases the Digital Omnibus, Data Union Strategy, and Digital Fitness Check

On November 19, the Commission unveiled the Digital Omnibus package, which has taken shape in two proposed Regulations: the Digital Omnibus and the Digital Omnibus on Artificial Intelligence. Along with it came the European Data Union Strategy through which the Commission aims to provide high-quality data for AI development and be more competitive in global markets, helping in the completion of the Single Market for data. Finally, the Digital Fitness Check presents an opportunity for the Commission to evaluate the digital legislative framework for further future simplifications.

European Data Union Strategy

The European Data Union Strategy is composed of three pillars. The first is increasing data availability for AI development, through the launch of data labs that will link data spaces and AI ecosystems or the investment of €100 million in common European data spaces. The second pillar consists of streamlining data rules, as proposed in the Omnibus regulation, as well as investing in one-click compliance. Finally, the third pillar of the plan consists of strengthening the EU’s global position on international data flows. For this, the Commission will issue guidelines on the fair treatment of EU data abroad (Q2 2026), create a toolbox to counter unjustified localisation, exclusion, weak safeguards, and data leakage (Q2 2026) and adopt measures to protect sensitive non-personal data (Q3 2026).

Digital Omnibus

The Digital Omnibus was first announced by the European Commission on 11 February 2025 with its 2025 Commission Work Programme and its “A simpler and faster Europe” communication. After that commitment to simplification, the Commission presented several Omnibus packages to carry it out in many fields, with the latest being this Digital Omnibus. Additionally, to draft its proposal for the package, the Commission consulted stakeholders through a Call for Evidence that closed on 14 October 2025. The package was then released a little over a month later by Executive Vice-President Virkkunen, on 19 November. Soon after the adoption of the Package, on 21 November, the Commission launched a public consultation on it to gather feedback on the proposal.

On the one hand, the Omnibus Package on AI proposes delaying the entry into force of the rules for high-risk AI systems, amends the AI Act, broadens compliance measures to make regulatory sandboxes more accessible, and reinforces the AI Office to avoid governance fragmentation. On the other, the Digital Omnibus on the digital acquis includes amendments to the General Data Protection Regulation (GDPR), the ePrivacy Directive, and several data laws, on top of repealing the Platform to Business (P2B) regulation.

The Digital Omnibus on the digital acquis presents some targeted amendments to the GDPR, including the alignment of the definition of personal data to a recent Court of Justice of the EU judgement (EDPB v. SRB). The processing of special categories of data remains prohibited, but there are two new exemptions: for sensitive data to develop and run AI systems under certain safeguards, and for biometric data necessary to confirm someone’s identity if the person fully controls their data. Additionally, the proposal will provide a single EU-level list of processing operations that require, or not, a Data Protection Impact Assessment (DPIA). The Digital Omnibus also clarifies that the notification of data breaches will be required only in case of possible high risks to the subject’s rights.

The ePrivacy Directive will be tweaked too, with some of its aspects being transferred into the GDPR. The cookie rule is added to the GDPR, but user consent will remain as the sole basis, contrary to what is mentioned in the Data Union Strategy stating that the 6 GDPR legal bases should be extended to cookies and similar tracking technologies. Users will be allowed to refuse through a single-click button, and controllers will not be able to ask for consent again for 6 months. Large web-browser providers will have to buy tools to allow users to easily refuse to consent and object.

Furthermore, the Digital Omnibus will establish a new Single-Entry Point for incident reporting, which will be used under the Network and Information Systems Directive (NIS2 Directive), the eIDAS Regulation, the Digital Operational Resilience Act (DORA), the Critical Entities Resilience (CER) Directive, and data breach reporting under the GDPR. Finally, the Digital Omnibus streamlines and repeals several files. The Data Governance Act, the Open Data Directive, and the Free Flow of Non-Personal Data Regulation are repealed, with some of their provisions streamlined into a restructured Data Act. The Platform to Business (P2B) Regulation, which regulated transparent and predictable business environments for small companies and traders in online platforms, is repealed, being considered irrelevant with the Digital Markets Act (DMA) and Digital Fairness Act (DSA) in place.

Digital Fitness Check

As a second step in the simplification process started by the Omnibus, the first step to prepare the Digital Fitness Check also came on 19 November. The Commission opened a Call for Evidence and a Public Consultation that seek to assess the coherence and overlaps of all EU digital regulations, and their day-to-day effects on businesses. The executive seeks to analyse the consistency of legal definitions and obligations, the alignment of scopes and regulatory logic, on top of evaluating cooperation between EU-level bodies and practices for more legal clarity. The Call for Evidence and Public Consultation will be open until 11 March, but the Commission will likely organise other consultation activities, such as implementation dialogues and reality check sessions. The Digital Fitness Check is expected for the first quarter of 2027.