On 19 November 2025, the European Commission published a legislative initiative with the aim of simplifying the EU’s digital regulations, known as the EU Digital Omnibus Package (the “Digital Omnibus Package” or the “Omnibus Package”). The Digital Omnibus Package aims to simplify rules, reduce bureaucracy and harmonise various legal acts, with a focus on AI, GDPR, data and cybersecurity incident reporting. According to the press release, Europe’s businesses, from factories to start-ups, will spend less time on administrative work and compliance and more time innovating and scaling-up, thanks to the European Commission's new digital package.
The Digital Omnibus Package includes proposed changes to different regulations e.g., on the development and operation of AI, including:
• Postponing the point in time in which the rules for AI systems classified as high risk under the EU AI Act shall start to apply. The Commission proposes that the timeline for applying the high-risk rules is adjusted for a maximum additional period of 16 months, and that the rules will start to apply once the Commission confirms that the required standards and support tools are available.
In practice, this means that the rules could at the latest start to apply in December 2027 but potentially before this date, depending on if the Commission before such date decides that the relevant standard and tools are in place.
• The article on AI literacy has been proposed to be changed from imposing an obligation on each individual provider and deployer of an AI system to instead imposing an obligation on the Commission and the Member States to encourage providers and deployers to provide a sufficient level of AI literacy of their staff and other individuals dealing with the operation and use of AI systems on their behalf.
• Simplifying certain rules which previously only applied to small and medium-sized enterprises (SME) to apply also to small mid-cap enterprises (so-called “SMCs”).
• Amending the GDPR and the AI Act to allow deployers and providers of all AI systems, not just high-risk ones, to process special categories of personal data under certain conditions and appropriate safeguards; and
• Clarifying how the legal basis for processing personal data under the GDPR can be applicable to AI systems.
The Omnibus Package also include proposals for regulations that do not focus on AI, such as the newly enacted EU Data Act (2023/2854) and other changes to the GDPR 2016/679. The proposal also aims to modernise cookie rules and implement a single point of entry for reporting cybersecurity incidents under several laws.
In addition to the Digital Omnibus Package, the Commission also published a Data Union Strategy, which sets forth additional measures for unlocking high quality data for AI, and European Business Wallets that will offer companies a single digital identity to simplify paperwork and make it much easier to do business across EU Member States.
The proposal for the Commission’s Digital Omnibus Package can be reviewed in full here
The Digital Omnibus Package is a proposal which now will be submitted to the EU Parliament and the EU Council for review, amendment and adoption.
Vinge will continue to monitor the development of the Digital Omnibus Package closely. Please feel free to get in touch with the Vinge team directly should you have any questions. Mathilda Persson, Therese Baltzarsson, Eva Fredrikson and Nicklas Thorgerzon
