The European Commission has unveiled its Digital Omnibus on November 19, 2025, aiming to refine the EU’s digital regulatory framework. This initiative seeks to “simplify rules, streamline procedures, offer one-stop solutions, and remove overlaps and outdated provisions,” with a concentrated focus on three pivotal areas: AI, cybersecurity, and data.
Key Changes to the AI Framework
The proposed adjustments to the AI Act are particularly noteworthy. The Omnibus outlines changes across five primary areas:
- Implementation Timing: The application of regulations for high-risk AI systems will be delayed by a maximum of 16 months. This adjustment recognizes the “challenge that the delay of standards and other support tools cause for the implementation of the AI Act.”
- Simplification:
- Extending certain simplifications, such as streamlined technical documentation, to small and mid-cap companies (SMCs) alongside SMEs.
- Mandating the Commission and Member States to promote AI literacy and ensure ongoing support for businesses.
- Removing the requirement for a harmonized post-market monitoring plan, thereby granting businesses greater flexibility.
- Reducing the registration burden for AI systems deployed in high-risk sectors for functions deemed non-high-risk.
- Governance Clarity: The AI Office will gain oversight of AI systems developed using general-purpose models, as well as those integrated into very large online platforms and search engines.
- Support Compliance:
- Allowing providers to process special categories of personal data for bias detection and correction, with appropriate safeguards.
- Expanding the use of AI regulatory sandboxes and real-world testing, including the establishment of an EU-level regulatory sandbox by 2028 to aid in practical testing.
- Procedural Operability: Clarifying how the AI Act interacts with other EU legislation.
The Commission asserts that these proposals will assist businesses in fulfilling their obligations while fostering innovation within the EU, thus facilitating the creation of a single market for trustworthy AI.
Cybersecurity Developments
On the cybersecurity front, the Omnibus tackles a prominent issue: the overlapping incident reporting requirements under laws such as NIS2, GDPR, and DORA. The introduction of a single-entry point for incident notifications—managed by ENISA—will enable organizations to submit notifications through one interface, ensuring that one set of information meets multiple reporting obligations.
Data Regulation Adjustments
In terms of data regulations, the Omnibus proposes significant modifications to the GDPR and the Data Act. Notably, it consolidates the Data Governance Act, the Free Flow of Non-Personal Data Regulation, and the Open Data Directive into a single Data Act. This consolidation aims to:
- Target exemptions from cloud-switching rules specifically for SMEs and SMCs, as well as custom data processing service providers.
- Eliminate mandatory registration and labeling for data intermediation service providers, thereby lowering market entry barriers.
- Simplify the data altruism framework to facilitate easier sharing of data for the public good.
- Streamline rules governing public sector data.
- Clarify and limit the scope of business-to-government data sharing provisions.
Additionally, alongside the Digital Omnibus, the European Commission proposed to repeal the Platform-to-Business Regulation and introduce a Data Union Strategy designed to enhance data accessibility for AI across Europe. The establishment of European business wallets is also part of this initiative, aiming to simplify secure interactions between companies and public authorities across the EU.
Looking Ahead
These legislative proposals will now advance to the European Parliament and Council for approval. Concurrently, the Commission will conduct a Digital Fitness Check to evaluate the cumulative impact of these digital regulations and how they affect the EU’s competitiveness.
The current discourse raises the question of whether this is indicative of a shift from the “Brussels effect” to a “Washington effect,” suggesting a broader deregulatory trend. However, this interpretation may overlook the nuanced and technical nature of the proposals, which remain in their early stages pending approval. The adjustments primarily appear to be procedural refinements rather than a fundamental rethinking of the core architecture of the AI Act.
Ultimately, the adjustments signal a recognition of the complexities surrounding the implementation of AI regulations, acknowledging that robust enforcement will require time and a measured approach.
Retail Cyberattacks Surge 10% in Q2 2025: How to Fortify Your Defenses Now
CrowdStrike Boosts Growth with New AI Partnerships Driving 95% SIEM Revenue Surge
AI-Driven Cyberattacks Surge, Exploiting Vulnerabilities in Hours, Experts Warn
Anthropic’s Claims of AI-Driven Cyberattacks Raise Industry Skepticism
Anthropic Reports AI-Driven Cyberattack Linked to Chinese Espionage
