Joint Article | Too fast and too short-sighted: What the Digital Omnibus is missing

By Sarah Bäumchen, Managing Director of ZVEI, and Cecilia Bonefeld-Dahl, Director General of DIGITALEUROPE 

The EU Council Presidency is pushing ahead with the Digital Omnibus at speed. In principle, this should be a reason to be pleased, as it at least shows that in Brussels and Luxembourg the signs of the times have been recognized: Europe needs to get moving if it does not want to jeopardize its technological sovereignty and competitiveness. However, in its current form, the Digital Omnibus clearly fails to achieve this strategic goal. 

Instead of forcing the Council’s position on the Digital Omnibus across the finish line at all costs before July 1—and the end of the Cypriot Council Presidency that comes with it—it would be necessary to eliminate the underlying weaknesses. 

Take the Data Act, for example. A great deal is at stake for industry, as data are is crucial for the development of modern products: the more data are is available, the better the models and services that can be developed. Yet this is precisely where the Data Act disadvantages European manufacturers. It compels them to share their product data with European or non-European competitors if their customers request it. This applies even when the data contain trade secrets, which largely undermines the very concept of intellectual property. 

Unintentionally, this not only strengthens international competitors but also removes incentives for European manufacturers to invest in high-risk product development. Instead of obliging companies to share data, as envisaged in the Data Act, it would make more sense—within the framework of the Digital Omnibus—to rely on a voluntary model for secure data exchange. This would strengthen existing data partnerships that are already established today. At the same time, it would protect the trade secrets of European manufacturers. 

In addition, there is a need in some areas for noticeable relief from unnecessary bureaucracy and regulatory ambiguity. This includes, for example, the application of the GDPR. According to Deloitte, compliance costs for per companies company average €1.5 million per year. This money is lacking elsewhere, where it might be put to better use. What is needed are clearer and more innovation-friendly rules on personal data relevance, pseudonymization, and the use of data for research, development, and artificial intelligence. 

The latter in particular is already significantly hindered by the GDPR due to its complex and partly innovation-inhibiting requirements. Training AI systems requires large volumes of data, which are significantly restricted by unclear legal provisions on the further processing and change of purpose of existing datasets. This, too, is a problem that existing data partnerships and secure data spaces could address, making it easier to develop new business models in Europe. 

The interaction between the NIS2 Directive and the Cyber Resilience Act can hardly be described as smooth either. Here as well, the Digital Omnibus falls short. Deadlines, reporting channels, and thresholds for security incidents must be designed coherently. At present, a single cybersecurity incident can trigger multiple reporting obligations under different EU regulations. This creates unnecessary complexity precisely at the moment when companies should be focusing on defending against threats. A genuine European central access point (“single entry point”) for reporting cyber incidents would reduce administrative burdens and improve efficiency for both companies and authorities. 

The Digital Omnibus offers the opportunity to harmonize Europe’s digital rules, support innovation, and strengthen industrial competitiveness. We should not squander this opportunity by having the Council finalize its position under time pressure just before the end of the current Council Presidency.