Digital omnibus: a first step and what must come next, now

The digital omnibus is Europe’s first attempt to move its digital rulebook from expansion towards simplification. DIGITALEUROPE welcomes this shift. The proposal responds to several issues that industry has raised for years: fragmentation of the data acquis, uncertainty around pseudonymisation or the proliferation of incident-reporting portals. It is a necessary first step at a critical moment for Europe’s competitiveness.

As it stands, however, the omnibus is still largely an administrative clean-up. The rules that will decide whether European manufacturers and service providers can build viable data-driven and AI-enabled business models are mostly left intact. Our June 2025 simplification recommendations remain valid. This paper reacts to the Commission’s proposal by restating the main missing elements that must be added by the Council and Parliament as a priority, and by analysing new elements that were not covered in our original asks.

On the Data Act, consolidation is helpful, but the core issues for businesses remain untouched. Mandatory, horizontal data-sharing obligations risk hollowing out Europe’s emerging data-driven business models, especially in manufacturing, health and energy.

To rebalance the framework, the omnibus must:

• Make the Data Act voluntary by default, built on sectoral codes of conduct recognised by the Commission and used where access genuinely supports innovation and safety;

• Fully exclude platform- (PaaS) and software-as-a-service (SaaS) from cloud-switching obligations, which are structurally incompatible with software- and platform-based models that are Europe’s competitive strength; and
• Make trade-secret safeguards more robust and effective, clarify temporal scope and remove duplicative data transfers provisions.

On the GDPR, the proposal broadly gets it right. The clarified personal-data definition and the new provisions on special categories and scientific research codify long-needed interpretations that support responsible innovation without weakening protections. The GDPR remains a fit-for-purpose framework.

The real structural problem sits in ePrivacy. Keeping a parallel consent-centred regime for terminal-equipment data, whilst expanding exceptions, recreates the failures of past reforms and introduces new inconsistencies. The only coherent solution is to bring all terminal-equipment processing fully under the GDPR legal bases.

On cyber, a single entry point for incident reporting is a positive step, but simplification cannot stop at the portal. The final omnibus must:

• Deliver a genuinely single entry point, covering NIS2, the Cyber Resilience Act (CRA), DORA, the Critical Entities Resilience (CER) Directive, eIDAS and the AI Act, using the CRA single reporting platform;
• Mandate one harmonised reporting template, aligned with international standards, and fix fragmented reporting timelines, which force companies to file premature updates rather than fix incidents. Converging around a 72-hour substantive deadline and harmonising the trigger point, ensuring the clock starts ticking only when an incident is confirmed, would improve both compliance and security; and
• Simplify the CRA now, by aligning application dates with the availability and citation of harmonised standards, allowing transitional self-assessment where appropriate, limiting reporting to the declared support period and excluding inherently low-risk products.

The Commission has started the simplification agenda; now the co-legislators must finish it. Deferring substantive corrections to future fitness checks risks losing the momentum that European industry urgently needs. The opportunity for real simplification exists, and must be seized, now.