The Digital Omnibus: Simplifying Europe’s Digital Rulebook and Its Impact on Ireland

10–16 minutes

As part of its drive for simplification, the European Commission has announced plans for a Digital Omnibus package. Its primary aim is to reduce bureaucratic reporting obligations for businesses and harmonise the EU’s increasingly complex digital regulatory landscape.

The European Commission’s Digital Omnibus Regulation represents a landmark effort to simplify and modernise the EU’s digital regulatory framework. In an era where digital technologies underpin nearly every facet of economic and social life, regulatory complexity has become a significant barrier to innovation and competitiveness. The Omnibus seeks to address this by consolidating overlapping rules, reducing administrative burdens, and creating a more coherent legal environment for businesses and public administrations.

For Ireland, a country deeply embedded in Europe’s digital economy, the implications are substantial. From tech giants headquartered in Dublin to small and medium-sized enterprises (SMEs) across the regions, this reform promises cost savings, legal clarity, and new opportunities for growth. At the same time, it reinforces the EU’s commitment to fundamental rights, ensuring that simplification does not come at the expense of privacy or fairness.

The Digital Omnibus package is expected to introduce several adjustments to the AI Act and the GDPR, with draft proposals already circulating. While these details may evolve before the final text is published, expectations include clarified definitions, streamlined compliance obligations, and new provisions for AI governance, all of which could reshape Europe’s approach to digital innovation and rights protection.

What is the Digital Omnibus?

The Digital Omnibus is part of the Commission’s Digital Package on Simplification, responding to calls from the European Council and Parliament for a “simpler and faster Europe.” It proposes to amend and consolidate several key legislative instruments, including:

It also intends to repeal outdated acts, such as:

The overarching goal is to reduce complexity without lowering standards, preserving the EU’s high level of protection for privacy, cybersecurity, and consumer rights.

Why Simplification Matters

The EU’s digital acquis has grown incrementally over the past decade, creating a patchwork of rules that often overlap or conflict. Businesses, especially SMEs, have struggled with compliance costs and legal uncertainty.

The Draghi Report on European competitiveness had highlighted that, despite its laudable objectives, the GDPR has become excessively complex, hindering innovation and undermining the competitiveness of European businesses. To address these challenges, the report recommended that the Commission revise the GDPR to simplify requirements, reduce administrative burdens, and harmonise the application of data protection laws across Member States.

Rather than providing legal certainty, the proliferation of new EU regulations has only deepened complexity within the digital economy. The Letta Report also underscores that the accumulation of rules has, at times, had a detrimental impact on competitiveness.  The Commission considers that swift and tangible improvements are essential for both citizens and businesses. This requires a more cost-effective, innovation-friendly approach to implementing existing rules, while continuing to uphold the EU’s high standards and agreed objectives.  To ensure the Omnibus Package delivers meaningful simplification, a holistic approach is required, one that standardises terminology, harmonises reporting obligations, and eliminates legal ambiguities.

According to Commission estimates, the Omnibus could generate €1 billion in annual recurring savings and €1 billion in one-off savings, amounting to a total of at least EUR 5 billion over 3 years by 2029.

For Ireland, where the ICT sector is a major contributor to GDP and employment, these savings could translate into enhanced competitiveness and greater capacity for innovation.

Key Changes in the Digital Omnibus

1. Consolidation of Data Rules

The Omnibus consolidates the Data Governance Act, Open Data Directive, and Free Flow of Non-Personal Data Regulation into the Data Act, repealing the previous instruments and creating a single, directly applicable framework. This alignment harmonises definitions, strengthens safeguards for trade secrets, and retains the prohibition of data localisation requirements.

Key benefits include:

  • Simplified compliance: One coherent set of rules for data sharing and re-use.
  • Enhanced access to public sector data: Including high-value datasets and research data to drive innovation.
  • Support for SMEs and small mid-caps: Extended exemptions and lighter regimes reduce barriers to entry.
  • Fair competition: Public bodies may apply special conditions and proportionate fees for very large enterprises and gatekeepers.

For Irish businesses, this means easier participation in data spaces, improved interoperability, and reduced legal ambiguity.

Targeted changes include:

  • Exemptions from cloud-switching rules for SMEs, small mid-caps and bespoke services, including flexibility on early termination penalties.
  • Removal of mandatory registration and labelling for data intermediation services.
  • Streamlined data altruism framework with lighter obligations.
  • Limiting business-to-government data access to genuine public emergencies.
  • Consolidation of public-sector data re-use rules, including harmonised principles on charging, non-discrimination, and standard licences.

2. GDPR Adjustments

While the GDPR remains a strong framework, the Digital Omnibus introduces targeted clarifications and simplifications to reduce compliance burdens while preserving high standards of protection:

  • Clarification of definitions: Personal data is not considered such for an organisation if it lacks means reasonably likely to identify the individual, reflecting recent Court of Justice case law. A formal definition of “scientific research” is added, and further processing for research purposes is confirmed as compatible with the original purpose.
  • Special category data: New derogations allow limited processing for AI development and biometric verification, provided robust safeguards apply. Controllers must implement measures to avoid collecting sensitive data and remove it where identified.
  • Reduced consent fatigue: Cookie banners will be phased out in favour of automated, browser-based signals. Users will be able to reject cookies with one click and set preferences centrally. A limitative list of low-risk purposes (e.g., service provision, security, audience measurement) will not require consent. Controllers must respect machine-readable choices once standards exist, and browsers will be obliged to support these settings within 48 months.
  • AI compliance clarity: Legitimate interest may serve as a legal basis for processing personal data in AI training and development, subject to safeguards such as enhanced transparency and an unconditional right to object.
  • Transparency: The derogation on transparency obligations is extended to situations where the processing is not data-intensive and unlikely to result in a high risk, within a clear and circumscribed relationship, such as in craftsman and client or membership in associations and sport clubs, and it is reasonable to assume that the data subject knows the key information.
  • Data subject rights: Controllers may refuse or charge for a request where a data subject abuses their rights under the GDPR for purposes other than the protection of their data.
  • Automated decision-making: Clarification that decisions based solely on automated processing are permitted for contract performance even if a human alternative exists, provided safeguards are in place.
  • Breach notification and DPIAs: The threshold for notifying data breaches is raised to cases involving a high risk to individuals, with a 96-hour deadline. Harmonised EU-wide templates and lists for DPIAs and breach notifications will be introduced to ensure consistency.
  • Alignment with ePrivacy: Rules for accessing personal data on terminal equipment move fully under GDPR, eliminating the dual regime and simplifying compliance.

These changes will help Irish organisations, particularly those in AI, analytics and digital services, navigate compliance more efficiently while maintaining trust and legal certainty.

3. Cybersecurity and Incident Reporting

The Omnibus introduces a single-entry point for incident reporting, developed and maintained by ENISA, covering obligations under NIS2, GDPR, DORA, eIDAS, the Critical Entities Resilience Directive, and other sectoral frameworks. This “report once, share many” principle will:

  • Cut administrative costs for businesses operating across multiple sectors by eliminating duplicate reporting.
  • Improve regulatory oversight through harmonised templates and streamlined workflows.
  • Encourage compliance by simplifying processes and enabling entities to retrieve previously submitted reports.

The platform will be piloted and assessed before full rollout, with an 18-month implementation period (extendable to 24 months). ENISA must ensure the system is secure, interoperable with national platforms, and supports APIs and machine-readable standards for integration. It will also align with the Cyber Resilience Act and European Business Wallets for authentication.

For Irish financial institutions and critical infrastructure providers, this is a game-changer in managing cybersecurity obligations efficiently and consistently.

4. Fair Competition Measures

To prevent market concentration and ensure fair access to public data, the Omnibus empowers public sector bodies to impose higher fees or special conditions on very large enterprises, particularly gatekeepers under the Digital Markets Act, when reusing public data. These measures will:

  • Level the playing field for SMEs, small mid-caps and start-ups.
  • Promote innovation by reducing the risk of dominant players leveraging their market power.
  • Ensure charges and conditions are transparent, proportionate and based on objective criteria, such as economic power and ability to acquire data.

This applies to the re-use of open government data and certain categories of protected data. Public bodies must also provide online payment options and standard licences in digital format, further simplifying access.

Irish SMEs stand to benefit from fairer access to data resources, fostering a more competitive and dynamic digital ecosystem.

5. AI Act

The Omnibus introduces significant adjustments to the AI Act to provide legal certainty and ease compliance:

  • Delayed application of high-risk requirements: Obligations for high-risk AI systems listed in Annex III (e.g., employment, credit scoring, law enforcement) will not apply until the Commission confirms that harmonised standards, common specifications and support tools are available. Once confirmed, these rules will apply six months later. For Annex I systems (such as medical devices and other product-based high-risk AI), obligations will apply 12 months after confirmation. If readiness is delayed, longstop dates of December 2027 (Annex III) and August 2028 (Annex I) ensure predictability.
  • Simplified compliance: Measures previously limited to SMEs are extended to small mid-caps, reducing burdens for a wider range of businesses. The requirement for a harmonised post-market monitoring plan is removed, and registration obligations for non-high-risk AI systems are streamlined.
  • AI literacy: The obligation for organisations to provide AI literacy training is removed. Instead, EU and Member States must promote AI literacy, for example by offering training opportunities and accessible informational resources.
  • Governance and oversight: Responsibility for general-purpose AI systems is centralised within the AI Office, which will also coordinate standards development and guidance across the Union.  EU-wide centralised market surveillance extended to AI systems embedded in very large online platforms or very large online search engines.
  • Innovation support: Regulatory sandboxes are expanded, including an EU-level sandbox from 2028, enabling cross-border testing and experimentation.
  • Fairness and safeguards: The Act permits processing of special category data for bias detection and correction, subject to strict technical and organisational safeguards.

These changes aim to balance innovation with accountability, giving Irish businesses, particularly in AI and technology, greater clarity and flexibility while maintaining high standards of safety and fairness.

Impact on Irish Organisations and Businesses

Opportunities

  • Cost savings: Lower compliance costs free up resources for innovation.
  • Legal certainty: Clearer rules reduce litigation risk and facilitate cross-border operations.
  • Data-driven growth: Easier access to public sector and high-value datasets supports new products and services.

Challenges

  • Transitional compliance: Businesses must adapt to new frameworks and reporting systems.
  • Technical readiness: Implementing machine-readable consent signals and integrating with the single-entry point may require investment.
  • Strategic planning: Organisations must reassess data-sharing strategies in light of new rules on trade secrets and public emergencies.

Fundamental Rights at the Core

The Omnibus is designed to uphold the Charter of Fundamental Rights, ensuring:

  • Right to conduct a business: By reducing regulatory burdens and fostering innovation.
  • Right to privacy and data protection: Through harmonised standards and enhanced safeguards.
  • Freedom of expression and media pluralism: By exempting media service providers from certain automated consent obligations.

This balance between simplification and rights protection is critical for maintaining public trust in digital services.

Stakeholder Consultations and Civil Society Concerns

Stakeholders called for simpler, more coherent digital rules and lower compliance costs. They supported streamlining the data acquis, targeted GDPR changes, and reducing cookie banner fatigue. Businesses also requested deeper analysis of rule interactions via the upcoming digital fitness check.

Concerns over duplicate incident reporting led to the proposal for a single-entry reporting point. On the AI Act, stakeholders stressed the need for legal certainty and standards before implementation, addressed in a separate Omnibus proposal.

Civil society campaigners and privacy groups argue that the Commission is pushing major changes without sufficient evidence, impact assessments, or meaningful consultation, risking conflict with the Charter of Fundamental Rights. The Call for Evidence closed just five weeks before publication, and Omnibus procedures limit parliamentary scrutiny, concentrating power in the Commission and undermining democratic oversight.

According to organisations such as noyb and European Digital Rights (EDRi), the Omnibus represents the largest rollback of digital rights in EU history, under the guise of “technical streamlining”.

Key concerns include:

  • Weakening GDPR protections: Proposals introduce a subjective definition of personal data, creating loopholes for sectors like advertising and data brokerage. This could make enforcement nearly impossible and erode the principle of informational self-determination.
  • Expansion of intrusive data practices: Changes to ePrivacy would allow broader access to data on personal devices, undermining confidentiality of communications.
  • AI-driven data exploitation: The Omnibus would permit Big Tech to use highly personal data including years of social media content for AI training, despite strong public opposition and impractical opt-out mechanisms.
  • Curtailment of user rights: Access rights could be limited to “data protection purposes” only, contradicting CJEU case law and restricting individuals’ ability to challenge errors or assert rights in employment and credit contexts.

Political backing is weak: most Member States opposed reopening GDPR, and leaked texts sparked strong resistance from Parliament’s centre-left groups. Civil society is also critical, with 127 organisations, including Amnesty International, Access Now and the Irish Council for Civil Liberties, condemning the proposals as a threat to Europe’s digital rights framework.

Campaigners warn that these changes could benefit Big Tech while offering little relief for SMEs, increase legal uncertainty, and undermine trust in the EU as an evidence-based regulator. They have called on the Commission to halt attempts to reopen core digital rights laws, reaffirm rights-based governance, and restore democratic safeguards.

Conclusion

The Digital Omnibus is more than a regulatory clean-up; it is a strategic initiative to future-proof Europe’s digital economy. For Ireland, it offers a unique opportunity to strengthen its position as a digital leader while ensuring fairness, security, and respect for fundamental rights. By embracing these changes proactively, Irish organisations can unlock new growth avenues and contribute to a more competitive and innovative European digital market.

References

Draghi Report on European competitiveness (2024)

Enrico Letta – Much more than a market (April 2024)

Digital Omnibus 2025 | Bitkom e. V.

Digital Omnibus: Simplifying the EU’s Digital Rulebook – EU Digital Compliance Tracker (Snellman)

EU Digital Omnibus Resetting Europes digital rulebook – Bird & Bird

Digital Omnibus: EU Commission wants to wreck core GDPR principles

123

More ICS News

Read more ICS News

Become a Member
ADPO News
HISI News
IASA News
itSMF News
Irish Digital Skills & Jobs Coalition News
EU Tech Policy News
AI Policy News

Discover more from Irish Computer Society

Subscribe now to keep reading and get access to the full archive.

Continue reading