EUROPEAN COMMISSION

Brussels, 19.11.2025

SWD(2025) 836 final

COMMISSION STAFF WORKING DOCUMENT

Accompanying the documents

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Amending Regulations (EU) 2016/679, (EU) 2018/1724, (EU) 2018/1725, (EU) 2023/2854 and Directives 2002/58/EC, (EU) 2022/2555 and (EU) 2022/2557 as regards the simplification of the digital legislative framework, and repealing Regulations (EU) 2018/1807, (EU) 2019/1150, (EU) 2022/868, and Directive (EU) 2019/1024 (Digital Omnibus)



















Amending Regulations (EU) 2024/1689 and (EU) 2018/1139 as regards the simplification of the implementation of harmonised rules on artificial intelligence (Digital Omnibus on AI)

{COM(2025) 837 final}
{COM(2025) 836 final}

Table of Contents

Introduction    

1.1.    Context    

1.2.    The Commission’s digital simplification agenda    

1.2.1.    The Digital Omnibus: a first step, with targeted amendments    

1.2.1.    The European Business Wallet    

1.2.2.    The Digital Fitness Check: a second step to ‘stress test’ the digital legislation    

1.2.3.    Guidelines and supporting actions    

1.3.    Outline and supporting consultations    

1.    The Data Acquis    

1.1.    One Data Act    

1.1.1.    Analysis of problems and opportunities    

1.1.2.    Simplification measures and impacts    

1.1.2.1.    Free Flow of Non-Personal Data Regulation    

1.1.2.2.    Creating a single legal instrument for re-use of public sector documents    

1.1.2.3.    Clarifications and streamlining of rules on data intermediation services    

1.1.2.4.    Preventing trade secrets leakage to third countries    

1.1.2.5.    Narrowing down the scope of B2G only to public emergencies    

1.1.2.6.    Switching between data processing services    

1.1.2.7.    Removing essential requirements regarding smart contracts for executing data sharing agreements    

1.1.2.8.    Extending SME exceptions to small midcaps for access to public sector data under the Data Governance Act and the Open Data Directive    

1.1.3.    Preserving the objectives of the rules and other impacts    

1.2.    Adjustments to the data protection rulebook    

1.2.1.    Analysis of the problems and opportunities    

1.2.2.    Simplification measures and impacts    

1.2.2.1.    The definition of personal data    

1.2.2.2.    Mechanism to give greater legal clarity on anonymisation and pseudonymisation techniques    

1.2.2.3.    The processing of personal data for scientific research purposes    

1.2.2.4.    The processing of personal data for the development and operation of AI    

1.2.2.5.    The exercise of the individual’s right of access    

1.2.2.6.    Controller’s information requirements    

1.2.2.7.    Requirements for automated individual decision-making    

1.2.2.8.    Data breach notification to supervisory authorities    

1.2.2.9.    Notion of high risk and the lists of processing activities requiring and not requiring data protection impact assessment    

1.2.3.    Estimated impacts    

1.3.    Modernising the cookies policy: addressing consent fatigue and better alignment with data protection rules    

1.3.1.    Analysis of the problems and opportunities    

1.3.2.    Simplification measures and impacts    

1.3.2.1.    Consent fatigue and cumbersome cookie banners    

1.3.2.2.    Express choices with one click    

1.3.2.3.    Standards for machine-readable preferences    

1.3.2.4.    Browsers signals    

1.3.3.    Estimated impacts    

1.3.4.    Preserving the objectives of the rules and other impacts    

2.    Incident reporting    

2.1.    Analysis of the problems and opportunities    

2.2.    Simplification measures and impacts    

2.3.    Estimated impacts    

2.4.    Preserving the objectives of the rules and other impacts    

3.    Targeted amendments to the Artificial Intelligence Act    

3.1.    Analysis of the problems and opportunities    

3.2.    Simplification measures and impacts    

3.3.    Estimated impacts    

3.4.    Preserving the objectives of the rules and other impacts    

4.    Repeal of the Platform-to-Business Regulation    

4.1.    Analysis of the problems and opportunities    

4.2.    Simplification measures and impacts    

4.3.    Estimated impacts    

Conclusion    

ANNEXES    

Annex I - Stakeholder consultations    

Annex II – Summary of cost savings estimates    

Annex III - Competitiveness Check    

Annex IV - SME Check    

Annex V - Detailed list of reporting obligations in the digital acquis    

Introduction

1.1.Context

In its Communication on implementation and simplification (“A simpler and faster Europe” 1 ), the Commission presented its approach to adapting the Union’s regulatory framework to a more volatile world: a new drive to simplify, clarify and improve our common acquis.

This vision reflects the broader plan for Europe’s competitiveness laid out by Commission President von der Leyen in her political guidelines for the 2024-2029 term 2 . As also highlighted in the Draghi 3 and Letta 4 reports, the accumulation of rules has sometimes had an adverse effect on competitiveness. Fast and visible improvements are needed for people and businesses, through a more cost-effective and innovation-friendly implementation of our rules – all the while maintaining high standards and agreed objectives.

The European Council Conclusions of 20 March 2025 further called for the Commission to “keep reviewing and stress-testing the EU acquis, to identify ways to further simplify and consolidate legislation” 5 . It also stressed the need to follow up with new sets of simplification initiatives. In its Conclusions of 26 June, the European Council underlined the importance of “simplicity by design” legislation, “without undermining predictability, policy goals, and high standards” 6 . The European Council Conclusions of 23 October 2025 reaffirmed “the urgent need to advance an ambitious and horizontally-driven simplification and better regulation agenda at all levels – EU, national and regional – and in all areas to ensure Europe’s competitiveness”, and called on the Commission to “swiftly bring forward further ambitious simplification packages among others […] on digital” 7 .

In its resolution on “the implementation and streamlining of EU internal market rules to strengthen the single market”, voted on 11 September in plenary 8 , the European Parliament emphasised the need for simplification to facilitate business compliance without compromising the EU’s core policy objectives.

1.2.The Commission’s digital simplification agenda

With a value added of €791 billion across the European Union in 2022 9 , and permeations that extend to most strands of the economy, the ICT sector holds an increasing part in this simplification effort. Stakeholders of different nature have been calling for targeted amendments of certain rules, to both streamline compliance costs and clarify interplays in their sector.

The Commission is committed to a comprehensive ‘stress-test’ of the digital rulebook throughout the legislative mandate. The aim is very clear: to ensure that the rules continue to be fit for supporting innovation and growth, they deliver on their objectives and are a driver for competitiveness. Throughout this process, the Commission will seek to provide compelling solutions to simplify, clarify and solidify the effectiveness of the rules and their enforcement through all available instruments, be it regulatory adjustments, enhanced cooperation across authorities, promoting digital solutions that simplify ‘by design’ regulatory compliance, or other accompanying measures.

1.2.1.The Digital Omnibus: a first step, with targeted amendments

The Digital Omnibus proposal is a first step to optimise the application of the digital rulebook. It includes a set of technical amendments to a large corpus of digital legislation, selected to bring immediate relief to businesses, public administrations, and citizens alike, to stimulate competitiveness. The immediate objective is to ensure that compliance with the rules comes at a lower cost, delivers on the same objectives, and brings in itself a competitive advantage to responsible businesses. The amendments were prioritised building on the consultations with stakeholders and first implementation dialogues conducted by Executive Vice-President Henna Virkkunen and Commissioner Michael McGrath.

For these reasons, the amendments focus on unlocking opportunities in the use of data, as a fundamental resource in the EU economy, not least in view of supporting the development and use of trustworthy artificial intelligence solutions in the EU market. Targeted amendments to the data protection and privacy rules support this objective and provide immediate simplification measures for businesses and individuals, strengthening their ability to exercise their rights.

In addition, the amendments to the Regulation (EU) 2024/1689 (the Artificial Intelligence Act), presented in a separate legal proposal part of the Digital Omnibus, seek to facilitate the smooth and effective application of the rules for safe and trustworthy development and use of AI.  

The Digital Omnibus also proposes a very clear solution for streamlining cybersecurity incident reporting, bringing under the umbrella of a single reporting mechanism all related reporting obligations.

Finally, the proposal repeals outdated rules in the area of platform regulation, superseded by more recent regulations.

The amendments seek to streamline the rules, reducing the number or laws and harmonising provisions. They cut administrative costs by simplifying provisions and procedures. They relieve small mid-caps from certain obligations across the data acquis and Regulation (EU) 2024/1689 (the Artificial Intelligence Act), in addition to small and micro-enterprises already covered by a special regime. They also stimulate opportunities for a vibrant business environment, creating more legal certainty and opportunities, in particular in sharing and re-using data, in processing personal data or training Artificial Intelligence systems and models.

At the same time, the proposed amendments remain technical in their nature, seeking to adjust the regulatory framework but not to amend its underlying objectives. The measures are calibrated to preserve the same standard for protections of fundamental rights.

1.2.1.The European Business Wallet

Together with the Digital Omnibus, the Commission is also tabling its proposal for a European Business Wallets Regulation, as a cornerstone initiative to simplify regulatory compliance and reduce administrative burdens for businesses.

The Business Wallets will be designed as secure digital tools for businesses, acting as a single platform to simplify their interactions across the EU. By implementing a unique and persistent identifier, businesses will be empowered to digitally verify identities, sign documents, timestamp, and exchange verified digital information seamlessly across borders through the use of a single solution. By adopting European Business Wallets, companies, especially SMEs, will be able to navigate compliance with ease, freeing up vital resources that can be redirected toward growth and innovation.

1.2.2.The Digital Fitness Check: a second step to ‘stress test’ the digital legislation

As a second step in the commitment to ‘stress-test’ the digital rulebook, the Commission is also conducting a Digital Fitness Check. Whereas the Digital Omnibus proposals are immediate and targeted, the analysis the Commission will undertake in the Digital Fitness Check will focus on cumulative impact of the digital rules, seeking to test how they support the EU’s competitiveness and where further adjustments will need to be proposed in the second half of the legislative mandate.

The Digital Fitness Check is launched at the same time as the Omnibus proposal, with a wide public consultation. The Commission seeks to engage with all stakeholders and consult broadly. The objective is to follow up with an overview and a wide mapping of how the digital rulebook covers strategic sectors of the EU’s industry, and address the how the cumulative effect of the rules impacts their competitiveness. On this basis, the analysis will go deeper in a second step on the synergies and areas that could be further aligned, ranging from definitions and legal concepts, to the effectiveness and interplay of the governance systems and other supporting measures.

The ‘stress-test’ of the digital acquis will also continue through implementation dialogues, as well as with evaluations of all of the main legal instruments. In the current planning, among other initiative, the Commission is expecting to publish in 2026 a review of the Digital Markets Act, of the Digital Decade Policy Programme, the Chips Act, the Audiovisual Media Services Directive, and an evaluation of the Copyright Directive. For 2027, the acts expected to be evaluated include, among others, the Cyber Solidarity Act, the Open Internet Regulation, NIS2 and the Digital Services Act. In 2028, the Commission should evaluate the European Media Freedom Act and the Data Act, for example, followed by evaluation of the AI Act in 2029 and an evaluation of the sunset clause of the Regulation establishing the European Cybersecurity Competence Centre and Network.

1.2.3.Guidelines and supporting actions

Stakeholders have stressed repeatedly that, in many instances, the simplification effort is less about modifying the rules, and more about providing clarity on their application. The Commission is prioritising a series of guidelines aimed at supporting the uniform application of the rules, without prejudice to the interpretations of the Court of Justice.

As regards the data acquis, the Commission announced its prioritisation in the Data Union Strategy, notably focusing on guidelines on reasonable compensation to clarify what can be charged for data sharing, providing legal certainty to both data holders and data recipients. In addition new guidance is envisaged regarding clarifications of selected definitions in the Data Act.

To support the application of the Artificial Intelligence Act, the Commission continues to prioritise issuing further guidance, focusing on offering clear and practical instructions to apply the AI Act in parallel with other EU legislation. This includes:

·Guidelines on the practical application of the high-risk classification

·Guidelines on the practical application of the transparency requirements under Article 50 AI Act

·Guidance on the reporting of serious incidents by providers of high-risk AI systems

·Guidelines on the practical application of the high-risk requirements

·Guidelines on the practical application of the obligations for providers and deployers of high-risk AI systems

·Guidelines with a template for the fundamental rights impact assessment

·Guidelines on the practical application of rules for responsibilities along the AI value chain

·Guidelines on the practical application of the provisions related to substantial modification

·Guidelines on the post-market monitoring of high-risk AI systems

·Gudelines on the elements of the quality management system which SMEs and SMCs may comply with in a simplified manner

·Guidelines on the AI Act’s interplay with other Union legislation, for example joint guidelines of the Commission and European Data Protection Board on the interplay of the AI Act and EU data protection law, guidelines on the interplay between the AI Act and the Cyber Resilience Act, and guidelines on the interplay between the AI Act and the Machinery Regulation

·Guidelines on the competences and designation procedure for conformity assessment bodies to be designated under the AI Act

In particular, stakeholder consultations reveal the need to offer guidance on the practical application of the AI Act’s research exemptions under Article 2(6) and (8), including how they apply in sectoral contexts like in the pre-clinical research and product development in the field of medicinal products or medical devices, which the Commission will work on with priority.

1.3.Outline and supporting consultations

This Staff Working Document (SWD) presents the supporting analysis for each of the Digital Omnibus’ proposed simplification measures. It is structured in four sections: the Data acquis (including the data protection and ePrivacy frameworks), Artificial Intelligence, Cybersecurity, and Platform rules. For each section, it describes the issues observed and related stakeholder views, presents the solutions put forth in the Digital Omnibus and illustrates the benefits and costs, as well as stakeholder views on the solutions.

It provides estimated cost savings, where feasible and proportionate. Provided the proposal enters into force by early 2027, the Digital Omnibus could amount to at least EUR 5 billion in administrative cost savings for businesses by the end of the Commission mandate in 2029, as well as a further EUR 1 billion for public authorities. This estimate does not include measures that were not immediately quantifiable on the basis of available data, but are expected to deliver important added value for all types of stakeholders, nonetheless.

Several consultations were carried out in the preparation of the proposal. Each were conceived as complementary to one another, addressing either different topical aspects or different stakeholder groups. Three public consultations and calls for evidence were published on initiatives related to the key pillars of the proposal in the spring of 2025. A consultation ran on the Apply AI Strategy from 9 April to 4 June 10 , another on the revision of the Cybersecurity Act from 11 April to 20 June 11 , and finally another on the European Data Union Strategy from 23 May to 20 July 12 . Each questionnaire had a dedicated section (or at times multiple) on implementation and simplification concerns, directly related to the reflexions on the Digital Omnibus. Taken together, 718 unique responses were obtained as part of this first consultation stream.

A Call for Evidence on the Digital Omnibus was further published from 16 September to 14 October 2025 13 . Its aim was to give the opportunity to stakeholders to comment on a consolidated proposal for the scope of the Digital Omnibus. 512 responses were received, submitted by diverse stakeholder groups, not least businesses and business associations, civil society, academics, authorities as well as individual contributions from citizens.

Executive Vice-President Henna Virkkunen hosted two implementation dialogues on the key topics addressed in the Digital Omnibus: the first on data policy 14 (1 July 2025), and the second on cybersecurity policy 15 (15 September). Commissioner McGrath hosted an implementation dialogue on the application of the General Data Protection Regulation 16 (16 July 2025).

The Commission’s services also conducted several ‘reality checks’ - deep-dive focus groups with businesses and representatives of civil society organised between 15 September and 6 October 2025 to discuss the practical implementation challenges experienced on a day-to-day basis and estimate compliance costs.

With a view of consulting specifically small and medium-sized enterprises (SMEs), and collecting their feedback, a dedicated SME Panel was run via the Enterprise Europe Network (EEN) 17 between 4 September to 16 October 2025.

Finally, the Commission’s services received numerous position papers and hosted bilateral meetings with a variety of stakeholders. The Commission’s services also engaged with Member States in roundtables or in the context of various Council Working Parties.

A detailed overview of these stakeholder consultations is included in Annex I. Annex II presents a summary of the cost savings estimates for the proposals. Additionally, an SME Check (Annex III) and Competitiveness Check (Annex IV) underline more specific impacts on small and medium-sized enterprises and European competitiveness altogether. Last, Annex V presents a detailed list of reporting obligations identified in the entirety of the digital acquis, used as starting point for the scoping of the simplification measures.

1.The Data Acquis

Data is a key enabler of competitiveness in the digital economy. Data availability and access are decisive for innovation, developing new technologies, analysing trends as well as identifying gaps and shortcomings to enhance efficiency across industries and in all sectors. The recent technological advancements including in the area of AI have shown that Europe must have in place solid, consolidated data governance structures and rules to achieve this goal. The applicable rules must be tailored to enhance competitiveness and innovation. They need to be clear, applied in a coherent and consistent manner, and their interplay needs to leave no room for ambiguity.

Yet, the data acquis is fragmented across multiple laws. The Digital Omnibus seeks to pull into one coherent law the rules supporting a competitive single market for data sharing and use.

The General Data Protection Regulation is the cornerstone for the protection of personal data. It can be a powerful tool for supporting data-driven innovation while ensuring the highest level of data protection. The Digital Omnibus includes a series of amendments to give further legal clarity in this regard and to modernise the rules, where needed. It also brings practical solutions to the long-overdue issue of consent fatigue and costly cookie banners.

1.1.One Data Act

Diverse stakeholders across sectors such as civil society, health, energy, manufacturing and mobility 18 have underlined that in recent years, the EU has created many legislative acts related to data sharing which has led to uncertainties about how the acts interact with each other. This feedback echoes the findings from an assessment of the implementation of the rules, to an extent that a consolidation of at least some of them appears warranted. In the Digital Omnibus, the single market rules on data are consolidated in one legal act – the Data Act. Further simplification measures are also proposed, including for giving legal certainty and stimulating data-driven innovation.

1.1.1.Analysis of problems and opportunities

Free Flow of Non-Personal Data Regulation (FFDR)

The rules. The FFDR aims to ensure the free flow of data other than personal data within the Union by laying down rules relating to data localisation requirements, the availability of data to competent authorities and the porting of data for professional users. The Regulation inter alia prohibits unjustified data localisation requirements and encourages switching as well as data portability between data-processing services through self-regulatory codes of conduct. In addition, each Member State designates a Single Information Point and a Point of Contact for cross-border cooperation.

The main issues. The FFDR has applied since 28 May 2019, with limited uptake and modest stakeholder interest. While it sought, among other things, to facilitate cloud switching through self-regulatory codes, these mechanisms have been superseded by the binding framework in the Data Act.

Although the FFDR envisages Single Points of Contacts and Single Information Points as an information/coordination backbone, awareness of the FFDR and such tools is uneven. About half of the respondents to the public consultation for the Data Union Strategy report only some, little or no familiarity, and uncertainty dominates assessments 19 . Moreover, 62 % of respondents to the public consultation (comprising companies, including SMEs, non-governmental organisations and national public authorities) stated that they did not know whether the rules of the FFDR needed to be modified in order to reduce data localisation requirements. Public authorities showed particularly strong uncertainty relative to the other stakeholder groups. This general uncertainty is mirrored by the fact that fewer than 4 in 10 respondents to the public consultation see any FFDR objective already fully met; the weakest scores concern trust in/security of (cross-border) data storage/processing and practical switching/porting.

Respondents have reported low visibility of monitoring and enforcement, calling for communication channels with more visibility. More than two-thirds (ca. 68 %) however could not judge whether enforcement was sufficient. Only about one in five explicitly considered the set-up adequate, echoing the limited visibility reality check. In an SME Panel consultation led by Commission services in September-October 2025, responding SMEs expressed similar lack of awareness with the FFDR 20 .

Additionally, stakeholders have experienced several practical issues with the FFDR. First, the implementing public authorities claim low user demand for the application of the FFDR. No publicly reported cases appear under Article 5(2) FFDR’s cooperation mechanism nor under Article 5(4) FFDR’s penalty mechanism. Secondly, Chapter VI of the Data Act has introduced a modern horizontal legal framework addressing switching between data processing services. It has rendered Article 6 FFDR practically obsolete.

The objectives. Cutting all outdated rules to reduce legal uncertainties and supporting, through core principles for the single market for data, the growth of innovative companies and their competitiveness.

Data Governance Act (DGA)

The rules. The Data Governance Act seeks to increase trust in data sharing, strengthen mechanisms to increase data availability by setting out common rules for data intermediation and altruistic data sharing. Additionally, the Data Governance Act establishes safeguards for international access and transfer of data.

Rules for data intermediation services focus on neutrality and transparency, ensuring individuals and companies control how their data is shared. Providers must operate through a separate legal entity, complete a notification procedure, and may use an official label once approved.

For data altruism - voluntary data sharing for public-interest purposes - organisations can register and use a trust label if they are non-profit, transparent, and provide safeguards for data providers. They are supposed also respect a forthcoming rulebook and comply with national arrangements supporting data altruism.

The Data Governance Act further established the European Data Innovation Board (EDIB) as an expert body to provide guidance and expert opinions on data sharing and to foster exchanges between Member States to share best practices. The EDIB is equally tasked under the Data Act to assist in developing consistent enforcement for B2C, B2B and Business to government data sharing.

The main issues. While common rules for data intermediaries are important for stimulating the re-use and sharing of data in trusted environments, current requirements and obligations have not led to the market stimulation that was initially expected. According to the Impact Assessment and support study accompanying the Proposal for a Regulation on Data Governance, the European market was expected to include 100–150 data intermediation service providers; however, only 27 have registered to date 21 .

While the delayed set up of competent authorities in a range of Member States 22  can partially explain the low level of uptake, feedback from the implementation of the rules shows that certain rules need targeted amendments to increase their effectiveness and facilitate scaling up of data intermediaries. For instance, stakeholders express the need to clarify (e.g. the commercial element in the definition of data intermediation service, the interplay between the definition in Article 2(11) and Article 10, the exemption of ‘closed groups’) and streamline definitions, including with regard to the Data Act. Furthermore, as highlighted in an evaluation conducted on behalf of the European Commission covering the DGA, ODD and FFDR, which is expected to be published by the end of the year, the DISP (data intermediation service provider) market remains immature and awareness of this type of service is limited. Surveyed DISPs for the forthcoming study indicate that some provisions are burdensome and weigh on business-model sustainability. While neutrality and user trust are acknowledged as essential, prohibitions on data enrichment and cross-sector analytics, notably under Article 12(c) and (e), are reported to constrain innovation and commercial viability 23 . 

When it comes to data sharing mechanisms under the Data Governance Act, the rules on data intermediation services were thus especially singled out for being able to benefit from greater alignment, simplification and clarity to increase their uptake.

In the context of an EDIB meeting to discuss these matters, 50% of respondents reported that the requirement of providing data intermediation services through a separate legal person was especially burdensome, triggering costs and a hindrance to finding a viable business model. Moreover, according to respondents to the public consultation on the Data Union Strategy, the biggest obstacle to altruistic data sharing is administrative or legal complexity followed by low trust and financial sustainability. This highlights that the current conditions can be amended to further facilitate the uptake of those provisions.

Regarding the EDIB, the current rules are considered very rigid, not providing enough strategic flexibility to reap the full potential of the expert body. This was notably put forward by a number of public authorities in response to the Call for Evidence for the Digital Omnibus.

The objectives. The proposed amendments are expected to overcome identified issues in the current implementation of the Data Governance Act. They should help reaching the policy objectives fully by stimulating the emerging market of data intermediation and, implicitly, value creation through the reuse of data. In addition, the governance system for the rules should be leaner and more effective, allowing for strategic discussions and quicker responses to emerging issues within the EDIB.

Re-use of public sector data under the DGA and the Open Data Directive (ODD)

The rules. The rules for the access to and re-use of information held by the public sector across the Union are currently fragmented as they are regulated by two different horizontal instruments:

·The Open Data Directive sets out rules for public sector bodies to share information for re-use. However, information that is subject to intellectual property rights of third parties, that is protected due to statistical confidentiality or that cannot be shared because of data protection concerns (“protected data”) is out of scope.

·The DGA (Chapter II) aims at increasing the availability of such data by setting out a common set of rules when a public sector body decides to share such protected data. Thus, two instruments, containing the same principles to a certain extent, currently govern the re-use of public sector information.

The main issues. Both regimes set out rules for the re-use of information held by public sector bodies. Their scope and the corresponding rules differ however, with the interplay between those rules sometimes not clear. For example, it is not clear which rules apply to data that is anonymised under the rules for protected data, after anonymisation. Furthermore, the Open Data Directive applies to documents, including data, whereas the Data Governance Act applies to protected data only, without including non-digital information.

This regime leads to confusion, creates unnecessary complexity resulting in increased compliance costs for public sector bodies when making such information available as they will first need to assess what legal regime is applicable to the request. The majority of Member States and representatives from competent bodies called for an alignment of the rules of the two instruments. At the same time, businesses and research organisations across industries and irrespective of size also need to navigate within this dual and in some cases overlapping regime.

The results of the public consultation on the Data Union Strategy have shown that more than half of the respondents wished that the public sector makes “more efforts to allow processing of confidential data”. This shows that the rules of the Data Governance Act should be maintained and enforced. According to an assessment of the Data Governance Act conducted in Q2-3 of 2025 in the context of an EDIB meeting, (designated) competent public sector bodies in Member States perceive the current regime of having two legal instruments regulating the re-use of information held by public sector bodies as burdensome and creating unnecessary complexity. Roughly 70% of the answers received by participants explicitly advocated for creating a single regulatory regime to clarify for data holding public sector bodies what requirements apply to them. This indicates that the current framework is perceived as complex and burdensome. The assessment revealed that national public sector bodies perceive that without alignment between the two instruments, the data landscape will remain fragmented with inconsistent conditions for re-use.

Start-ups, small enterprises, enterprises that qualify as medium-sized enterprises and enterprises from sectors with less-developed digital capabilities struggle to re-use data and documents. At the same time a few very large players have emerged with considerable economic power in the digital economy, including through the accumulation and aggregation of vast volumes of data and the technological infrastructure for monetising them. Recent data from a Commission study indicates that larger enterprises are more strongly driven by open data and use those data more frequently, despite them being available to everyone. For example, whereas only 5% of Small Enterprises with 10 to 49 employees performed data analytics on government authorities’ open data, 11% of Medium-sized Enterprises with 50 to 259 employees did so and even 22% in the case of Large Enterprises with more than 250 employees. 24 The costs and burdens relating to re-use of data and documents held by public sector bodies (lodging and pursuing requests for data, setting up APIs, paying fees, data cleaning etc.) are mainly the same for all re-users regardless of their size, however. for all re-users, however.

Furthermore, given the rules for the re-use of public sector data are currently largely governed in a Directive, the national transposition rules differ across Member States. Stakeholders, including representatives of public sector bodies, ministries and competent bodies as well as companies wanting to re-use data and documents have identified the lack of harmonisation as a factor that makes re-use more complicated and burdensome, even more so in cross-border scenarios. Namely, charging practices differ across Member States, as well as their transposition of what data cannot be made openly available due to personal data protection concerns. This was underlined for example by participants to the reality check on the re-use of public sector data organised by the Commission’s services 25 .

The objectives. The objective is to harmonise and bring under a single instrument the rules on the re-use of data and documents held by public sector bodies, currently regulated under the Open Data Directive and Chapter II of the Data Governance Ac for protected data. Public sector bodies and re-users should be provided with more clarity with streamlined definitions. Moreover, to prevent a reinforcement of existing market imbalances, public sector bodies shall receive the possibility to introduce specific conditions for the re-use of information by very large entities.

The Data Act

The rules. The Data Act entered into application on 12 September 2025. The Data Act introduces mandatory data sharing obligations to boost greater and fairer data availability, while preserving the rights and interests of those who invest in data generation technologies. Given the Act’s recent applicability, evidence of its effects is not yet available.

The main issues. Stakeholders generally express broad support for the objectives and mechanisms of the Data Act. Due to the recent entry into application of the Data Act, extensive evidence on its practical effects is not yet available. However, ex ante evidence sources and early stakeholder perceptions (in particular from data holders) signal some areas that could warrant targeted adjustment for an optimal implementation. Strong concerns have notably been voiced on four core aspects:

·Chapter II of the Data Act mandates data holders to provide access to data, including trade secrets with appropriate confidentiality measures, to users and third parties within the EU. However, there are significant concerns about the potential leakage of trade secrets to entities in third countries. Participants in sectoral workshops frequently expressed fears of unlawful access and misuse by third-country entities, and many were specifically worried about trade secret exposure. A key issue involves the lack of clarity on foreign legal environments, compelling many stakeholders to have to assess these frameworks to determine how to protect confidential data. This concern was echoed by 42% of the respondents in the Data Union Strategy public consultation. Additionally, 86% of the respondents emphasized the importance of maintaining EU-level protection and 84% called for the EU to prioritize safeguards against unauthorized access from third countries.

·Chapter V of the Data Act requires data holders to make data available to public sector bodies, the Commission, the European Central Bank, or Union bodies when an ‘exceptional need’ arises. However, data holders argue that the scope of ‘exceptional need’ is overly broad, leading to a lack of clear and proportionate pathway for public sector access to business data. Rather, the focus should lay on public emergencies. This was particularly reflected in contributions from large companies and business associations in the Call for Evidence to the Digital Omnibus.

·Chapter VI of the Data Act empowers users of data processing services to switch between providers of data processing services. The absence of vendor lock-in, including contractual barriers to switching, allows users to freely choose the services that best meet their needs and permits providers to compete for a larger pool of potential customers. However, small providers and providers of tailored solutions highlight that the potential benefits of switching accruing to the users are outweighed by the administrative burden accruing on these stakeholders of having to review existing contracts in a way that ensures compliance with the Data Act.

·Chapter VIII of the Data Act aims to ensure, under Article 36, that smart contracts used to automate data-sharing agreements were interoperable, secure and trustworthy. It established essential requirements for vendors who create or integrate smart contracts for others, while remaining technologically neutral and allowing a presumption of conformity when harmonised standards were followed. However, industry stakeholders criticise these provisions as unclear in scope, potentially capturing a wide range of software and running the risk of constraining innovation opportunities.

The objectives. The proposed amendments are designed to address key concerns raised in the early implementation of the Data Act by providing clarity and precision to definitions and rules, while keeping the core policy objectives of unlocking data and boost innovation in data sharing tools for a flourishing digital single market. This concerns the rules on trade secret protection, business to government data sharing, cloud switching, and smart contracts for executing data sharing agreements. This will help harness the Data Act’s full potential.

1.1.2.Simplification measures and impacts

1.1.2.1.Free Flow of Non-Personal Data Regulation

To address the described practical issues, the Omnibus proposes to repeal the FFDR, while upholding the principle of free flow of non-personal data within the Union enshrined in the FFDR. The principle remains paramount for a digital single market and the data economy in the Union. It should thus be maintained and included in the Data Act as a horizontal regulation that covers rules on non-personal data.

Cost savings. This measure preserves the main cost-saving channel for businesses, i.e. the ability to place non-personal data in the most efficient EU location. This reduces parallel legal analysis and thus lowers costs even though it is to be noted that the instrument has not been effectively used. However, public authorities would be relieved from burdensome monitoring activities that do not meet any demand (Single Information Point and Single Point of Contact). Using an EU-wide central cost assumption of EUR 62,712 per FTE (derived from Eurostat’s 2024 hourly labour cost 26  and an assumption of 1,872 annual productive hours 27 ), this leads – assuming a saving of 0.5 FTE from the monitoring relief, based on Commission estimates – to savings for public authorities of EUR 31,356 per Member State annually and EUR 846,612 annually across the EU. Table 1 outlines the anticipated cost savings and underlying assumptions for the calculations.

Table 1: Estimated cost savings for changes to the Free Flow of Non-Personal Data Regulation

Moreover, the simplification of switching rules strengthens the freedom to conduct a business and the free movement of services that build on non-personal data.

1.1.2.2.Creating a single legal instrument for re-use of public sector documents

The proposal brings all rules on the re-use of information held by public sector bodies under the same instrument by integrating Chapter II of the Data Governance Act and the Open Data Directive into a new coherent chapter for the re-use of public sector information in the Data Act. Changes include aligning definitions between the two acts, such as ‘data’ and ‘documents’ and creating common provisions. The principles of the two instruments will remain unchanged to guarantee that Europe does not experience a set-back when it comes to the achievements made for open data. For example, principles inherent to both instruments, such as non-discrimination, prohibition of exclusive agreements or information on means of redress can be streamlined and included as general principles for the re-use of public sector information. General principles relating to charging can be established, extending the possibility to pay charges online through widely available cross-border services for re-use of documents covered under the Open Data Directive to modernise the law. The scope of the current Chapter II DGA of “data” will be enlarged to “documents”, thus bringing in scope non-digital information.

The current rules on the conditions of re-use under the DGA can be further aligned, clarified and streamlined to be more user friendly. This includes reducing redundancies, aligning definitions and clarifying the applicable regime in case of anonymisation of personal data. In addition, the current rules on transfers of non-personal data to third countries international transfers should be moved into a new dedicated Article.

In the spirit of fostering innovation and maintaining fair competition within the Union’s digital market, it is imperative to ensure that access to and reuse of public sector data benefit a wide range of market participants and do not inadvertently reinforce existing dominant positions. In particular very large enterprises, hold significant power and influence over the internal market. To prevent such entities from leveraging their substantial market power to the detriment of fair competition and innovation, public sector bodies shall be able to set out special conditions to the re-use of data and documents by such entities. For example, they should be able to demand higher charges and fees, based on objective criteria, and taking into consideration an entity’s economic power, ability to acquire data or the designation as a gatekeeper under Regulation (EU) 2022/1925. 

This way, opportunities for smaller businesses and new market entrants to innovate and compete in the digital economy are safeguarded. The online public consultation on the Data Union Strategy also inquired whether it is advisable to exclude some undertakings, designated as gatekeepers, as defined under Article 3 of Regulation (EU) 2022/1925, from benefiting from certain conditions for the reuse of public sector data, as set out in the Open Data Directive. The objective would be to prevent such entities from leveraging their substantial market power to the detriment of fair competition and innovation.

Finally, the transformation of the rules of the Open Data Directive into a directly applicable Regulation means creating a legal framework uniformly applicable across all EU Member States, eliminating the need for national transposition. It is important to note that a significant part of public sector data is already today subject to the directly applicable Implementing Regulation on high-value datasets. This solution presents numerous benefits for public administrations holding public sector data as well as for re-users, as they can streamline processes and reduce the administrative burden associated with interpreting and implementing diverse national laws. This shift could lead to improved data quality and standardisation, enabling better data management and enhancing interoperability for efficient cross-border data sharing. A reduced legal fragmentation could stimulate EU-wide data-driven markets by making it easier for businesses to develop and offer cross-border services and products. Enforcement of directly applicable rules will likely become more consistent. Stakeholders participating in the reality check on re-use of public sector data 28 also highlighted that a transformation into a Regulation would improve awareness about the opportunity to re-use such data. The proposal does not change national access regimes and aims at providing enough flexibility for national solutions – an important factor underlined by Member States.

Overall, this proposal expected to reduce search and compliance costs for re-users by providing a single, clearer, directly enforceable procedural framework; shorten time to access through more predictable and harmonised conditions; improved data management and quality across borders.

1.1.2.3.Clarifications and streamlining of rules on data intermediation services

The proposed amendments will turn the mandatory regime applicable today into a voluntary, streamlined scheme that should enhance trust, while cutting costs and stimulating the business model. The amendments will further clarify the notion of ‘data intermediation service provider’ (DISP). The notification and use of the label will be made voluntary. The requirement to provide the service via a separate legal entity will be removed.

Certain provisions that have proven to be ineffective, such as the obligation for Member States to establish national arrangements for data altruism, or that are potentially overly burdensome, such as the mandate to develop a rulebook for data altruism organisations, will be repealed. Alongside potential savings, the measure could lead to reduced regulatory oversight, lower market transparency and diminished user trust. However, these effects are likely limited in scope at this stage due to the market’s small scale and early level of development.

Cost savings. The proposed amendments consist of several factors that can lead to savings: First, data intermediation services can choose not to register their services which will save them administrative fees with the competent authority.

Secondly, the deletion of the requirement for data intermediation service providers to offer services through a separate legal entity is expected to create the biggest impact. This can be broken into one-off costs and recurrent overhead costs.

In terms of one-off costs, the current average formation cost alone (without taking into account the often-required original share capital) across the EU varies between EUR 250- EUR 4,000. 29  An average of EUR 2,125 across the EU can thereby be assumed.

Annual overhead costs result from separate corporate overhead structures (board, HR, IT, accounting) and the resulting labour costs as well as other fixed costs (office space, IT equipment). These can also be avoided. The impact can only be approximated as it will depend on a wide range of factors, not least the size of the company and labour costs. Taking into account conservative estimates for the above factors, the annual overhead costs for setting up a company with 50 employees, which is believed to be the typical size of a data intermediation service provider, can be estimated to amount up to EUR 40,000. 30

Assuming a potential total maximum of 150 data intermediaries in the EU according to the Impact Assessment accompanying the Data Governance Act, this could result in savings up to EUR 318,750 of one-off costs and in terms of recurrent costs up to EUR 6,000,000. Table 2 presents the cost savings and underlying assumptions.

Moreover, the proposed amendment could incentivize new players to provide data intermediation services by reducing market-entry barriers, thereby accelerating the development of this ecosystem of providers. Estimating that the average fixed cost of operating a data intermediation service amounts to around EUR 250,000 per year 31 , removing the requirement to provide such services through a separate legal entity would therefore lower fixed operating costs by roughly 17% (40,000 in annual overhead costs + 2,125 in one-off formation cost)/250,000 = 0.1685). To approximate the potential market impact, a range of entry-cost elasticities could be applied, reflecting how the number of market entrants typically reacts to changes in fixed costs. In digital and professional-service markets, where barriers are mostly related to administration rather than infrastructure, companies tend to be more receptive. On this basis, a cost elasticity range of -0.8 to -1.4 is assumed, meaning that a 10% cost decrease could raise entry by about 8-14 %. Applied to a 17% cost reduction, this implies an increase in entrants of around 13-22 % bringing the total from the DGA baseline of 150 to roughly 171–186 DISPs, or an additional 21 to 36 new providers EU-wide.

Table 2: Estimated cost savings for changes to the Data Governance Act

In addition, the proposed amendments would also help to clarify and streamline definitions, thus resulting in a more harmonised acquis and facilitating the user friendliness of the instruments. This should support affected entities to understand the rules faster and reduce burden.

For altruistic data sharing, further clarifying the definition would help organisations find a viable business model and foster the uptake of such mechanisms. In addition, the deletion of the specific rulebook for data altruism organisations will save the latter from additional compliance burden and thus make data sharing more attractive. In addition, the Article on national arrangements for data altruism (Article 16 DGA) requiring Member States to report national policies to facilitate data altruism should be deleted as it has proven ineffective and puts further reporting obligations on Member States. By deleting this provision, costs related to reporting will be saved while it will still be possible for Member States to develop national policies on data altruism.

1.1.2.4.Preventing trade secrets leakage to third countries

The Digital Omnibus will introduce an amendment in the Data Act to create a rule that data holders can refuse disclosure of trade secrets when they estimate there is a high risk of unlawful disclosure to entities that are subject to third country jurisdictions with weaker or non-equivalent protection compared to that of the EU. The intention is to prevent situations where (a) an EU entity leaks trade secrets to non-EU entities and (b) non-EU entities established in the EU, who are directly or indirectly controlled by a foreign entity and may be subject to extraterritorial rules or otherwise, leak trade secrets outside of the EU. This rule does not affect the position of EU stakeholders as potential recipients, and especially SMEs, established in the EU, and is therefore aligned with the Data Act’s objective to support European and smaller market players.

The proposed rule provides a robust framework for data holders to safeguard against significant losses from unlawful trade secret disclosure to third country entities. By strengthening the protection of trade secrets, the proposal fosters trust in the EU data economy and reinforces legal predictability. The EU’s framework serves as a benchmark for data sovereignty, minimizing confidentiality breaches and mitigating the risk of data exploitation by third country free riders or the largest global tech companies. These entities may capitalize on weaker legal regimes abroad to improperly access trade secrets, possibly without adequate oversight or repercussions, and thus disadvantage other market actors.

Cost savings. While calculating the cost of trade secret leakage under the Data Act is challenging due to several factors, such as the specifics of the trade secret being compromised, the identity of the recipient, and how the information is subsequently utilized, the proposed rule is designed to effectively prevent abuse of trade secrets that could severely impact data holders. Moreover, it is expected to yield cost and time savings for companies. For instance, according to a study 32 , large firms spend around EUR 1 million annually on data management agreements and relevant administrative and legal overhead. Additionally, the cost of setting up application programming interfaces (APIs) 33 , which varies between EUR 30,000 and 2.5 million depending on their scope and complexity, is averaged at around EUR 50,000 34 . Legal risks related to being entangled in a litigation over the co-generated IoT data and non-agreement between the parties, could reach about EUR 1 million annually, as per interviewed stakeholders 35 . These risks escalate, or rights/claims could even become unenforceable, in cross-border litigation. By allowing data holders to refuse trade secret disclosure to third-country entities with weak protections, this rule alleviates burdens associated with data and trade secret preparation, sharing and protection.

Data holders might incur increased legal and compliance expenses as they need to assess the trade secret protection frameworks of foreign jurisdictions and demonstrate the risk of unlawful exposure. In its 2025 report on the protection and enforcement of intellectual property rights in third countries, the Commission found that “insufficient protection of trade secrets and the challenges in enforcing them in a number of countries, notably in China and India, also causes irreparable harm to European businesses 36 . When the Data Act entered into application (12 September 2025), the Commission announced that it would develop guidance on trade secret protection under the Data Act. This was reiterated in the Data Union Strategy. Such guidance may assist data holders in the assessment needed to apply the proposed rule. 

Importantly, EU users and data recipients remain safeguarded under the proposed rule, as the existing mechanism, including the need for data holders to substantiate refusals and notify competent authorities, remains intact. This ensures the Data Act’s balance is maintained and its policy objectives can be fully achieved.

1.1.2.5.Narrowing down the scope of B2G only to public emergencies

The Digital Omnibus proposes to narrow the scope of Chapter V of the Data Act from “exceptional need” to “public emergency”. The intention is to reduce the burden on businesses, addressing private sector concerns regarding the unclarity of the Chapter V’s business-to-government (B2G) data sharing regime. The proposal streamlines the B2G framework by concentrating exclusively on public emergencies. This focus reduces ambiguity concerning the interaction of various EU and national laws and strengthens stakeholders’ understanding of the B2G rules.

Cost savings. The revised B2G data sharing framework significantly reduces administrative and legal burdens on companies. While one-off costs, such as infrastructure setup, for instance an application programming interface (API) for public sector bodies to access data in an anonymised way (initially estimated at EUR 552,5 million EU-wide 37 ), and recurring costs, such as personnel and data management (estimated at EUR 98,5 million annually 38 ), remain relevant for addressing B2G requests for public emergencies, the new framework is designed to lessen these costs.

The exclusive focus on public emergencies minimises complexities such as the need to customise data infrastructure and extensive contract negotiations for a wider scope of situations, potentially affecting the estimates for one-off costs 39 . The same goes for the need for detailed data processing activities, such as cataloguing, metadata reporting, and quality assessments, which were more intensive under the broader B2G system. The shift to a more centralised and standardised approach streamlines these tasks, and companies need to put less effort in assessing and normalising data for public interest purposes, potentially reducing the anticipated costs of EUR 78,06 million for these activities 40 . In addition, under the previous broad nature of “exceptional need”, data holders were estimated to have to establish teams of 1 to 5 FTEs with technical and legal knowledge to deal with B2G requests, representing an annual cost at the EU level of EUR 20,5 million 41 . By restricting data requests to public emergencies, the framework alleviates the burden, particularly in verifying conditions such as market availability of data or whether the absence of other viable measures to obtain the data exist, thus reducing operational resources and time required for this verification. This translates into further cost savings and enhances legal certainty. All calculations and assumptions for the above are presented in Table 3.

Finally, this approach also leads to cost reductions for competent authorities. For instance, it simplifies the management of data sharing mandates across Member States, easing coordination, especially in complex cross-border scenarios that would otherwise require extensive communication between competent authorities to ensure compliance with diverse legal requirements.

Table 3: Estimated cost savings for changes to Chapter V of the Data Act

1.1.2.6.Switching between data processing services

The Digital Omnibus proposes to introduce a specific lighter regime for data processing services which are custom-made, i.e. where the majority of features and functionalities of the service has been adapted by the provider to the specific needs of the customer 44 . As opposed to off-the-shelf solutions, contracts on the provision of these custom-made services are usually the outcome of dedicated negotiations 45 . This is particularly relevant in the Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS) segment. Where such contracts were concluded before the entry into application of the Data Act, costly re-negotiations may be required to bring them into compliance with the provisions on cloud switching.

While the right to switch providers of data processing services introduced in the Data Act remains untouched, this new specific lighter regime for custom-made data processing services takes account of the additional costs and administrative burden connected to the need to reopen and renegotiate contracts for the provision of custom-made services. This includes removing pre-commercial, commercial, technical, contractual and organisational obstacles, which, inter alia inhibit customers from terminating their contract after the notice period. This new specific lighter regime for custom-made data processing services would save providers the additional costs and administrative burden connected to the need to reopen and renegotiate contracts concluded before the entry into force of the Data Act. The Omnibus therefore proposes to exempt from the switching provisions custom-made services other than Infrastructure-as-a-Service (IaaS) if these are provided to a customer based on a contract concluded before 12 September 2025. For reasons of financial planning and certainty for investors, some providers of data processing services, especially SMEs and SMCs, may prefer to use fixed-term contracts. The customer’s right to switch, including when a service is provided based on a fixed-term contract could create the risk that a portion of such contracts are terminated prematurely. This could put the business model of SaaS providers, especially SMEs and SMCs, under significant financial strain and uncertainty. Therefore, the Digital Omnibus proposes to clarify that data processing services provided on the basis of fixed-term contract may include provisions for proportionate early-termination penalties as a way of recouping upfront investments in the case of early termination.

In addition, the Digital Omnibus proposes to create a specific lighter regime for data processing services, except IaaS, provided by SMEs and SMCs. Similarly, the need to renegotiate contracts to bring them into compliance with the provision on cloud switching creates a disproportionately high administrative burden for SMEs and SMCs compared to larger providers. The Omnibus thus proposes to exempt from the switching provisions PaaS and SaaS provided by SMEs and SMCs if these are based on a contract concluded before 12 September 2025. Moreover, the Omnibus explicitly exempts those providers from a possible need to renegotiate or amend those contracts before their expiry.

Finally, the Digital Omnibus clarifies that the obligation in Article 29 of the Data Act to first reduce and then remove switching charges, including egress charges, is excluded from those two specific lighter regimes. This preserves one of the key achievements that the Data Act brings for cloud customers. To avoid contract re-negotiations, the proposal clarifies that contractual provisions contrary to Article 29 would be considered null and void.

Cost savings. Based on stakeholder input, the proposed specific lighter regime for custom-made PaaS and SaaS can be expected to cover at least 100,000 contracts in the EU. If assuming an average cost of approximately EUR 10,000 for the re-negotiation of an individual contract, this would imply savings in the magnitude of EUR 1 billion due to non-incurred costs.

Regarding the specific lighter regime for SMEs and SMCs, the number of affected providers can be approximated by looking at the number of SaaS startups. In France alone, there are approximately 2600 SaaS startups. Enlarging this to SMEs and SMCs, a conservative estimation leads to at least 5,000 SMEs and SMCs EU-wide, which are active in the SaaS and PaaS segment. Assuming an average number of 50 contracts per provider in this bracket would lead to a total of 250,000 contracts for the provision of SaaS or PaaS by SMEs or SMCs. The calculations laid down in Table 4 below (also presenting the assumptions for the above estimated cost savings for custom-made data processing services) would thus lead to cost savings of around EUR 500 million if these contracts would not have to be re-opened.

Table 4: Estimated cost savings for changes creating a specific lighter regime for data processing services under the Data Act

1.1.2.7.Removing essential requirements regarding smart contracts for executing data sharing agreements

The Digital Omnibus proposes to delete Article 36 of the Data Act, which introduced specific requirements for smart contracts used in the context of data sharing. Article 36 was intended to ensure that automated data sharing execution mechanisms were interoperable, reliable, included proper access controls, and could safely be stopped or adjusted when needed. The objective was to provide legal certainty for emerging blockchain-based solutions that could facilitate data access and use.

Since the adoption of the Data Act, however, the development and use of smart contracts in data-sharing scenarios has remained at an early and experimental stage – also reflecting the relative recentness of the legislation. Market actors are testing different technical and governance models, and no common standards or practices have emerged. Industry stakeholders have raised concerns that the scope of Article 36 is unclear and may unintentionally capture a much broader set of distributed-ledger-technology (DLT)-based smart contracts, as well as ordinary built-in software features that merely automate data access, that were not meant to fall within the Data Act’s scope. Another strong criticism relates to the core characteristics of public blockchains. These systems rely on key features like immutability, decentralised control, and cryptographic transparency to ensure trust and security. If rules required these systems to include built-in options to stop their operation or give special access to a specific actor, those features would be weakened. This could make open, permissionless blockchains harder to build and discourage innovation in this area.

In this context, prescribing detailed regulatory requirements at Union level would risk locking in specific technological choices or stifling innovation in an area that continues to mature. Market actors are currently better placed to test, validate, and refine solutions adapted to their specific business models and technical environments.

Smart contracts remain a highly promising tool to foster secure, transparent and efficient data sharing, and there is strong support to develop them further and deploy them in the context of the Data Act. Removing Article 36 thus prevents regulatory complexity, reduces uncertainty, and maintains the flexibility needed to foster innovation in decentralised and automated data-sharing solutions, while preserving the overall coherence of the Data Act.

Cost savings. There are no reliable estimates of the costs or savings linked to Article 36, but its removal reduces administrative and technical burdens. Developers would no longer need to redesign smart contracts to meet specific requirements such as interruption or archiving functions, nor carry out conformity assessments and prepare related documentation.

The deletion of Article 36 also eases pressure on authorities, which would no longer have to oversee compliance for a still emerging market and technology. It also creates a more flexible environment for innovation, allowing market actors to experiment freely and develop new smart contract solutions, which in turn can stimulate further economic activity and technological progress. Overall, deleting Article 36 lowers costs for both businesses and regulators, while keeping the Data Act’s broader safeguards in place.

1.1.2.8.Extending SME exceptions to small midcaps for access to public sector data under the Data Governance Act and the Open Data Directive

Currently, the Data Governance Act and the Open Data Directive foresee special rules to support small and medium enterprises (SMEs) – approximately 26.1 million active entities in the EU 46 . These rules take into account the specific circumstances that these entities face – such as limited resources – and create a favourable environment to help them grow and be competitive at home and abroad. The Data Governance Act currently supports SMEs by exempting them from charges for the re-use of data made available under Chapter II. The Open Data Directive facilitates the re-use of public sector documents by recommending that public bodies apply a fee equivalent to the “marginal cost,” particularly when the requester is an SME and free of charge re-use is not possible.

However, when SMEs grow beyond 249 employees, they become “large enterprises” and become subject to greater compliance obligations. In this regard, the Draghi report calls for extending some mitigation measures, benefiting SMEs, to small mid-caps (SMCs) while the Letta report also advocates for distinguishing mid-caps from large corporations in EU regulations. According to a 2022 study 47 , one of the main difficulties for SMCs concerns complying with regulations and administrative requirements.

As many reports have highlighted, this transition in business size disproportionately affects SMCs across every sector, as they lose access to the exemptions available to SMEs, despite not yet having the resources of the largest companies. Consequently, compliance costs rise sharply as SMEs face the same obligations and enforcement standards as multinational corporations.

To address this “cliff-edge”, the Commission has introduced in the Omnibus IV simplification Package 48  a new category of companies (approx. 38,000 in the EU) – small mid-caps (250-749 employees, with an annual turnover not exceeding EUR 150 million or an annual balance sheet total not exceeding EUR 129 million) which should also benefit from the favorable environment created for SMEs. Accordingly, the Digital Omnibus will propose to extend some provisions currently applicable to SMEs to SMCs in the data acquis. 

Extending mitigating measures to a new, larger set of companies could create new incentives for SMEs to grow, as the current threshold regime may discourage companies from scaling up by delaying hiring or restructuring to avoid crossing the SME threshold. Reducing compliance costs would allow resources (legal and administrative) to be reallocated to core business activities such as R&D, product development and market expansion. Together, these factors would put EU SMEs in a more competitive position than SMEs in jurisdictions without such requirements.

The following measures are proposed to be extended to SMC privileges:

·The possibilities under the Data Governance Act for Member States to provide cheaper access to re-use of data from protected databases for SMEs and to establish separate, simplified information channels at the level of national single information points for SMEs should be extended to SMCs;  

·For the Open Data Directive, the provision that documents should be made available for re-use to start-ups and SMEs free of charge and, where charges are necessary, they should be in principle limited to the marginal costs (Recital 36) should be extended to SMCs; 

·Furthermore, the special focus on SMEs when identifying high-value datasets (Article 14 (2)(b)) and when evaluating the scope and social and economic impact of the Directive (Article 18 (2)(a)) should be extended to SMCs.  

Cost savings. According to the Commission’s impact assessment (SWD(2025) 501 final) 49 , based on a 2022 study 50 , around 38,000 companies would be SMCs defined as 250-749 employees.

The Impact Assessment for the Data Governance Act 51 assumed an average fee of around EUR 500 per application to re-use public sector data, with public sector bodies able to make the data available free of charge or at a discounted price. This fee could be waived for SMCs, depending on Member States’ implementation.

Assuming, on average, between 0.25 and 1 application per firm per year, this corresponds to potential savings of between EUR 125 and EUR 500 per company. Extending reduced-cost access to protected public sector databases from SMEs to all SMCs could therefore generate aggregate savings of between EUR 5 million and EUR 19 million per year across the EU, assuming approximately 38,000 SMCs. Data and assumptions are presented below in Table 5.

The assumption range follows a simplified approach derived from the methodology used in the Impact Assessment accompanying the Data Governance Act. These figures are indicative lower and upper-bound estimates, intended to reflect varying degrees of data-re-use activity across sectors and Member States.

By making SMCs eligible for reduced-cost access under the DGA, Member States could achieve annual savings within this range while broadening the number of organisations able to re-use protected public sector data and strengthening the overall uptake of data-sharing mechanisms.

Table 5: Estimated cost savings for SMCs under changes to the Data Governance Act

In addition, extending the existing Open Data Directive provisions to small mid-caps (SMC) companies is expected to further enhance data re-use and stimulate innovation, by making public sector information more accessible to a broader range of economic actors. This measure should therefore have a positive overall effect on data sharing and value creation across the EU data economy.

1.1.3.Preserving the objectives of the rules and other impacts

The planned measures under this section will preserve the original objectives of the Open Data Directive, the Data Governance Act and the Data Act: more easily accessible and re-usable data. The main objective of the Digital Omnibus Regulation is to streamline the number of data-related regulations into one coordinated Regulation, the Data Act, and to simplify the regimes. Therefore, most of the expected original impacts remain valid, and will in some cases even be strengthened. For example, merging the rules of the Open Data Directive with the rules of Chapter II Data Governance Act and including them into the Data Act will turn rules of the current Open Data Directive into a Regulation, contributing to greater harmonisation.

With the targeted amendments to the regime on data intermediation services providers and data altruism organisation, it should become more attractive to offer intermediation services or support data altruism. More voluntary data-sharing is expected, with more companies finding services that support them in this endeavour (e.g. offering match-making, contractual support, technical support with anonymisation or secure processing environments). Where such data-sharing is altruistic, in particular, it can lead to advancements in research on topics of general interest or societal goals (research on less common diseases, environmental protection, biodiversity) that cannot benefit from a strong commercial investment in research. However, the deletion of the requirement to register for data intermediation service providers may lead to reduced transparency and accountability of the market. Without registration, competent authorities would likely have more limited visibility over operators’ activities. User trust could also potentially be impacted. Nonetheless, these risks are considered limited, due to the intrinsic low risk associated to these types of activities. The overall stimulating impact on the data intermediation market, and positive externalities described above, are deemed on the whole beneficial to society.

Sharpening the trade secrets protection will make the Data Acts regime on sharing of data from connected devices more robust. This will strengthen know-how protection as an emanation of the fundamental freedom to conduct business (Article 16 of the Charter) and the right to protection of intellectual property (Article 17 para. 2 of the Charter).

The proposed reduction of scope of the Chapter V Data Act (business-to-government data sharing) by deleting the possibility for public sector bodies to demand access to privately held data where they have exhausted all other means (namely the purchase of non-personal data on the market, by relying on existing obligations to make data available or the adoption of new legislative measures), can theoretically reduce the social value created by the Data Act. That social value, however, comes at a high cost for a high amount of businesses who struggle to plan data sharing mechanisms on that basis as described above.

Last, while the changes to Chapter VI of the Data Act on contracts may have a light competition impact (due to the distinction made between contracts concluded before the entry into application of the Data Act, and after thereof), the latter are assessed as moderate since only covering a small segment of the market. The overall impact on the Data Act’s objectives is limited since the change would only apply to custom-made services. Customers will remain bound by the contract signed until its expiry, unless the contracts included a possibility for early termination.

For all of the above changes, the monitoring frameworks laid out in the initial respective Impact Assessments will continue to serve as the reference for the continuous assessment of their implementation.

1.2.Adjustments to the data protection rulebook

The GDPR is the cornerstone of EU digital legislation. Its risk-based, technology neutral approach means that businesses’ data protection obligations are tailored to the specific risks posed by their operations involving the processing of personal data. Stakeholders broadly share the view that the GDPR represents a balanced and sound legal framework on the protection of personal data. At the same time, businesses consider that further measures, including targeted legislative measures, could improve the application of the GDPR.

In this regard, stakeholders have raised in particular the need to provide more clarity to certain key GDPR concepts and to simplify certain obligations for data controllers, insisting on the respect of the GDPR risk-based principle, notably as regards AI and other new technologies. However, all stakeholders, including businesses, warn against the broad reopening of the GDPR, noting that they have invested in compliance and that fundamental changes to its framework would create unnecessary costs and legal uncertainty, contrary to the aim of simplification. All stakeholders also underline the need for more practical guidance and increased stakeholder engagement from the enforcers of the GDPR, the data protection authorities (DPAs) which, at EU level, come together within the European Data Protection Board (the EDPB). In addition, they call for more tailor-made support, such as templates and checklists, especially for SMEs.

While some of those concerns can be best tackled through non-legislative measures, as they do not concern the letter of the GDPR, and the work on them is already on-going 52 , others are more efficiently addressed by means of legislative adjustments in the GDPR. The targeted amendments proposed in the Digital Omnibus are based on specific feedback from stakeholders and aim to address the compliance challenges they have raised without undermining the GDPR policy objectives, including the high level of data protection. Where relevant, the amendments of the GDPR proposed in the Digital Omnibus are reflected in Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by the EU institutions, bodies, offices and agencies in order to maintain a strong and coherent data protection framework in the Union and ensure a consistent interpretation.

1.2.1.Analysis of the problems and opportunities

The rules. The GDPR protects individuals when their personal data is processed. It is at the centre of the legal framework that guarantees the fundamental right to data protection, as enshrined in the Charter of Fundamental Rights of the European Union and in the Treaties. The GDPR has the dual function of protecting an individual’s right to data protection and ensuring the free movement of personal data within the Union, and it applies to organisations in both the public and the private sector.

Personal data means any information relating to an identified or identifiable individual. The GDPR gives individuals control over their personal data. The GDPR creates obligations for controllers and processors, the entities responsible for the processing of personal data. The GDPR includes also an obligation to maintain records of personal data processing with an exception for certain processing activities by small and medium-sized companies and organisations with less than 250 employees. The Commission has proposed to simplify this obligation for those entities as well as for small mid-cap companies and organisations with the same number of employees, as a part of its Omnibus IV proposal 53 , which is currently being discussed by the co-legislators.

The GDPR establishes key principles that apply to the processing of personal data, namely lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality. Certain types of personal data, known as special categories of personal data, are afforded special protection under the GDPR.

Under the GDPR, the monitoring and enforcement of the application is a responsibility of national authorities, in particular data protection authorities and courts. The GDPR equips the independent data protection authorities with harmonised enforcement powers and establishes a cooperation and consistency mechanism for cases that concern cross-border processing. The EDPB, an EU body which is composed of the heads of the DPA of each Member State and the European Data Protection Supervisor, is responsible for ensuring the consistent application of the GDPR. To this end, it issues guidelines and opinions and also exercises a dispute resolution function between DPAs. In 2025, the co-legislators reached a political agreement on the Commission’s proposal for a GDPR procedural rules Regulation which will ensure better and faster cooperation between DPAs when enforcing the GDPR. The decisions and lack of action by national DPAs can be challenged in competent national courts.

The main issues. Complying with the GDPR involves both costs and benefits for businesses. In addition to initial implementation costs, companies encounter operational compliance costs, such as those related to monitoring, reporting 54 and training. The overall impact depends on the nature of the business model in question. 55 According to some reports 56 , the overall spending on data privacy around the world has remained relatively constant or even slightly increased over the past four years (2021-2024) for companies with more than 250 employees, while for companies with less than 250 employees it has generally decreased. In this context, it is noteworthy that 96% of respondents from the organisations surveyed have assessed that, overall, the benefits from privacy investment outweigh the costs. This has been explained by the fact that compliance with privacy laws is usually considered as a business advantage as it enhances the organisation’s reputation and customer trust. 57 However, it is in general difficult to quantify the benefits of the GDPR as they are not directly visible in the market. 58 Compliance with the GDPR may also have ”residual” positive effects. It has for instance been assessed that the GDPR has helped avoid between EUR 585 million and 1.4 billion in losses due to the fact that compliance with data protection rules contributes to combatting underinvestment in cybersecurity. These gains have been assessed to represent only a small portion of the total benefits of the GDPR in the field of cybersecurity. 59

The overall satisfaction with the effects of data protection laws is echoed in the feedback received from European stakeholders on the application of the GDPR. The participants of the Implementation Dialogue on the application of the GDPR, organised on 16 July 2025, were asked about challenges they have encountered in the application of the GDPR and suggestions for its improvement. The participants comprised of EU-level umbrella organisations representing different sectors of the industry and civil society, including members of the GDPR multi-stakeholder Expert Group ensuring a balanced representation of business and civil society 60 . The vast majority of stakeholders were of the opinion that the GDPR provides a balanced legal framework, which is, in principle, fit for purpose.

However, challenges were identified in particular in relation to the consistent interpretation and enforcement of the GDPR by supervisory authorities and stakeholders emphasised the need to reinforce legal certainty by introducing measures to reduce legal fragmentation and improve the consistent application of the GDPR. The need for greater consistency in the application and enforcement of the GDPR has been recognised also by data protection authorities and the European Data Protection Board. 61  In practice, the need for more harmonised and consistent interpretation of the GDPR is evidenced, for example, by the lack of fully harmonised lists established by DPAs at national level which stipulate when a Data Protection Impact Assessment is required and the low number of lists indicating when Data Protection Impact Assessment is not required (whitelists) 62 .

Stakeholders also called for more clarity to certain key aspects central to the interpretation of the GDPR, such as the definition of personal data 63  in light of the recent case law of the European Court of Justice, in order to ensure a common and harmonised understanding of this core concept throughout the EU.

In addition, many stakeholders considered that certain obligations placed on organisations are burdensome and unnecessary given the low risk the processing causes to data subjects. For example, the obligation to inform data subjects about the processing of their personal data, when the data subject has in practice already received relevant information, is not seen as necessary to data subjects concerned. Also, the obligation to notify the data protection authorities of a low-risk data breach was considered burdensome. Some GDPR obligations, in particular those mentioned above, were considered particularly challenging to fulfil for small and medium-sized enterprises and organisations due to their limited internal structures and expertise in data protection and overall resources. According to some surveys, the average number of data breach notifications to DPAs was 363 notifications per day from January 2024 to January 2025. 64 The number of notifications is particularly high in some Member States. 65  These numbers can be partly explained by the current relatively low threshold for notifications and they imply that the current obligation can create considerable resources implications also to GDPR enforcers.

Some of the concerns raised by stakeholders can be addressed through targeted legislative amendments to the GDPR. While it is not possible to calculate the exact cost savings to organisations of such amendments 66 , it can be generally assessed that enhancing legal certainty by clarifying certain GDPR key notions and further harmonising its application will bring direct benefits to organisations, for instance, due to reduced need for legal advice and consultancy and decreased non-compliance costs. Furthermore, it is possible to produce some direct cost savings for organisations by cutting administrative burdens through reduced ”reporting” obligations, when possible without undermining the high level of data protection under the GDPR, and by providing a centralised channel for ”reporting”. Finally, some legislative amendments could provide untapped opportunities to organisations by enhancing innovation and enabling a wider and more effective uptake of new technologies in their operations, while ensuring that individuals’ fundamental right to data protection is appropriately safeguarded.

The objectives. The proposed amendments aim to harmonise, clarify and simplify GDPR provisions, without affecting the core principles and requirements of the GDPR or undermining the high level of data protection. They would increase legal certainty and facilitate operators’ compliance, taking into account the need to support operators’ responsible use of personal data to boost economic growth and innovation and to maintain individual’s trust in and willingness to engage with digital technologies.

1.2.2.Simplification measures and impacts

1.2.2.1.The definition of personal data

The GDPR provides that personal data is any information relating to an “identified or identifiable” natural person (Article 4), having regard to the means reasonably likely to be used to identify the person. A person is considered to be identifiable where she or he can be identified directly or indirectly, having regard to the means reasonably likely to be used to identify the person. Stakeholders have indicated that there is a lack of clarity on when an individual is “indirectly identifiable”, and therefore whether the GDPR applies to certain data. This includes the situation where “pseudonymous” data are transmitted to a recipient. Taking into account the recent case-law of the Court of Justice of the European Union, the proposal clarifies that information is not to be considered personal data for a given entity where that entity does not have the means reasonably likely to be used to identify the natural person to whom the information relates. The proposal further clarifies that an entity for which the information is not personal data, in principle, does not fall within the scope of application of Regulation (EU) 2016/679, for the processing of that data. The proposed amendment would bring clarity to this GDPR key notion, also reflecting the recent case-law of the CJEU. It would increase legal certainty for operators in situations where pseudonymisation techniques are used and is also likely to encourage a broader uptake of techniques which protect the confidentiality of personal data and reduce the amount of personal data processed.

1.2.2.2.Mechanism to give greater legal clarity on anonymisation and pseudonymisation techniques

Uncertainty about GDPR-compliant anonymisation has been among the most pressing problems signalled by industry over the years. Companies would like to have more certainty about specific pseudonymisation techniques and criteria to be used for assessing risks of re-identification. 67  

To further support entities in their efforts to use pseudonymisation, the proposal puts forward a mechanism to further clarify the means and criteria to determine whether data resulting from pseudonymisation can be considered non-personal for certain entities. This will significantly increase legal clarity and certainty and reduce compliance burden, as companies will be able to use and rely on the implementation of such means and criteria as an element to demonstrate that data no longer constitutes personal data for them. This is especially true for innovative start-ups and SMEs that often do not have the resources to solicit expert legal advice. Using the means and criteria outlined in those implementing acts will, however, not release controllers from the ultimate responsibility to verify that data shared with other parties are non-personal or, where this is not the case, that the requirements under the GDPR are met. Considering that such assessments always come with a certain risk of an authority declaring the used technique non-compliant, the proposed amendment will seriously facilitate operations for businesses.

1.2.2.3.The processing of personal data for scientific research purposes

The research community has complained about the lack of clarity about conditions for GDPR-compliant scientific research despite the fact the GDPR affords specific status for such research by providing, for example, the possibility to rely on a broad consent and the presumption of compatibility for further processing.

Scientific advancement, strengthening the European technological basis, and encouraging the EU to become more competitive, including in its industry,  are objectives laid down in the EU’s Founding Treaties, in particular under Article 179(1) TFEU on achieving a European Research Area, in which researchers, scientific knowledge and technology circulate freely, while promoting all the research activities deemed necessary by virtue of other Chapters of the Treaties. Furthermore, Article 13 of the Charter of Fundamental Rights of the European Union provides that scientific research shall be free of constraint, and academic freedom shall be respected.

The proposed amendments would address the lack of clarity about the conditions for scientific research by providing a definition of scientific research (Article 4 GDPR), further clarifying that further processing for scientific purposes is compatible with the initial purpose of processing (Article 5(1)(b) GDPR), and by clarifying that scientific research constitutes a legitimate interest within the meaning of Article 6(1)(f) GDPR. It is also proposed to extend the exceptions from the information obligation for processing (Article 13), by stipulating that when the provision of information proves impossible or would involve a disproportionate effort or renders impossible or seriously impairs the achievement of the objectives of that processing, the controller does not need to provide the information. These changes would facilitate research and innovation in the Union.

1.2.2.4.The processing of personal data for the development and operation of AI

The proposal clarifies that the processing of personal data for the development and operation of AI models and systems may be carried out for purposes of a legitimate interest within the meaning of Article 6 of Regulation (EU) 2016/679, except where other Union or national laws explicitly require consent, such as requirements on gatekeepers designated under the Digital Markets Acts – notably Article 5(2) of Regulation (EU) 2022/1925. The proposed amendment would clarify when the controller may rely on Article 6(1)(f) GDPR to pursue a legitimate interest in the context of development and use of AI systems and models.

It also takes into account that the development of certain AI systems and AI models may involve the collection of large amounts of data, including personal data and special categories of personal data. Special categories of personal data may exist in the training, testing or validation data sets or be retained in the AI system or the AI model. In order not to disproportionately hinder the development and operation of AI and taking into account the capabilities of the controller to identify and remove special categories of data, the proposal introduces an exception from the prohibition on processing special categories of personal data for the development and operation of AI (Article 9 GDPR). The derogation should only apply where the controller does not aim to process special categories of personal data, but such data are nevertheless residually processed. The controller is still required to implement appropriate technical and organisational measures to avoid processing of special categories of personal data and is required to take such measures during the entire lifecycle of an AI system or AI model. It is required to remove such data once it is identified and to protect such data from being used to infer outputs, being disclosed or otherwise made available to third parties. The proposed amendment would clarify situations where it has previously been unclear whether such processing could be carried out in a lawful manner, in accordance with the requirements of Article 9(2) GDPR. It would therefore directly contribute to the objective to support innovation and develop European AI that is trustworthy and non-discriminatory, while maintaining a high level of data protection.

1.2.2.5.The exercise of the individual’s right of access

The GDPR provides individuals with the right to access their personal data (Article 15 GDPR). The right of access should allow the data subjects to be aware of, and to verify, the lawfulness of the processing and enable them to exercise their rights under the GDPR. In some cases, the right of access is used by data subjects in an abusive manner for purposes other than the protection of their personal data. This has frequently been raised as an issue for controllers who are required to dedicate significant resources to responding to abusive access requests. The abuse of the right would arise, for instance, where the data subject intends to cause the controller to refuse an access request in order to subsequently demand compensation, potentially under the threat of bringing a claim for damages. The proposal provides that, in such cases, the controller may refuse to comply with the request or may charge a reasonable fee. Moreover, controllers should bear a lower burden of proof to demonstrate that an access request was excessive. The proposed amendment would provide legal clarity to controllers on lawful options to handle situations where access requests are clearly abusive. This would allow controllers to allocate their resources more effectively and focus in a timely manner on genuine access requests and other requests contributing to the exercise of data subjects’ rights.  

1.2.2.6.Controller’s information requirements

The GDPR requires data controllers to provide the data subject with information on the processing of his or her personal data (Article 13). This information is typically provided in so-called privacy notices. Currently, the obligation to provide the required information does not apply where and insofar as the data subject already has the information. The proposal extends the derogation to situations where the processing is not likely to result in a high risk to the data subject, and where there are reasonable grounds to expect that the data subject already has the information. This would especially be the case when the relationship between the controller and the data subject is very clear and limited and the controller’s activity is not particularly data-intensive or high risk. Examples of this include the relationship between craftspersons and their clients, as well as the processing of personal data by associations and sport clubs to manage their membership, communicate with their members or to organise various activities. The proposed amendment would ease the information obligation in situations meeting this obligation would bring no genuine added value to data subjects and could therefore be considered unnecessary. The change would benefit in particular small operators, such as craftspersons and sport clubs, that carry out low-risk data processing to whom information obligations may cause disproportionate burden given that the processing of personal data is not their core activity.

1.2.2.7.Requirements for automated individual decision-making

The GDPR provides for rules governing the processing of personal data when the data controller makes decisions which have legal effects or similarly significant effects on the data subject, based solely on automated processing (Article 22). The provision clarifies the circumstances as to when decisions based solely on automated processing are permitted. In particular, it clarifies that when assessing whether a decision is necessary for entering into, or performance of, a contract between the data subject and a data controller, the assessment of “necessity” should not require that the decision could be taken only by solely automated processing. This means that the fact that the decision could also be taken by a human does not prevent the controller from taking the decision by solely automated processing. Some controllers have reported that this is a reason which has prevented them from applying Article 22. The proposed amendments would clarify this scenario and provide greater legal certainty to controllers regarding when they can lawfully make use of automated individual decision-making and what are the conditions for it. The grounds for using automated decision-making , as well as the current requirements on suitable measures to safeguard the data subject’s rights, including the right to obtain a human review, as well as on processing of special categories of personal data by automated means would remain unchanged.

1.2.2.8.Data breach notification to supervisory authorities

The GDPR requires data controllers to notify a personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33). It is proposed that this threshold is aligned with that for communicating a personal data breach to the data subject (Article 34), so that one uniform threshold, namely that of ‘high risk’, applies. In the case of a data breach that is not likely to result in a high risk to the rights and freedoms of natural persons, the controller is not required to notify the competent supervisory authority. It is also proposed that controllers use a single-entry point, to be established by amending Directive (EU) 2022/2555, when they notify data breaches to the supervisory authority 68 . In addition, it is proposed that the European Data Protection Board prepare a common template for notifying data breaches to the competent supervisory authority and a common list of circumstances in which a personal data breach is likely to result in a high risk to the rights and freedoms of a natural person. The proposed amendments would make it easier for controllers to notify a breach through a single channel, including in cases where a data breach is only one of the elements of a broader incident to be reported. They could also significantly reduce controllers’ administrative burden by not requiring them to notify data breaches which are likely to cause only a low risk to data subjects. Furthermore, they could alleviate the workload of data protection authorities, allowing them to concentrate their resources especially on high-risk data breaches. The changes would also harmonise at EU level the notion of “high risk” in the context of data breach notifications and thereby bring more clarity to controllers. 

1.2.2.9.Notion of high risk and the lists of processing activities requiring and not requiring data protection impact assessment

The GDPR requires controllers to conduct a data protection impact assessment where the processing of personal data is likely to result in a high risk to the rights and freedoms of a natural person (Article 35). Each supervisory authority is obliged to establish and make public a list of processing operations which require such impact assessment. In addition, the GDPR provides that supervisory authorities may establish and make public a list of the processing operations which do not require a data protection impact assessment. It is proposed that instead of national lists, a single list of processing operations be provided at EU level, introducing a common list throughout the EU and indirectly ensuring a common understanding of what constitutes “high-risk” processing throughout the EU. In addition, the publication of an EU-level list of the type of processing operations for which no data protection impact assessment is required would become mandatory. The lists of processing operations would be prepared by the Board and adopted by the Commission as an implementing act. It is also proposed that the Board is given the task to prepare a common template and a common methodology for conducting data protection impact assessments, to be adopted by the Commission as an implementing act. The proposed amendments would provide legal certainty to controllers by reducing fragmentation in the requirements of conducting a data protection impact assessment and clarifying the notion of “high risk”.

1.2.3.Estimated impacts

The proposed amendments would strengthen European competitiveness and support the uptake of new technologies. The changes would benefit operators that process personal data by simplifying GDPR rules and further harmonising their interpretation and application. This can be expected to bring operators direct regulatory gains through improved operational efficiency and risk mitigation as well as an improved environment for innovation and development. These gains would result in cost -savings, including through needing less time and resources to ensure GDPR-compliant data processing. While it is not possible to support these claims with precise figures, as explained above in section 1.2.1, the expected advantages can be described in qualitative terms, as done in section 1.2.2.

SMEs and other small operators would benefit from most or all of the proposed changes. For instance, greater clarity would be provided to SMEs as to when a data protection impact assessment is required and when it is not. The simplification of information requirements would greatly assist SMEs that are not engaging in data-intensive or high-risk processing activities, such as craftspersons, hairdressers or bakers, as they would be relieved of the requirement to prepare privacy notices. SMEs would also benefit from the change that low-risk data breaches do not need to be notified to the supervisory authority, reducing considerably their administrative burden. The proposed clarifications to the right of access would also reduce SMEs’ burden in situations where that right is used for purposes other than data protection. Previously, if this right was abused, a controller had little legal recourse to refuse to act on a request, even when replying to it required significant resources.

The proposed amendments to the GDPR would not negatively impact individuals’ fundamental rights, including their right to data protection. Instead, they would simplify requirements for low-risk processing, harmonise certain standards and clarify certain key GDPR concepts, which would allow controllers to better understand the requirements for the processing of personal data and could therefore lead to improved data protection. They would also allow controllers to implement more effective data protection policies and concentrate their resources towards more data-intensive or otherwise higher-risk activities for which the measures to protect personal data are most critical. Finally, by increasing legal certainty, the proposed changes would ensure a more harmonised application and enforcement of the GDPR, which would benefit also individuals.

Concerning the proposed amendments to the GDPR provisions directly concerning individuals’ data protection rights (Article 12 and 13), those changes would not affect the level of data protection provided, putting the individuals concerned at a disadvantage. The reduction of information requirements (Article 13) would only concern situations where the individual already has the information necessary to exercise his or her rights under the GDPR, based on the close relationship with the controller, and where the controller’s activity typically requires only limited processing of personal data with low risks – such as the processing of customer data by a craftsperson. In addition, individuals would be entitled to obtain additional information on the processing of their personal data through an access request based on Article 15 GDPR. Similarly, the proposed amendments to the conditions concerning the exercise of the right of access (Article 12) would not lower the level of data protection. Those clarifications are specifically designed to prevent the abuse of that right and they would not prevent individuals from exercising it for the purpose of protecting their personal data. In addition, in situations where an alleged abuse arises, it would be for the controller to prove that this is the case.

The proposed targeted amendments respond to specific concerns raised by stakeholders and Member States in the context of consultations referred to in the above sections.

1.3.Modernising the cookies policy: addressing consent fatigue and better alignment with data protection rules

Addressing the issue of cookie consent fatigue, caused by repetitive and often non-transparent cookie banners is long overdue. The Digital Omnibus proposes targeted amendments to address this and simplify users’ experience online, reducing the number of cookie banners that users are flooded with online. The proposal makes a targeted adjustment in the ePrivacy Directive, to allow for a more developed regulatory framework set under the GDPR to appropriately address the issue.

The withdrawal of the proposal for an ePrivacy Regulation leaves the current rules dating from 2009 on storing of and access to information stored on a device (“terminal equipment”), including by means of cookies or similar technologies in place. These rules require users’ or subscribers’ consent, except for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or when strictly necessary in order to provide an information society service explicitly requested by the subscriber or user. 69  These rules do not only cause a substantial burden for businesses, but have also caused “cookie consent fatigue” amongst users who are solicited with numerous cookie banners in their daily interactions online. The design of those banners, the presentation of the information and the frequency in which the banners are displayed often make it hard if not impossible for individuals to understand what will happen to their data. This hampers their ability to make a real choice over the use of their personal data. To address this, the proposal aims to closer align the rules for accessing personal data by placing cookies or similar technologies on terminal equipment with those of the GDPR, while maintaining the consent requirement as a rule. The package brings forward measures to  ensure that individuals stay in control over their data including by centrally setting their preferences, for example via a browser. This is done via a targeted amendment, relying on the strong protection standard of the GDPR.

1.3.1.Analysis of the problems and opportunities

The rules. The ePrivacy Directive (Directive 2002/58/EC) sets out a framework for privacy in the digital age, and more specifically for the confidentiality of communications and the protection of access to terminal equipment to protect the right to privacy of users. In this context, Article 5(3) ePrivacy Directive establishes rules on storing of information and the gaining of access to information already stored in the terminal equipment, including by use of cookies and similar technologies. The aim of the provision is to protect users’ devices (“terminal equipment”) and to protect any information (personal or non-personal data) stored on or accessed from the user’s device. As a general rule, Article 5(3) requires (i) clear and comprehensive information on and (ii) consent for storing information on or accessing stored information on the user's devices. While exemptions to this general consent requirement exist (e.g. no consent is needed for cookies that are strictly necessary to provide the service requested by the user or that are technically necessary for the provision of the service), consent of the user is necessary in most cases. These rules date from the early 2000s, were amended in 2009, and are a lex specialis to the GDPR when personal data is being processed. Article 5(3) only regulates access to the information (based on consent in most cases) on the user’s device (‘terminal equipment’), while processing of personal data obtained are governed by the GDPR (in line with Article 6 GDPR).

The main issues. Today, the rules on cookies laid out by the ePrivacy Directive are outdated and inadequate for contemporary privacy and data needs. To obtain the user’s consent, many entities currently use cookie banners to comply with the consent requirement. The design of these banners and their wide-spread use cause nuisance known as ‘consent fatigue’ among users.

From a privacy and data protection point of view, the design and presentation of the information on the banners is complex. Users are often overwhelmed with information and asked to give consent for a multitude of processing purposes, often lacking transparency and real control over what will be done with their data. According to industry studies, this leads to users feeling overwhelmed or bothered (“consent fatigue”) often randomly either accepting (54%) or rejecting (26% 70 ) all cookies, in order to access the content they would like to see, without making an informed decision, mindlessly accepting without proper consideration, thereby undermining the intended protection. Consumers generally do not feel fully in control of the online content they are shown and the decisions they make online. 71  In addition, the controllers often continue relying on consent for the subsequent processing of information collected via cookies even if that is not the most appropriate legal basis for processing under the GDPR.

Moreover, the effectiveness of the current regime is questionable. In a 2022 evaluation of the Directive, only 3 out of 30 competent authorities indicated that Art 5(3) functions "well", most (13/30) assessed it as "fair", and 3/30 as "poor". 72 In addition, enforcement of Article 5(3) ePrivacy Directive and the applicable GDPR provisions may be subject to different national authorities depending on the transposition by Member States. This leads to uncertainty and diverging practices across Member States but also between the different authorities within a Member State. Also on the business side, 62% stated that Article 5(3) ePrivacy Directive was a problem. 73 The consent requirement for placing or accessing information on terminal devices is seen as overly rigid, covering even non-intrusive practices such as creating statistics about the use of websites and mobile applications, audience measurement, preserving the security of the device or the offered service.

Most respondents to the Data Union Strategy consultation view the ePrivacy Directive as outdated and in urgent need of reform: around 45% of 101 respondents do not think that the current ePrivacy rules provide a good balance and reflect well the technical situation as regards processing of data on IoT devices in professional/industrial use, as opposed to only 11% who said this is the case; one respondent noted that in their sector, 60% of data is lost due to rules designed for a very different technological context.

In a dedicated ‘reality check’ focus group with stakeholders on the cookie framework of Art. 5(3) ePrivacy Directive 74 , several of the participating stakeholders held that requiring consent in all cases as currently mandated was too rigid. Stakeholders also report that the current regime does not give incentives to use privacy-enhancing technologies as mitigation measures, for instance apply pseudonymisation or use secure processing environments. Since consent is always required this creates an incentive to collect consent also for intrusive processing purposes (e.g. location data not necessary for the service provided) as such data may be further monetized.

Finally, different interpretations and fragmentation of the enforcement of these rules across Member States which result from the current status as a Directive pose challenges to harmonised enforcement and accountability of non-compliant actors, ultimately hampering the strong protection of citizens. This includes the fact that in some Member States, data protection authorities are competent to enforce the rules, while in other Member States other supervisory authorities have been designated to enforce the rules of the ePrivacy Directive, often leading to diverging interpretations. A majority of businesses consulted reiterate these concerns about fragmented enforcement, and call for greater harmonisation to increase legal certainty.

While civil society organisations and consumer protection organisations underline that the current regime is necessary to protect users, they also see problems with how businesses ask users for consent. According to the representatives, cookie pop-up banners are complex by design, making it difficult for users to understand what will happen to their data. They claim that a majority of users do not want to be tracked.

Costs for businesses. Implementation and compliance with the current rule can be costly. The cost for businesses to set up cookie banners vary depending on the solutions the entity opts for. In 2014, at the time of evaluation and impact assessment to review the Directive, average compliance costs were estimated around EUR 900 per website (including the costs associated with legal advice, updates to privacy policies, and technical updates to websites). 75 Considering an average inflation rate of 2% per year from 2014-2025, we can estimate an average cost of EUR 1,200 per website over the lifespan of three years 76 , resulting in yearly costs of EUR 400. During the ’reality check’ focus group on Art. 5(3) ePrivacy Directive, one business association reported that the average yearly cost of maintaining a cookie banner for a middle-sized publisher amounts to EUR 100,000–500,000. Another stakeholder from the e-commerce industry estimated that it incurred yearly personnel costs of around EUR 2.0 million to comply with ePrivacy rules (not only focusing on Article 5(3)). The estimates of costs reported by SMEs in a dedicated SME panel conducted by the Commission 77 indicated yearly costs between EUR 100 to EUR 2,000 per year.

Taken together, this data would lead to confirm the EUR 400 as an average annual cost estimate. Assuming a total of 10 million active websites in the Union and estimating that about 41% display a cookie banner 78 , the estimate cost over a year amounts to EUR 1.64 billion - and 4.92 billion over a period of 3 years.

An indication of scale: productivity estimates. Out of the total EU population of 450.4 million 79 , roughly 75% use the internet to find information about goods and services 80 and thus visit websites. Assuming that an average user visits 100 websites a month 81 of which 85% use cookie banners 82 , spending an average of 3,5 seconds 83 per banner, this would result in approximately 334 million hours spent on cookie banners per year. Considering the average hourly wage across the EU 84 , this equates to costs of roughly EUR 11.2 billion per year. This value of lost productivity time would apply if internet users would browse websites predominantly for professional reasons and during working hours. However, as people visit websites mostly during their free time, such loss of productivity needs to adjust the value to the monetary value that individuals can award to leisure time. Calculating that value is not impossible and done notably when calculating the value of investments in transport systems, e.g. to calculate what the monetary value cutting commuters’ travel time would have. Depending on a range of factors (reason for travel, mode of transport), transport planning departments allocate between 30% and 70% of after-tax wage as the monetary value of leisure time 85 . That suggests that the gained value is in the order of EUR 3.36 billion to EUR 5.6 billion.

The objectives. Addressing the challenges identified for citizens and businesses alike, the framework governing the accessing and storing of personal data on a user’s device should be placed under the strong protection framework of the GDPR. This reform shall ensure one single protection framework, for situations where personal data are being processed. This will not only lower costs for businesses via the reduction of cookie banners. It will also significantly simplify and enhance the experience of citizens online while continuing to offer the highest levels of protection for their personal data. In particular, users’ rights to exercise their data protection rights and expressing their choices online are strengthened.

1.3.2.Simplification measures and impacts

1.3.2.1.Consent fatigue and cumbersome cookie banners

To address the growing problem of consent fatigue and ineffective cookie banners, and as a first step to modernizing the current ePrivacy framework, the Commission proposes to update the rules on storing information or on gaining access to information stored on devices (“terminal equipment”). The latter is designed to regulate amongst others the use of cookies and other similar technologies, therefore often referred to as the ‘cookie Article’.

The proposal seeks to reduce the number of cookie consent banners by reducing the cases where consent will need to be obtained. The reform proposal moves the protection under the General Data Protection Regulation (‘GDPR’) and maintains the consent requirement as a rule when accessing a natural person’s device.

In addition, the proposal will clarify that accessing the device and processing of personal data from connected devices which is necessary for certain specific low-risk purposes is considered lawful: carrying out the transmission of an electronic communication over an electronic communications network, provision of service, audience measurement when carried out by a media service provider under data protection safeguards, creating website and application usage statistics, and maintaining or restoring the security of the provided service.

1.3.2.2.Express choices with one click

In order to enhance user control over their data and device, and to avoid the usage of “dark patterns”, i.e. artificially driving up consent rates by using manipulative or misleading cookie banner designs, a requirement is introduced that it must be possible for the user to give or refuse consent to processing via a single-click button whenever consent is used as a legal basis. Moreover, when the user has made a choice to give or refuse consent, the proposal requires the controller to respect this choice and, in case of refusal, prohibits asking the user again for a period of 6 months.

The Impact Assessment for the ePrivacy Regulation proposal already found that citizens do not have time to read long and complex privacy statements and find it difficult to understand what their consent implies. 86  Ideas to allow internet users to set their cookie consent preferences go back to the 2009 amendment to the ePrivacy Directive (cf. Recital 66 of Directive 2009/136/EC), are reflected in Article 21(5) of the GDPR as well as in the 2017 proposal of the Commission on a Regulation on Privacy and Electronic Communications (COM(2017)10). The proposal creates an obligation on controllers to respect the machine-readable expression of consent preferences via their online interfaces.

1.3.2.3.Standards for machine-readable preferences

Controllers would be obliged to respect the preferences of data subject set in an automated and machine-readable manner communicated via their online interfaces, i.e. web browsers or a mobile application 87 . The legal obligation should be accompanied by the development of standards, to ensure that the obligation can be easily met, and that the rigor of the GDPR requirements is carefully included by design in the technological solutions that will be developed. This is necessary to ensure that both website or app providers and the providers of the service used to set the preference signal can rely on a ‘common vocabulary’ of processing purposes and use the same technical specifications.

The obligation for controllers to accept centrally set machine-readable preferences does not apply to the providers of media services. This exemption is justified by the important role of media services providers in guaranteeing a plurality of opinions and safeguarding freedom of speech, both being central pillars of any liberal, democratic society. They need to maintain the possibility to individually ask each user of their services for consent to process their personal data, ensuring that users of media services are fully informed of the use of data in the advertising practices that are necessary for the provision of the media services.

1.3.2.4.Browsers signals

Given the pivotal role of web browsers in the users’ navigation online, they can play an important role in supporting data subjects to set cookie consent preferences in accordance with the standards to be developed and to communicate, in a machine-readable manner, to websites the machine-readable expression of cookie consent preferences, colloquially also known as the ‘browser signal’.

1.3.3.Estimated impacts

While the proposed amendments will not lead to the complete disappearance of cookie banners, it is expected that they will significantly reduce and simplify their use.

Since the proposal will lay down that processing of personal data from the device will be lawful for certain specific low-risk purposes, there will be less instances in which providers of websites and mobile applications will have to rely on consent. For an estimated 60% of used cookies 88 , consent will not be required any longer. For providers of websites that do not use cookies based on consent, the cost of EUR 1,200 per website will be saved over the three-year life span of the website, thus resulting in significant reduction of burden.

As an example, for savings generated through such a measure for public sector websites, an approximate of EUR 320.2 million could be saved through the proposed amendments 89 . 

Assuming that the new measures will result in 50% of European private sector websites and 80% of public sector websites 90 no longer relying on consent and using cookie banners, and taking the estimates presented in the previous section, this would result in overall savings of EUR 2.4 billion 91 across the EU for a three year life span of websites, and more than EUR 800 million per year. The assumptions for the calculations are laid out in Table 6 below.

The proposed whitelist for purposes that will be considered to lawful will significantly reduce burden, especially for SMEs. The SME Panel consultation carried out by Commission services in September-October 2025 showed that 40% of responding SMEs primarily rely on cookies to create website statistics 92 . Companies relying on the whitelist will benefit from additional clarity and reduced burden, since they can rely on those grounds directly. The whitelisted grounds are very restricted and represent purposes of low-risk to the rights and freedoms of individuals’ purposes.

Where cookies requiring consent are used, cookie banners can be designed in a less complex way. This not only helps users better understand the implications of their consent and can result in less cognitive burden for users to understand the information provided. It also contributes to cost reduction for businesses, including maintenance cost when adding new functions requiring cookies.

As concerns European productivity cost, judging from a conservative point of view, the cost will be decreased since i) less cookie banners will be used on the market, ii) cookie banners will be more transparent and less complex demanding less time from users to understand and make their choices; iii) users’ choices will need to be respected for a certain time, prohibiting the repeated request for consent, and iv) users will be able to set cookie preferences centrally.

In a 2016 survey, 60% of EU citizens said that they have changed their privacy settings of their internet browser 93 . We assume that those users would also make use of centralised browser settings to set cookie preferences, amounting to approximately 200 million users. Given that these would not need to read and interact with cookie banners anymore, it would lead to reducing time spend interacting with cookie banners by 198 million hours per year, thus saving – when adjusting with leisure value of 30% - the equivalent of EUR 500 million per year. 94

Table 6: Estimated cost savings from the changes made to the cookies regime

1.3.4.Preserving the objectives of the rules and other impacts

The proposed reform represents a targeted amendment to the current framework and will place the conditions of accessing devices that lead to the processing of personal data under the strong protection framework of the GDPR. It maintains the protection of devices (“terminal equipment”), only allowing access with the consent of the user in principle and the added whitelisted purposes to ensure legal certainty. This approach ensures that the legal framework continues to offer the highest levels of protection for personal data, while simplifying the experiences of data subjects in exerting their rights and expressing their choices online.

The proposal also foresees measures to strengthen users’ privacy and control. The status quo in the application of the rules is ineffective: the complex design and confusing layers of decision implemented make it hard for data subjects to take full control over their choices in accepting or rejecting cookies and subsequent processing of their personal data. The proposed rules seek to simplify and streamline the decision steps precisely to allow data subjects to make genuine choices and benefit from all the protections the rules have in place.

Giving users the possibility to set their cookie preferences centrally coupled with the obligation for providers of online interfaces to accept such signals would further strengthen users’ rights and offer a real choice and increased autonomy to decide what can be done with their data. In fact, since most consumers (76%) want to be able to choose how much data devices can collect 98 , this amendment would place the user at the centre, allowing them to make modern choices with modern tools and respond to such demands by consumers.

The proposed amendment will bring relief to users who will no longer be exposed to a large number of pop-up banners when visiting websites. Second, the proposal protects citizens from repetitive pop-up banners, providing that a choice made will need to be respected during a time period of six months. This will reduce nuisance for citizens, especially on websites that they visit on a regular basis.

The proposal further addresses the issue that some entities make cookie pop-up banners complex and hard to understand by design. The single click requirement will render pop-up banners easier to navigate where they are being used for consent. This will reduce nuisance created by having to click on multiple buttons to refuse or accept all choices.

The reform does not touch upon the high level of protection of citizens. The consent requirement is maintained as a general rule for accessing the device. The proposed amendments do not affect the protection of citizens against the illegal use of spyware, since the rules of the GDPR including its strong safeguards against such activities continue to apply. Furthermore, users remain protected against placing of malware on their devices under the rules of the ePrivacy Directive. The protection of the interests of legal persons under Article 5(3) continues to apply equally.

Moreover, moving the current rules from a Directive to a Regulation will further help to decrease fragmentation across Member States and will thus help to provide more legal clarity to businesses operating in the Union. Finally, the proposed amendments will also place the enforcement under the supervision of national data protection authorities. This will support a more uniform and consistent interpretation and enforcement, providing more certainty and clarity to entities.

All in all, the proposed amendments will contribute and strengthen the policy goal of guaranteeing a strong legal framework, for users and society as a whole. They preserve the right to privacy as well as the right to data protection enshrined under the Charter, while also taking into consideration the needs of businesses.

2.Incident reporting

The Digital Omnibus will introduce a single-entry point (SEP) through which entities can simultaneously fulfil their incident reporting obligations under multiple legal acts. Through fostering a “report once, share many” principle, the single-entry point will reduce administrative burdens for entities, while ensuring effective and secure flow of information about security incidents to the recipients defined in the respective legislation.

Under the current EU cybersecurity regulatory framework, the same event may lead to multiple incident reporting obligations for different purposes. For example, a mid-sized company facing a ransomware attack that disrupts services and extorts customers’ personal data may have to report the same incident with separate forms and procedures stemming from several legal acts. This may include reporting to one or more competent authorities or Computer Security Incident Response Teams (CSIRTs) under the NIS2 Directive 99 , as well as reporting to sectorial authorities under sectorial legislation (for example Digital Operational Resilience Act (DORA 100 ), Electricity Network Code on Cybersecurity (NCCS 101 ), aviation security and safety rules 102 ). In particular, companies that provide multiple services face various cybersecurity-related obligations under horizontal instruments such as the NIS2 Directive and – with regard to personal data breaches - the GDPR 103 , as well as abovementioned sectorial legislation. Moreover, an incident may trigger reporting obligations related to cybersecurity and physical security, notably under the CER Directive 104 . The resulting incident reports often have to be sent to different authorities across various Member States, as well as to different authorities within the same Member State, using different formats.

2.1.Analysis of the problems and opportunities

The rules and main issues. Multiple EU legal instruments contain reporting requirements for incidents relevant to cybersecurity. The NIS2 Directive serves as a horizontal framework for regulating the cybersecurity of essential and important entities in 18 critical sectors, including by setting an obligation to report significant incidents to the CSIRT or, as applicable, to the competent authority under NIS2. The Directive has several interlinkages with the CER Directive, which sets out obligations for critical entities in 11 sectors 105 regarding their resilience. In particular, the NIS2 Directive applies to all entities that are identified as critical entities under the CER Directive. Regarding incident reporting, the CER Directive requires critical entities to notify to the CER competent authority incidents that significantly disrupt or have the potential to significantly disrupt the provision of essential services. Under the GDPR, controllers are required to notify personal data breaches to the competent supervisory authority under GDPR. The Cyber Resilience Act 106  (CRA) sets out rules for the cybersecurity of products with digital elements in the internal market, including notification obligations. For example, the CRA requires manufacturers to notify any actively exploited vulnerability contained in the product with digital elements that it becomes aware of, as well as to notify any severe incident having an impact on the security of the product with digital elements. Each of these notifications are to be made to the CSIRT designated as coordinator and are made available simultaneously to the European Union Agency for Cybersecurity (ENISA). The CRA requires ENISA to establish a single reporting platform, which is, among other types of notifications, used for the purposes of the abovementioned notifications.

The EU Digital Identity Regulation 107  sets reporting requirements for different types of actors, including trust service providers (TSPs) and qualified trust service providers (QTSPs). For example, under the Regulation, non-qualified TSPs and QTSPs are obliged to notify security breaches or disruptions in the provision of the service.

In addition to the abovementioned instruments, certain pieces of EU acquis set out cybersecurity-related reporting requirements for entities active in particular sectors. The DORA requires financial entities to report major ICT-related incidents to the relevant competent authority under DORA. Moreover, the relevant requirements also apply to operational or security payment-related incidents and to major operational or security payment-related incidents, where they concern credit institutions, payment institutions, account information service providers, and electronic money institutions. Although DORA is lex specialis to the NIS2 Directive, incidents reportable under DORA are also often reportable under other Union legal acts such as NIS2 or the GDPR. 108  

In the electricity sector, the NCCS requires critical-impact and high-impact entities to share relevant information related to a reportable cyber-attack with its CSIRTs and its competent authority. Regarding the aviation sector, the Commission Implementing Regulation (EU) 2023/203 and Commission Delegated Regulation (EU) 2022/1645 set requirements for certain types of organisations to report to the competent authority any information security incident or vulnerability which may represent a significant risk to aviation safety.

As regards providers of publicly available electronic communications services, the ePrivacy Directive 109  sets reporting requirements in case of a particular risk of a breach of the security of the network, and in case of a personal data breach 110 . Besides the obligation to notify incidents under different legal instruments, it should be noted that there are partial overlaps in the content of information to be notified to relevant authorities under those instruments. The contents of incident reports are defined through different means depending on the legal act.

For example, for DORA, incident reporting templates are defined in a Commission Implementing Regulation 111 , while for NIS2, the Commission has an empowerment to adopt implementing acts to further specify the type of information, the format and the procedure of notification 112 . Under legal acts including the GDPR 113 , CER 114 , the legal act mandates certain contents for the incident notification, although an EU-wide template has not been defined. The abovementioned legal acts, using varying terminologies and criteria, require entities to notify information related to aspects such as an overall description or assessment of the incident, the cause of the incident, the severity and impact of the incident, and mitigating measures that the entity has taken to address the incident. The Digital Omnibus provides a basis for creating common EU-wide reporting templates for CER and for the GDPR. However, as regards instruments which take the form of delegated and implementing acts such as NCCS and relevant instruments for the aviation sector, separate amendments of the respective acts would be needed in order to create common reporting templates for incidents notified under those acts, and for ensuring the use of the single-entry point for those acts.

In addition to the Digital Omnibus, the upcoming revision of the Cybersecurity Act will contribute to streamlining the EU cybersecurity legislative framework. While the Digital Omnibus will introduce a single-entry point for incident notifications, the Cybersecurity Act will address other areas with simplification potential. Coherent implementation of the Digital Omnibus and the simplification-related provisions of the Cybersecurity Act will contribute to reducing administrative burden for entities, while guaranteeing a high level of cybersecurity in the Union.

The objectives. Cutting duplicate costs for entities that need to report the same incident under multiple frameworks and tackling underreporting. Furthermore, it provides a basis for further streamlining the contents of incident reports by enabling the definition of EU-wide reporting templates for CER and for GDPR, and by ensuring the adoption of common templates for the NIS2 Directive. By doing so, the Digital Omnibus will streamline the notification of incident information to the recipients defined in respective Union legal acts.

2.2.Simplification measures and impacts

The measures. The Digital Omnibus Regulation will simplify entities’ compliance with their incident reporting obligations by providing for a single-entry point for incident notifications. The single-entry point will be managed by ENISA, and will serve as a gateway, that channels and delivers to the competent authorities notifications of certain types of incidents under the NIS2 Directive, DORA, CER Directive, NCCS, relevant aviation acquis, GDPR and the EU Digital Identity Regulation. The introduction of the single-entry point does not modify the addressees of incident reports defined under the respective legal acts, nor does it change the substance of the reporting obligations. While ENISA maintains the single-entry point, the introduction of the SEP thereby does not amount to adding ENISA as a recipient of the reported information as the SEP will not be a data processing platform, Moreover, the SEP will simplify reporting obligations without deregulating and thereby maintain a high level of cybersecurity.

To guarantee secure treatment of sensitive data arising from incident reporting, ENISA will define specifications on the technical, operational and organisational measures regarding the establishment, maintenance and secure operation of the single-entry point. The single-entry point will be interoperable and compatible with European Business Wallets, which will further facilitate the use of the single-entry point by entities. Furthermore, the single-entry point will reduce the administrative burden for entities arising from incident reporting by ensuring that a single notification submitted via the single-entry point can be used to fulfil reporting obligations under several Union legal acts. This will be facilitated by the inter-operability with other platforms and databases.

The legislation concerned by the SEP sets reporting obligations for some of the most critical infrastructure of Member States, which calls for advanced security guarantees and risk management measures. Building on the expertise of ENISA and the experience with the CRA single reporting platform, these measures would include a secure-by-design approach as well as pre-deployment and post-deployment penetration testing of the platform and the conditioning of the implementation of the SEP on successful piloting and testing.

The single-entry point should ensure that information notified by an entity under one legal act contributes towards fulfilling the entity’s reporting obligations under any of the legal acts which provide for reporting via the single-entry point. Furthermore, in the longer term, the introduction of the single-entry point may facilitate identifying possibilities for convergence between the contents of incident reports under different legal acts. Where the contents of incident reports are defined in legally binding acts, modifications of the reporting obligations would be subject to amendment of the respective legal acts.

The Digital Omnibus will streamline the implementation of the NIS2 Directive by requiring the Commission to adopt implementing acts that specify the type of information, the format and the procedure of incident notifications. These implementing acts will reduce complexity in the regulatory framework, in particular by ensuring that the same information is required as part of NIS2 incident notifications in all Member States.

Moreover, the Digital Omnibus will repeal Article 4 of the ePrivacy Directive. Whereas the Article sets requirements for providers of publicly available electronic communications services as regards safeguarding the security of their services and notification requirements, the NIS2 Directive provides for requirements as regards cybersecurity risk-management measures and incident reporting for those providers. Therefore, the repeal will reduce overlapping obligations for entities in the electronic communications sector.

The benefits. Considering the multiple reporting requirements arising from the abovementioned EU acquis, establishing a single-entry point for incident notifications represents an opportunity to reduce administrative burden for entities falling in scope of these obligations. The single-entry point streamlines the implementation of relevant legislation, thereby facilitating entities’ compliance with their reporting obligations. Furthermore, it is expected to bring savings for Member State authorities by reducing administrative overheads related to establishing, maintaining and operating separate reporting platforms for different legal acts.

The single-entry point is expected to be particularly beneficial for operators that are active in multiple Member States and in multiple economic sectors. According to one study, 82% of surveyed entities reported that they have to notify more than one authority in case of a cybersecurity incident, with 21% of respondents stating that they had to notify 5 authorities. 116 For instance, in the case of an incident on a financial institution providing managed security services and for which the incident involved the breach of personal data, the stakeholder would potentially need to notify the competent authorities under DORA, NIS2, CER and GDPR. If this concerns a group stakeholder of entities subject to the jurisdiction of several Member States, this would entail the multiplication of reporting for the group as a whole. In such a case where all authorities are notified through separate means, a single-entry point for reporting would consequently be able to reduce the reporting effort by at least 50% for a large majority of entities - insofar as they would only notify once instead of (at least) twice for the same incident, while for one fifth of entities, the single-entry point could reduce reporting burden by 66-80%, as they would reduce from at least 3-5 notifications to a single one.

Operators that are subject to multiple Union legal acts are particularly likely to report incidents to multiple authorities, resulting in a multiplication of reporting burden in cases where the same incident is reported through different channels. In the case of operators that are active in multiple Member States, an incident that spreads across different entities in the same group may additionally result in multiple incident reporting obligations under the same legal act, such as the NIS2 Directive or GDPR as per the EDPB’s Guidelines 117 . As another example, under the NIS2 Directive, providers of public electronic communications networks and providers of publicly available electronic communications services fall under the jurisdiction of all Member States in which they provide their services, including as regards incident reporting obligations under the Directive. More broadly, the single-entry point would particularly benefit SMEs, which often lack administrative capacity to navigate multiple reporting regimes. In such cases, reporting duties usually fall under the responsibilities of incident response teams, and the time spent on several notifications represents an opportunity cost in terms of the effectiveness of incident management.

All in all, the presence of multiple reporting platforms, which in the context of many legal acts are replicated at national level in each Member State, and require providing comparable information via multiple templates, represents untapped potential for savings.

2.3.Estimated impacts

The establishment of a single-entry point for reporting would result in significant savings for entities subject to incident reporting requirements under the relevant Union legal acts and for Member States.

Costs for developing the single-entry point. Notifying incidents via single-entry points is recognised as a potential means to decrease the administrative burden for entities 118 , and contributes to reducing the number of reporting platforms that must be maintained by relevant national authorities. However, if single-entry points for each Member State are developed at the national level, the cost could range from EUR 150,000–200,000 and up to EUR 1.3–1.5 million 119  per Member State to achieve EU-wide coverage. With a moderate estimate of an average cost of EUR 550,000 per Member State, the total cost of development of national single-entry points across the Union would reach EUR 15,000,000. Wherever no national platform is yet in place, a single-entry point at the EU level is expected to bring savings by reducing administrative overheads related to establishing, maintaining and operating separate reporting platforms for different legal acts. The additional costs foreseen to operate and maintain the single-entry points would be estimated to equal to 2–4 FTEs per Member State. Overall, these costs reflect the additional complexity of mandating national incident single-entry points and legislative revisions. Therefore, even the establishment of national single-entry points, which should be seen as a cost-reducing measure, would result in higher costs than putting in place a European-wide single-entry point.

At an EU level, the estimated initial cost for the development of the single-entry point is EUR 6 million, while maintaining the single-entry point would require 8 FTEs within ENISA 120 . The cost of onboarding each additional legal act into the single-entry point is estimated at EUR 500,000. Compared to the implementation of national single-entry points within each Member State, the overall implementation cost of a single-entry point at the EU level would be significantly lower, as only one centralised single-entry point would be developed and maintained at EU level.

Cost savings from streamlined reporting though the single-entry point. According to one study 121 , 40% of the more than 4,000 surveyed organisations active in European markets face at least one incident annually. 44% of those experience more than 4 incidents, resulting in a weighted average of 1.18 incidents per entity per year. Assuming that the full process of reporting one incident takes 12 hours of staff time 122 , the staff costs for incident reporting would be approximately EUR 440 123 . This estimate can be taken as comparatively conservative, since it omits the costs of other associated internal compliance processes to report an incident, such as in-house IT tools or external legal support on how to comply with different regulatory authorities. In an SME Panel consultation run by the Commission in September-October 2025 124 , responding SMEs estimated that the overall cost of reporting an incident could range between EUR 500 and EUR 35,000 (when taking into account additional implied costs), depending on the nature of the incident and on the company profile. However, when directly asked about the costs of incident reporting, stakeholders consulted as part of the ‘reality check’ carried out on 2 October 2025 raised the different expenses associated with the aforementioned aspects of incident reporting, but were unable to produce a quantified estimation.

At the same time, it is estimated that at least 160,000 entities are regulated under NIS2 125 , while approximately 1 million entities meet the definition of data controller under the GDPR and are established or operating in more than one Member State 126 . Consequently, assuming that all entities under the NIS2, DORA and CER are also data controllers, at least 160,000 entities fall under the scope of multiple legal acts covered by the single-entry point, while even a larger number of entities would benefit from easier cross-border reporting of incidents.

Provided each of these entities faces 1.18 incidents per year, on the basis of the forementioned study, it can thereby be extrapolated that the total cost for entities arising from reporting each of the incidents faced is EUR 83,072,000 per year. With the estimate that the single-entry point can reduce the costs by 50% as described in the previous section, it would therefore result in approximately EUR 41.5 million of savings each year. This figure represents a conservative estimate that does not account for additional savings from simplification of reporting under the GDPR.

Although estimates suggest that incidents are common, under-reporting of incidents has long been recognised as an issue hindering the successful implementation of the EU cybersecurity framework 127 . According to the 2024 incident reporting data on the CIRAS (Cybersecurity Incident Reporting and Analysis System) platform 128 managed by ENISA, a total of 1 340 cybersecurity incident reports were collected. With the estimated cost of EUR 440 for reporting an incident, the cost involved in reporting these incidents would amount to EUR 589,600, while savings of 50% arising from simplified means of incident reporting would total EUR 294,800 per year. However, as the overall number of incidents occurring in the EU is estimated as larger, with full reporting of relevant incidents, the savings arising from the single-entry point should be assessed as higher than EUR 294 800 per year 129 . By its induced simplicity for stakeholders, the single entry-point is expected to further incentivise the reporting of incidents.

The below Table 7 presents the overview estimated savings, based on the outlined explanations and taking into consideration the ongoing transposition of the NIS2 directive by Member States as well as the scarcity of quantified empirical data available on the number and cost of incidents under the relevant legislations.

Table 7: Estimated cost savings for the introduction of a Single-Entry Point

2.4.Preserving the objectives of the rules and other impacts

The proposed measures will fully preserve the rights and competences of the authorities empowered by the respective legal framework to receive incident reports channelled through the single-entry point.

Moreover, the system will support a more effective application of the underlying reporting obligations. Complex reporting requirements and limited awareness are among the perceived drivers for underreporting of cybersecurity incidents 137 . A single-entry point for incident notifications would contribute to addressing these issues, thereby incentivising more comprehensive reporting of incidents. In turn, receiving a larger number of incident reports enables the recipients of the reports to gain a fuller and more accurate picture of the landscape of incidents, which enables better drawing of lessons from incidents. Over time, the process is expected to result in increased cyber resilience of the critical sectors concerned, thereby enhancing Europe’s security 138 . Furthermore, as a larger number of incidents are reported through a single-entry point, cost savings arising from simpler incident reporting vis-à-vis separate entry points will increase.

Establishing the single-entry point also contributes to the digital-by-default principle by ensuring a fully digitised solution for reporting incidents under the relevant Union legal acts. Interoperability of the single-entry point with the European Business Wallets will contribute to digitalisation by providing one use case for the Business Wallets, thereby incentivising the uptake of the Business Wallets. More broadly, the single-entry point contributes to the interoperability of ICT systems used by Member State authorities by ensuring that information notified through the single-entry point is channelled to the recipients defined in the relevant Union legal acts.

The single-entry point will support the protection of fundamental rights as regards the right to the protection of personal data. By providing streamlined means for reporting incidents that, in many cases, involve breaches of personal data, the single-entry point will increase the speed and consistency of response to such breaches.

The single-entry point also has a limited positive impact on the environment. Consolidating incident reporting into a single-entry point is expected to save energy consumption compared to separate incident reporting entry points operated at the level of Member States for various Union legal acts.

ENISA will be mandated to establish and maintain the Single-Entry Point and ensure its security, proper functioning, reliability, integrity and confidentiality. It should pilot the functioning and consult the Commission and the relevant Member State authorities prior to enabling the reporting under any legal act.

3.Targeted amendments to the Artificial Intelligence Act

The Commission is committed to a clear, simple and innovation-friendly implementation of the AI Act, as set out in the AI Continent Action Plan  139 and the Apply AI Strategy  140 . Initiatives such as the launch of the AI Act Service Desk  141 and the preparation of guidelines and other support tools build clarity regarding the applicable rules and support their application. The Commission will continue these efforts and is preparing further guidelines. The commitment to a successful implementation also includes building on the lessons learned during the progressive roll-out of the AI Act and continuously stepping up efforts to facilitate a smooth application. In this regard, the Commission has identified implementation challenges that jeopardise the AI Act’s successful and innovation-friendly general entry into application on 2 August 2026. These challenges should be addressed through legislative amendments.

3.1.Analysis of the problems and opportunities

The rules. The AI Act, which entered into force on 1 August 2024, creates a single market and harmonised rules for trustworthy and human-centric AI in the EU. It aims to promote innovation and uptake of AI, while also ensuring a high level of protection of health, safety and fundamental rights, including democracy and the rule of law. The AI Act’s entry into application occurs in stages, with all rules entering into application until 2 August 2027.

The rules for high-risk AI systems are the most comprehensive body of rules in the AI Act and will apply as of 2 August 2026 or 2 August 2027. High-risk AI systems must be developed to meet requirements in relation to data and data governance; documentation and record keeping; transparency and provision of information to users; human oversight; robustness; accuracy and security. Providers of high-risk AI systems have to ensure that the systems comply with these requirements and must themselves comply with certain obligations. They must in particular carry out a conformity assessment of the high-risk AI system before it is being placed on the market or put into service. Standardisation should play a key role in the provision of technical solutions to providers, so as to ensure that high-risk AI systems comply with the requirements of the AI Act. In May 2023, the Commission requested the European standardisation organisations CEN-CENELEC to develop such standards 142 . In June 2025, it updated this request in order to take account of the final text of the AI Act 143 , which CEN-CENELEC accepted. The Commission takes note that CEN-CENELEC has been unable to deliver the standards by the deadline of 31 August 2025.

The AI Act also sets out a regime for the supervision, monitoring and enforcement of its rules on AI systems. In line with its regulatory design as a product safety legislation, much of the AI Act’s supervision and enforcement will take place at the national level. For this purpose, Member States have to establish or to designate national competent authorities and lay down rules to empower those authorities and provide for penalties. The deadline for Member States to notify the Commission of the designated authorities and laws on penalties was 2 August 2025, with the objective that the infrastructure related to the governance and the conformity assessment system should be operational well before 2 August 2026  144 . Many Member States have not been able to meet this deadline, and these delays suggest that the governance and conformity assessment system may not be operational on time.

A key feature of the AI Act is its regulatory design as a horizontal product safety legislation, that is consistent with the ‘New Legislative Framework’, following the approach of and ensuring coherence with existing EU product legislation and other relevant EU legislation. This horizontal nature means that it is essential to have clarity as regards the AI Act’s interplay in order to ensure a smooth interplay with other EU laws. However, the application of the AI Act’s rules in parallel and coherently with other applicable EU legislation raises questions in their practical application. Uncertainty about how to apply those rules risks discouraging the adoption of AI systems and undermining the AI Act’s objective of fostering the uptake of AI.

Main issues. Most of the AI Act has not yet entered into application, and even those parts that have entered into application have only done so recently  145 . Therefore, there are no reliable calculations for compliance costs arising from the existing framework for businesses. Moreover, the AI Act only introduces rules for certain AI applications, so the cost of compliance with the AI Act varies greatly.

In the impact assessment accompanying the proposal for the AI Act (hereafter: the ‘initial AI Act impact assessment’)  146 estimated that the theoretical maximum compliance costs and administrative burden amount to around EUR 10 000 for companies that follow standard business procedures. This is applicable only to those companies that are provide high-risk AI systems (estimated at no more than 5-15% of all AI applications  147 ). There would also be between EUR 3,000-7,500 of verification costs for a subset of such high-risk applications  148 . Compliance costs would significantly increase if harmonised standards were not available to demonstrate compliance. This is especially true for smaller companies with limited legal resources. The application of harmonised standards is voluntary, and companies can seek compliance with the AI Act without them. However, standards do provide clear guidance and a presumption of compliance, and they can in certain cases enable self-assessment (thus avoiding the costs of seeking an external conformity assessment). In a survey of AI Pact signatories  149 , 20% of respondents estimated that their compliance costs would be at least 80% higher, while 26.67% estimated that their compliance costs would increase by 20-50% in the absence of harmonised standards or similar tools for compliance with the high-risk AI systems 150 . The costs for business from the delayed establishment of national competent authorities is expected to be mostly indirect. The most significant cost could arise from a delay in designating conformity assessment bodies as a result of the delayed establishment of notifying authorities. This is because such a delay could delay companies being able to place products on the market or oblige them to incur extra cost by switching to conformity assessment bodies in other Member States.

Additional compliance costs arise from obligations that were only introduced during the interinstitutional negotiations and were therefore not part of the initial AI Act impact assessment. This is particularly the case for the obligation for providers and deployers of AI systems to ensure a sufficient level of AI literacy for their staff, due to its horizontal application (regardless of the level of risk actually posed by those providers’ or deployers’ AI systems). This obligation has already applied since 2 February 2025. In the survey amongst AI Pact signatories mentioned above, 54.05% of respondents said that they have incurred additional costs in order to comply with the new obligation in Article 4 AI Act because of the uncertainty what is required, despite already taking measures to foster AI literacy among their staff before being obliged to do so. The respondents’ answers varied when they were asked how much additional costs they had incurred: 36.11% estimated that their additional annual compliance cost reaches up to EUR 10 000, but 16.67% stakeholders even estimated it at up to EUR 50 000 annually to comply with this obligation.

The objectives. The AI Act’s successful implementation is a priority of the Commission, and the Commission’s commitment to a clear, simple and innovation-friendly has been reaffirmed in the AI Continent Action Plan and Apply AI Strategy. The progressive roll-out of the AI Act allows that the experience gathered in implementing the first parts of the rules can feed into the preparations for the parts that are still to apply. This includes taking measures that are necessary to overcome challenges in the implementation. The objective of this intervention is to address those implementation challenges that jeopardize the successful transition of the AI Act’s next entry into application milestone on 2 August 2026 and that require legislative measures.

3.2.Simplification measures and impacts

The simplification measures proposed by the Commission are targeted amendments to the existing regulatory framework that aim to provide relief for identified implementation challenges, while at the same time preserving legal certainty and predictability for stakeholders. These efforts are complemented by several non-legislative initiatives, including the setting-up of an AI Act Service Desk and the provision of guidance.

First, the Commission proposes to align the application timelines for certain rules to address the challenge posed by the delay of standards and the establishment of national competent authorities. Building on the lessons learned, it is appropriate to put in place a mechanism that links the entry into application to the availability of measures in support of compliance with the AI Act’s high-risk rules, such as harmonised standards, common specifications, and Commission guidelines. However, this flexibility should apply only for a limited time and a definite date by which the rules apply in any case should be set. Moreover, it is appropriate to distinguish between the two types of AI systems that classify as high-risk and extend a longer transition period to AI systems that classify as high-risk pursuant to Article 6(1) and Annex I AI Act. The Commission also proposes to respond to the challenge of retroactively introducing technical solutions to generative AI systems in order to ensure that outputs from the AI system are marked in a machine-readable format and are detectable as artificially generated or manipulated in accordance with Article 50(2) of the AI Act, by introducing a transition period of 6 months for Article 50(2) of the AI Act. This would allow AI systems that are already on the market on 2 August 2026 to be made compliant by 2 February 2027.

Second, it is necessary to simplify certain obligations with a view to ensuring that the burden of complying with them is proportionate to their objectives. Certain privileges for SMEs should be extended to SMCs in line with the objectives set out in the Commission’s proposal for a regulation of the European Parliament and of the Council as regards the extension of certain mitigating measures available for SMEs to SMCs and further simplification measures  160 . In other words, simplified technical documentation, a quality management system that takes account of their size, to receive special consideration of their interests in the calculation of fines for violations, special consideration of their needs in the preparation of voluntary codes of conduct and guidelines, and additional regulatory privileges should be considered. In addition, an existing privilege granted to microenterprises, namely simplified quality management, should be extended to all SMEs. In the light of the finding that the horizontal obligation to ensure a sufficient level of AI literacy does not achieve its objective but does cause serious compliance concerns, the obligation on companies to ensure a sufficient level of AI literacy should be replaced with an obligation on the Commission and Member States, to encourage providers and deployers to ensure that their staff and other users have an adequate level of AI literacy. The obligation for deployers of high-risk AI systems to assign human oversight only to staff with the necessary training, competence and support remains 161 . Moreover, there should be flexibility for providers of high-risk AI systems to implement a post-market monitoring system that works for their organisation. The Commission should accordingly not adopt harmonised conditions that prevent such flexibility but should rather offer voluntary guidance for those who seek it. Providers of AI systems that are exempted from classification as high-risk should not be obliged to register in the EU database for high-risk AI systems – so as to remove an administrative burden that is not justified because these AI systems do not pose significant risk.

Third, it is crucial to improve the effectiveness of the governance system. The AI Act already foresees that the AI Office assumes the supervisory role for large and capable general-purpose AI models, and general-purpose AI systems built on these models in certain cases. This is due to the complex and evolving nature of these models, for which there are few experts, rendering it most efficient to centralise the oversight at the AI Office rather than requiring 27 Member States to build such capabilities. As general-purpose AI models proliferate and an increasing number of systems are built on these models, including AI agents, the AI Office’s powers should be reinforced to oversee AI systems built on general-purpose AI models, to ensure their effectiveness. This will not only reduce fragmentation of governance but also contribute to a coherent application of rules for AI systems, including prohibitions, high-risk and transparency, offering guidance for national authorities who oversee other AI systems. It will allow the respective providers to only deal with one regulatory authority; it would thus reduce cost on the side of the providers as well for national authorities (for example, only one authority would be responsible for the post market monitoring instead of 27). However, this should not apply for AI systems related to products covered under Union harmonisation legislation listed in Annex I of the AI Act, for which the oversight should remain with the sectoral market surveillance authorities in the Member States. Where AI systems constitute or are embedded in VLOPs or VLOSEs within the meaning of Regulation (EU) 2022/2065 (Digital Services Act), the oversight should also be allocated to the Commission’s AI Office, to make a coherent and synergetic application of the AI Act and Digital Services Act easier. Finally, the existing mechanism of the AI Act to facilitate cooperation of market surveillance authorities and authorities or bodies that supervise or enforce EU law protecting fundamental rights should be strengthened in order to enable the smooth functioning of the AI Act governance, while also ensuring that operators do not face duplicate requests for information.

Fourth, the scope of the measures that support stakeholders in the compliance should be extended. Article 10(5) of the AI Act allows providers of high-risk AI systems to exceptionally use sensitive personal data – which is otherwise prohibited by the GDPR – for the purpose of bias detection and correction. This facilitates effective AI training and testing. The possibility of relying on this legal basis should be extended to providers of all AI systems and general-purpose AI models. AI regulatory sandboxes are a crucial measure for supporting AI innovators in the development of trustworthy and compliant high-risk AI systems. Their roll-out should be supported by reinforcing the cooperation at EU-level. Moreover, the AI Office should be enabled to establish an AI regulatory sandbox at EU level for AI systems under its supervision. It is also necessary to broaden the scope of the real-world testing of high-risk AI systems so that this instrument can be used for the high-risk AI systems listed in Annex I to the AI Act. Leveraging these infrastructures and facilitating cross-border collaboration will result in better streamlining of the coordination and optimisation of resources.

Fifth, operational changes and technical corrections should be made to contribute to an overall improved application of the AI Act. With regard to the interplay of the AI Act with the Union harmonisation legislation listed in Section A of Annex I, it is necessary to streamline the procedure for conformity assessment bodies to apply for and be assessed in order to become notified bodies. There is also need for a transitional rule for the first time after the AI Act’s governance system has been established, to reduce the risk of a gap in availability of notified bodies when the rules start to apply. Moreover, an Annex to the AI Act should be created with the codes according to which notified bodies under the AI Act are classified and which they can use to register in the Commission’s New Approach Notified and Designated Organisations (NANDO) information system, supporting the rapid establishment of notified bodies and their integration into the existing frameworks. It is also necessary to amend parts of the EU’s common rules in the field of civil aviation  162  so that the AI Act’s high-risk requirements can smoothly be integrated into those rules by means of implementing or delegated acts. In light of the objective to reduce implementation challenges for citizens, businesses and public administrations, it is also essential that harmonised conditions for the implementation of certain rules are adopted only where strictly necessary. For that purpose, it is appropriate to remove certain empowerments bestowed on the Commission to adopt such harmonised conditions by means of implementing acts in cases where this is not strictly necessary 163 .

Sixth and finally, it is important to make it clear that many implementation challenges cannot be addressed through legislative amendments and that stakeholders are also calling for non-legislative support measures. For example, 72.09% of respondents of the survey of AI Pact signatories said they saw the establishment of a centralised platform to bring together all guidance and compliance support tool as the most helpful measure that the Commission could take. The recently published AI Act Single Information Platform caters to this 164 . The Commission will therefore continue to step up its efforts to facilitate and support compliance through other means. In particular, further concerns related to the interplay with other EU law will be addressed in guidance on the practical application of the rules. This includes the requests to provide guidance on the interplay with the GDPR, which the Commission is preparing jointly with the European Data Protection Board.

The Commission has also noted that many challenges stem from the uncertainty surrounding the practical application of certain concepts, such as the ‘safety component’ concept, the high-risk classification, and the scope for exemption of AI systems used for research and development. The Commission will clarify these concepts in forthcoming guidelines  165 and continue to work on different forms of additional guidance  166 .

3.3.Estimated impacts

The proposed simplification measures are expected to reduce compliance costs and make implementation easier for businesses (especially SMEs and small mid-caps) and public authorities. Aligning timelines and introducing a transition period will allow operators to adapt gradually. It will also avoid the need for costly retroactive adjustments. Extending SME privileges, simplifying documentation, and providing guidance from authorities will lower administrative burden. Clarifying how the AI Act interacts with other EU laws will further reduce duplication and uncertainty. Supporting innovation through AI regulatory sandboxes and real-world testing will also help firms develop and test AI safely and facilitates their compliance efforts.

A direct reduction of compliance cost can be expected and estimated for the following measures:

-extension of certain regulatory privileges of microenterprises to SMEs and of SMEs to SMCs

-alignment of the implementation timeline for the rules related to high-risk AI systems

-replacing the obligation on operators to ensure a sufficient level of AI literacy of their staff with an obligation on the Commission and Member States to encourage such measures

-removing the obligation on providers of AI systems that are exempted from classification as high-risk to register those systems (which may for instance only carry out preparatory tasks) in the EU database

There is no reliable evidence or estimate of compliance cost that allow a cost calculation of other measures to simplify the future implementation. Moreover, several measures are expected to have indirect effects.

The extension of some regulatory privileges regarding risk management systems for microenterprises to SMEs is expected to benefit many companies. Extending the simplified quality management system requirement of Article 63, which currently applies only to microenterprises, which constitute 94% of the 26.1 million SMEs in the EU  167 , to SMEs would theoretically bring benefits to 1 566 000 companies. Eurostat data indicate that 13.5% of enterprises with 10 or more employees in the in the EU use AI  168 . Assuming that a third of them are (also) developers of AI systems, of which 5% to 15% (median 10%) are concerned by the AI Act’s requirements, this results in an estimated number of 7 000 additional companies.

The extension of some regulatory privileges granted to SMEs regarding documentation requirements to SMCs would equally bring significant benefits. Although the provisions for which regulatory privileges are granted do not yet apply, a conservative estimate would be a cost reduction by about 25% of the two categories ‘administrative burden regarding documentation and traceability’ and ‘administrative burden regarding provision of information’ which were calculated at about EUR 8 000 combined in the initial AI Act impact assessment. Thus, the regulatory costs for compliance of a high-risk AI system would decrease on average by EUR 2 000 for an SMC. In the Commission Staff Working Document on small mid-cap companies  169 , the Commission services have estimated that 38 000 companies classify as small mid-caps in the EU. In the Eurostat survey on AI usage, SMCs are part of the category large companies, which have a significantly higher AI adoption rate of 41%. Assuming again that a third of them also develop AI, and that 5% to 15% (median 10%) are concerned by the AI Act’s requirements, this results in an estimated number of 1 250 additional companies, with corresponding savings of EUR 2 500 000.

In the initial impact assessment for the AI Act, the Commission estimated maximum aggregate compliance costs for the obligations for providers of high-risk AI systems at EUR 100 - EUR 500 million per year, with around EUR 100 million of verification costs, if harmonised standards are available. Without harmonised standards, according to the survey amongst AI Pact Signatories  170 , 20% of stakeholders expect costs to increase by over 80%, 13.33% expect a 50-80% increase, 26.67% expect a 20-50% increase and others were not able to disclose. One can thus estimate an average of 34% increase in compliance and verification costs. Taking as a baseline the Commission's initial impact assessment, this would lead to an additional estimated maximum aggregate cost of EUR 68–204 million per year, which an alignment of the implementation timeline to the availability of harmonised standards (or alternative tools) would avoid. In addition, one can expect positive cost reductions for Member States’ competent authorities who would otherwise incur additional cost by having to perform oversight without a clear guidance what is deemed compliant through harmonised standards or alternative tools.

The co-legislators introduced the obligation on operators to ensure AI literacy (Article 4 of the AI Act). This was not part of the Commission’s proposal and therefore was not covered by the impact assessment. It is difficult to estimate average training costs across 27 Member States, particularly given the natural variety among different company sizes. 36.11% of respondents of the survey amongst AI Pact signatories estimated that their additional annual compliance cost ranges from EUR 0-10,000  171 . However, the average cost will be considerably lower because the obligation relates to staff training and is therefore more costly for larger companies, which were overrepresented in the survey  172 . Moreover, companies do provide AI training even without a legal obligation (and are still encouraged to do so) in order to ensure that the AI systems are deployed and used responsibly and effectively. Thus, an estimate could be that the additional compliance with Article 4 costs on average up to EUR 1 000 per company, on top of efforts carried out independently to foster AI literacy. As previously mentioned, Eurostat data indicate that 13.5% of the 1.65 million enterprises with 10 or more employees in the EU use AI (i.e. around 222 750). Applying the above estimate, the simplification measure would thus result in cost savings of up to EUR 222,75 million. Meeting the Digital Decade target of 75% of enterprises using AI in 2030 could result in savings of up to EUR 1.24 billion by 2030.

The obligation to register AI systems in the EU high-risk database involves inputting into the online database some information which is readily available to the provider of an AI system. No more than 2.5 working hours should be required on average considering the need to understand the requirements, the once-off registration of the provider and the uploading of information for each AI systems that has been developed. The average labour cost in information services (Sector J of the Eurostat classification  173 ) was EUR 37.19 in 2020 (the results from the 2024 survey are not yet available). Under these circumstances, EUR 40 per hour appears a relevant approximation. Hence, the costs would be EUR 100 per company. Taking the above-mentioned 222 750 companies using AI as an upper limit of companies that might have to register AI systems, assuming again that a third of them also develop AI, and that between 5 and 15% (median 10%) of AI applications would be high-risk as a proxy for the number of companies affected, there could be up to 7425 companies which need to register potential high-risk AI applications. If one assumes that at most 20% of these systems could be exempted under Article 6(3) of the AI Act, then a maximum of 1485 companies affected. Thus, total savings could be up to EUR 148,500 per year.

The below table 7 outlines all the above calculations, with their underlying assumptions.

Table 8: Estimated cost savings for targeted changes to the Artificial Intelligence Act

The reinforcement of the AI Office’s oversight over certain AI systems is expected to lead to indirect positive impacts for businesses, including reducing the governance fragmentation across authorities and contributing to the coherent application of the AI Act’s AI systems rules, as national authorities will be able to take the AI Office’s approach as guidance for their enforcement work, as well as offering new pathways to compliance support through an EU level AI regulatory sandbox. These measures have resource implications for the Commission, due to the volume and high complexity of tasks requiring specific technical and legal expertise as well as specialised tools and methodologies. According to the Commission’s estimates, the AI Office’s supervisory powers would encompass at least 230 AI systems and up to 100 platform-embedded AI systems built on general-purpose AI models, as well as hundreds of small-scale AI systems not embedding such models, used by platforms, 174 in addition to the supervision it already exercises over general-purpose AI models. The rapid evolution of AI technology, particularly the development and deployment of agentic AI becoming increasingly sophisticated, makes it challenging to accurately estimate the number of entities that will fall under our enforcement purview under Article 75(1) of the AI Act, which could likely also be significantly higher. Moreover, the EU-level AI regulatory sandbox will require additional resources. These tasks are estimated to require additional 53 FTEs (50 FTE for enforcement activities and 3 FTE for the operation of the EU-level AI regulatory sandbox). These implications have to be weighed against reduced budgetary requirements for Member States, who would otherwise be responsible to ensure the oversight for those AI systems. In this context, it has to be recalled that AI systems based on large general-purpose AI models are typically made available in all EU Member States at the same time. The counterfactual scenario, whereby the oversight and enforcement of these AI systems would be allocated to Member States would require at least 1 technical FTE in all Member States and for the 5 largest Member States and 5 Member States with active AI ecosystems at least a team of 10 FTE each. Thus, at the absolute minimum, 117 FTE would be required, i.e. more than twice the 55 FTE at EU level. With an average hourly cost of around EUR 30 per hour, i.e. EUR 60 000 per year, the extra 62 staff would amount to a minimum of EUR 3.7 million per year additional costs for Member States.

3.4.Preserving the objectives of the rules and other impacts

The initial AI Act impact assessment considered other types of impacts, such as societal impacts, impacts on safety, impacts on fundamental rights and environmental impacts.

Regarding societal impacts  175 , the initial AI Act impact assessment concluded that (i) there could be labour market impacts due to increased trust in – and therefore uptake of AI applications – (ii) the AI Act would reduce involuntary discrimination by AI systems; and (iii) promoting the uptake of AI would accelerate the development of socially beneficial applications. The targeted nature of the envisaged amendments means that they are not expected to modify such impact. The alignment of the AI Act’s implementation timeline could slightly delay the attainment of such impacts, although it must be considered that they affect only part of the rules that cumulatively lead to the expected societal impact. Conversely, the extended measures in support of innovation could positively contribute to accelerating the development of socially beneficial applications.

Regarding impacts on safety  176 , the initial AI Act impact assessment concluded that the AI Act would fill gaps in relation to the specific safety and security risks posed by AI embedded in products in order to minimize the risks of death, injury and material. The targeted nature of envisaged amendments would not affect the scope of AI systems covered by the AI Act or the substantive requirements for the different risk levels, so they are not expected to modify this impact.

Regarding impacts on fundamental rights, the initial AI Act impact assessment considered that the AI Act would boost the protection of fundamental rights. The Commission’s explanatory memorandum to the proposal states that the AI Act is expected to enhance and promote the protection of many rights set out in the Charter  177 , as well as positively affect the rights of a number of special groups  178 . The AI Act proposal was also found to impose some restrictions on certain rights  179 , but these were assessed as proportionate and limited to the minimum necessary. The envisaged alignment of the timeline of entry into application could delay the attainment of the positive effects on the protection of fundamental rights. This impact must be weighed against the alternative of no postponement, with the risk that an application of the rules would practically not be feasible or extremely costly. Such situation would conversely aggravate the restriction of certain rights, notably the freedom to conduct business. Against this background, this delayed attainment of the positive effects on the protection of fundamental rights appears proportionate.

Regarding environmental impacts, the initial AI Act impact assessment found that the direct environmental impacts that could be expected from the AI Act were limited. However, it also identified some possible negative indirect impacts due to the increased uptake of AI that could cancel out the positive effects of increased energy efficiency through AI use. The targeted nature of the envisaged amendments means that they are not expected to modify this impact.

The initial monitoring framework of the initial AI Act impact assessment remains the reference base for the continuous implementation of the legislation and achievement of the unchanged broader policy objectives.

4.Repeal of the Platform-to-Business Regulation

The 2019 Platform-to-Business Regulation (‘P2B Regulation’) was the first step towards providing a comprehensive legal framework for the platform economy. It was the initial general framework applicable to what are called ‘online intermediation services’. These services intermediate for a very large number of both large and small undertakings, or ‘business users’, within the internal market. However, the entry into application of the Digital Markets Act (DMA) and Digital Services Act (DSA) in 2023 and 2024 respectively significantly reinforced the set of rules for online intermediation services and online platforms. This has led to questions over the implementation of the P2B. The Digital Omnibus proposes to repeal large parts of the latter, underlining that the P2B Regulation’s significant provisions are already taken on in other legal acts. This will increase legal clarity for stakeholders over the application of the rules, and a more streamlined digital rulebook. A transitory period to 2032 is foreseen to ensure legal certainty for acts containing cross-references to certain provisions of the P2B Regulation.

4.1.Analysis of the problems and opportunities

The rules. Regulation (EU) 2019/1150 of the European Parliament and of the Council of 20 June 2019 on promoting fairness and transparency for business users of online intermediation services (the platform-to-business or ‘P2B Regulation’) has been in application since 12 July 2020. The P2B Regulation was the first step towards providing a comprehensive legal framework for the platform economy. It was the initial general framework applicable to what are called ‘online intermediation services’. These services intermediate for a very large number of both large and small undertakings, or ‘business users’, within the internal market. The P2B requirements were designed to ensure that business users, in particular SMEs that can have limited bargaining power relative to the online platforms, should be able to conduct their business in a predictable manner (e.g. relying on transparency as regards rankings) and are not exposed to unnecessary costs when facing issues with the online platform (e.g. suspension of the business account, or products and services being blocked by the platform). In addition, the P2B Regulation was also designed as a tool to ensure that fairness and transparency help smaller platforms to grow and innovate in a common legal framework shared with larger platforms, in a levelled playing field. To ensure that online intermediation services comply with the P2B requirements, its enforcement lies with the competence of the Member States.

To assist with implementation, the Commission published a notice on ranking guidelines 180 pursuant to Article 5(7) of the P2B Regulation, which should remain as a reference including after the repeal of the Regulation.

The main issues. Since its entry into application, other acts of EU law have come to regulate online intermediation services and online platforms. These include the Digital Markets Act (DMA) 181 and the Digital Services Act (DSA) 182 . 

A preliminary assessment of the state of implementation of the P2B Regulation was published on 21 September 2023 183 .

The report observed initial positive effects when it comes to contractual transparency for business users and due process in complaint-handling for instance. However, the report also evidenced that there was a lack of awareness among business users as well as providers of online intermediation services and of online search engines of their respective rights and obligations under the P2B Regulation. This was also coupled to insufficient compliance with the P2B Regulation and led to a lack of implementation. Hardly any complaints were received under the P2B Regulation until 2023. The report concluded that “the full potential of the P2B Regulation [was] not achieved at present”.

This first preliminary review of the P2B Regulation of 2023 was published when the DSA and DMA had just entered into force. In the meantime, the EU regulatory framework for online intermediary services and online platforms has become more complete and more robust.

The DMA became applicable on 2 May 2023. Its purpose is to contribute to the proper functioning of the internal market by laying down harmonised rules ensuring for all businesses, contestable and fair markets in the digital sector across the Union where gatekeepers are present, to the benefit of business users and end users. With a view to protecting contestability and innovation in digital markets, the DMA prohibits certain unfair practices by so-called gatekeeper platforms that have proven harmful. Among the practices addressed are ranking transparency obligations, fair general conditions for access to gatekeeper services, data portability, access to data and self-preferencing.

Since its entry into application on 17 February 2024, the DSA aims to contribute to the proper functioning of the internal market, while also ensuring a safe, predictable, and trusted online environment that facilitates innovation and in which fundamental rights enshrined in the Charter are effectively protected. The DSA fully harmonises the obligations imposed, among others, on providers of intermediary services, including online platforms and online search engines, therefore pre-empting national rules in this area. It contains rules on terms and conditions, recommender systems, complaint-handling systems, out-of-court dispute settlement and codes of conduct. Enforcement of the rules lies with national authorities of Member States for online platforms established in their territory, and with the Commission for Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs).

The objectives. By repealing the P2B Regulation, the regulatory framework applicable to online platforms and business users is simplified by eliminating overlaps and multiple layers of regulation. This minimises legal uncertainty and reduces unnecessary compliance costs which contribute to business trust in the legal framework and encourages new entrants into the EU market. This simplification also contributes to more robust and more targeted enforcement of existing rules.

4.2.Simplification measures and impacts

The Digital Omnibus proposes to repeal the P2B Regulation, with provisions largely covered in other legal texts as outlined below.

Transparency and fairness of terms and conditions by providers of online intermediation services (Articles 3 and 8 P2B Regulation) is granted now by the eponymous Article 14 of the DSA, covering also conditions for restrictions on the use of their service. Similarly, obligations on intermediation service providers as regards restriction, suspension and termination (Article 4 P2B Regulation) are largely covered by the obligation on hosting service providers to provide a statement of reasons for restrictions (Article 17 DSA) and, to some extent, conditions for measures and protection against misuse (Article 23 DSA). However, there is a difference in scope on the types of restrictions covered by the two regimes, in particular as regards specific situations for self-employed platform workers.

When it comes to transparency on differentiated treatment, ranking and self-preferencing (Articles 5 and 7 P2B Regulation), both the DSA and the DMA contain clear rules. Online platforms have to be transparent about the parameters used in their recommender systems as per Article 27 DSA, and VLOPs/VLOSEs have to consider the design of any of their algorithms in their risk assessment (Article 34(2) DSA). Under DMA, in turn, gatekeepers are prohibited from positively discriminating in favour of their own services and products in ranking results, and apply transparent, fair and non-discriminatory conditions to such ranking (Article 6(5) DMA). Additionally, gatekeepers are required to apply fair, reasonable an non-discriminatory general conditions of access for business users to its designated core platform services.

As regards access to relevant data by business users, the P2B Regulation provides for transparency obligations in the terms and conditions of the online intermediary service provider, including on the absence of such an access (Article 9 P2B Regulation). The DMA obliges gatekeepers to provide effective and free of charge data portability rights to its users and free-of-charge, continuous and real-time access to relevant data by users (Articles 6(9) and (10) DMA).

When it comes to the “most favoured nation clauses” (restricting business users to offer the same goods and services under different conditions through other means than through the services of the intermediation service provider) (Article 10 P2B Regulation), the P2B imposed an obligation of transparency on the platform. The DMA establishes a prohibition for gatekeepers to impose such clauses (Article 5(3) DMA).

The P2B Regulation contains obligations for online platforms to allow for complaint-handling, mediation and specialized mediators (Articles 11, 12 and 13 P2B Regulation). This largely overlaps with the DSA’s provisions on internal complaints systems, out-of-court dispute settlement, complemented by transparency and reporting obligations (Articles 20, 21, 15, 24, 42 DSA). To be noted that certain categories of persons performing platform work, as regulated by Directive (EU) 2023/2831 on improving working conditions in platform work, rely on these provisions in the P2B Regulation. Specific mediation mechanisms are also foreseen in the P2B Regulation for very large online platforms as regards media content by the European Media Freedom Act (Article 18 EMFA).

The right for representative action for organisations and associations of business users (Article 14 P2B Regulation) is mirrored in the DSA (Articles 86 and 90), and importantly now covered by Directive (EU) 2020/1828 on representative actions for the protection of the collective interests of consumers 184 .

Finally, the possibility for developing codes of conduct under the P2B Regulation (Article 17) is largely covered by Article 45 of the DSA, allowing for the drawing up of codes of conduct to be developed to contribute to the application of the DSA.

4.3.Estimated impacts

This strengthened EU regulatory framework has largely overtaken the provisions of the P2B Regulation. The P2B Regulation, by providing for more transparency for business users of online platforms, implicitly aimed at practices by larger platforms where a difference in bargaining power exists. In this context, the DSA and the DMA provide for stronger protections for SMEs vis-à-vis larger actors. This is especially the case when it comes to unfair practices related to transparency and self-preferencing, data access and dispute resolution where the DSA and the DMA go further than the mere transparency obligations under the P2B Regulation.

Simplification of the regulatory framework for online platforms will reduce compliance costs due to layered and overlapping rules. Online intermediary service providers will benefit from increased clarity of legal provisions.

Repealing large parts of the P2B Regulation will also contribute to a more coherent and robust enforcement vis-à-vis larger platforms by clearly identified regulators, avoiding potential duplications. Regulators, such as DSCs for all intermediaries established in their respective Member States, and the Commission for VLOPs/VLOSEs and gatekeepers, will be able to focus their resources to the benefit of a more consistent and harmonised enforcement.

Arguably, repealing the P2B Regulation may lead to fragmentation since Member States will be allowed to regulate other aspects relating to online intermediary service providers. This was indeed recognized as a risk in the Impact Assessment preparing the P2B Regulation: “the uncoordinated adoption of national legislations - whether platform-specific or covering B2B issues in general but applicable to platform businesses – may result in divergent regulatory measures across the EU”[3] 185 . However, the EU digital rulebook is now more robust with the entry into application of the DMA and the DSA, complementing the e-Commerce Directive, which are of maximum harmonization and align therefore with the P2B Regulation’s objective to create a harmonised legal framework 186 .

This risk for fragmentation is considered to be particularly low given that the regulatory space for national measures is very narrow. Indeed, the e-Commerce Directive, the DSA and the DMA almost exhaustively cover the aspects related to online intermediary service providers that are regulated by the P2B Regulation. For instance, the Court of Justice has stated that the e-Commerce Directive must be interpreted as precluding measures adopted by a Member State, with the stated aim of ensuring the adequate and effective enforcement of the Platforms-to-Business Regulation, under which, on pain of penalties, providers of online intermediation services established in another Member State are subject, with a view to providing their services in the first Member State, to the obligation to be entered in a register maintained by an authority of that Member State, to communicate to that authority certain detailed information about their organisation and to pay a financial contribution to that authority 187 . Therefore, the country-of-origin principle will nevertheless remain as an indispensable instrument to protect the single market.

Based on these considerations, it can be concluded that the P2B Regulation is only of residual relevance and should be repealed. At the same time, there is a need to ensure a transitory phase allowing that, where the P2B rules are complementary to or cross-referenced by other legislations, those elements of complementarity are preserved. This is the case for certain definitions pioneered by the P2B Regulation in EU law, as well as certain protections offered in particular to self-employed platform workers, in complementarity to the Platform Workers Directive 188 , in course of transposition.

Conclusion

The Digital Omnibus is an ambitious burden reduction proposal. It contributes directly to the Commission’s target objective of cutting recurring administrative costs by EUR 37.5 billion by the end of the mandate 189 .

On aggregate, and on the basis of initial estimates, it could lead up to EUR 1,335,634,500 in administrative cost savings per year for businesses, on top of EUR 1,043,943, 500 in estimated one-off savings. Provided the proposal enters into force by early 2027, this would amount to at least EUR 5 billion by the end of the Commission mandate in 2029. In addition, a further EUR 1 billion are estimated to be saved for public administrations by 2029. An overview of all estimated savings can be found in Annex II.

Several of the measures put forward in this Omnibus, by their very targeted nature, were not immediately quantifiable in terms of direct cost reduction on the basis of available data when preparing this proposal. Similarly, the cost of adaptation could not always be quantified, but is overall expected to be limited due to the targeted nature of the amendments. The latter are largely expected to create more favourable business conditions, for companies of all sizes in Europe, and stimulate innovation. The overall beneficial cost impact of this proposal is thereby expected to be higher than estimated at this stage.

On a more qualitative level, the Omnibus also leads to distinct cross-regulatory simplification by clarifying certain interplays between laws. This delivers better clarity in the engagement with the European digital rulebook. The amendments are ‘optimising’ changes, that seek to deliver the same, or better results, at a lower cost. Their impact on the underlying objective of the rules is expected to be positive. In particular, they are expected to support the highest standards of protections for fundamental rights, not least the right to privacy, the right to data protection, the right to non-discrimination, as well as the right to conduct a business.

The Digital Omnibus, as part of the broader Digital Simplification Package, is only the first step of a larger set of actions. The Commission will pursue its digital simplification agenda through the Digital Fitness Check across the mandate – with a view of delivering further regulatory clarity for businesses, citizens, and administrations across Europe.

ANNEXES

Annex I - Stakeholder consultations

Introduction

Numerous consultation streams were carried out in the context of the proposal. Each were conceived as complementary to one another, addressing either different topical aspects or stakeholder groups concerned by the initiative.

In the initial scoping phase of the Digital Omnibus, three public consultations and calls for evidence were published on the key pillars of the proposal in the spring of 2025. A consultation ran on the Apply AI Strategy from 9 April to 4 June 190 , another on the revision of the Cybersecurity Act from 11 April to 20 June 191 , and finally another on the European Data Union Strategy from 23 May to 20 July 192 . Each questionnaire had a dedicated section (or at times multiple) on implementation and simplification concerns, directly related to the reflexions on the Digital Omnibus. Taken together, 718 unique responses were obtained as part of this first consultation stream.

A Call for Evidence on the Digital Omnibus was further published from 16 September to 14 October 2025 193 . Its aim was to cover the entirety of the initiative, and give the opportunity to stakeholders to comment on a more targeted set of proposals in a consolidated stream. 512 responses were received, by diverse stakeholder categories.

With a view of raising awareness on the Digital Omnibus among small and medium-sized enterprises (SMEs), and collect their feedback, a dedicated SME Panel was run via the Enterprise Europe Network (EEN) between 4 September to 16 October 2025. The EEN is the world’s largest support network for small and medium-sized enterprises, and is implemented by the European Commission’s European Innovation Council and SMEs Executive Agency (EISMEA). SME Panels are a consultation stream falling under this framework, whereby small and medium-sized enterprises have the opportunity to contribute their views to an upcoming policy initiative. In addition to the online written consultation (where 106 SME responses were gathered), the Commission also presented the Digital Omnibus proposal to SME associations part of the network, in a dedicated meeting on 1 October.

Two other consultation streams were organized, with a focus on direct exchanges with stakeholders. At political level, two implementation dialogues were held by the Executive Vice-President Henna Virkkunen: the first on data policy 194 (1 July 2025), and the second on cybersecurity policy 195 (15 September). Another was held by Commissioner McGrath on the implementation of the GDPR on 16 July 2025 196 . At technical level, five reality checks were organized by Commission services with stakeholders between 15 September and 6 October 2025 to deep dive into different implementation barriers on specific sets of rules considered for simplification under the Digital Omnibus.

Finally, a large number of bilateral meetings were organized by Commission services with stakeholders throughout the year of 2025, to address specific concerns. Discussions were also held with Member States. In addition to bilateral exchanges, dedicated agenda points on the Digital Simplification Package where discussed at Council Working Parties in June and September 2025 where the Commission presented the state of play and asked for Member States’ views.

Overall, stakeholder feedback converged as to the need for a simplified application of some of the digital rules. Better coherence, and a focus on optimisation of compliance costs, is largely welcome by stakeholders of all nature. Some divergence exists as to some of the more tailored measures. While discrepancies between stakeholder categories were noted across the Digital Omnibus span of targeted amendments, they are to be viewed through the prism of the specific legal change considered. This Annex presents an overview of each consultation, highlighting the key findings.

I.Call for Evidence on the Digital Omnibus

The consultation ran from 16 September to 14 October 2025. In total, 512 responses were submitted online by a diverse group of stakeholders. In addition, several others sent their contributions directly to the Commission services. Most feedback was received by business associations (35.9%) and companies (27.2%), with SMEs representing 66% of the latter respondents. This was followed by NGOs (9.4%), citizens (8.8% EU citizens and 1% non-EU citizens), academic/research institutions (3.9%), public authorities (3.5%), trade unions (2.2%), consumer organisations (1.6%), as well as others (6.6%).

In terms of geographical distribution, most of the respondents were based in the EU, with a majority of contributions coming from Belgium (25.8%), Germany (15.4%), and France (10.0%), who together account for a share of over half of all the contributions. Countries like the Netherlands (6.8%), Italy (4.9%), and Czech Republic (4.9%) also showed notable engagement.

Internationally, the highest share of respondents that participated were from the United States (4.7%) and the United Kingdom (2.9%). The companies and business organizations that participated showed a high EU-establishment rate: 80.6% specified that they were established in the EU. Overall, 78.5% of all submissions included an attachment (non-paper or other type of paper).

Figure 1: Stakeholder Categories

Figure 2: Country of Origin

Figure 3: SMEs Among Business Type

Summary of results

Most stakeholders strongly voiced support for the simplification agenda. A large majority of respondents across different stakeholder types converged on the view that the EU’s digital regulatory landscape has become overly complex, and that simplification should focus on coherence, consistency, and proportionality, reducing unnecessary burdens for businesses while delivering and maintaining effective standards for consumer protection. This was often accompanied by a widespread call to harmonize definitions and rules (with recurring calls for centralized glossaries, for instance), and offer better guidance on legal interplays, such as between the GDPR and other acts (AI Act, Data Act, Data Governance Act, Cyber Resilience Act and EHDS).

A majority of responding NGOs and several citizens, however, pressed to not water down the EU’s established high regulatory and social standards in the simplification effort. Rules around privacy and artificial intelligence were particularly singled out in this purpose. Many SME associations similarly stressed that simplification should not affect essential rules which have created a level-playing field for them.

While most of the received feedback focused on the core areas under consideration in the Call for Evidence (rules relating to the data acquis, artificial intelligence, cybersecurity and digital identity 197 ), a limited amount of business stakeholders also contributed on the application of other types of digital legislation, such as telecommunications and platform rules. Across topical areas, many stakeholders called for further harmonization between horizontal and sectoral rules – with some suggesting future work on that in the future, for instance via the Digital Fitness Check or via sector-specific Omnibuses.

Feedback on the data acquis

A large proportion of respondents gave feedback on the data acquis elements under consideration in the Digital Omnibus. The topic of cookie banners, and more generally potential simplification of the GDPR, attracted most of the feedback. Among business stakeholders, as well as some public authorities, there was broad support for better alignment between the GDPR and ePrivacy Directive (Art. 5(3)) regarding consent fatigue, fragmentation and proportionality - with additional specific support for broader legal grounds to access terminal equipment in alignment with the GDPR’s risk-based approach. Many NGOs and privacy groups countered this by stating it would weaken the protection level that is intended by the ePrivacy directive, prioritizing preservation of user protection. EU-citizens frequently mentioned cookie fatigue, from a user perspective, with several calling for simpler, browser-based (standardized) consent mechanisms as a solution to cookie fatigue (also joined by many business stakeholders). Publishers and media representatives called strongly against centralized browser solutions, with concerns that it would reinforce the control of a limited set number of companies.

On the GDPR more broadly, most stakeholders across categories argued for better guidance on interplays with other rules. The AI Act was the most frequently cited legislation, followed closely by the Data Act. Other clarifications were also asked regarding alignment of rules with the Data Governance Act, the Cyber Resilience Act, and the EHDS. Some business stakeholders (especially large associations and companies) expressed additional support as to allow AI training on personal or pseudonymised data under legitimate interest, as well as a plea for additional consideration of privacy-enhancing technologies (PETs) as a proportionate safeguard for low-sensitivity data. Overall, the ‘risk-based’ approach of the GDPR was raised as something to be strengthened by business stakeholders of all sizes. SMEs notably called for further exemptions, in the continuity of the Fourth Omnibus Package from the European Commission.

Feedback on the Data Act, Data Governance Act (DGA) and the Open Data Directive (ODD) featured prominently across the consultation, particularly among business stakeholders. Overall, stakeholders converged on the view that both the DGA and the ODD are conceptually relevant but operationally fragmented: some stakeholders therefore called for merging of the ODD, DGA and also Free Flow of Non Personal Data Regulation (FFDR). Stakeholders advocated for further harmonization between the ODD, DGA and Data Act to boost clarity, predictability, and reduce costs in order to achieve consistent data sharing in machine-readable format. Many stakeholders additionally noted persistent uncertainty about the distinction between personal and non-personal data, and the conditions for lawful data reuse.

Specifically on the Data Act, SMEs and SME associations (both sectoral and horizontal) strongly urged for a forceful implementation of the rules. Some SME and startup associations further encouraged for dedicated funding for SMEs to incentivize participation in common data spaces, as well as better guidance on general applicability of the data acquis. On the other hand, large companies and associations called for a postponement of the Data Act application – with suggestions ranging from 12 to 24 months. Additionally, they urged for a review of the trade secrets framework under the Data Act, arguing that it jeopardized established business models, and less stringent Business to Government (B2G) data requests. Respondents from the automotive and railway industry at European level (joined by several other large companies) particularly encouraged as to the exclusion of B2B contracts from the Data Act, and to avoid retroactive application of legacy contracts. German industrial stakeholders, joined by several other business associations across sectors, explicitly supported a number of exemptions for Small Mid-Caps.

Non-EU respondents (notably from the US, Japan, and Switzerland), joined by some large European business stakeholders, urged for clearer alignment of international data transfer rules and interoperability standards, warning that fragmented approaches could hinder transatlantic and global cooperation.

Feedback on implementation of artificial intelligence rules 

Feedback was also substantial on the artificial intelligence mentions under the Call for Evidence. The implementation of high-risk rules under the AI Act was the most debated topic. A broad majority of business stakeholders (especially large ones) called for a revision of the implementation timeline for the AI Act’s high-risk provisions. Within this group, the types of postponement mechanisms varied considerably:

·Some advocated for a grace period, generally of 1 year, meaning temporary relief from penalties while voluntary compliance continues;

·Others opted for full postponement of the application of the rules until harmonised standards are formally adopted and published, with suggestions ranging from 6 to 24 months;

·And the remaining contributions favoured sectoral rules (or guidance) and sectoral frameworks, some proposing a (sector-based) phased entry into force where certain high-risk categories would come into effect later than others (particularly put forward by stakeholders in the medical devices industry, for instance, as well as in the machinery and construction, railway, and automotive sectors).

Almost all responding NGOs (especially consumer associations), as well as some standardization bodies and citizens, strongly contested this phased approach. They urged to not slow down the implementation work, which may provide a negative signal to companies about to invest into compliance with the new rules.

SMEs highlighted the challenges faced by smaller players with the AI Act’s high-risk rules. Many SMEs called for more support tools, subsidized conformity assessment, guidance and simplified compliance, rather than legal changes necessarily. Other innovation support measures, such as AI regulatory sandboxes and real-world testing, were further called for by larger business stakeholders as well. Several large businesses or associations (especially non-European) specifically called for a revision of the threshold for General Purpose AI systemic risk, and a closer alignment on international standards. The railway industry was vocal, across several contributions, as for B2B (‘business to business’) requirements to be less stringent than for B2C (‘business to consumer’), as well as a general exemption for legacy systems.

A transversal matter of concern across business stakeholders of all sizes related to the assessed lack of clarity in certain definitions under the AI Act, as well a call for better tailoring of the high-risk categorization and more flexibility around low-risk products. Many respondents also called for additional clarification of the AI Act’s interplay with other digital laws, namely the GDPR and the Digital Services Act.

Finally, some industry stakeholders (many of them based in the US), pointed to the restrictions under data protection law affecting AI training and testing under legitimate interest. This was also supported by some European startups. Overall, in many contributions, a need for clearer guidance on the use of legitimate interest when it comes to consent for AI training, was underlined. Publishers and media representatives expressed general caution as to the potential dilution of the copyright principles under the AI Act, as part of the simplification agenda.

Feedback on cybersecurity rules

A significant proportion of contributions addressed cybersecurity matters. Respondents across companies of all sized, public authorities, business groups but also consumer organisations overwhelmingly supported streamlined cyber incident reporting, citing heavy overlaps between NIS2, DORA, CRA, and the GDPR. Calls for a single EU reporting portal were widespread across stakeholder categories. Recommended solutions varied as to their level (with some urging for a stronger role for ENISA, at European level, and others favoring an approach at national level), and the extent to which reporting templates, timelines and thresholds should be aligned.

A number of business contributions called for clarification of scope and interplay with other frameworks under the Cyber Resilience Act (CRA). SMEs in particular requested better guidance on implementation, clearer definitions and proportional requirements, noting that certification costs can be disproportionately high for smaller firms.

Moreover, several business associations and standardization organisations underlined the importance of standardisation, calling for leveraging and relying on existing industry standards rather than developing more overlapping security frameworks.

Finally, some feedback from business stakeholders focused on NIS2’s implementation. Almost all stakeholders commenting on this point called for a more harmonized approach, and consistent enforcement across Member States (with notable concerns about auditing costs).

Feedback on digital identity rules

The contributions on the topic of digital identity were very limited in this Call for Evidence. Most of the contributions on digital identity were submitted by companies in the digital identity industry. Some stakeholders underlined the fragmented compliance landscape and advocated for a single-audit framework for QTSPs, recognized by all competent authorities (supervisory bodies, NIS2, GDPR, DORA). In line with this, contributions generally called for aligning the eIDAS-revision (EUDI framework) with the European Business Wallet proposal, (global) standards, SDG, DPP and PSD2 (for the payments authentication process). Some SME stakeholders further expressed concern on some of the standardization work being pursued for the EUDI Wallet, assessing it as potentially too prescriptive.

Additionally, some stakeholders (especially SMEs) called for clear and multilingual onboarding guidelines for all businesses (including those outside of the EU) to make the European Business Wallet an attractive and accessible tool. Some respondents stressed that the European Business Wallet should be a market driven initiative. Relatedly, a large European SME association called for the use of the Business Wallet and EUDI Wallet to remain optional for businesses and citizens.

II.Public consultations on the Apply AI Strategy, the revision of the Cybersecurity Act, and the Data Union Strategy

As aforementioned in the introduction, to support the development of the Digital Omnibus proposal, three public consultations and related calls for evidence were launched in spring 2025. Each addressed one of the Digital Omnibus’ key pillars: the Apply AI Strategy consultation, the Cybersecurity Act revision and the European Data Union Strategy consultation.

Each consultation had a respective section centered on simplification concerns. The below subsections provide an overview of the main findings that directly relate to simplification topics.

Apply AI Strategy consultation

The public consultation took place between 9th of April and 4th of June 2025. It aimed to gather information about the current state of AI adoption and development in the EU, with a specific focus on implementation challenges, to guide the Apply AI Strategy as well as further potential support actions for stakeholders.

The public consultation gathered 230 responses, and the associated Call for Evidence 287. Responses came from companies or businesses (90 out of 230), EU citizens (42), business associations (41), academic/research institutions (15), NGOs (14) and public authorities (10), trade unions (3), one consumer organisation, one non-EU citizen and 13 respondents who chose the option ‘Other’. The vast majority of the respondents were from EU member states, with Belgium on the lead.

Among the several topics addressed, regulatory uncertainty emerged as a particularly relevant issue. One of the academic/research institutions, and 29 of the companies indicated that regulatory uncertainty is a barrier to AI (both for AI users and non-users) and mentioned that difficulty in identifying applicable rules and accessing information in relation to those rules as one of their main concerns. Uncertainty about future or upcoming legislation was mentioned by 27 companies and the burden of adapting internal procedures to ensure compliance with applicable rules was mentioned by 25 companies. Additionally, 14 companies pointed out heavy administrative burden as the main factor to not use any of the support initiatives provided by the EU such as CEDS, EDIHs, TEFs and AI on Demand.

Among AI developers, 52 stressed uncertainty about the scope and rules under the AI Act implementation as the major obstacles to compliance, particularly for small and medium-sized enterprises, which may not have the necessary resources or expertise to navigate the complex regulatory landscape. The absence of clear guidelines and standards was cited as a significant challenge, and the use of regulatory sandboxes was suggested as a potential solution. The complexity of the regulatory framework was criticised, with multiple regulations, such as the Digital Services Act, NIS2, and the AI Act, imposing overlapping and sometimes conflicting requirements. The need for a more risk-based approach was emphasised, as well as the importance of providing clear and practical guidance to support the implementation of the AI Act.

The administrative burden imposed by the AI Act was seen as a significant hurdle, particularly for global companies with multiple AI-based solutions. The lack of harmonised standards, the capacity of Notified Bodies, and the potential for fragmented interpretations and enforcement across the EU were also identified as major challenges. The interplay between the AI Act and other EU regulations, such as the GDPR, MDR, and Machinery Directive, was noted as an area of uncertainty, with potential overlaps and conflicts between these frameworks. The requirements for high-risk AI systems, including fundamental rights impact assessments and conformity assessments, were seen as duplicative and burdensome, with some respondents arguing that these requirements do not deliver material benefits to customers. The lack of clarity and legal certainty surrounding the AI Act was a recurring theme. The need for international alignment and the use of international standards was also highlighted to reduce trade barriers and facilitate the development of AI in the EU.

Revision of the Cybersecurity Act consultation

The Public Consultation was conducted in the context of the ongoing revision of the Cybersecurity Act (Regulation (EU) 2019/881), running from 11 April to 20 June 2025. It aimed to gather feedback from a wide range of stakeholders on the effectiveness of the current legislative framework and potential areas for improvement. A total of 193 responses were received, with partial responses accepted. Among the respondents, 40.9% represented companies or businesses, 28% business associations, 13.5% EU citizens, 4.1% public authorities, 4.1% Other, 3.6% academic/research institutions, 3.1% non-governmental organisation, 2.1% trade union and 0.5% non-EU citizen. Responses were received from across 26 countries, including all EU Member States and a few non-EU countries.

According to written submissions in the associated Call for Evidence, there was a strong consensus among stakeholders on the need to reduce complexity and administrative burden, particularly for SMEs. Several contributors highlighted the challenges faced by smaller entities in navigating the current regulatory landscape and called for simplified compliance procedures. Stakeholders stressed the importance of clearer, harmonised guidelines to avoid fragmented implementation and ensure consistent application across the EU. Others emphasised the disproportionate impact of complex obligations on SMEs and advocated for tailored support mechanisms, including exemptions and simplified reporting frameworks. Several contributors also proposed the development of centralised EU platforms for reporting and compliance tracking, which would enhance efficiency and reduce duplication across different legislative instruments.

National authorities and ENISA representatives provided practical perspectives on implementation barriers, highlighting the need for streamlined reporting mechanisms, clearer guidance, and improved coordination across legislative instruments. They stressed the importance of making compliance processes more efficient and responsive to the needs of both Member States and industry.

This Public Consultation showed that NIS2 was the most frequently cited applicable EU legislation, with many respondents indicating multiple frameworks (GDPR, DORA, CER, AI Act) apply to their entities. Cross-sectoral associations and digital service providers highlighted the growing complexity and called for a more integrated legislative approach.

Stakeholders expressed strong concern about the diversity of incident reporting tools and processes at the national level, with medium-sized, small, and micro enterprises reporting the highest difficulty. The lack of harmonised reporting thresholds across EU legislations was a major challenge, especially for SMEs and business associations.

Implementation of cybersecurity risk-management measures showed varied responses, reflecting differences in organisational capacity. Overlap of requirements and the burden of proving compliance were significant issues, particularly for medium-sized, small, and micro enterprises, as well as trade unions. Calls for clearer guidance and streamlined processes were frequent.

Open-ended responses emphasised the need for simplified regulations, standardised templates, and centralised platforms. Stakeholders described the current system as fragmented and resource-intensive, with overlapping obligations diverting resources from operational cybersecurity efforts. There was strong support for cross-sector harmonisation, especially in banking, energy, transport, and public administration.

Overall, the analysis revealed a consistent call for simplification, harmonisation, and clarity in EU cybersecurity legislation. Medium-sized companies reported the highest concern, particularly regarding reporting thresholds, tool diversity, and compliance burdens. Small and micro enterprises also express significant concern, while large companies tend to be more moderate. Business associations advocated strongly for harmonisation, and public authorities, EU citizens, and other stakeholders highlight the need for coordination and sector-specific guidance. These findings underscore the importance of a coordinated and inclusive approach to cybersecurity governance that balances regulatory ambition with practical feasibility for all entities.

Data Union Strategy consultation

The public consultation on the European Data Union Strategy ran from 23 May to 20 July 2025. The strategy aimed to explore options to increase the availability of high-quality data, streamline existing data rules, potentially creating a simplified, clearer, and more coherent legal framework for businesses and administrations to share data more seamlessly and at scale, and address the international aspects of data flows.

In total, 171 contributions were received, of which 99 were on behalf of a company or business organisation / association, 28 from public authorities, 16 from citizens (all EU citizens), 16 from non-governmental organisations, 4 on behalf of academic / research institutions, 2 from consumer organisations, 1 from a trade union and 5 identifying as “other”. Amongst the 52 companies, 27% were small and medium-sized enterprises. Overall, 88% of the replies came from the EU-27. Around 66 position papers were submitted, either in addition to questionnaire answers (62) or as stand-alone contributions (4). The below gives an overview of the consultation areas with a direct link to simplification.

1.Main simplification concerns expressed in the consultation

A wide majority of stakeholders thinks that consolidation of the data legislation is necessary due to uncertainties regarding their interplay. Out of 149 respondents, 30% completely agree with this finding, 29% to a large extent and 26% to a certain extent, while only 7% of stakeholders answer “not at all”.

Concretely, 62% of 142 respondents support consolidation across the Data Act, Data Governance Act, Open Data Directive, Free Flow of non-personal data Directive, sector-specific rules, and ePrivacy Directive. Moreover, 27% want to include the GDPR in the consolidation efforts.

A majority of stakeholders is uncertain whether the benefits of data legislation outweigh the costs associated with its introduction (70% of 110 responding stakeholders). On the ePrivacy Directive, almost 80% opt for this option.

When asked about the balance between privacy protection and innovation, the respondents express mixed opinions. Regarding the processing of the content of electronic communications for other purposes than providing the service, 28% of the 125 respondents are opposed, 22% agree provided they have actively consented, and 34% want to limit the use of such data to legitimate interests. Regarding the processing of metadata of electronic communications, 20% oppose, 19% only with active consent, and 46% want to limit the use of such data to legitimate interests. Regarding data originating from terminal equipment, using cookies and other tracking techniques, 36% agree with the use of such data for legitimate interests related to the service provision, 20% agree to the use of such data but only when having actively consented, while 24% state they do not want to be tracked in any form.

Regarding the processing of IoT data for professional/industrial use, around 45% of 114 respondents do not think that the current ePrivacy rules provide a good balance and do reflect well the technical situation, as opposed to 11% who think this is the case. 44% say they do not know. Many stakeholders believe the ePrivacy framework is outdated or call for an alignment with the GDPR. While businesses call for more flexibility for processing purposes, users and civil society express the wish for modernised rules that effectively protect users from tracking and provide a real choice for their privacy settings.

When asked about the main challenges in balancing data protection with innovation and technological advancements (multiple-choice question, 146 respondents), the most chosen answers were “ensuring consistent enforcement of data protection laws within the EU” (29% of the responses) and “guidance on interplay with other legislation” (28%), followed by the “absence of regulatory sandboxes or means to discuss solutions with supervisory authorities” (16%). Among respondents who give more detail to their answers, the majority reports that the inconsistent enforcement and one-sided interpretation of regulations by data protection authorities is a significant issue. Key areas for clarification include the interplay of the GDPR with the Data Act and the AI Act, and the interpretation of “personal data”, especially in the context of IoT. Roughly 20% call for better defining the limits of the definition of personal data, especially in an industrial and IoT context, and including a criterium of reasonable risk of reidentification.

On the preferred future governance structure on data sharing, 32% of 129 respondents state to prefer one single EU governance body to be set up, whereas 15% want governance to be left to the member States, with stronger cooperation rules between them, and 15% prefer several EU governance bodies with strong cooperation rules. 14% answer “I don’t know”.

When asked about how to improve the current legal framework as regards access and use of Data for AI and innovation (multiple-choice question), the most chosen answers among the 154 responding stakeholders were to harmonize the legal terminology (68%), to provide guidelines on the interaction of laws (66%), to reduce administrative burden (62%) and to streamline governance structures at EU level (59%).

62% of the respondents indicated reducing administrative burden as the way to improve the current legal framework. Environmental reporting (22% of responses) and financial reporting (20%) stood out as the areas where over 70% of the 123 participants believed that existing rules could be enforced more efficiently through automated data exchanges, followed by trade/customs declarations (15%), product safety/standards (14%), AI contracting (13%) and workplace/labour law compliance (10%).

Out of 134 respondents, a clear majority (63 %; 39%: high potential, 24%: moderate) showed potential in data spaces to cut red tape by automating compliance procedures. Several respondents argue that the primary burden is overly complex compliance steps; they urged the Commission to streamline or eliminate these before layering automation on top. Nearly two-thirds of respondents (65 % of 130 respondents) wanted the EU to make it a high priority to fund digital tools that simplify regulations. In general, the respondents proposed to start with high-burden and high impact sectors where regulations are complex and data flows already exists, and to avoid new fragmentation. They proposed to review and simplify the underlying rules first, highlighting the fact that digital tools should support, not substitute regulatory clarity. Several submissions called for a one-stop-shop EU portal where firms lodge all regulatory reports (“report once, comply many”), or to use existing building blocks such as the European Digital Identity Wallet. Civil society organisations cautioned that “simplification” such as automation must not erode fundamental rights, cybersecurity, or environmental safeguards.

Moreover, when asked about data localisation requirements, 28% of 90 responding stakeholders confirmed considerable costs, and 19% to some extent. The answers given in the free-text section (28%) highlighted the burdens imposed by varying and overlapping legal data regimes on international operations. 54% of 89 respondents were worried (completely or to a large extent) about the insufficient clarity of the interaction between the regulatory framework of the EU and third countries, and 51% were concerned about compliance or administrative burdens linked to international data transfers. Criticisms uttered in the free-text section included perceived regulatory burdens, especially for small and medium enterprises, legal fragmentation and complexity, and a perceived protectionism, which might restrict innovation. Stakeholders repeatedly highlighted the importance of international cooperation and adequacy decisions to simplify GDPR-compliance. Additionally, when asked about the obstacles to engage in data altruism, the most chosen answer was “administrative or legal complexity” (21% of 103 respondents).

2.Data availability and AI training

Most of the 136 responding stakeholders think the EU should re-examine legal regimes to facilitate data usage for AI training (yes: 70%; no: 30%). Of those saying “yes”, 34 respondents identify the GDPR, 15 the Copyright Directive, 12 the AI Act, 9 the Data Act and 4 the ePrivacy Directive as the main legal regimes to be re-examined. The majority reports the need to strike a balance between protecting personal data and enabling the use of data for AI.

Among 130 stakeholders, there are similar views about the solutions which the EU should financially support to enhance data availability (create synthetic data; facilitating market access to articulated data needs; establish data intermediation services supporting not-for-profits, researchers and SMEs; negotiate and acquire collective data usage licences, with access limited to not-for-profits, researchers and SMEs). All proposed answers enjoy broad support, ranging between 56% and 60% approval rates, while between 14% and 20% of respondents answer “I don’t know”.

On the role of public service broadcasters in making data available for AI (multiple-choice question), many of the 108 responding stakeholders think that public service broadcasters should make their content available to EU organisations for AI training (50%), while 29% do not see a specific role for such broadcasters. A majority further reports that public broadcasters should have the sovereignty to decide about making their content available, with copyright clearance indicated by some as a major challenge.

On the role of national deposit libraries in making data available for AI (multiple-choice question), a majority thinks that these libraries should negotiate specific licences with copyright holders to make data available for AI (58% of 112 respondents), while 18% do not see any role for such libraries. Most of the 29 responses in the free-text section highlight the danger of national libraries and archives circumventing copyright laws.

On synthetic data, most stakeholders are in favour of the EU financially supporting the production of synthetic data (among 126 stakeholders, 18% see this as highly beneficial, 17% as somewhat beneficial and 26% as useful). Similarly, a majority agrees that the EU should mandate Member States to make certain synthetic data assets publicly available (17%: highly beneficial, 11%: somewhat beneficial, 29%: useful).

3.Specific focus on the Data Governance Act, the Free Flow of Non-Personal Data Regulation, and the Open Data Directive

(I)Data Governance Act

Regarding the Data Governance Act (DGA), many of the responding stakeholders report that they are very familiar with it (43% out of 134) or know most of its objectives and content (33%). Familiarity is especially high among respondents from Germany (70% of respondents) and Belgium (78% of respondents), and within large organisations (250+ employees), where 48% report being “very familiar”. 77% of 134 respondents indicate some form of direct relevance of the DGA for their organisation: 38 identify as organisations wanting to re-use public sector data (33%), 29 as public sector bodies (25%), and 17 as organisations engaged in data-sharing activities involving data intermediation service providers (15%).

Responses to the question about the effectiveness of the DGA are mixed. Only 8% of 125 respondents indicate that the DGA has achieved completely or to a large extent its objective of making more public sector data available. Similarly, only 9% feel that the DGA has met its objective of facilitating the collection of data for public use. Just 10% indicate that the DGA has fully or largely achieved its objective of reinforcing data sharing. On average, 46% of respondents express mixed views on the extent to which the DGA's objectives have been achieved, answering “somewhat” or “to some extent.”

About half of the 119 responding stakeholders are either strongly (33%) or slightly (18%) in favour of applying stricter conditions for reuse of public sector documents covered by the DGA to ‘gatekeepers’ under the Digital Markets Act or ‘very large online platforms’ under the Digital Services Act. 22%, many of which being business associations, disagree to such suggestion. Similarly, 47% of 121 respondents are in favour of applying different rules to non-EU companies

A majority of stakeholders (52% of 116 respondents) would wish that the public sector makes more efforts to allow processing of confidential data as described in the DGA. 21% indicate having “recently worked with a public sector body that provided for a mechanism to re-use confidential data with privacy/confidentiality safeguards.” On data intermediation services, half of the 121 respondents express support for the current strict regime of the DGA aiming to ensure the trustworthiness of such services, while 20% do not see the need for such legal framework. 12% favour a differentiated regime based on the market power of service providers. Only 2 stakeholders indicate that a voluntary certification of such services would be sufficient. The question on experiences with data altruism attracted 12 responses, of which 17% express positive views based on their experience working with data made available voluntarily by individuals through consent or by organisations through permission. When asked about the obstacles to engage in data altruism, the most chosen answer was “administrative or legal complexity” (21% of 103 respondents), followed by a lack of “trust that data will be used for the common good only” (16%) and “financial sustainability” (14%).

(II)Free Flow of Non-Personal Data Regulation

Among the 113 respondents, 48 % demonstrate strong familiarity with the Free Flow of Non-Personal Data Regulation (FFDR): 27 are very familiar (24%) and another 27 know most of its objectives and content (24%). A further 30 respondents (26%) say they know some of its objectives. Only 16% of 101 respondents have encountered being subject to a written rule in an EU Member State preventing them from storing certain data outside that state, while 57% answer “no” and 27% “I don’t know”.

Asked about the effectiveness of the FFDR, views are mixed and uncertainty remains high. Fewer than four in ten respondents believe any FFDR objective is already fully met, and a consistent one-third cannot yet assess the Regulation’s impact. Confidence is strongest where the FFDR directly tackles localisation rules (38% of 103 respondents agreeing that the FFDR is already easing localisation barriers); it is weakest on trust, security (26%), and practical switching between providers (28% perceiving benefits). Out of 104 respondents, 45% think the FFDR has been effective (13%), somewhat effective (29%) or very effective (3%) in facilitating cross-border data flow within the EU, while 43% choose the answer “I don’t know”.

Uncertainty is also high when asked about whether the mechanisms for monitoring compliance with the FFDR are sufficient. Among 101 respondents, almost two-thirds do not know whether the current monitoring set-up is sufficient. 20% of stakeholders deem it sufficient, whereas 14% do not see it as sufficient. Similarly, 68% of 103 respondents do not know whether the enforcement mechanism of the FFDR is sufficient, and 62% of 88 respondents do not know whether they would suggest reforming the rules of the FFDR.

(III)Open Data Directive

Among the 114 respondents, 39 % report being highly familiar with the Open Data Directive (ODD). A further 29 % say they know most of its objectives, while 18 % indicate familiarity with both the directive’s objectives and its detailed provisions. Respondents from Germany, France and Belgium show above-average familiarity with the ODD, and within large organisations (250 + employees) the share of highly familiar respondents is about 21.4 %.

Asked about the need to modify the ODD, the largest share (39% of 107 respondents) feels that the ODD should be modified, while a smaller group (25%) believes no changes are needed. Around 37% say they do not know.  Answers in the free-text section highlight the need to eliminate national and cross-legislative inconsistencies by creating a consolidated legal framework, the need for a higher quality of open data and more high-value datasets, and missing legal clarity vis-à-vis data protection.

Of the 105 respondents, 46% say they use public-sector data frequently, 35% use it only to a limited extent, and just 8% have never used it at all. The groups most relevant to the ODD are businesses, business associations, and public-sector organisations. By country, the largest shares of respondents come from Germany, Belgium, France, Sweden, Italy, and the Netherlands.

Most respondents have a positive view on the effects of the ODD in practice. 68% of 104 respondents either slightly (47%) or strongly (21%) agree that more public sector data has become available for reuse, especially for SMEs. Similarly, 66% of 100 respondents agree slightly (44%) or strongly (22%) that the implementing act on high-value datasets has had a positive impact on the availability of such data. Around 57% of 103 respondents are in favour of transforming the ODD into a directly applicable Regulation (31% strongly, 26% slightly).

III. SME Panel on the Digital Omnibus

The European Commission conducted an SME Panel to gather input about business operations linked to digital rules among small and medium-sized enterprises (SMEs). The consultation was run online from 4 September to 16 October. It was complemented by an in-person meeting with SME associations on 1 October, to present the Digital Omnibus initiative to SMEs.

With a total of 106 contributions to the consultation, 94 respondents provided information regarding their company size, distributed across five categories. The largest group of respondents represented micro enterprises (1-9 employees), accounting for 44 responses, followed by small enterprises (10-49 employees) with 21 entries. Medium-sized enterprises (50-249 employees) with 16 responses, while 10 respondents identified as self-employed (owner-only, no employees). Finally, three responses came from larger enterprises employing more than 750 people.

Most participating businesses were based in Greece (34%), Poland (19%), and Spain (19%), followed by Portugal (6%), France (4%), Bulgaria (4%), and Hungary (4%). A smaller number of responses came from Cyprus (3%) and Sweden (1%). The geographical distribution shows a strong representation from Southern and Eastern Europe, with Greece providing over one-third of all responses.

Overall, 60% of participating companies indicated that they provide services or products in more than one EU Member State, reflecting a strong cross-border dimension among respondents. The questionnaire was structured into four sections covering different areas of law explored under the Digital Omnibus: cybersecurity incident reporting, data sharing, artificial intelligence, and digital identity framework. It aimed to explore how to help reduce daily compliance-related operational costs.

Summary of Results

Cybersecurity incident reporting

This section focused on the obligations of companies in the event of cybersecurity incidents such as cyberattacks or data breaches. It explored the challenges companies may have encountered in complying with EU legislation and its national transpositions.

Respondents were asked whether their company had ever submitted an incident report under several regulatory frameworks, including the Network and Information Security Directive ( NIS2 ), Digital Operational Resilience Act ( DORA ),, General Data Protection Regulation ( GDPR ), Network Code on cybersecurity of cross-border electricity flows ( NCCS ). Most of the respondents (79%) indicated that they had never submitted an incident report under the regulatory frameworks considered. Among the companies that did report incidents, the most frequent case (9%) concerned companies designated as ‘essential’ or ‘important’ under NIS2, reflecting the critical role of companies in sectors such as energy, transport, health, manufacturing and ICT service management. On the contrary, no incidents were reported under regulations like NCCS.

The results suggest that reporting obligations to different regulatory authorities remain relatively uncommon for SMEs, with 55 respondents stating that this was not the case for their company. Nevertheless, five companies reported being required to notify the same incident to multiple authorities (with one company from Portugal stating, for instance, that it reports each year in Portugal, Poland, France, Czechia, Germany and Spain), with a further 32 respondents unsure. This uncertainty highlights a possible lack of awareness concerning overlapping reporting obligations. In their qualitative responses, participants pointed out that this is for instance, the case when it comes to GDPR compliance, national data protection authorities, and in some cases, sectoral regulations.

Despite this, several companies estimated that the cost of their company linked to the reporting of a cybersecurity incident could range from €500 to €35.000 (including cost of labor, and necessary in-house tools). Such range could be explained by factors such as the company size, sector, and nature of the incident.

Regarding the frequency of the incidents faced and reported per year, 19% of the companies participating in the survey experience between 0 to 10 reportable incidents annually, while 2% faced between 10 and 20 incidents per year, and only one company reported more than 20 incidents per year. Therefore, cybersecurity incidents seem to remain relatively infrequent among the surveyed companies (78% did not face or report any incident).

Figure 4: Reported and Faced Incidents per Year

Data sharing

Most respondents indicated not being aware of which legislative frameworks governing data sharing and access were applicable to their work model and operations. The most frequently recognised framework was the ePrivacy Directive, with 19 companies indicating that it applies to them. Eleven respondents stated that their company falls under the Data Act, followed by nine under the Free Flow of Non-Personal Data Regulation, and six each under the Open Data Directive and the Data Governance Act.

Figure 5: EU Data Related Legislation Applicable to Respondents

In addition, the great majority of the respondents considered that accessing data held by public sector bodies to re-use it for their own business activities was too complex as a process or that the data available was not relevant to their business.

Figure 6: Respondents Accessing Data Held by Public Sector

Of those who reported having requested this type of data (11%, 23 respondents), 15 considered that the cost of such request was low compared to the value created by such data. Five stated that it was moderate or proportionate, while only three reported that the cost was high in comparison to the added value. Some companies further added cost estimates for such requests, but with broad and inconclusive ranges (from €100 to €50.000 for one micro-sized company from Greece)

When asked specifically about cookies (regulated under the ePrivacy Directive), 66% of the respondents indicated that they did not use them for other purposes than the technically necessary functions envisioned in the ePrivacy Directive, such as for sending a message over a network or for providing a service the user has specifically asked for. On the contrary, 34% of the respondents affirmed using cookies for other purposes. Website statistics were reported as the most common among these alternative practices.

Figure 7: Other Purposes for Cookies Use

Responses regarding the average annual cost of creating and maintaining cookie banners varied significantly. Twenty SMEs provided quantitative data. While some respondents indicated that they do not use such banners, most others reported expenses ranging from €50 to € 1500 per year, A small number of respondents reported considerably higher costs, between €2,000-€5000 annually. Furthermore, respondents were asked whether they would continue to rely on cookie banners if the collection of personal data for audience measurement and website statistics no longer required user consent. The results suggest that, even if consent were no longer mandatory for audience measurement, a majority of companies (37 out of 61) would still rely on some form of cookie banner, either to ensure transparency or to safeguard against legal uncertainty.

Artificial Intelligence

While SMEs already benefit from a simplified regulatory regime under the AI Act, this section explored whether further supporting measures could be useful for a smoother implementation. In this regard, the greatest difficulties reported were uncertainty about the scope of the legislation and which rules apply (30%) and access to standards, guidance documents, or other compliance tools (18%), while 13% reported uncertainty regarding the responsible supervisory authorities. This was followed by 12% who pointed out resource constraints, and 8% cited bureaucratic hurdles or duplication with existing procedural requirements.

Companies indicated that templates and toolkits for SMEs (33%), staff training (23%), and access to a contact point for free compliance advice (27%) would most reduce the burden of implementing the AI Act, while 12% requested more guidance documents and 4% reported no support needed.

Figure 8: Type of Support to Reduce Compliance Burden

Additionally, respondents listed hiring or training staff for compliance, legal and consultancy fees and updating technical processes or systems as top cost drivers, while certification and conformity assessment and ongoing monitoring and reporting were considered lower cost factors. A small number of respondents shared an estimate of their overall compliance costs with the AI Act, ranging between €150 and €50.000 for some.

Finally, on the matter of regulatory overlap, respondents identified interactions between the AI Act and the General Data Protection Regulation (GDPR) as the principal cause of legal uncertainty for their business. Smaller impact was reported for other laws such as the Digital Services Act (DSA) or the EU Copyright Directive.

Figure 9: Cases of Uncertainty between the AI Act and Other Laws

Digital Identity Framework

The last section of the consultation focused on the application of the eIDAS Regulation . Respondents whose organisations are subject to regular compliance audits under this Regulation stated that they destinate 74% of the costs for external audits services, and 26% to other services. Besides the external audit fees, respondents listed specialised staff and external legal or consultancy fees as the typical costs involved, headed by IT systems costs. Other types of costs mentioned were AI subscriptions and server costs.

Figure 10: Typical Costs Involved for Auditing Under eIDAS 2

While arguments such as additional cost savings, less workload, and fewer disruptions to operations were brought forward as support for a longer audit cycle, most respondents (52%) stated that they didn’t know whether prolonging the audit cycle would bring direct benefits for their organisation. 22% of the respondents considered that prolonging the audit cycle would bring direct benefits for their organisation, with 26% of the respondents indicating that it would not bring any benefits. It should however be noted that auditing under the eIDAS 2 concerns a very limited amount of qualified trust service providers in Europe, leading to potential additional qualification of the responses. In addition, support in the form of simplified guidance was pointed out to make compliance audits more manageable.

Overall, while the eIDAS Regulation ensures secure cross-border digital transactions, compliance audits remain resource-intensive. Clearer and simplified guidance is viewed as key to easing the compliance burden.

IV. Reality checks

The European Commission’s services held a series of five reality checks between 15 September and 6 October 2025.

Reality checks are a consultation method whereby Commission services meet with a set of business stakeholders at technical level to discuss implementation of specific rules, and test potential simplification avenues. Where relevant, non-business stakeholders can also be invited to the meetings to share specific knowledge or expertise.

With regards to the Digital Omnibus, the objective was to seek detailed views on cookie banners, the implementation of artificial intelligence rules, the availability of protected public sector information for reuse, cybersecurity incident reporting, and auditing under the EU’s digital identity regulatory framework 198 .

These meetings were organised under a ‘focus group’ format, with Chatham House rules. They were held online in order to facilitate the participation of stakeholders across Europe. A registration page was created on EU Survey, and shared via the Enterprise Europe Network, European Digital Innovation Hubs, and the AI Pact. Respondents had the option to indicate their meeting of interest. Commission services then proceeded to the applicants’ selection, with a view of ensuring a balanced representation of profiles. Number of participants was limited to a maximum of 15-20 stakeholders per meeting, in order to facilitate in-depth exchanges and sharing of technical knowledge.

A summary of discussions for each of the five reality checks can be found below.

1.Reality check on the cookie policy framework under Article 5(3) ePrivacy Directive

The reality check took place on 15 September 2025, from 14:00-16:30. It focused on Article 5(3)ePrivacy Directive, particularly on the cookie policy framework. A background note with guiding questions was circulated before the meeting.

Around 20 stakeholders were present, representing businesses and civil society. While business representatives largely agreed on the problem of “cookie fatigue” and the lack of user having a meaningful choice, civil society insisted that the cookie fatigue was caused by the industry using confusing and complicated banners on purpose.

A majority of stakeholders (including one civil society representative) considered the current consent requirement under Art. 5(3) ePrivacy Directive unnecessary. They favoured a risk-based approach, with more exemptions for low-risk activities such as fraud prevention, web analytics, security purposes, contextual advertising, improving the customer journey, and purposes not involving personal data. At the same time, they stressed that personalised advertising cannot be considered low-risk and should remain subject to consent. One business stakeholder proposed reforming Art. 5(3) to require consent only for personalised advertising.

Participants discussed also whether audience measurement should be exempt: one business association argued it serves the public interest (e.g. supporting enforcement of online child protection rules, allocation of press revenues), while a civil society representative underlined that some audience measurement practices are privacy-intrusive. However, the latter agreed that limiting consent banners to invasive practices like targeted advertising could improve user choice, as banners would then act as genuine warnings. It was also noted that most websites (e.g. NGOs or consumer brands) do not need personal data to provide their services, a view supported by others.

Stakeholders also discussed whether to regulate centralised consent management systems, such as allowing cookie settings via browsers. Some businesses raised competition law concerns about the dominance of a few browser providers and the importance of understanding website use. Others, particularly from civil society, supported this as user-centric and simplifying choice. They argued competition risks could be addressed through instruments like the DMA, supported by open standards. Alternative solutions mentioned included using trusted third parties or certification schemes for cookie banner providers. A civil society representative also highlighted California’s regulation of global privacy control as a positive example.

Asked about the greatest challenge in complying with Art. 5(3) ePD and GDPR, many stakeholders from the business side highlighted the expansive interpretation of what constitutes personal data and consent requirements under the ePD by some DPAs and particularly recent EDPB guidelines, and the inconsistent enforcement and interpretation throughout Europe.

Civil society repeatedly insisted, however, that the focus on personal/non-personal data would be misguided as the right to privacy (which the current ePrivacy Directive protects) was a different fundamental right (Art. 7 Charter) from data protection (Art. 8), protecting notably the confidentiality of communications and not only personal data. Accordingly, even without personal data-relevance, terminal equipment should be protected against unauthorized access.

Participants identified scenarios in which the subscriber in the sense of the current ePrivacy Directive could be a legal person, e.g. in IoT scenarios. The user and subscriber could be different persons and obtaining consent can be challenging. On the other hand, one stakeholder representing a law firm questioned whether this necessarily means maintaining the integrity of the terminal equipment, and suggested focussing on the protection of the data obtained from it, potentially restricting particularly invasive tracking or analysis methods instead.

On the topic of privacy-enhancing technologies (PET), there was a large agreement on the importance of incentivizing the use of PETs. While not being perfect, PETs could significantly reduce privacy-related risks of tracking and other technologies. Several stakeholders pointed out that under the current approach, investing in PETs was unattractive, as Art. 5(3) requires consent even if using a PET. Civil society cautioned against an overly reliance on PETs due to “privacy washing”-risk, as the effectiveness of PETs heavily depended on their design. One business stakeholder therefore highlighted the importance of independent audits and certification of PETs.

Regarding compliance costs, one business association stated that maintaining a cookie banner for a middle-sized publisher would bring about costs of 100.000-500.000 EUR/year. The representativeness of this figure was questioned by civil society, which held that the price of maintaining a standard 3rd party cookie banner was negligible and that there are service suppliers on the market that would charge much less for more complex cookie consent situations. One business stakeholder estimated that their company incurs a cost of 2 million EUR/year to comply with the ePD, based on 20 full-time employees working on the topic.

On the use cases for placing and processing of information on terminal equipment that are unrelated to personal data, there were only a few responses. One representative from civil society put forward the problematic examples of blockchain mining and unauthorized exploitation of devices, besides the legitimate uses cases (e.g. setting the font style of a website), which are already allowed under Art. 5(3) today. A business association pointed out that any communication with a website will require the storage of information on the device (e.g. the user highlighting text in a website).

2.Reality check on AI Act implementation

On September 16, 2025, the AI Office hosted an online roundtable event, bringing together stakeholders to discuss the implementation and implications of the AI Act. This event was part of a broader initiative by the European Commission to conduct a series of “reality checks”, focus-group discussions aimed at evaluating the practical application of digital legislation, particularly the previously mentioned AI Act, across various industries. The feedback from these discussions will be crucial in refining the Digital Omnibus Package, ensuring it meets business needs while maintaining regulatory objectives. This report will cover the following aspects of the discussion: approach, organisation, participants, and topics.

Organisational structure:

The event was conducted virtually, from 3 PM to 5:30 PM CET, lasting approximately 2 hours and 30 minutes. The virtual format allowed for the inclusion of companies across the EU and based in third countries, ensuring a diverse range of experiences and perspectives. The session was divided into a welcome and scene-setter segment, followed by an in-depth roundtable discussion.

Participants:

10 participants representing individual companies were selected among applicants, following an open call for registration. The selection ensured a diverse range of sectors and company sizes to provide a comprehensive view of the AI Act’s application experience and cost. One participant introduced broader stakeholder views as a business association. To ensure diversity of perspectives, with particular regard to the broader implications of AI, two civil society organisations were invited.

Types of Questions Discussed:

Two main topics were addressed by the participants during the discussions:

1. Experiences preparing compliance: Participants shared their challenges and pressure points in preparing for the 2 August 2026, deadline for implementing high-risk and transparency rules under the AI Act. They also discussed the resources dedicated towards AI Act compliance, including full-time equivalents (FTEs) and estimated costs.

2. Experience with applicable requirements: Participants provided feedback on their experiences with implementing the AI Act’s AI literacy requirements and prohibitions. This included discussions on challenges encountered and the resources allocated towards achieving AI literacy within their organizations.

Summary:

The roundtable discussion on the AI Act revealed several key themes and challenges faced by companies and stakeholders. One of the main concerns is the significant compliance cost associated with high-risk AI systems, which some participants estimated to be at least €100,000 per system. The absence of clear standards and the interplay between the AI Act and other regulations, such as GDPR, pose substantial challenges to stakeholders.

Additionally, there is a strong demand for more guidance on AI literacy and the need for better clarification on what constitutes a "sufficient level of AI literacy". Participants also highlighted the difficulties in implementing post-market monitoring strategies, as well as the complexities involved in different types of AI systems, including GPAI and downstream applications.

Furthermore, the roundtable underscored the importance of simplified compliance procedures and the need for harmonized standards to facilitate practical implementation. The participants emphasized the need for more support tools, standards, and notified bodies to facilitate compliance with the AI Act.

Overall, the reality check event provided a valuable opportunity for stakeholders to share their challenges regarding the AI Act’s implementation. The event underscored the importance of ongoing engagement and collaboration between regulators, industry stakeholders, and experts to ensure that the AI Act is effective in promoting trust, innovation, and responsible AI development and deployment.

Quoted costs in the Meeting and Related Explanations

Quoted FTEs in the Meeting and Related Explanations

3.Reality check on the availability of protected public sector information for reuse

This meeting was held on 16 September 2025, from 10:00-12:30. Around 15 stakeholders were present, representing the public sector (national data coordinators and data holders) and businesses both on individual and association level. A background note with guiding questions was circulated before the meeting.

The meeting explored the potential streamlining of rules on availability of protected public sector information for reuse. The latter are currently regulated in two different, complementary instruments. First, the Open Data Directive sets out rules for the re-use of accessible public sector information but excludes from its scope certain categories of data that are not generally open due to their confidentiality (e.g. statistical confidentiality, protection of IP rights and trade secrets) or personal data protection concerns. Secondly, Chapter II of the Data Governance Act sets our common rules (e.g. non-discrimination, reasonable fees) for situations when public sector bodies decide to make also their non-open data available for reuse under specific conditions.

The discussion highlighted the importance of creating a more coherent, streamlined framework for public sector data reuse. Participants stressed the need for improved awareness among authorities, harmonized legislation, and a supportive European-wide structure that enables better data sharing and reuse without compromising data protection and security concerns. The key conclusions were the following:

I.Challenges in Complying with Requests for Data Reuse and in Making Public Sector Datasets Available

oData Protection Concerns: Authorities often cite GDPR and other data protection rules as reasons to withhold public sector data, though Article 86 provides leeway that isn't fully utilized. Also, clearing personal data from datasets prior to release is labour-intensive, and authorities sometimes lack the awareness of their roles within data governance.

oIdentification of Users: Difficulty in identifying data users hampers data sharing, especially sensitive datasets in today's geopolitical context.

oPublication Costs: Administrations face significant expenses in making data available proactively, acting as a deterrent to publication.

oAPI Development Costs: The development and maintenance of APIs are financially burdensome, creating barriers to data sharing in some Member States (MS). It hinders proactive data publication.

oComplexity from the Data Governance Act (DGA): The Act's novelty introduces complexity and overlaps, resulting in confusion in some MS.

oAccess Restrictions on Specific Data: For instance, treating Vehicle Identification Numbers (VIN) as personal data severely limits useful dataset access.

oReluctance to Share Data: There exists a cultural hesitation to share data due to fear of favouritism or infringement on competition laws.

oFragmented Responsibilities and Limited Capacity: Especially in Central/Eastern Europe, limited resources and decentralised data holding complicates data access decisions.

oLack of Clarity and Awareness: There is often a lack of understanding among public bodies about what constitutes a dataset and what information can be re-used, compounded by inadequate metadata.

II.Potential for Harmonisation of Reuse Rules

oImproving Awareness and Accessibility: Harmonised rules would enhance understanding for companies regarding data availability and usage processes.

oOne-Stop Shop for Data Access: Establishing central access points in each MS could streamline data availability, potentially with EU support.

oUniformity Across MS: Varied data availability across MS calls for harmonization, possibly through regulation, ensuring consistent access and usability.

oUnified Framework: A unified EU legislative framework for data would bridge the Open Data Directive (ODD) and DGA while respecting specific sectoral laws.

III.Simplification for Small-Mid Caps

oBenefiting from Harmonised Rules for all: Clear, universal rules will ease navigation for all companies, irrespective of size.

oFocus on Data Quality and Formats: Emphasizing standardization in data quality and formats is deemed more beneficial than differential treatment.

oAvoiding Discrimination Against Large Companies: The focus should remain on accessible data, rather than discriminating based on company size or type.

IV.Obstacles in Accessing or Reusing Public Sector Data

oVariability in National Implementation of Rules: Different national implementations lead to varying data quality, impacting cross-border usability.

oResource and Procedural Challenges: Public sector bodies often lack the necessary resources, resulting in delays and inconsistent procedures for data access.

oNeed for Sustainable Funding: Continued public funding is necessary to sustain the availability and quality of data provisions.

V.Differences in Reuse Rules Across Member States

oIssues with Interoperability: Variations in data granularity and availability lead to challenges in cross-border interoperability.

oSuccessful Access Models: Adopting successful models, like those under the HVD implementing act for weather data, could inspire improvements in other sectors.

4.Reality check on cybersecurity incident reporting

The meeting was held on 2 October 2025, from 14:00-15:30. A background note with guiding questions was circulated before the meeting. Twelve stakeholders were present, representing small and large enterprises as well as civil society organisations.

The reality check was aimed at collecting quantified feedback on the impact of EU legislation and compliance with cybersecurity incident reporting requirements. However, participants raised the difficulty of producing data requested. They were encouraged to share, where possible, any additional quantified information in writing following the meeting.

Businesses raised concerns about the burden associated with reporting to multiple authorities following different channels and formats while the incident management is ongoing. This often requires relevant teams to step away from their duties to comply with notification obligations which can impact the timeliness and efficiency of the response. Some Member States’ delay in transposing the NIS2 directive as well as not entirely repealing Articles 40 and 41 of the European Electronic Communications Code (EECC) was brought to the attention of the Commission.

The “report once, share many” model received wide support from stakeholders, while some discussed whether submitting incident reports to the Member States with which they are used to cooperating would not be more appropriate.

Main conclusions:

(I)Stakeholders all face compliance obligations from multiple EU rules and regulations:

oMultiple EU legal acts relevant to cybersecurity incidents apply to companies directly and/or are required by contracts with third parties. In this context most commonly were mentioned NIS2, GDPR and DORA.

oConcerns were raised about the continued applicability at the national level of policies that should have been repealed by subsequent European legislation (e.g. EECC Articles 40 and 41), increasing the compliance burden. 

(II)Cybersecurity incident reporting modalities are fragmented:

oParticipants voiced difficulties with notifying multiple authorities in different reporting modalities (e.g. uploading documents, using different platforms) to provide different information in various formats.

oIt was also mentioned that the reporting burden extends to additional efforts to answer follow-up questions.

oConcerns were also raised about the burden of identifying the adequate authorities in different markets to notify.

oIt was highlighted that the vast majority of the incident reports submitted concern the GDPR and increasingly NIS2.

(III)Cybersecurity incident reporting incurs costs that are identified but difficult to quantify:

oParticipants did not provide data on the estimated costs of incident reporting.

oCurrent incident reporting may require teams in charge of incident management to step away from their duties and take time to fulfil the compliance obligations at the cost of time spent solving the incident and minimizing consequences.

oAdditional costs are incurred by the external resources needed to set up and maintain the underlying processes that will enable reporting during the emergency, such as enabling the assessment of the incident's significance, if and under which legislation it should be reported.

(IV)Broad support for the "report once, share many" model with divergence on the most appropriate level of reporting:

oFrom the perspective of telecom operators, reporting to one authority per market at the national level could help alleviate the burden and help foster a relationship of trust.

oSome participants suggested ENISA could provide a guiding document on different practices across Member States and facilitate the reporting process, including for critical entities.

oIf the reporting is made before a single authority which disseminates the report further, several participants stressed there should not be follow-up questions from all the authorities that receive the report.

oThere should be harmonized templates, timelines and terminologies to be used by all Member States. Additionally, regarding the data and information requested, more context and justification of the purpose for collecting more detailed information should be considered.

oOne suggestion was to adopt a reporting approach that accommodates the urgent character of incident management in the spirit of the 112 European emergency number and combine this with assistance provided by response teams.

oReporting should also be simplified and streamlined when the obligations extend to suppliers.

oParticipants generally agreed ENISA should have a role but did not agree on what the role should be (e.g. provide guidance or oversight).

5.Reality check on trust services and the European Digital Identity Wallets

This meeting was held on 6 October 2025, from 15:30-17:30. It focused on the auditing process for qualified trust service providers (QTSPs), as well as on different use cases for the European Digital Identity Wallets (EUDIW) across various sectors. Half a dozen stakeholders, most of them European QTSPs, participated.

On the auditing process for QTSPs, the participating concerned entities first highlighted the need to define the concept of a “high level of confidence”, which is not currently specified in the Implementing Act or the main regulation. The absence of a clear definition could lead to market fragmentation, with each TSP implementing services differently. TSPs requested clarification on the level of confidence and how it differs from the level of assurance (LoA). As possible alternatives, stakeholders suggested either postponing the timeline or focusing instead on the substantial LoA.  

Participating QTSPs also underlined that the high number of Implementing Acts, with different application deadlines, it make it very difficult for them to know when the regulation needs to be applied and when they need to “stop doing what”. One stakeholder suggested the creation of a summary in form of a White Paper that specifies requirements.

Participants noted that an audit requires around 100 days to be completed, requiring a lot of resources. In some cases, it is also more complex as auditors usually request additional information which makes the process even longer. Additionally, some stakeholders expressed the need to have a standard to be made mandatory to have clear guidelines for auditors with regards to ensuring compliance with overlapping regulations to eIDAS 2.0 (DORA, NIS2, Cyber Resilience Act…).

Finally, some stakeholders suggested that auditing could be further automatized, to accelerate and simplify processes.

On the European Digital Identity Wallets, more generally, participants stressed the need for a unified business model. While the framework is useful to European society, one QTSP from Italy for instance expressed skepticism about the effective uptake as the bar has been set too high. This is because there is no EUDIW today, and the other option is to have EDIWs subsidized by Member States on the citizens – which will create inconsistencies across countries. Reaching consensus will all ecosystem stakeholders was perceived to be difficult.  

Furthermore, achieving a high level of assurance (LoA) was deemed complex. Conformity assessment bodies (CABs) are currently lacking, affecting the user experience. The overall certification scheme is not yet in place despite an ambitious timeline, which will create problems to meet the deadline.

Some participants suggested to adopt a risk-based approach for the level of assurance – not necessarily to change the high LoA itself, but rather to allow the substantial level to be applied within a risk-based framework. A unified approach across Member States was also called for, and support from ENISA could help achieve this alignment. 

Some participants suggested the need to set up a monitorization scheme around the data and credential exchange, especially to find a way to maintain privacy.  

Stakeholders expressed that there is at times a lack of understanding with regards to article 5f of eIDAS 2.0, and whether it is about the provision of the wallets or the usage itself. The Commission acknowledged that public services have to accept EUDIW when providing their services, with regards to authentication and identification according to the regulation. Stakeholders also inquired if the wallets should be accepted in the payments systems. They emphasized that the article is not clear, especially for banks, leaving the door open to interpretation. 

Participants also inquired about the potential consequences of non-compliance. The Commission outlined the infringement procedure process. However, in most cases, such situations do not lead to a formal infringement procedure; rather, the issue is flagged to the concerned Member State, which then takes the necessary corrective measures. 

Finally, on the topic of free digital signatures for non-professional use, participants underlined the need to clearly define what non-professional use/professional use means, to ensure alignment and a common understanding across Member States.

V.Implementation dialogues

Implementation dialogues are a new consultation tool for the European Commission at the political level, launched in the spring of 2025. Their objective is to seek feedback from stakeholders in order to facilitate the implementation of EU policies.

Each Commissioner is to hold two meetings a year. Executive Vice-President Henna Virkkunen held a first dialogue on data policy on 1 July 2025, followed by a second on 15 September 2025. Commissioner McGrath also hosted an implementation dialogue on the application of the GDPR on 16 July 2025. A summary of these meetings can be found below.

Data Policy

The Implementation Dialogue took place on 1 July 2025. It was chaired and moderated by EVP Henna Virkkunen. The goal was to present and discuss the state of play and level of implementation of the current ‘data acquis’. It was specifically aimed at identifying solutions for streamlining and simplifying certain parts of the ‘data acquis’ in the context of the Digital Omnibus planned for November 2025. Relevant feedback could also inform the European Data Union strategy planned for October 2025.

The list of participating stakeholders is in the Annex.

I.Main findings

The roundtable discussion was structured according to four themes:

· Theme I - Public sector data re-use under the current Open Data Directive and chapter II Data Governance   Act

· Theme II - Data intermediation services as a facilitator of voluntary B2B data sharing (DGA Chapter III)

· Theme III: Rights to access and use data from connected products (Data Act Chapter II/III)

· Theme IV - Feedback on other data rules

Theme I - Public sector data re-use under the current Open Data Directive and chapter II Data Governance Act

The guiding questions asked to participants were:

·What potential lies in the re-use of data held by the public sector? In which areas should more data be made available? What are the bottlenecks?

·How are public sector bodies supporting industry with access to relevant data, in particular sensitive data (e.g. personal data, data representing commercial secrets)?

Public sector stakeholders reported ongoing efforts to publish high-quality data under open licences (Open Data Directive) and to enable access to sensitive data under controlled conditions (DGA Chapter II), with statistical offices now helping other public bodies take on this role. Cadastral offices flagged the difficulty of funding cross-country data harmonisation from national budgets and called for EU support.

Two AI start-ups reported difficulties accessing legal data (laws, regulations, case law) and language resources in some Member States. They suggested turning the Open Data Directive into a Regulation to reduce national divergences and expanding the list of high-value datasets to include legal, health, and financial data. They also supported the development of a European legal data space. GDPR and trade secrets are often used as pretexts to deny access, they argued. For protected data, secure processing environments and regulatory sandboxes could offer solutions.

EU statistical offices also aim to reduce burden on companies having to fill in statistical surveys by using mechanisms for on-demand access to privately-held data. In this context, the Financial Data Access Regulation was mentioned as a lost opportunity to reduce the number of surveys. The Data Act is a stepping stone in this direction.

Theme II - Data intermediation services as a facilitator of voluntary B2B data sharing (DGA Chapter III)

The guiding questions asked to participants were:

·What role do you see for data intermediation services in voluntary data sharing, in particular in common European data spaces?

·What legislative obligations are necessary for companies to trust them? What could be achieved through voluntary labelling?

Representatives of the emerging ecosystem of data intermediation services and technologies highlighted the importance of a European framework for B2B data sharing for the Union’s competitiveness.

A service provider described itself as the “PayPal” of the data economy, enabling permissioning flows and empowering end-users while improving efficiency. For instance, a French bank automated 75% of consumer loan processes, reducing credit checks from 5 days to 6 minutes. Such data intermediation services, aligned with the Data Act and Chapter III of the DGA (if based on neutral business models), can support compliant and efficient data sharing. The provider opposed making the regime voluntary.

The French data intermediation association supports the mandatory regime but recommends: (1) expanding the categories of allowed value-added services (e.g. data preparation that doesn’t retain data or extract undue value), and (2) enhancing the label’s attractiveness by granting privileges, such as acting on behalf of users in dealings with public authorities. Intermediaries can also help assess data value for inclusion in company balance sheets—a practice already regulated in China.

Theme III: Rights to access and use data from connected products (Data Act Chapter II/III)

The following guiding questions were put to the stakeholders:

·Do you consider it important to ensure that users have a right to access and use data from connected products they own/operate?

·How can perceived risks to data holders’ trade secrets, such as misappropriation or loss of competitive advantage, be addressed?

Company representatives from various sectors - aviation, energy, automotive, agriculture, insurance, and SMEs - view the Data Act as a major milestone. It increases transparency about available data, fosters innovation and efficiency, and enhances competition by allowing users to share data with providers of their choice, helping avoid vendor lock-ins. It also empowers customers and smaller market players, supporting rights such as repair and connectivity.

The Act is expected to enable faster, more efficient maintenance - for instance, allowing a farmer to repair machinery during harvest without waiting for a technician. Cross-brand interoperability was highlighted as essential, especially when using equipment from multiple vendors. However, some types of data - those derived through proprietary algorithms - may fall outside the Act’s scope.

Several participants warned that manufacturers might overuse the "trade secrets" clause (the so-called 'handbrake') to restrict data access. They called for enforcement by authorities with sector expertise, and welcomed model contract terms and clearer guidance on the trade secrets provision.

Companies obliged to adapt their data systems under the Data Act acknowledged compliance costs but saw the requirements as manageable, especially when building on existing data-sharing infrastructure. They rejected calls to replace the Act with sector-specific rules, favouring a unified framework to avoid regulatory fragmentation. The consistent rules across sectors for IoT products are seen as a key strength of the legislation.

Consumer advocates stressed that the Act’s success depends on data holders acting in good faith. Without cooperation, IoT-based services will not develop. Protection under GDPR and the ePrivacy Directive must be upheld. They also warned against excessive tracking and default data-sharing features in connected devices, which consumers largely oppose.

Theme IV - Feedback on other data rules

The guiding questions were:

·Is the EU ‘data acquis’ innovation-friendly enough, in particular in view of developing AI in Europe?

·What is the interaction with sector-specific legislation?

·What are the specific hurdles for small and medium enterprises?

·What simplification would you recommend strengthening competitiveness?

This last session helped raise awareness on a wide range of issues.

“EU regulation simplifies”

A consumer organisation pointed to a study undertaken by the European Investment Bank , according to which, the highest hurdle is not regulation and certainly not EU regulation. EU regulation harmonising a certain area of law is rather simplifying as it replaces potentially diverging national legislations. The highest hurdle is the lack of skilled labour, followed by energy costs. Regulation only would come fourth . In other words, EU regulation simplifies.

Complexity due to overlap, “without prejudice” clauses and cascading effect in contractual clauses

While participants acknowledged the legitimacy of various regulations, they highlighted the complexity caused by overlapping regimes and “without prejudice” clauses, which create regulatory silos. This is especially problematic for service providers operating across sectors, where obligations placed on larger players often cascade down to smaller ones via contracts, complicating business operations. To address this, one participant called for a risk-based regulatory approach and greater use of exploratory tools like sandboxes. The absence of cross-regulatory guidance further exacerbates complexity.

An insurance sector representative noted overlaps between the AI Act and existing insurance regulations. Although the Commission had initially suggested insurers wouldn’t fall under the AI Act’s high-risk category, these obligations now appear to apply regardless. Another participant observed that in some countries, AI enforcement bodies assume non-compliance by default—an approach that stifles innovation. SMEs, in particular, need fast-track support and a more coordinated, constructive enforcement environment.

Areas for simplification

One area in which access to more privately-held data could be provided would be health and cybersecurity. This could help insurance companies to offer better tailored insurance policies and premiums. Others considered the European Health Data Space Regulation to be good in principle, but requiring strong enforcement.

Some other stakeholders suggested that certain legislation could further be simplified, including sectorial legislation such as the financial data access regulation (FIDA), with suggestions from the representative of the insurance industry as to its scope and potential effects.

Diverging GDPR enforcement and low degree of harmonisation of interpretations by the European Data Protection Board were seen as a hindrance to develop pan-European AI solutions. Also, the AI Act mandates keeping training data whereas that would normally not be possible under GDPR, thus calling for better alignment of the two acts.

Simplification should make compliance easier. Regulation also should aim to achieve interoperability and thus trigger standardisation. Innovation and regulatory sandboxes were also seen as very useful, and could be tailored to the needs of SMEs and SMCs. To further support such companies, rules on public procurement should be revised to include more companies in EU R&I funding actions. The focus of such actions should be on applied research that leads to actual products or services.

Synthetic data was mentioned as a good compliance tool whenever data is too sensitive to be shared. However, a common definition and standards are still lacking. One participant mentioned a positive experience with a certification scheme under the GDPR.

The coordinator of the European tourism data space highlighted the lack of sufficient granularity in public sector data, which hinders the development of viable business cases—an issue also seen in private sector data. Companies active in the data economy struggle with compliance challenges, particularly around consent management and confidentiality.

Support is especially needed for SMEs and micro-enterprises, such as tourist guides, through technical tools for data use and sharing. Interoperability of data space architectures and common standards is essential.

Participants also raised concerns about the dominance of non-European big tech firms. One called for a sovereign EU cloud solution for strategic data and suggested mandating EU data localisation in public procurement to safeguard data sovereignty.

One stakeholder reported that Member States have different regimes for accessing language data with challenges often relating to copyright and data protection. The organisation perceived the legal regime in the United States under the so-called “fair use” doctrine as a more permissive, which they believe offers a competitive advantage to US-based organisations. In the EU, one would have to go through many and complex licensing negotiations. Collective licensing agreements with media companies and broadcasters could provide a solution.

The Data Union strategy would be an excellent opportunity to provide industry stakeholders with unified vision on how to use data as an asset in the economy.

II.Links with ongoing or future policy initiatives, stress tests and reality checks

This Implementation Dialogue is linked to the on-going evaluation and potential revision of the Open Data Directive, the Data Governance Act, as well as to support the implementation of the Data Act. It links with the ongoing public consultation for the Data Union Strategy. It is also relevant for the monitoring of the roll-out of common European data spaces. As there are many legal regim regulating horizontal aspects of (certain) data (data protection, copyright, trade secrets), but also sectoral regimes, the dialogue showed that there are many interlinkages between legal regimes. This may be taken up during the GDPR dialogue.

The input will be used to inform the Digital Omnibus proposal, planned for Q4 of 2025. It will further be assessed in the preparation of the Data Union Strategy communication planned for Q3. Going beyond these measures, input may also influence the questions asked in the course of the Digital Fitness Check to be launched as a further step towards stress testing the digital acquis.

III.Next steps and possible future initiatives

The findings serve as insights for targeted amendments to the Data Governance Act to be undertaken as part of the Digital Simplification Omnibus package, other measures to be announced in the Data Union strategy as well as considerations for more substantial Digital Fitness Check and potentially, more substantial amendments to the ‘data acquis’.

Participants

Implementation Dialogue on Cybersecurity Policy

Executive Vice-President Henna Virkkunen held an Implementation Dialogue on Cybersecurity Policy in Brussels on 15 September 2025. The aim was to share insights and experience on implementation and simplification in the area of cybersecurity, while maintaining the required high level of cybersecurity. The Implementation Dialogue was organised in particular in the context of the preparations of the digital package on simplification as well as the revision of the Cybersecurity Act planned for later this year.

Potential for Implementation and Simplification:

·Simplification of legislation: Many stakeholders stressed the need to simplify the EU legal framework governing cybersecurity. The current regulatory landscape, shaped by a number of horizontal and sectorial rules, such as NIS2, CRA, DORA, CER or GDPR is seen as complex, at times with overlapping requirements, and divergences in national implementation, creating compliance challenges for businesses. Stakeholders are calling for a single, cohesive framework that would minimise administrative burden and provide clarity. This suggestion includes efforts to align and harmonise legislation across EU Member States, reducing discrepancies and facilitating easier compliance, especially for small and medium-sized enterprises which may lack the resources to navigate complex legal environments. Large stakeholders highlighted how their vast network of suppliers (10.000 suppliers for some), among which many SMEs, is confronted with significant compliance challenges due to the EU's fragmented regulatory environment.

·Rationalised reporting mechanisms: Many stakeholders suggested moving towards a “report once – share many” approach, for example via a single reporting platform, to simplify the processes and reduce duplication. NIS2, GDPR and DORA were most referred to in this context. Such a system could use standardised templates or digital platforms to streamline compliance with multiple regulatory requirements. This way, organisations could focus on risk management, allocating their attention and resources more effectively, improving their ability to respond to incidents without being caught up by redundant compliance requirements. Aligned timelines and reporting requirements across the EU, would make it easier for companies operating in multiple countries to adhere to one set of rules rather than adapting to multiple, potentially conflicting requirements.

·Enhancing ENISA’s role: The European Union Agency for Cybersecurity (ENISA) was identified as a potential central actor in the effort to simplify cybersecurity frameworks and support implementation. Several stakeholders suggested ENISA could serve as a central hub for situational awareness and report consolidation and information sharing. Such responsibilities for ENISA would reduce fragmentation in reporting channels and provide companies with a single point of contact for cybersecurity issues, thereby streamlining processes and allowing quicker response time in the event of incidents.

·Sharing of compliance information: Many stakeholders suggested that a shared, EU-wide, unified “evidence package” would help streamline regulatory compliance processes. Such a package would allow companies to compile compliance documentation once and share it across national competent authorities and jurisdictions, saving time and resources. This would allow organisations to "comply once and share across Europe", thereby enhancing efficiency.

·Harmonisation of frameworks: overall, stakeholders called for a streamlined cybersecurity framework across the EU, harmonising existing frameworks to reduce duplication and enhance mutual recognition between Member States. Stakeholders also suggested to harmonise compliance through non-regulatory tools and advocated for an “online cybersecurity library” with relevant resources that could be administered by ENISA. This library could compile relevant information regarding the implementation, guidelines on implementation especially for SMEs and a toolbox for companies.

·Simplifying certification processes: Several stakeholders highlighted the challenge of coping with differing certification processes across Member States, and the resulting cost. They advocated for the introduction of mutual recognition rules, emphasising how harmonising these processes could exempt companies from going through multiple, often very costly, certifications in different jurisdictions. This approach would significantly reduce compliance costs and allow businesses to focus their resources on enhancing cyber defence rather than addressing bureaucratic processes.

·Internal market sovereignty: The internal market remains fragmented due to inconsistent implementation of EU rules at national level. This inconsistency shifts the focus to compliance instead of building strong capabilities and crisis management. Strengthening the cybersecurity sector requires boosting the demand for solutions developed within the European Union. Stakeholders highlighted that EU needs to stop relying on high-risk vendors, that businesses need to secure their supply chains and focus on developing EU-based cyber solutions. Additionally, the EU-wide market rules should promote innovation, research and investment. ENISA can contribute by creating standards that enhance market sovereignty and address limitations posed by existing frameworks. Coordinating the efforts of various authorities is crucial for enabling companies to grow and innovate. This coordination will ensure that regulations support, rather than restrict, market expansion. By prioritising technical expertise over simple compliance with rules, a more dynamic and adaptable market can be developed. This approach will position the market to lead advancements in cybersecurity.

Obstacles Relating to Existing Rules and Their Implementation:

·Regulatory complexity and overlap: Overall, stakeholders repeated concerns about the complexity and overlap in the existing EU cybersecurity regulations. This network of legislation, composed of acts like NIS2, the CRA, the Cyber Solidary Act, sectoral cybersecurity rules like DORA for the financial sector, and their interplay with the GDPR, for instance in case of personal data breaches, has created a burdensome compliance environment. SMEs, in particular, are struggling to interpret which rules apply to them and to ensure compliance without exhausting their resources. Stakeholders noted the difficulty in determining compliance scope given national discrepancies, which can lead to different interpretations and applications of the rules. This fragmentation increases administrative overhead and distracts from a unified EU market approach.

·Lack of clarity and consistency: The current regulatory framework lacks clarity, which produces inconsistency in implementation, in particular the scope of NIS2 Directive. This discrepancy is further exacerbated by the difference in how rules are enacted across the EU's Member States. Stakeholders have highlighted that inconsistent reporting timelines, authorities and certification requirements across Member States further complicate compliance efforts.

·High reporting burden: Reporting obligations under existing regulations are extensive and often duplicative. The requirement for firms to file multiple, often similar reports across different regulatory bodies for the same event is not only time-consuming but is seen as distracting resources away from incident management and resolution efforts. This misallocation of resources becomes especially pronounced during crisis situations, further weakening the organisation's response capabilities.

Best Practices:

·Single reporting entry point: Many stakeholders pointed out the benefits of a centralised reporting system or entity where a single submission could fulfil the obligations of multiple requirements. This approach could reduce procedural redundancy and alleviate the burden currently felt by entities navigating multi-layered bureaucratic requirements.

·Sharing information: Stakeholders reported successful information-sharing practices based on open-source standards (such as STIX and TAXII) and emphasised the value of collaborative threat intelligence networks for situational awareness and collective cybersecurity defences.

·Unified Control Sets: The establishment of common control sets fulfilling the requirements of multiple laws is a viable method of streamlining compliance. This strategy could be expanded and standardised across the EU to promote a more coherent regulatory environment and reduce redundant compliance efforts.

·Automation of compliance tools: Some stakeholders highlighted that efficiency gains can be achieved through automating compliance tasks. Automation can alleviate the burden of manual compliance processes and improve the speed and accuracy of reporting.

·Support measures: The European Commission could take action to provide better guidance and support for businesses, helping them understand and meet current regulatory requirements. This could include comprehensive guidelines, templates, and training programmes focusing on the specifics of EU regulation.

·Investing in digital compliance tools: Encouraging the development and implementation of digital solutions to automate compliance processes could significantly reduce administrative burdens.

·Expanding ENISA’s role: Several stakeholders recommended expanding the role of ENISA as a central point for cybersecurity information exchange, reporting on threat landscape, and standard-setting. This expansion could foster a more streamlined approach to incident management and regulatory compliance across the EU.

·Education and awareness-raising initiatives: Enhancing the cybersecurity education and awareness of stakeholders, particularly SMEs, was recommended by many. Facilitating access to information about regulatory requirements and compliance processes could empower businesses to more effectively manage their cybersecurity obligations.

·Alignment with the ongoing initiatives (Digital Omnibus and Cybersecurity Act revision): The simplification ideas presented in the Implementation Dialogue would feed into the ongoing initiatives and largely support the Commission’s vision and ambition.

·Call for evidence on the Digital omnibus: the call for evidence on the digital omnibus run from 16 September to 14 October and gather over 500 submissions by stakeholders. The call for evide nce and the public consultation are important tools used by the European Commission to ensure that policymaking is transparent, inclusive, and evidence-based. Through these instruments, the Commission gathers input from a wide range of stakeholders — including citizens, businesses, NGOs, and public authorities — at an early stage of the policy cycle. The call for evidence helps identify key problems, objectives, and potential policy options, while the public consultation allows for deeper feedback on specific proposals. Together, they help the Commission assess the likely impacts of initiatives, improve the quality and legitimacy of EU legislation, and ensure that new measures reflect real needs and practical experiences across the Union.

Implementation Dialogue on the application of the general data protection regulation

The Implementation Dialogue on the Application of the General Data Protection Regulation was held on 16 July 2025 in Brussels.

The meeting was attended by representatives of selected stakeholders, representing business, civil society, and academia, from different sectors and fields of life. The objective of the Implementation Dialogue was to collect stakeholders’ views and ideas on the possible need and ways to simplify and improve the application of the GDPR, keeping in mind that these should not result in lowering the high level of data protection in the EU. The feedback from stakeholders can be summarised as follows:

• Overall, stakeholders consider that the GDPR is a balanced legal framework which has met its objectives.

• While stakeholders cautioned against a general reopening of the GDPR, some industry representatives suggested targeted measures including possible amendments to the rules to enhance clarity of certain concepts or simplifying obligations for data controllers, insisting on the respect of the GDPR risk-based principle, notably as regards AI and other new technologies.

• Businesses also underlined that they have invested in compliance and a general reopening could create uncertainty, including in the context of international data transfers.

• Civil society organisations strongly opposed any amendment of the GDPR, highlighting that the GDPR is an expression of the fundamental right to data protection.

• Stakeholders share the view that there is a need to ensure consistent and harmonised enforcement and application.

• All stakeholders underlined the need for more practical guidance and increased stakeholder engagement from the national data protection authorities and the European Data Protection Board.

• They also called for tailor-made support, such as templates and checklists, especially for SMEs. Several stakeholders referred to the codes of conduct as a useful compliance tool, but their development and adoption procedure were considered cumbersome.

• The importance of clear articulation of different pieces of EU legislation was raised by most stakeholders, who mainly referred to the interplay between the GDPR and the AI Act, and many considered that this could be achieved through guidance and enhanced cooperation of different regulatory authorities. Commissioner McGrath reaffirmed the Commission’s commitment to high standards of data protection and to a balanced approach that both fosters innovation and protects fundamental rights.

List of participating entities: Bundesverband Digitale Wirtschaft (BVDW), Bureau Européen des Unions de Consommateurs (BEUC), Business Europe, Cloud Infrastructure Services Providers in Europe (CISPE), Confederation of European Data Protection Organisations (CEDPO), Connect Europe/GSMA, Digital Europe, Ecommerce Europe, European AI Forum (EAIF), European Automobile Manufacturers’ Association (ACEA), European Banking Federation (EBF), European Centre for Digital Rights, NoyB, European Digital Rights (EDRi), European Federation of Pharmaceutical Industries and Associations (EFPIA), European School Heads Association (ESHA), Federation of European Direct and Interactive Marketing (FEDMA), France Digitale, IAB Europe, Insurance Europe, Irish Council for Civil Liberties (ICCL), Privacy International, SMEunited, Stiftung Digitale Chancen (SDC), Transatlantic Consumer Dialogue (TACD), Union Fédérale des Consommateurs - Que Choisir (UFC - Que Choisir), Verbraucherzentrale Bundesverband (vzbv), Prof. Gloria González Fuster, Prof. Christopher Kuner.

VI.List of meetings

In addition to its engagement in the different settings laid out above (either at political or technical level), the Commission services held bilateral meetings with the following stakeholders in the preparation of its proposal for the Digital Omnibus:

1.Confederation of Swedish Enterprises

2.Digital Europe

3.European DIGITAL SME Alliance

4.Google

5.Swedish National Board of Trade

6.BritCham

7.European Tech Alliance

8.AmCham

9.German Insurance Association

10.Automobile Manufacturers Association

11.European Startups Network

12.Berthelsmann Foundation

13.APPLIA

14.Move EU

15.BEUC

16.IBM

17.IKEA

18.Amadeus

19.Delivery Platforms Europe

20.Association Financial Markets Europe

21.EDRI

22.Access Now

23.Centre for Democracy & Technology