On September 16, 2025, the European Commission opened a call for evidence to inform a forthcoming “Digital Omnibus” aimed at simplifying and reducing administrative burden across the EU’s data, cybersecurity and AI regulatory frameworks. The initiative sits within the Commission’s simplification agenda and its headline target to cut administrative burden by at least 25% overall (35% for SMEs).
At a high level, the Digital Omnibus is expected to deliver proportionate, technical adjustments rather than wholesale reform—simplifying reporting, harmonizing definitions and timelines, and clarifying obligations across data, cybersecurity and AI rules.
Background and Political Context
Framed by the 2024 Draghi Report on EU Competitiveness and, more recently, President von der Leyen’s “one year on” stock-take, the Commission’s overarching Digital Package on Simplification is part of a broader recalibration to reduce regulatory drag while safeguarding core policy objectives. In parallel, Brussels has advanced simplification in adjacent domains (e.g., sustainability reporting and ESG disclosure). As we wrote in “New Changes to GDPR Proposed: An Indication of Shifting Policy Priorities?”, which highlighted proposed changes to the GDPR aimed at reducing the regulatory burden for SMEs, Brussels has signaled a clear willingness to recalibrate obligations in the interest of proportionality.
What’s on the Table
The Commission has identified a variety of areas where complexity, duplication and outdated rules contribute to the administrative burden faced by businesses. While the call for evidence highlights broad issues, the Commission has not proposed specific measures at this stage. Instead, it is calling for suggestions from stakeholders on possible ways forward. This comes against the backdrop of media reports suggesting potential delays to implementation of the EU AI Act, underlining the importance of clarity and predictability in the regulatory landscape.
The Commission’s consultation touches on the following themes:
- Data: simplifying and aligning the patchwork of instruments such as the Data Governance Act, Free Flow of Non-Personal Data Regulation, and the Open Data Directive, with particular focus on easing burdens for SMEs and mid-caps.
- Cookies and tracking: modernizing rules under the ePrivacy Directive to reduce “consent fatigue,” clarifying lawful access and processing, and strengthening user rights while supporting data availability for businesses. It will be interesting to see whether some of the concepts originally proposed under the draft ePrivacy Regulation resurface here, for example exempting certain categories of cookies (such as first-party analytics) from the consent requirement (similar to measures recently taken in the UK under the Data (Use and Access) Act), or recognizing privacy preference signals sent by browsers (similar to the Global Privacy Control mechanism already being adopted in California and other U.S. states).
- Cybersecurity: rationalizing incident and breach reporting obligations spread across horizontal and sector-specific laws, by introducing streamlined tools and harmonized processes across Member States.
- Artificial Intelligence Act: ensuring predictable and effective application of the EU AI Act, tackling implementation challenges, and providing legal certainty. With reports that the Commission is preparing the ground for a possible “pause” in parts of the EU AI Act’s rollout (though not an overall moratorium on the EU AI Act), the call for evidence could help frame how businesses and regulators approach practical implementation challenges.
The call for evidence, positioned as a first step toward a comprehensive omnibus proposal, follows prior consultations on the Data Union Strategy (a blueprint for simplifying EU data policy and reducing fragmentation), the Cybersecurity Act review (focused on harmonizing incident reporting and certification across Member States) and the “Apply AI Strategy” (exploring how to support a competitive EU AI industry while ensuring effective application of the EU AI Act).
The feedback window closes October 14, 2025.
Why This Matters—and What Organizations Should Do Now
For businesses active in the EU digital economy, the Digital Omnibus call for evidence signals that changes are on the horizon. The Commission is clearly intent on streamlining overlapping obligations and reducing administrative burden, but the details will evolve as the legislative process unfolds. Organizations should stay alert to how these proposals develop and consider positioning themselves early so that compliance strategies remain aligned with eventual outcomes. Particular care will be needed in interpreting how horizontal simplification measures interact with sector-specific rules and in preparing for potential adjustments once the final package takes shape.
Pillsbury can also assist businesses in preparing and submitting responses to the Digital Omnibus call for evidence, ensuring their perspectives are effectively conveyed to policymakers and that their interests are represented in this critical stage of the legislative process.
The authors would like to thank trainee solicitor Samson Verebes for his contributions to this blog.