Mira Husemann
Research Associate

Introduction
On November 19, 2025, the European Commission published a Digital Package aimed at promoting innovation and reducing administrative costs for businesses. The package contains a “digital omnibus” designed to simplify European regulations on artificial intelligence, cybersecurity and data, a strategy for the Data Union, and a European Business Wallet. The goal is to allow companies more time for innovation and expansion. Henna Virkkunen, Executive Vice-President for Technological Sovereignty, Security and Democracy, commented on the Commission’s initiative as follows: “We have everything we need to succeed in the EU. We have talent, infrastructure and a large internal market. But our businesses, especially start-ups and SMEs, are often held back by rigid rules. By reducing bureaucracy, simplifying EU legislation, opening up access to data and introducing a unified European Business Wallet, we are creating space for innovation and its commercialisation in Europe.” We already covered the publication of the Digital Package in the December edition of our Data Protection Newsletter. For businesses, the key question is which mechanisms the Digital Package specifically provides and to what extent they can achieve the goals of innovation and cost reduction.
With the digital omnibus, the Commission proposes to simplify and consolidate existing regulations on artificial intelligence (AI), cybersecurity, and data. This is particularly intended to benefit small and medium-sized enterprises as well as start-ups and is expected to save five billion euros in administrative costs by 2029. In a two-page factsheet on the Digital Package, published on November 19, 2025, the European Commission provides a brief overview of the main aims and benefits of its proposal.
Since 2024, the Regulation on Artificial Intelligence (AI Act) has been in force and is subject to phased applicability. Since new regulations often present challenges in preparation and implementation for affected businesses, the Commission’s proposal suggests that requirements for high-risk AI systems will only apply after the establishment of support tools and standards. This would postpone applicability of the rules for high-risk AI systems by up to 16 months. Additionally, an amendment to the AI Act would reduce documentation obligations for small and medium-sized enterprises, as well as provide expanded access to regulatory sandboxes, offering technical relief for these companies.
If a company is affected by a cybersecurity incident, it is currently required to report the incident under certain conditions under various regulations — including the NIS 2 Directive, the General Data Protection Regulation (GDPR), and the Regulation on Digital Operational Resilience in the Financial Sector. With the introduction of a single entry point, the reporting obligation is to be fulfilled by submitting the report just once to one central office.
While maintaining a high level of data protection, the Commission suggests amending certain provisions of the GDPR. In addition to adjusting the definition of personal data in Article 4 (1) of the GDPR, the further processing of personal data for scientific purposes is to be legitimised. An exception is also to be established, allowing the processing of personal data for the development and operation of certain AI systems. However, this is to be permitted only under strict conditions and only for special categories of personal data to maintain the high level of data protection. Furthermore, cookie rules are to be modernised so that consent for the associated data processing can be centrally stored in the browser or operating system and does not have to be given again each time a website is visited. A harmonised set of rules for non-personal data should also be created by integrating the Open Data Directive, the Free Flow of Non-Personal Data Regulation, and the Data Governance Act into the Data Act. Businesses should benefit from avoiding double regulation and increased legal clarity.
In its Digital Package, the Commission has developed a strategy for a European Data Union. This strategy aims to increase the availability of training data for AI and strengthen the data sovereignty of the European Union.
High-quality, competitive AI training requires developers to have access to high-quality data. Thus, companies and researchers are to be given easier and cheaper access to relevant datasets. To further increase the availability of such data, data labs will be set up to pool private and public resources. A joint European data space shall also be expanded in certain sectors — such as the automotive industry. To support businesses with compliance, the European Commission published model contract terms for data access and usage as well as standard contract clauses for cloud computing contracts on November 19, 2025. Additionally, a helpdesk for legal questions regarding the Data Act is to be established. The intention is to enable businesses to spend less time on administrative tasks and more time on innovation. To further strengthen the EU’s data sovereignty, guidelines for assessing the fair treatment of EU data abroad will be published, new measures to protect sensitive non-personal data will be established, and tools against unfair or insecure data outflows (“Anti-Leakage Toolbox”) will be developed.
Finally, the Commission advocates for the introduction of a European Business Wallet (press release of 19.11.2025). At present, many business operations and interactions still have to be conducted in analogue formats. The introduction of the European Business Wallet aims to digitise these transactions. This would allow companies to sign documents digitally and exchange them securely with other businesses or public authorities. A factsheet published by the European Commission on November 19, 2025 summarises the expected benefits of the European Business Wallet at a glance. If widely adopted, the Commission anticipates that European businesses could save annual administrative costs amounting to € 150 billion.
The European Commission is currently conducting a comprehensive suitability assessment of the existing digital provisions as part of a so-called “digital fitness check”. The aim of this initiative is to systematically examine the cumulative effects and interplay of different EU digital laws — including their impact on innovation, competitiveness, and corporate administrative burden. Input from businesses, authorities, and other stakeholders is being collected in order to identify synergies, gaps, overlaps, and inconsistencies in regulatory practice. Particular attention is given to strategically important sectors and the feasibility for small and medium-sized enterprises. The fitness check also evaluates how efficient, coherent, and practical the EU’s digital regulatory framework is and whether existing provisions continue to meet the high EU standards for the protection of fundamental rights and data protection. Additionally, the Commission is analysing where simplification, adaptation, or better coordination between various laws might be necessary or possible. After evaluating the consultation process, the Commission will present proposals for targeted optimisation and, where appropriate, legislative adjustments. Any changes will subsequently be decided by the European legislative bodies — the European Parliament and the Council — within the framework of the ordinary legislative procedure. Further consultations and implementation dialogues with stakeholders are planned for 2026, so the process will continue dynamically and inclusively. We will, as always, keep you informed about further developments.
With the Digital Package published by the European Commission in November 2025, the Commission intends to promote innovation, reduce the administrative burden on businesses, and limit double regulation (press release of 19.11.2025). Key measures include the simplification and consolidation of regulations — especially for artificial intelligence, cybersecurity, and data — the creation of legally secure implementation conditions through guidelines and support measures, and facilitating the practical use of AI systems by businesses. Furthermore, a balance between openness to international data flows and the values and interests of the European Union is being sought. The Digital Package offers numerous opportunities for companies, particularly through reducing administrative overhead, greater legal clarity, and fostering innovation. Nevertheless, challenges remain — such as the complexity of the legal framework despite consolidation and the actual effectiveness of the measures, which will depend heavily on their practical implementation and acceptance. The joint statement by the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) of February 10, 2026, covered in our current Data Protection Newsletter (March 2026), also stresses that, alongside the positive aspects such as reduced burdens for businesses, open and critical points remain — particularly regarding the compatibility of individual measures with existing data protection requirements. Ultimately, the ongoing roll-out process and the concrete design of the regulations will be decisive for the success of the initiative.