The European Commission’s Digital Omnibus aims to simplify overlapping digital regulations without lowering standards, potentially saving businesses billions. Here, Parva Consulting unpacks what that means for compliance, governance and risk across data, cybersecurity and AI.
What if compliance became easier to run day to day without lowering standards? That’s the intent behind the European Commission’s Digital Omnibus initiative, presented in November 2025 as part of a broader digital package to streamline EU digital regulation while keeping Europe’s standards for data protection, safety, and fairness.
The Commission estimates the simplification measures could save businesses up to €5 billion in administrative costs by 2029. The Digital Omnibus is a major move in that direction.
What the Digital Omnibus is
The Digital Omnibus is a set of coordinated amendments to multiple EU digital laws, packaged as two proposed regulations: a Digital Omnibus covering data, cybersecurity and privacy rules, and a Digital Omnibus on AI.
The goal is to simplify and align the framework, reduce duplication, and support more consistent compliance across the single market.
What key changes are proposed
- Reduce duplication. The proposal introduces a single entry point for incident and breach reporting, so organisations can meet multiple notification duties through one channel. It also repeals or streamlines older provisions where newer rules already address the same risks, including overlapping ePrivacy notification requirements now covered through cybersecurity and GDPR mechanisms.
What this means in practice: incident triage and evidence need to be aligned internally, so one event does not generate multiple versions of the truth.
- Clarify how regimes interact. The proposal simplifies how cookie and device access rules sit across ePrivacy and GDPR. It addresses consent fatigue by introducing a six-month pause after a refusal and recognising machine-readable preference signals where standards exist. It also provides clearer guidance on pseudonymisation and identifiability, supporting data classification and reuse decisions.
What this means in practice: inconsistent implementation would limit the impact. These changes only reduce uncertainty when consent and identifiability decisions are applied consistently and documented in a way that can be relied on across products and markets.
- Support more consistent supervision across the EU. For high-risk AI, key obligations would apply only once supporting standards and tools are available, helping organisations plan implementation.
- The proposal also removes the registration requirement where a system is assessed as not high-risk, provided that there is a documented assessment in place.
- It extends key AI Act support beyond SMEs to small mid-caps, including access to innovation support such as sandboxes and simplified compliance, and eligibility for reduced fines.
- Finally, it strengthens the AI Office through an EU-level sandbox and more centralised oversight for certain AI systems.
What this means in practice: the focus shifts from filing to governance, so classification decisions, sign-off and supporting evidence need to be clear, defensible, and kept relevant as systems change.
Why this matters for organisations
For financial institutions and technology companies, the impact is immediate.
First, digital compliance is now connected by design. Data, cyber, resilience and AI obligations increasingly touch the same systems, the same controls, and the same governance decisions. If compliance is still organised as separate rulebooks owned by separate teams, it becomes expensive and fragile.
Second, simplification should not be read as softer expectations. In many regulatory environments, clarity is what enables enforcement. When requirements are clearer, supervisors have fewer grey zones to work around.
Key priorities for 2026
The Digital Omnibus is still progressing through finalisation, but the legal obligations already apply. The priority for 2026 is to set strong, proportionate compliance foundations that support the business and unlock the benefits. To do that, three priorities stand out.
- Build one integrated view of obligations across privacy, cyber, resilience and AI. Leverage it to set strong governance across legal, risk, security, data and product, with clear ownership and escalation.
- Address the obligations proportionately, strengthening resilience, risk management and control tools, so business needs are met without compromising compliance. For financial services, this is especially relevant in the DORA context. Resilience and incident management should be reinforced as one joined-up capability across technology, third parties and regulatory reporting.
- Stay close to the legislative process. And importantly, do not pause high-risk AI readiness.
Bottom line
The Digital Omnibus is a sign of regulatory maturity. The EU is not stepping back from its digital standards. It is trying to make the Digital Rulebook easier to apply in real organisations, across real markets, with real operational constraints.
For executives in tech and financial services, the opportunity is to turn this moment into a governance upgrade with effective compliance aligned with strategic goals.
About the author: Nataliia Holovko is a Senior Consultant at Parva Consulting. Parva Consulting is a pan-European management consultancy specialising in financial services. Since 2005, the firm has supported leading institutions across Europe in banking, asset and wealth management, insurance, and securities & fund services.
