AI delays, cookie reform, and simplified reporting: Key takeaways from the EU Digital Omnibus
The Digital Omnibus is framed as a gamechanger for European businesses, but has the potential to bring more uncertainty for industry
The European Commission has unveiled its Digital Omnibus, a legislative package designed to simplify the EU’s complex digital rulebook. The changes aim to reduce regulatory burdens on businesses and give European start-ups a better chance in the global race for artificial intelligence leadership.
Framed as a gamechanger for European businesses, the proposals aim to reduce administration and compliance costs while maintaining high standards for data protection and online safety.
One of the most significant changes concerns the implementation of the AI Act. It proposes extending simplifications for SMEs and small mid-cap companies, expanding regulatory sandboxes, and strengthening the AI Office’s powers to centralise oversight of general-purpose AI models.
Cybersecurity reporting will be simplified through a single entry point for all incident reporting obligations, replacing multiple requirements under laws such as NIS2, GDPR and DORA. In addition, the proposals consolidate EU data rules by merging four pieces of legislation into one under the Data Act. This aims to provide greater legal clarity while unlocking access to high-quality datasets to accelerate AI development across Europe.
Finally, the package seeks to overhaul cookie consent rules to reduce “cookie fatigue”. Under the proposal, users could accept or reject cookies for a six-month period instead of being asked repeatedly, and could eventually set browser preferences to opt in or out automatically. The changes would also expand the definition of harmless data that websites can track without consent and introduce exemptions for media outlets.
One of the most controversial proposals is to postpone the obligations for high-risk AI systems until the necessary support tools and guidance are available. The obligations could start as late as December 2027, or earlier if the supports are in place, which leaves companies highly uncertain about when they will actually need to comply. There is also a risk that if negotiations stall, the start date of the obligations could revert to the original August 2026 deadline, requiring enforcement of the rules before the guidance is available.
While industry groups are welcoming the focus on simplification, some argue the package lacks ambition and fails to address deeper structural challenges in EU digital regulation. Meanwhile, digital rights advocates have called it “the biggest rollback of digital rights in EU history,” warning that GDPR, e‑Privacy, and AI Act protections could be weakened in the name of simplification.
The Digital Omnibus now moves to the European Parliament and Council, with adoption expected to be a priority in 2026. Until negotiations conclude, businesses face uncertainty over timelines and obligations, particularly for high-risk AI systems, where delays could revert to the original August 2026 deadline if talks stall.
The coming months will shape Europe’s digital economy for years to come. Early engagement with policymakers on key issues such as AI compliance timelines, cookie rules, and centralised reporting will be critical. Businesses should also monitor progress on technical standards and support tools to ensure readiness and seize opportunities under the consolidated Data Act.
Want to understand the implications or influence the outcome? Get in touch to discuss how we can support your engagement strategy and help you prepare for a smooth transition when the Digital Omnibus comes into force.