The European Commission’s newly introduced Digital Omnibus package is a good starting point for the EU’s digital simplification. Measures such as adjusting the timeline for the application of high-risk AI rules and a reinforced role for the European AI Office are tangible improvements that will give businesses more certainty about how and when they need to meet their compliance obligations. Similarly, the Commission’s launch of a Digital Fitness Check to stress test the digital rulebook and a Data Union Strategy to unlock high-quality data for AI development are important steps. 

However, in certain areas the Commission’s proposal does not go far enough, especially in the harmonisation of cybersecurity obligations. A single entry point for incident reporting helps, but duplication and fragmentation persist across the Network and Information Security Systems Directive 2, the Cyber Resilience Act, the Digital Operational Resilience Act and the General Data Protection Regulation. To cut costs for businesses while raising cyber resilience, the Omnibus should also: 

• Harmonise taxonomies, thresholds and timelines 

• Expand the main establishment principle 

• Align certification and conformity assessments to avoid double audits 

Lessons from other Omnibus initiatives underscore the need for the co-legislators to take swift action and ensure reliable political support behind the Commission’s competitiveness agenda. The stakes for the Digital Omnibus are Single Market-wide. Manufacturers, healthcare and life sciences, financial services, mobility, energy and retail all rely on digital technologies and all face unnecessary burdens from overlapping digital rules. Targeted simplification that reduces duplication and clarifies enforcement promises to accelerate AI adoption, bolster cyber resilience and free resources for investment and jobs across Europe. 

For more detailed recommendations, read our Digital Omnibus position paper.