Skip to content
Search
EN
← Search
Public Affairs

Digital Omnibus Package: what does the new wave of European simplification mean for digital companies?

8 Dec 2025
6 minutes reading

On November 19, the European Commission presented an ambitious new digital simplification package, with a strong promise: less time spent on compliance, more time to innovate and grow in Europe.

Behind this “Digital Omnibus Package” are several highly structuring building blocks for your business:

  • an “omnibus” package of measures touching on AI, data and cybersecurity,
  • a strategy for a European Data Union,
  • and a European digital identity portfolio for businesses, designed to streamline administrative and commercial interactions across the EU.

This is a major turning point for digital businesses, from start-ups to ETIs and large groups: the law is being reorganized around a few key texts and a more readable logic.

Numeum offers you an educational and operational reading of this package, with a focus on what it means in concrete terms for you.

One objective: to simplify and give companies back their breathing space

The initial observation is shared by the entire ecosystem: in Europe, the multiplication of texts (RGPD, Data Act, Data Governance Act, AI Act, NIS2, DORA, Cyber Resilience Act, etc.) has created a regulatory millefeuille that is difficult to follow, especially for SMEs and scale-ups.

With this new package, the Commission announces its intention to :

  • reduce compliance costs,
  • clarify the texts and how they relate to each other,
  • support European competitiveness and the emergence of AI and advanced technology champions.

For numeum and its members, who have long been calling for simplification, this sends out a strong signal: we are moving from a logic of piling up to a logic of rationalization.

Data, AI, cybersecurity: the big changes to keep in mind

Data side: the Data Act becomes the “backbone

  • Merger of the Data Act, the Data Governance Act and the Open Data Directive into a single text (the Data Act),
  • Deletion of certain obsolete texts,
  • Harmonization of cloud provider switching rules, with specific relief for :
  • SaaS and PaaS offers,
  • SMEs and small mid-cap companies.

What’s in it for you?

  • a clearer legal environment for your data models,
  • a clearer framework for changing cloud providers, a crucial point in limiting the risk of vendor lock-in,
  • standard contractual clauses announced for data access and cloud contracts, which should facilitate negotiation and reduce consulting costs.

But numeum remains vigilant on two points:

  • sharing industrial data must remain an incentive,
  • intellectual property and corporate security must be fully protected.

AI: a more pragmatic approach for the AI Act

On artificial intelligence, the EU is seeking to reconcile protection and innovation. The package includes

  • a delay in the application of the rules for high-risk AI systems, linked to the availability of the necessary standards and support tools (up to 16 months),
  • the extension of several simplification measures (documentation, technical requirements) to mid-sized companies, in addition to SMEs,
  • the generalization of regulatory sandboxes, with the possibility of EU-wide sandboxes from 2028.

What’s in it for you?

  • if you’re developing or integrating high-risk AI systems, you’ll have a bit more time to get organized,
  • if you’re an SME or ETI, your documentation costs should be adapted to your size,
  • sandboxes provide a concrete space for testing innovative solutions with regulators, without regulatory paralysis.

However, a number of grey areas remain:

  • how the AI Act will fit in with existing sectoral frameworks (health, industry, machinery, etc.),
  • thresholds and triggers for the most stringent obligations, which are still too vague for some players.

For numeum, it’s essential that the AI Act works with these already mature frameworks, not above them, so as not to undermine the competitiveness of European manufacturers.

Cybersecurity: towards a one-stop shop for incidents

On the cybersecurity front, the big news is the creation of a one-stop shop, supported by ENISA, for incident reporting.

Today, a company may be required to report the same incident under several frameworks (NIS2, RGPD, DORA, etc.). Tomorrow, the aim is to report once, in the right place, via a secure and thoroughly tested interface.

What’s in it for you?

  • potential administrative relief for safety/compliance teams,
  • more consistent reporting obligations.

For this relief to be real, numeum insists on two conditions:

  • effective harmonization of report content and deadlines,
  • more proportionate application of the Cyber Resilience Act, particularly for low-risk products.

A more strategic European Data Union

The Strategy for a European Data Union completes the package. It aims to make more high-quality data usable for AI through, for example, data labs and a legal support service dedicated to implementing the Data Act.

For digital companies, this means :

  • more accessible datasets to train and improve your AI systems,
  • enhanced legal support to secure your data-driven business models,
  • a more strategic approach to European data sovereignty (anti-leakage measures, protection of sensitive non-personal data, etc.).

European Digital Identity Portfolio: a discreet revolution for your procedures

Finally, the Commission is proposing a European digital identity portfolio for businesses.

In concrete terms, this portfolio will make it possible to :

  • digitally sign, time-stamp and seal documents,
  • store and exchange verified documents,
  • communicate securely with other companies and administrations in all member states.

The challenge:

Make opening a subsidiary, responding to a call for tender, or interacting with an administration in another EU country as easy as in your own.

For a manager, it’s a concrete lever for :

  • reduce administrative time and costs,
  • accelerate European expansion,
  • secure your company’s identity and exchanges across the single market.

In concrete terms, what can I do as a digital company director?

Some short- and medium-term courses of action:

1. Map your regulatory dependencies

    • Where are you affected by the AI Act, Data Act, RGPD, NIS2, DORA, Cyber Resilience Act?
    • Which products/services are most at risk?

    2. Review your cloud and data strategy

    • Anticipate portability/change of supplier rules,
    • Integrate future standard contractual clauses into your contracts.

    3. Identify your high-risk AI use cases

    • Adapt your roadmaps to the new schedule,
    • Prepare to participate in regulatory sandboxes, especially if you’re an SME, ETI or scale-up.

    4. Preparing for the arrival of the digital identity portfolio

    • Imagine how to integrate this portfolio into your back-office processes,
    • See how it can simplify your international operations.

    5. Keep abreast of legislative developments

    • The package must now be examined by the European Parliament and the EU Council.
    • Adjustments are likely in the coming months: numeum will be at your side to decipher them and voice your concerns.

    Numeum will remain fully mobilized

    Numeum and its members have long been calling for a clearer, more coherent framework, better adapted to the operational realities of digital companies.

    This Digital Omnibus Package opens up an interesting avenue.

    Our role from now on will be to ensure that the final legislation really does simplify life for businesses, while preserving the essential objectives of security, confidence and competitiveness.

    Read our experts’ analysis: https: //numeum.fr/affaires-publiques/train-de-mesures-omnibus-sur-le-numerique-simplifier-le-numerique-europeen/