Over recent years, the EU’s digital regulatory framework has expanded rapidly and is often perceived as difficult to navigate. For many companies, this has resulted in increased costs and uncertainty as to what is actually required in order to remain compliant. Against this background, the European Commission presented its Digital Omnibus package on 19 November 2025. The initiative aims to make the rules more understandable, more coordinated, and better aligned with how companies actually use data in practice. The focus is on simplification, proportionality, and improved interaction between existing regulatory frameworks, not least the GDPR, the cookie rules, and the new AI Regulation.
With regard to the GDPR, the starting point is clear: the regulation is here to stay, but its application should become more reasonable. Today, many companies devote significant resources to documentation, internal processes, and formal procedures even where the processing of personal data is limited and poses a low risk to individuals. Within the framework of the Digital Omnibus, adjustments are therefore being discussed that could reduce administrative burdens in such situations, particularly for small and medium-sized enterprises. This is not about relaxing the requirements, but about ensuring that the requirements more accurately reflect actual risk and real impact.
Supervisory issues are also in focus. Today, the same type of processing may be assessed differently depending on which Member State’s supervisory authority is responsible. For companies operating in multiple EU countries, this creates uncertainty and makes it difficult to predict regulatory risk. A stated objective of the Digital Omnibus package is therefore to contribute to more harmonised supervision and more predictable assessments, not by lowering standards, but by making enforcement more consistent.
Cookies and tracking are an area where the need for change is particularly evident. The widespread fatigue with cookie banners is a clear indication that the current rules are not functioning optimally. The Commission has made it clear that not all cookies pose the same privacy risks and that the rules must better reflect this reality. Among the issues under discussion are a reduced focus on consent for technical and functional cookies, as well as clearer scope for basic analytics and security-related uses. For companies, this could mean fewer disruptive interfaces and an improved user experience, but also a greater responsibility to genuinely understand and assess how data is used, rather than relying on standardised consent solutions.
The interaction between data protection and AI is another key issue. Many AI solutions rely on large volumes of data, often user or behavioural data. This means that GDPR, cookie rules, and AI regulation can no longer be treated as separate regulatory frameworks. How data is collected, on what legal basis it is used, and for what purpose becomes decisive in determining whether an AI solution is sustainable from a regulatory perspective. For companies working with personalisation, automated decision-making, or data-driven services, this is already a business-critical issue.
It is also important to stress that the Digital Omnibus package is, at this stage, only a legislative proposal. Its content may change during the ongoing legislative process, and both its scope and final form remain uncertain. There is currently no fixed date for entry into force, but the assessment is that any changes would not start to apply before late 2026 or early 2027.
Overall, the Digital Omnibus package points towards a more business-oriented and risk-based approach to digital regulation. For companies, this is not a matter of waiting and seeing, but of understanding which areas are likely to be simplified, which requirements will remain central, and how data protection and AI should be managed as a coherent whole.
At Advokatbyrån Gulliksson, we closely follow developments relating to the Digital Omnibus package, with a particular focus on data protection, marketing law, and AI. Our aim is to help companies stay aligned with regulatory requirements without creating unnecessary administrative burdens or excessive caution, and to translate legal developments into practical, usable solutions. Please contact us if you have any questions or need guidance!




