In brief

On 19 November 2025, the European Commission released the Digital Package, a three-part initiative to simplify and modernize the EU's digital rulebook, support innovation, and facilitate cross-border operations.

It consists of the following:

  • The Digital Omnibus, introducing targeted amendments across data protection, privacy and cybersecurity legislation, and recalibrating the implementation timeline for the Artificial Intelligence (AI) Act
  • The Data Union Strategy, expanding structured access to reliable, high-quality datasets, supported by "data labs" and legal/contractual guidance
  • A proposal for European Business Wallets, enabling companies to use a secure, single digital identity and exchange documents across the single market

The European Parliament and European Council will now negotiate the package. The proposals for Digital Omnibus and the European Business Wallets take the form of EU Regulations, which will apply directly across all Member States once they enter into application, whereas the Data Union Strategy is a non-legislative initiative and will develop progressively through guidance and supporting tools. For further information or tailored advice about this package, please contact your usual Baker McKenzie contact.

Key takeaways

The Digital Package consolidates and simplifies requirements across data governance, privacy and cybersecurity. Organizations will need to progressively integrate these changes into their internal processes, operational frameworks and compliance systems.

A major structural change is the introduction of a single EU reporting interface for cybersecurity and personal data breach notifications. Instead of navigating parallel reporting regimes, companies will submit one incident report through a harmonized EU gateway. This will require escalation paths, reporting templates and internal decision-making processes to be updated.

High-risk AI obligations under the AI Act will only apply once the European Commission confirms that supporting standards and tools are available. The proposal sets clear outer limits: high-risk AI in sensitive sectors may be deferred for up to 16 months, high-risk AI embedded in products may be deferred by up to 12 months, and providers of generative AI systems will benefit from a six-month transition period to implement required retroactive technical adjustments. This phased approach improves predictability for organizations developing AI governance frameworks, documentation systems and risk-management controls.

The Data Union Strategy introduces structured mechanisms, such as data labs and legal and contractual guidance, to support responsible access to high-quality datasets. This facilitates compliant AI development in data-dependent sectors.

The European Business Wallet will provide companies with a secure, interoperable EU-wide digital identity. Once widely deployed, it is expected to reduce inefficiencies in licensing, procurement and regulatory processes. Once adopted, public administrations will have two years to deploy the European Business Wallets, supported by technical standards and guidance that the Commission will develop along with Member States.

Recommended actions

  • Assess overlaps between your GDPR, Data Act, NIS2/DORA/CER/CRA and AI Act processes, and develop a single workflow to prepare for the forthcoming single-entry reporting model
  • Update cookie interfaces and analytics practices by implementing one-click refusal, integrating browser-level preference signals and determining which analytics functions qualify for whitelist treatment; and ensure vendor agreements reflect this updated model
  • Adjust AI compliance planning by linking internal milestones to the European Commission's confirmation of standards availability, and incorporate participation in regulatory sandboxes and the extended simplifications available to small and medium-sized enterprises and small mid caps
  • Identify high-volume cross-border operations that could benefit from early adoption of the European Business Wallet, such as licensing, procurement or regulatory filings

In more detail

What is in scope?

The package aims to reduce overlaps and increase coherence across the EU digital rulebook.

The Digital Omnibus adjusts existing frameworks, while the Data Union Strategy provides practical tools (data labs, model contractual clauses and a dedicated help desk) to support access to high-quality datasets.

The European Business Wallet adds a secure, interoperable corporate digital identity to simplify cross-border regulatory and administrative procedures.

AI Act

The AI component of the package focuses on making the AI Act more workable.

To avoid "compliance before standards," the package links the application date of high-risk AI obligations to the availability of necessary standards and support tools. Organizations will have up to 16 months to comply once these are confirmed.

The package also extends simplified compliance modalities for SMEs to small mid caps, expands regulatory sandboxing opportunities and strengthens the European AI Office's role as a centralized oversight body.

Cybersecurity reporting

A unified EU gateway will replace multiple parallel incident reporting channels under NIS2, DORA, the GDPR and the CER Directive. Organizations will file a single notification through a standardized interface, with automated routing to the competent authorities. This aims to reduce duplicative reporting and administrative burden for security and incident response teams.

Data and privacy — consolidation, clarity and cookies

The European Commission consolidates the EU data framework by bringing the Data Governance Act, the Open Data Directive and the Free Flow of Non-Personal Data Regulation into the Data Act, creating a more coherent legislative structure for data access and reuse.

The package also does the following:

  • Reaffirms the GDPR as the primary instrument for personal data
  • Clarifies key GDPR concepts relevant to AI and research, including pseudonymization, identifiability and lawful bases
  • Modernizes cookie rules by introducing one-click acceptance/refusal, mandating respect for browser-level privacy preferences and establishing a whitelist for low-risk analytics, with enforcement under the GDPR

Data Union Strategy — scaling usable data for AI

To unlock high-quality datasets for AI, the European Commission proposes data labs to support experimentation and development, a Data Act legal helpdesk offering guidance on contractual and regulatory issues, and measures to protect EU data abroad (including safeguards for sensitive nonpersonal data).

These initiatives aim to reduce transactional complexity and improve legal certainty in data-driven operations.

European Business Wallets — a company-grade digital identity

European Business Wallets will offer companies a secure and interoperable EU-wide digital identity, enabling consistent authentication and document exchange across member states.

The European Commission expects significant efficiency gains, with potential savings of up to EUR 150 billion per year, once widely adopted.

Call to action

For tailored support on adapting your reporting processes to the single-entry incident portal, sequencing your AI Act compliance to align with standards-dependent timelines, refreshing cookie and consent flows, and preparing for the deployment of European Business Wallets, please reach out to your usual Baker McKenzie contact.
