Brussels loves a framework. It builds them the way gardeners build hedges: carefully, with pride, and in great quantity. But last week, the European Commission decided it had too many.
The result was a pair of heavyweight releases: the legislative Digital Omnibus, a separate simplification proposal on AI, and the Data Union Strategy, a policy roadmap on data and AI, all designed to simplify the EU’s digital rulebook and finally make sense of the legislative jungle that governs data, AI, privacy, and cybersecurity.
For the enterprise software industry, these proposals are something of a collective exhale. They promise the kind of clarity that has been missing since Europe’s digital policies began multiplying faster than anyone could implement them.
The Grand Cleanup
Think of the Digital Omnibus as Brussels’ great decluttering exercise or a Marie Kondo moment for data law. It bundles three major data-related laws into one coherent framework: the Data Governance Act, the Open Data Directive, and the Free Flow of Non-Personal Data Regulation are all merged into the Data Act. The idea is simple: one data law to rule them all, resulting in fewer overlaps, fewer grey zones, and a more streamlined rulebook for non-personal data.
Among the changes: companies will gain a Single-Entry Point for cybersecurity and data breach notifications, to be designed and managed by the EU Cybersecurity Agency (ENISA). Instead of filing the same incident under multiple laws (NIS2, DORA, GDPR, and more), businesses would report it once through a centralized system. It’s the kind of practical innovation that could save thousands of hours of compliance work. The Commission, however, felt it was short of the means to harmonize the thresholds and timelines for reporting incidents.
The Omnibus also clarifies the definition of personal data, narrowing it to cover only information that can reasonably identify a person. “Reasonably” is in italics because that small word matters. Against all odds, the Commission ultimately proposed substantial changes to the GDPR, much to the ire of the European Parliament and civil society groups. But the payoff could be real, as it could finally bring consistency to how Member States interpret pseudonymized or aggregated data, which is an everyday concern for enterprise software providers navigating analytics, AI training, and cross-border operations.
The now-redundant Platform-to-Business Regulation has quietly been retired, with its remaining provisions deemed absorbed into the DSA and DMA frameworks, representing another small victory for regulatory coherence.
There’s more: lawful processing of sensitive data for bias mitigation under strict safeguards; the incorporation of cookie rules into the GDPR to address consent fatigue; and a general tidy-up of overlapping definitions. The Omnibus even adds a dose of realism on cloud switching, giving SMEs and custom-built service providers more flexibility to adapt existing contracts rather than tearing them up overnight.
And because nothing in Brussels is ever complete without an AI angle, there’s also a separate digital simplification proposal on AI. This one synchronizes the AI Act’s high-risk systems’ timelines with the actual availability of technical standards. It means the clock won’t start ticking on new obligations until the necessary guidance is in place, a long-term – and much welcome- request from industry.
The Big Picture: a Data Union
Now, if the Omnibus is the housekeeping, then the Data Union Strategy – Unlocking Data for AI is the home renovation plan. It lays out a vision for a European data market that’s open, trusted, and usable. It wants to turn data into something closer to infrastructure, and it does so by building on three pillars: access, simplification, and sovereignty.
The first is about scale: connecting data spaces, launching new data labs, even experimenting with “synthetic data factories” to power AI development. The second is about rules: streamlining data legislation through the Omnibus and cutting down contradictions.
The third, sovereignty, is where things get interesting. It proposes guidelines to assess how fairly third countries treat European companies, an “anti-data-leakage toolbox” to counter market exclusions or localization demands, and extra safeguards for sensitive non-personal data.
But the concept of sovereignty can mean very different things depending on who’s using it. Done right, it could protect Europe’s values while keeping its markets open. Done wrong, it could harden into digital protectionism, building walls instead of bridges.
That’s why nuance matters. As BSA has long argued, strategic autonomy should grow through international cooperation with like-minded and trusted partners, not isolation. The EU can lead by example: embedding data-flow commitments in trade agreements, building interoperable standards with like-minded partners, and promoting the European Trusted Data Framework as a tool for openness, not closure.
For Enterprise Software, a Clearer Horizon
Taken together, these proposals add up to something long overdue, and that is a cleaner map of the digital landscape.
The clarified personal data rules will make compliance less of a guessing game. The bias-mitigation clause gives AI teams room to innovate responsibly. The Single-Entry Point reduces the compliance load that’s long weighed down smaller providers. And the European Business Wallet, with its dream of “one-click compliance,” suggests that regulation might finally catch up with the digital age.
If the EU gets this right, it could turn regulatory clarity into a competitive advantage — proof that trust and innovation can coexist.
The irony, of course, is that “simplification” in Brussels often starts by making things more complicated. But this time, the tone sounds somewhat different. Policymakers are finally admitting that fragmentation has become a feature, not a bug, and that the costs of regulatory sprawl are real. The Omnibus and the Data Union Strategy won’t fix everything (nothing ever does), but they stop pretending that more rules automatically mean more progress and that simplification, rather than more regulation, leads to innovation.
For the companies that have spent years trying to make sense of overlapping obligations, it’s the biggest answer yet to one of Brussels’ oldest riddles: what happens when the rulebook finally learns to simplify itself?
The Digital Omnibus proposals now move to the European Parliament and the Council for what is expected to be a fierce debate, especially on GDPR. The Data Union Strategy, meanwhile, will guide the Commission’s broader policy agenda on data and AI in the months ahead. We at BSA and its Global Data Alliance will continue engaging with EU policymakers to ensure that openness, trust, and innovation remain the guiding principles as these proposals evolve.
