On 19 November 2025, the European Commission presented its long expected Digital Package, including a Digital Omnibus proposal to simplify existing data regulation, a new EU Data Union Strategy, and a European Business Wallet proposal.
The opinions on it vary widely – Politico called 19 November the day “Brussels finally gave up on its decade-long dream of seeking to be the predominant global tech regulator that would rein in American tech titans”. Others have called the Digital Omnibus, a part of the package, a first step towards simpler EU digital rules, but maintain that a bolder approach (and more simplification) is needed. What does the package hold for our community? This article looks at the new Data Union Strategy and its provisions for the next year.
Timeline
July 2024: the Political Guidelines put forward by Ursula von der Leyen ahead of her re-election give a first taste of what’s to come (“simplify, simplify, simplify”).
January 2025: simplification and the removal of Single Market barriers are considered as two of the five key horizontal enablers in the EU’s Competitiveness Compass. We wrote about the Compass here.
February 2025: the Commission Work Programme for 2025 is published. The annual work programme sets out a list of the most important new policy and legislative initiatives the Commission will tackle in the year ahead. It includes a “Fitness Check on the Digital Acquis” (i.e. the collection of digital laws, rights, and obligations).
May 2025: the 4th Omnibus Simplification Package is published. It outlines several legislative proposals, i.e. the European Business Wallet, the Digital Networks Act, the Cloud and AI Development Act; and it announces the publication of a Digital Omnibus package to streamline the EU digital rulebook.
June 2025: the Polish Council Presidency release their input into the digital omnibus package.
November 2025: the Digital Package is released.
Starting in 2026: the flagship actions of the Digital Package will be implemented. The Digital Omnibus regulation proposal will have to be negotiated and approved by the European Parliament and Council. This includes the consolidation of four instruments into one – an updated Data Act Regulation – an update to the ePrivacy Directive to reform the rules on cookies, and targeted GDPR amendments.
The new EU Data Union Strategy
The new EU Data Union Strategy is based on the premise that Europe needs to fuel its AI development with high-quality data, the baseline is that we live in times of “data scarcity and geopolitical uncertainty”. To make sufficient data available, the strategy identifies three priority areas for action:
- Scaling up access to data for AI: ensuring businesses have access to high-quality data.
- Streamlining data rules: making data-sharing easier for businesses and researchers.
- Safeguarding the EU’s data sovereignty: following a strategic international data policy.
Data Labs
The first priority area tries to tackle data scarcity and accessible computing infrastructure by further elaborating on the Data Labs. The first time we heard about the Data Labs was in the AI Continent Action Plan (see here for the CONNECT Article), where it was mentioned that Data Labs will be attached to the AI Factories – a specialized component of an AI Factory – to federate data from different AI Factories and link with the Common European Data Spaces (CEDS). The new Data Union Strategy explains that the Data Labs will be specialized facilities to link data holders, CEDS, and the wider European AI ecosystem. Practically, the first data labs will be established under the AI Factories initiative through the EuroHPC Joint Undertaking. The first wave should cover healthcare, manufacturing, energy, and climate; the second wave languages, cybersecurity and cultural heritage.
Data Labs should provide hands-on services to help organisations, in particular start-ups and scale-ups, share and use data safely, facilitate cooperative AI training, and support the development of AI models in key sectors. The offering should include services for data pooling, curation, labelling, pseudonymization and anonymization, and tailored regulatory guidance. To ensure that the Data Labs are realized as the bridge between the European AI and Data ecosystem, and the private and public end-users, the newly created Labs should work in close coordination with the European Digital Innovation Hubs (EDIH). The first data labs should be launched before the end of the year (Q4 2025).
How would the Data Labs work?
Problem: Company A in Member State X wants to develop AI-based predictive maintenance systems for electric vehicles but struggles to access enough sensor data from different car models and charging infrastructure.[1]
Solution: Company A approaches an EDIH for manufacturing and the automotive sector. The EDIH points Company A to the AI Factory Y and the adjunct Data Lab Z. The Company receives access to different datasets, which the Data Lab congregates from Original Equipment Manufacturers and the Mobility Data Space. Because the Data Lab is part of AI Factory Y, Company A also has access to tools to analyze, anonymize, and curate the data to train its predictive maintenance system.
This example was taken from the Strategy and slightly simplified. The workflow assumes that businesses, once they identify the need for high-quality data, will know to turn to EDIHs and the AI Factories to access the services and solutions the Data Labs hold for them.
Scaling the Common European Data Spaces
The above example assumes that the Data Labs will collate the data requested by users from the domain-specific Common European Data Spaces. Those who have followed the build-up of the data spaces know how operational they are currently – and whatever is there will be scaled up in the next phase to link them to the AI Factories and the adjacent Data Labs. The roll-out of the data spaces across priority sectors will continue in 2026. Special attention is focused on the Health Data Space, which should act as a key bridge between health data ecosystems and AI Factories to “leverage anonymized and synthetic datasets within trusted processing environments”. Other Data Spaces that are mentioned include Mobility, Media, Legal, Language, Green Deal, Defence, and EOSC, which is mentioned as the R&D Data Space to support AI in Science and the RAISE initiative.
Other flagship actions
For priority area 1, which includes the Data Labs and the scaling up of the CEDS, flagship actions include the launching of a quality data for AI initiative. This initiative would
- expand high-value datasets under the Open Data Directive (Q4 2026)
- set up a stakeholder forum with public broadcasters and AI developers (Q2 206)
- make 30 million digitized cultural objects available for AI training (Q3 2026)
- launch a crowdsourcing initiative for domain-specific data and language data in smaller European languages (Q2 2026)
For priority area 2, which aims to simplify the digital acquis, the below actions are taken from the Digital Omnibus. It is important to note, however, that the changes proposed by the European Commission will be negotiated and approved by the European Parliament and the Council.
- Proposal to consolidate data legislation (Q4 2025)
- Proposal to update ePrivacy rules on cookies and similar technologies (Q4 2025)
- Proposal for targeted GDPR adjustments (Q4 2025)
- Launching a one-click compliance initiative (from Q4 2025 onwards)
- Rolling out support measures for the implementation of the Data Act (from Q4 2025 onwards)
For priority area 3, on EU data sovereignty, flagship actions include the publication of
- guidelines to assess fair treatment of data abroad (Q2 2026)
- a toolbox to counter unjustified localisation, exclusion, weak safeguards, and data leakage (Q2 2026)
- measures to protect sensitive non-personal data (Q3 2026)
Next steps
In addition to the targeted Digital Omnibus proposals, the Commission will also start conducting “Digital Fitness Checks” to see whether further adjustments are needed. In 2026, the Digital Decade Policy Programme will be reviewed (the Consultation is open now); the Open Internet Regulation and the NIS2 Directive in 2027.
Finally, the Digital Omnibus proposes streamlining cybersecurity incident reporting by bringing them under the umbrella of a single reporting mechanism. Following the “report once, share many” principle, ENISA will be obliged to develop the single-entry point, following the Cyber Resilience Act (CRA) model. The proposal foresees that this single entry-point will be used for reporting under the NIS2 Directive, GDPR, DORA, eIDAS, and the CER Directive.
This article focused on the new Data Union Strategy, but the Digital Package includes many more documents that will be fully screened. We will keep following the developments and informing the community as necessary.
This article was written in WP2T4 (Policy Engagement) of the GN5-2 project.
[1] Problem and Solution were adapted from the example given on p. 9 of the Data Union Strategy on how data labs would work in practice.
