
On 19 March 2026, four experts and a European Commission representative gathered to debate the EU’s Digital Omnibus proposal and its sweeping changes to the data regulatory landscape. Here are the highlights.

Moderated by Danielle Borges, Research Associate at the CDS, this session brought together five voices to examine the European Commission’s Digital Omnibus proposal, each offering distinct perspectives – ranging from cautious optimism to sharp warnings about the risks of simplification becoming deregulation.

 

The Commission’s vision: simplification through consolidation

 

The European Commission opened by framing the Digital Omnibus as a direct response to the Letta and Draghi reports, both of which stressed the strategic importance of data for Europe’s economy and AI ambitions. The centerpiece of the proposal is the merger of four existing instruments – the Data Act, the Data Governance Act (DGA), the Open Data Directive, and the Free Flow of Non-Personal Data Regulation – into a single, streamlined framework.

Key changes include targeted amendments to IoT data rights, a narrowing of business-to-government data sharing to emergency situations only, relief for SME cloud providers from certain switching obligations, and a shift from mandatory registration to a voluntary trust mark for data intermediation services. The Commission was clear: this is not a final destination, but the beginning of a broader “fitness check” of EU digital governance structures.

 

A researcher’s caution: good intentions, incomplete execution

 

A doctoral researcher specialising in data intermediation offered a nuanced critique. While welcoming the merger of the Open Data Directive into the DGA framework – long overdue to resolve overlapping boundaries – she raised concerns about the choice to anchor everything in the Data Act rather than the Data Governance Act, warning that the Data Act risks becoming an unwieldy umbrella regulation far beyond its original IoT focus.

Crucially, her empirical research – based on interviews with data intermediation services, data altruism organisations, and public sector bodies – revealed a striking finding: none of the interviewed organisations considered mandatory registration a barrier. Many saw it as a positive signal of trustworthiness. Removing it, she argued, may undermine rather than support the ecosystem. She also flagged a legal contradiction: if registered status is no longer required, obligations on non-personal data transfer protections may become unenforceable.

 

A national regulator’s perspective: welcome relief, but watch the details

 

Germany’s digital regulatory authority (BNetzA) offered a practitioner’s view. Tasked with enforcing both the Data Act and the DGA at national level, the regulator welcomed the Omnibus’ clarifications – particularly the narrowing of data-sharing obligations to genuine emergencies and relief for SME cloud providers. These changes, they noted, are likely to reduce the volume of complaints they must handle.

However, a word of caution: the new term “custom-made” introduced in the cloud switching provisions is already being tested by market participants seeking exemptions, and its scope remains legally unclear. The regulator also expressed concern that removing trust-building provisions from data intermediary service rules – such as requirements for fair, transparent and non-discriminatory access – could erode the very trust the DGA was designed to build.

 

Industry’s ask: make simplification actually simple

 

Representing European-born tech companies (including Spotify, Vinted, and Bolt), the European Tech Alliance made the case plainly: 30% of company resources are currently consumed by compliance, diverting engineers and product developers away from innovation. The Omnibus is welcomed in principle, but must deliver three things: tangible operational benefits, protection of fundamental rights (including privacy as a competitive advantage), and a level playing field with global competitors.

Two specific concerns were raised. First, the inclusion of financial hardware services within the “connected products” definition risks fraud vulnerabilities and duplicates existing PSD2 obligations. Second, the industry warned against copy-pasting the DMA gatekeeper concept into other legislation without robust impact assessments, arguing it risks creating growth ceilings for successful European companies. The call to action: more structured cooperation between national data authorities, AI boards, competition regulators, and consumer protection bodies – because for companies, it is all just “compliance.”

 

Civil society’s warning: simplification must not mean deregulation

 

The final voice, EDRi, put forward what may have been the sharpest critique. Across multiple EU digital files, a pattern is emerging: complex legal frameworks reframed as obstacles, and simplification presented as a solution – often without full impact assessments or evidence-based procedures.

Three specific risks were identified. First, merging different data regimes without clearly defining their interaction could blur the boundary between access to data and lawful basis to process personal data, subtly eroding GDPR protections without formally amending them. Second, expanded rights for data holders to refuse access, combined with cloud-switching exemptions, risk entrenching vendor lock-in and reducing citizens’ practical control over their own data. Third, a shift towards self-declared compliance and voluntary trust marks increases the advantage of well-resourced actors over individuals, smaller intermediaries, and under-funded regulators.

The overarching message: “This is not a technical adjustment. It is a choice about how power over data is structured.”

 

The road ahead

 

All speakers converged on one point: governance coherence is the unresolved challenge. How the European Data Innovation Board, the AI Board, the EDPB, competition authorities, and national regulators work together – or fail to – will determine whether the Omnibus delivers real simplification or merely shifts complexity from law to practice. The upcoming fitness check is the next critical moment. The direction set now, speakers agreed, will shape the EU data framework for years to come.
