Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
On behalf of the IAPP Europe team, I wish you all a wonderful year, free of Friday evening data breaches, weaponized data subject access requests and intricate standard contractual clauses updates. I wish us all a year full of fulfilling digital governance work, the kind that makes a difference, genuinely protects people and allows modern life to prosper.
As we work toward that lofty goal, we are reminded change is the only constant in life. This year won't disappoint, if only with the promise of change as negotiations kickstart soon on the digital package, as known as the Digital Omnibus and Omnibus on Artificial Intelligence, proposed last November.
The proposals caused a mix of outrage, disappointment, fury and disinterest with the European Commission being criticized by some for sacrificing protection of fundamental rights, and by others, for not going far enough into simplification. An accurate characterization is probably somewhere in the middle.
The road to the proposals becoming final and actionable for digital governance professionals will be long and tortuous. The two draft regulations will eventually be applicable directly across the EU, which should mean more harmonization rather than fragmentation, but the final products will inevitably look different from the current working versions.
Procedurally, both omnibus proposals will go through the EU legislative process, which will take at least several months to complete. The Commission is proposing to delay the application of high-risk AI systems provisions beyond the August 2026 deadline currently set in the AI Act, so negotiations would need to conclude well ahead of that deadline to be actionable for organizations in scope.
In late December, the European Parliament attributed committee responsibilities, with leading roles for the Civil Liberties and Internal Market committees. Shared competence from these two committees already announces legislators will have to strike a delicate balance of political views. This already required a first arbitration as several committees — in charge of internal market, fundamental rights, industry and technology, legal affairs, and committees with sectoral remit such as culture and transport — oversee some aspects of the issues at play.
As lead negotiators are confirmed, each political group and committee will need to reach its own position, trickling up to a committee-approved position and eventually a Parliament position adopted in plenary session. The process on the member states side will similarly require capitals to reach a negotiating position as they reconcile ministries' equities and weight in regulators' positions. These national positions will then be reconciled in a "general approach" all member states sign on to.
In a somewhat rare occurrence, several government bodies in the Czech Republic, Estonia, Finland, Ireland and Latvia contributed to the public consultation last year, announcing a high-level of interest in the process to come. So did France's data protection authority, the Commission Nationale de l'Informatique et des Libertés.
Interest groups will be able to weigh in throughout the process and will bring sector-specific asks. Many industry stakeholders are already congregating around a set of cross-cutting issues, calling for better alignment of AI rules with sectoral frameworks, streamlined reporting, and an alignment of definitions across laws, largely urging delayed enforcement of new obligations — especially under the AI Act, Cybersecurity Resilience Act and Data Act — until standards and guidance are available.
Building consensus will be very challenging and will take time. First, if the EU General Data Protection Regulation or the AI Act are any historical indication, the process will easily lead to thousands of proposed amendments. Second, the European Parliament's composition under the current term has made political lines blurrier and alliances less predictable. Earlier omnibus packages proposed by the Commission have been highly politicized, leading to antagonistic negotiations, forcing it to back-track in some cases.
In the meantime — despite good intentions to suppress the "regulatory 'clutter'" as Executive Vice-President Henna Virkkunen said in November 2025 — the coming months will remain uncomfortable for practitioners who will need to navigate the uncertainty, operating in the existing regulatory framework while best preparing for what may come.
Isabelle Roccia, CIPP/E, is the managing director, Europe, for the IAPP.
This article originally appeared in the Europe Data Protection Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.
