ACM Europe TPC Comments on the EU Digital Omnibus (COM(2025)837): Data Governance, Privacy, and Cybersecurity

February 2026

The Association for Computing Machinery (ACM) is the world’s longest-established professional society of individuals involved in all aspects of Computing. It annually bestows the ACM A.M. Turing Award, often popularly referred to as the “Nobel Prize of Computing.” ACM’s Europe Technology Policy Committee (“Europe TPC”) is charged with, and committed to, providing policymakers and the public with sound technical information to support sound public policymaking. Europe TPC has responded to the European Union stakeholder consultations in the past in the context of the AI Act[1], the Data Act[2], the Digital Services Act[3],[4], the Digital Citizen Principles[5], and the Cyber Resilience Act[6], amongst others[7]. ACM and Europe TPC are non-profit, non-political, and non-lobbying organisations.

Introduction

The European Commission’s Digital Omnibus proposal is an ambitious attempt to untangle the EU’s digital regulatory web. By introducing targeted amendments to the AI Act, GDPR, the Data Act, and the ePrivacy framework, the Commission aims to create a more cohesive "digital acquis." As the ACM Europe Technology Policy Committee, we recognize this as a necessary step toward a more streamlined strategy for Europe’s digital future, one that balances fundamental rights with regulatory efficiency.

This initiative is particularly timely given the current focus on Europe’s global standing. The 2024 Draghi Report made it clear: if Europe wants to compete in the age of AI and data-driven industry, it must strip away administrative complexity and improve regulatory coherence (Draghi 2024).

While we fully support the goal of reducing unnecessary burdens and providing much-needed clarity, we believe it is essential that "simplification" does not come at the cost of technical integrity. Our committee’s perspective is rooted in the practical realities of computing; any reform must ensure that accountability and enforceability remain central to the framework. The following comments detail our specific concerns and recommendations regarding data governance, cybersecurity, and the oversight of AI systems.

Article 88a - Processing of personal data in the terminal equipment of natural persons

Article 88a aims to reduce cookie banner fatigue and simplify cookie regulations, and to recognise that current implementations do not always constitute informed consent.

  • Changes to current business models

The changes to the regulation may have minimal impact on the actual number of cookie banners. Many websites are monetised by behavioural and tracking advertising technology and will still require consent to continue the current business model. The proposed change may not reduce the number of cookie consent banners significantly, nor increase clarity about what a user is agreeing to.

Article 88b - Automated and machine-readable indications of data subject’s choices

  • No standard for technical means

The technical means to allow data subjects to give or refuse consent are appreciated; however, there appears to be no regulation or standard across all browsers to support this. Without a standard for technical means, fragmentation of businesses and platforms could lead to confusion and additional work. Businesses will need to meet requirements for multiple browser specifications, which could increase complexity and cost. As some browsers do not need to provide the technical means at all, this could result in manual consent being used as the default for lesser-known browsers. If a standard for a protocol were in place, it would simplify aligning browser behaviours.

Recommendation (Applies to both articles 88a & 88b)

The Commission is encouraged to support the development of interoperable technical standards for machine-readable privacy signals through European and international standardisation bodies, such as:

  • ETSI
  • CEN/CENELEC

Interoperable standards would improve usability for citizens while reducing compliance complexity for businesses.

Article 4 Amendments to Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices, and agencies and on the free movement of such data

  • Data being processed, returned, and subject re-identified

A potential loophole allows companies to operate within a processing chain or web outside regulatory obligations. Under the proposed amendment to Article 4(1), intermediary processors can claim that pseudonymized data does not constitute personal data for them, even when the explicit outcome of the processing is to enable re-identification and act upon individuals.

Each member of the processing chain, apart from the initial data controller, may escape regulatory obligations by asserting they lack the means to identify data subjects, while the initial data controller can then receive the results of processing and re-identify subjects. This creates a situation in which personal data is effectively processed throughout the chain, but without the safeguards and accountability mechanisms required by regulations.

Recommendation

To maintain accountability in data ecosystems, the Digital Omnibus proposal should clarify that:

  • Personal data that is pseudonymised but intended to be re-identifiable by another actor in the processing chain remains personal data for the purposes of EU data protection law.

This interpretation would ensure consistent application of GDPR safeguards throughout the data lifecycle.

Article 6 Amendment of Directive (EU) 2022/2555 (NIS2): Single-entry point (SEP) for incident reporting

The simplification of incident reporting is welcome and appropriate. The report references the core principles of cybersecurity for the SEP; however, further specification in the following areas would increase confidence in implementing a single entry point.

  • System Architecture and Interoperability

The SEP will be an application independent of the systems that process incident reports. There is a risk that it will simply route information to other systems without meaningfully simplifying templates and processes. Clarification on coordination and transformation across the multiple existing reporting systems would help understand how simplification can be achieved while meeting the requirements of Article 23a, Paragraph 3.

  • Elasticity, Scalability, and Resilience

Clarification on resilience in the event of a widespread major incident, such as the Log4Shell vulnerability, would be useful. Can learning from that incident be applied to ensure resilience, elasticity, and scalability of the SEP during large-scale incidents?

  • Operational Transparency and Service Expectations

Providing clarity on service levels, expected response times, and operational status via open reporting would increase confidence in the SEP.

  • Data handling, segregation, and incident prioritisation

The challenge of removing duplicate data while segregating data and prioritising incidents should not be underestimated for the SEP.

These objectives may lead to competing requirements and an overly complex data structure that is difficult to maintain and update over time. Ensuring maintainability and ease of modification would support the long-term sustainability of the SEP.

  • Data prioritisation and deduplication

Incident reports may contain overlapping or incomplete information. The system must support intelligent prioritisation and deduplication to avoid overwhelming authorities with redundant reports.

  • Deadlines for reporting

How will the SEP reconcile different reporting timelines in a single template without all reports being sent to meet the shortest reporting time? Underreporting is a concern; there is also a risk that the SEP could lead to overreporting, as it would be less risky to report immediately before incidents are fully investigated.

Recommendation

The Commission is encouraged to complement the legal framework with technical implementation guidance, including:

  • Interoperable reporting schemas
  • Minimum service-level expectations
  • Resilience and scalability requirements for the reporting infrastructure.

Protection of Trade Secrets in Data Sharing

The Digital Omnibus introduces a "safety valve" for data holders: the right to refuse the disclosure of trade secrets if there is a high risk that the information could be leaked to jurisdictions outside the EU where protection is weak or non-existent.

Assessment

This shift in policy is a direct response to the intensifying debate over technological sovereignty. In the high-stakes environment of global AI development, cross-border data flows are often a double-edged sword.

  • Protecting the "Secret Sauce": For many European data-driven companies, trade secrets are their primary competitive advantage. Strengthening the safeguards against unlawful disclosure isn't just a legal preference; it’s a necessary defence against strategic technology leakage that could hollow out European innovation.
  • The Risk of Over-Protection: However, there is a fine line here. We must ensure that "trade secret protection" does not become a convenient excuse for large incumbents to lock their doors. If these protections are applied too broadly, they could effectively block legitimate data access for the very entities—smaller firms and research organizations—that the Data Act was designed to empower.

Recommendation

To prevent the "trade secret" clause from becoming a blanket loophole, the regulation must move beyond vague "high risk" language. We recommend:

  1. Establishing a Clear Evidentiary Threshold: Data holders should be required to demonstrate a specific, substantiated risk rather than citing a general fear of disclosure.
  2. Proportionality Mechanisms: The framework should include a "technical middle ground," such as the use of Privacy-Enhancing Technologies (PETs) or trusted execution environments, that enable data analysis without exposing underlying trade secrets. This ensures that protection does not lead to a complete shutdown of legitimate data sharing.

Conclusion

The Digital Omnibus is a timely and much-needed effort to harmonize the EU’s digital landscape. It directly addresses the "red tape" and regulatory fragmentation highlighted by the Draghi report, barriers that have long hindered the European Single Market’s ability to compete globally.

The ACM Europe Technology Policy Committee fully supports this move toward operational efficiency. However, we must be clear: "simplification" cannot be a synonym for "deregulation." For Europe’s digital governance to remain trustworthy, the underlying technical robustness, enforceability, and accountability mechanisms must remain non-negotiable.

To ensure this legislative proposal achieves its goals without compromising its integrity, we encourage the Commission to prioritize the following:

  • Machine-Readable Privacy: Technical standards must move beyond "paper-based" compliance to support automated, machine-readable privacy mechanisms.
  • Chain of Custody: Data protection obligations must remain seamless and consistent, even across highly complex, multi-layered data processing chains.
  • Scalable Security: Cybersecurity reporting infrastructure should be built for the real world, prioritizing scalability and cross-border interoperability.
  • Structural Clarity: As the "digital regulatory acquis" is consolidated, we must maintain razor-sharp definitions and governance structures to avoid creating new legal gray areas.

If implemented with a focus on these technical realities, the Digital Omnibus will not only sharpen Europe’s competitive edge but also reinforce its global leadership in responsible, human-centric digital governance.

References

European Commission. Commission Staff Working Document Accompanying the Proposal for a Regulation Amending Regulations (EU) 2016/679, (EU) 2018/1724, (EU) 2018/1725, (EU) 2023/2854 and Directives 2002/58/EC, (EU) 2022/2555 and (EU) 2022/2557 as Regards the Simplification of the Digital Legislative Framework (Digital Omnibus). SWD(2025) 836 final, 19 Nov. 2025.

European Commission. Proposal for a Regulation of the European Parliament and of the Council Amending Regulations (EU) 2024/1689 and (EU) 2018/1139 as Regards the Simplification of the Implementation of Harmonised Rules on Artificial Intelligence (Digital Omnibus on AI). COM(2025) 837 final, 19 Nov. 2025.

European Commission. A Simpler and Faster Europe: Communication on Implementation and Simplification. COM(2025) 47 final, 11 Feb. 2025.

Draghi, Mario. The Future of European Competitiveness. European Commission, 2024.


[1] https://www.acm.org/binaries/content/assets/public-policy/europe-tpc-comments-ai-consultation.pdf

[2] https://www.acm.org/binaries/content/assets/public-policy/acm-eur-tpc-data-act-comments-13may22a.pdf

[3] https://www.acm.org/binaries/content/assets/public-policy/europetpc-digital-services-act-comments.pdf

[4] https://www.acm.org/binaries/content/assets/public-policy/acm-europe-tpc-dsa-comments.pdf

[5] https://www.acm.org/binaries/content/assets/public-policy/europetpc-comments-digital-principles.pdf

[6] https://www.acm.org/binaries/content/assets/public-policy/acm-europe-tpc-cyber-reslience-comments-pdf

[7] https://www.acm.org/public-policy/public-policy-statements



Join ETPC's Panel Discussion on Europe’s Digital Omnibus

Join ACM's Europe Technology Policy Committee on Thursday, March 19 at 4:00 pm CET (3:00 pm UTC) for “Europe’s Digital Omnibus: A New Digital Regime or Simplification?,” a timely panel discussion on Europe's constellation of landmark updates to existing regulations which will reshape how technology companies operate across the continent.

Registration is required but free to all.
