Building on the Draghi and Letta reports, the EU is pursuing a simplification agenda — including for its digital rulebook. This article focuses on the Digital Omnibus Regulation, one of two separate proposals (alongside the Digital Omnibus on AI) under the Commission’s “Simplification – digital package and omnibus” initiative.
According to the Commission, the immediate objective of the amendments is to ensure that compliance with the rules comes at a lower cost, delivers on the same objectives, and brings a competitive advantage to responsible businesses.
The proposal is primarily one of harmonisation and clarification rather than a substantive policy overhaul. It does not directly address all outstanding issues of concern to trade credit insurers and sureties, such as the treatment of sole trader data or the scope of legitimate interest¹ as a lawful basis for business data processing. The clarifications it introduces are nonetheless worth understanding for those operating in this space.
What rules are amended under the Digital Omnibus Regulation proposal?
The Digital Omnibus Regulation proposal (hereafter "the proposal") introduces targeted amendments to several key directives and regulations (Table 1).
Table 1. Rules amended by the proposal
| Regulations | Directives |
| --- | --- |
| General Data Protection Regulation (GDPR) | ePrivacy Directive |
| Data Act | Directive on measures for a high common level of cybersecurity across the Union (NIS2) |
| Single Digital Gateway Regulation | Directive on the resilience of critical entities (CER) |
| Regulation on the protection of personal data by EU institutions, bodies, offices and agencies | |
Source: European Commission
What rules are repealed?
To eliminate overlap and duplication, as their objectives are now considered to be achieved through other EU digital legislation, the following rules are proposed to be repealed:
- Free Flow of Non‑Personal Data Regulation
- Data Governance Act
- Open Data Directive
- Platform to Business (P2B) Regulation, with certain provisions kept temporarily for cross‑references
Should these acts be repealed, their regulatory content would not be entirely removed. Notably, large parts of the Free Flow of Non-Personal Data Regulation, the Data Governance Act and the Open Data Directive would be consolidated into the Data Act, while the P2B Regulation’s objectives are considered largely covered by the Digital Services Act and the Digital Markets Act.
What are the key changes and why do they matter for trade credit insurance and surety?
The Digital Omnibus focuses on targeted simplification rather than substantive policy change, with the most material implications for insurers arising in the data and privacy area, while other themes are expected to have more indirect or operational effects (Table 2).
Table 2. Amendments per theme and their impact on insurers
| Theme and rules | Data and privacy (GDPR, ePrivacy, EU institutions’ data protection rules, Data Act) | Cybersecurity and resilience (NIS2, CER) | Digital public services (Single Digital Gateway Regulation) |
| --- | --- | --- | --- |
| Key changes | Clearer rules on anonymisation and pseudonymisation; more certainty on data reuse, including analytics and AI; simplified breach notification duties | Streamlined incident reporting; less overlap between cyber and resilience rules; clearer reporting responsibilities | Simpler digital interaction with authorities; more standardised cross-border procedures |
| Why it matters | Potentially clearer legal parameters for underwriting and monitoring; potentially greater scope for using aggregated or derived data | Potentially smoother incident reporting processes | Potentially easier access to certain company information through digital administrative procedures; faster verification processes |
| Indicative implications for insurers | Moderate, positive | Indirect, limited | Lower, marginal gains |
Sources: European Commission, ICISA
Note: The table provides a high-level, indicative view based on the Commission proposals. The impact assessment does not prejudge the outcome of the legislative process or subsequent guidance.
Which changes are most relevant for trade credit insurance and surety underwriting and operations?
As shown in Table 2, the amendments are not expected to be equally relevant for insurers. The data and privacy category is expected to be the most material for insurers’ underwriting and operations, although some of the proposed changes are likely to affect information providers and other service providers more directly. The following text therefore focuses on the key changes within this category: the GDPR, the EU institutions’ data protection rules, the Data Act, and the ePrivacy Directive.
GDPR
The proposal introduces targeted amendments to clarify key definitions and improve legal certainty, including the notion of personal data (by clarifying that information does not constitute personal data for a given controller² where that controller does not have means reasonably likely to identify the natural person concerned), the treatment of data resulting from pseudonymisation (by providing for EU-level criteria to assess re-identification risk), and the conditions under which certain information obligations and data breach notification requirements apply (by clarifying when those duties apply).
It also clarifies the application of the rules on automated decision-making in contractual contexts, including the interpretation of the “necessity for entering into or performance of a contract” condition under Article 22 GDPR, and clarifies the conditions under which personal data may be processed in the development and operation of AI systems, including provisions addressing limited residual processing (i.e. incidental processing that cannot reasonably be avoided), while maintaining the existing level of data protection. The detailed amendments are set out in Article 3 of the Digital Omnibus proposal.
EU institutions’ data protection rules
The proposal aligns the data protection regime applicable to EU institutions, bodies, offices and agencies with the amendments introduced to the GDPR, notably by mirroring the clarifications introduced in relation to key definitions, information obligations, data breach notifications and automated processing. These changes are intended to ensure consistency across the EU data protection framework and do not alter the underlying objectives or level of protection. The detailed amendments are set out in Article 4 of the proposal.
Data Act
The proposal expands the scope of the Data Act by repealing and integrating provisions from the Free Flow of Non-Personal Data Regulation, the Data Governance Act and the Open Data Directive, thereby bringing previously fragmented rules on data sharing, re-use and access into a strengthened single regulatory framework. It introduces targeted calibrations to improve legal clarity, including strengthened safeguards for trade secrets, a more narrowly defined framework for business-to-government data access, adjusted cloud switching obligations, and reduced administrative burdens, notably by extending certain SME facilitations to small mid-cap companies (as defined under the Commission proposal). The detailed amendments to the Data Act are set out in Article 1 of the proposal.
ePrivacy
The proposal simplifies the interaction between the ePrivacy rules³ and the GDPR by moving the regulation of the processing of personal data on and from terminal equipment⁴ into the GDPR framework, thereby aiming to remove the dual regulatory regime applicable to access to terminal equipment and subsequent personal data processing. It clarifies when consent is required for such processing, addresses repeated consent requests in practice, and provides a legal basis for the future use of automated, machine-readable expressions of user choices, while preserving the existing level of privacy protection. The detailed amendments to the ePrivacy Directive are set out in Article 5 of the proposal.
What is the current legal status?
The Digital Omnibus Regulation has been adopted by the European Commission as a legislative proposal and transmitted to the European Parliament and the Council under the ordinary legislative procedure. The proposal does not yet have legal effect. ICISA will continue to monitor this and other digital regulatory developments relevant to trade credit insurance and surety.
Endnotes
1. Legitimate interest is a lawful basis for processing personal data under Article 6(1)(f) GDPR, subject to a balancing test against the rights of individuals concerned. Its applicability to certain business data processing contexts remains subject to interpretation and has not been directly clarified by this proposal.
2. A controller is the natural or legal person, public authority, agency, or other body that determines the purposes and means of personal data processing.
3. In the ePrivacy Directive context, terminal equipment refers to devices connected to a public communications network, including computers, smartphones, and similar connected devices. Accessing or storing information on such devices (e.g. cookies) is governed by ePrivacy rules.
4. Terminal equipment refers to devices connected to a public communications network, such as computers and smartphones. In the ePrivacy Directive context, accessing or storing information on such devices, including through cookies, is subject to specific consent requirements.




