EU unveils major overhaul of GDPR, cookie rules, and AI regulations


24 November 2025


The European Union is preparing to introduce one of the most significant shake-ups to its digital regulatory framework since GDPR came into force in 2018. In a move that has already sparked intense debate, the European Commission has proposed sweeping changes that would scale back certain long-standing privacy protections, streamline compliance requirements, and reshape how data, artificial intelligence, and cybersecurity are governed across the bloc.

The proposals are bundled into what Brussels is calling a Digital Omnibus package, a broad legislative update intended to simplify overlapping rules that have grown increasingly complex as technologies evolve. The planned revisions would affect multiple cornerstone laws, including GDPR, the Data Act, and the recently adopted AI Act.

One of the most visible changes concerns how websites use cookies. For years, EU citizens have been inundated with pop-up requests for consent, the result of strict rules designed to give users full control over how their data is tracked. Under the new plan, Europe aims to reduce that friction. Users would be able to express their preferences with a single click through the central controls of their web browser, which would then apply across websites. Cookies considered to pose minimal risk would no longer require constant consent prompts, potentially transforming the user experience for millions of people browsing the web in Europe.

The reforms do not stop there. In a major adjustment to the AI Act introduced in 2024, companies would no longer be required to register certain AI systems used in high-risk contexts if the tasks they perform are not themselves high risk. This change, according to the Commission, is meant to reduce unnecessary administrative burdens on businesses without weakening safeguards for truly sensitive uses of AI. Smaller companies, in particular, stand to benefit, as the Commission is proposing lighter documentation requirements and streamlined reporting procedures for cybersecurity incidents.

Currently, organizations operating in the EU often must report cybersecurity breaches under multiple legal regimes, leading to overlapping, time-consuming obligations. The Commission acknowledges that this patchwork system discourages fast and transparent reporting. As part of the new reforms, it plans to introduce a single reporting portal, allowing entities to meet all of their obligations in one place. Officials argue that this will make the process more efficient and reinforce Europe’s cyber resilience.

Changes to GDPR itself may prove the most controversial. Under the proposed framework, tech companies would have more flexibility to share anonymized datasets and use personal data to train AI systems, provided that identities remain protected and other GDPR safeguards are upheld. Supporters of the reforms say this will accelerate AI innovation in Europe and help the continent compete with the United States and Asia. Critics, however, warn that these updates threaten to erode fundamental privacy rights.

A key structural modification will also shift how the EU oversees artificial intelligence. Amendments to the AI Act would give the EU’s AI Office centralized authority to supervise general-purpose AI models deployed by major platforms and search engines. Some provisions of the Act have been pushed back and will not take effect until August 2026 or 2027, giving companies more time to adapt.

Predictably, response to the Commission’s proposals has been polarized. Privacy activists and civil society groups have sounded the alarm, accusing Brussels of undermining the very protections that made the EU a global standard-setter in digital rights. In a joint statement, 127 organizations described the package as the largest rollback of digital human rights in the Union’s history, urging lawmakers to reject the amendments.

The tech industry, by contrast, is largely welcoming the move. CCIA Europe, a major lobbying organization representing companies such as Google, Apple, Amazon, and Meta, praised the package as an important step toward reducing the regulatory burdens that have complicated digital operations for years. Still, the group argued that even more ambitious reforms will be necessary to keep Europe competitive.

The legislative process now moves to the European Parliament and EU member states, both of which must approve the package before it becomes law. Given the intense lobbying and political stakes, the coming months are likely to bring heated debate over the balance between innovation and privacy, and over the direction of Europe’s digital future.
