The European Commission (EC) proposed a new digital simplification package, driven by the strategic imperative to streamline regulation and unlock data flows. The package includes a digital omnibus that streamlines rules on artificial intelligence (AI), cybersecurity, and data, complemented by a Data Union Strategy to unlock high-quality data for AI. Also proposed are the European Business Wallets that will offer a single digital identity to simplify paperwork and make it easier to do business across EU member states. The package directly targets the complexity and cost of compliance within the banking sector, particularly in areas like risk modeling, KYC/AML, and operational resilience.
Data Union strategy
The Data Union Strategy aims to fuel innovation by increasing high-quality data availability for AI development, streamlining EU data rules, and strengthening the EU’s global position on international data flows. Its three priority action areas are:
Scaling Access: Ensuring businesses have reliable access to the high-quality data required for AI innovation.
Streamlining Rules: Providing legal certainty and reducing compliance costs by simplifying fragmented data rules.
Data Sovereignty: Strengthening the EU’s global position and control over international data flows.
Key proposals impacting financial sector
Once finalized, the proposed rules will introduce critical changes to compliance framework and operational processes in the financial services sector:
AI Act timeline: As per the proposal, the application of rules to high-risk AI models (used for credit scoring and pricing) may be delayed by up to 16 months, from August 02, 2026; the rules will not take full effect until the EU defines the necessary technical standards under the AI Act.
Targeted amendments to AI Act: This includes introducing an EU-level AI Regulatory Sandbox, alongside national sandboxes, and expanding real-world testing opportunities for high-risk AI systems. Other changes include removing the mandatory public registration requirement for high-risk AI systems that perform only minor, procedural, or narrowly constrained tasks and centralizing oversight of AI systems built on general-purpose AI models.
Streamlined incident reporting: The Digital Omnibus establishes a single-entry point for reporting cybersecurity incidents, consolidating complex obligations under regulations like the Digital Operational Resilience Act (DORA), NIS2, and the General Data Protection Regulation (GDPR). This simplifies crisis management during security events.
GDPR administrative relief: Amendments to the GDPR extend the deadline for notifying Data Protection Authorities of a data breach from 72 hours to 96 hours, providing banks with crucial additional time for incident assessment.
SME/SMC support: Administrative relief, including simplified technical documentation, is extended to Small Mid-Cap companies (SMCs); this involves extending certain existing GDPR derogations (for instance, the exemption from the obligation to maintain Records of Processing Activities) from small and medium-sized enterprises (SMEs) to a broader category of SMCs.
Consolidation under Data Act: Simplifying and consolidating EU data rules by merging four pieces of existing legislation (including Data Governance Act and Open Data Directive) into one within the Data Act, ensuring enhanced legal clarity and targeted exemptions for cloud-switching rules.
Digital identity transformation: The package proposes the European Business Wallet as a secure, harmonized, and interoperable digital identity solution for all legal entities. This can be expected to enable banks to automate and streamline KYC/AML processes and unlock up to €150 billion in annual savings for business across the EU.
Future simplification agenda: The legislative proposals (Digital Omnibus) are now under review by the European Parliament and Council. Separately, EC launched a parallel Digital Fitness Check consultation to evaluate the cumulative impact of EU digital rulebook, with the consultation closing on March 11, 2026.
Beyond compliance to digital opportunity
The strategic intent of this package is clear: to pivot the EU from regulatory complexity to digital leadership. While the proposals offer measurable administrative relief—from consolidated incident reporting to the 96-hour extension for data breach notification—the greater imperative lies in seizing the opportunity presented by the European Business Wallets and the Data Union Strategy. Financial institutions must move beyond compliance and treat this package as a mandate to restructure their operations, integrate high-assurance digital identity solutions, and leverage the clarified data environment to build superior, risk-aligned AI models. The true value lies in leveraging this new environment to sharpen data quality and risk intelligence.
Related links
LEARN MORE
Innovating with purpose
Moody’s is incorporating cutting-edge technologies, such as artificial intelligence, to help banks meet their existing challenges more effectively.