EUU, Alm.del - 2025-26 - Bilag 22: Notat og høringssvar vedr. den digitale omnibus fsva. det digitale område

Europaudvalget 2025-26
EUU Alm.del Bilag 22
Offentligt

The

Danish Government’s

response to the Commission's call for evidence for the

Digital Omnibus as regards the digital area

A year after Mario Draghi’s recommendations on

The future of European competitiveness

is imperative to take decisive action to strengthen Europe’s digital competitiveness, and

Denmark encourages the Commission to present a Digital Omnibus that serves this end. It

is of paramount importance that opportunities for simplification are considered without

prejudice and with a high level of ambition. Therefore, we need to be open-minded and

bold in pursuing genuine simplification throughout EU’s digital framework.

Denmark fully supports the Commission’s

initiative

to simplify the digital acquis and shares

its ambition to reduce administrative burdens, simplify regulation and reduce fragmenta-

tion of the application of EU-law with a view to enhance competitiveness and innovation.

We embrace a comprehensive review of the digital acquis, ensuring that all legislation is

thoroughly assessed, and decisions are made on what should be retained, revised, or re-

pealed. We furthermore welcome the digital fitness check to be introduced as an ongoing

effort and hope that these processes will enable a more cohesive approach to the digital

acquis focusing on improving alignment and suitability of the digital regulation.

Furthermore, we support the overarching objective behind the Digital Omnibus, focusing

on targeted measures with immediate adjustments within areas where the same objectives

can be achieved by less burdensome means. Consistent application and effective enforce-

ment will be key. In this context, Denmark reiterates our strong commitment to support the

Commission in its efforts towards reducing administrative burdens by 25 pct. overall and by

35 pct. for SMEs. In this endeavour, Denmark encourages the Commission to conduct im-

pact assessments to get a better overview of the regulatory burdens before any new regu-

lation is introduced

–

as well as changed.

To support the Digital Omnibus in achieving the objective of simplifying the digital acquis,

the following section presents a summary of the Danish government’s key suggestions. A

detailed set of recommendations is outlined below and presented in greater detail in sub-

sequent pages. It should be noted that this response does not include recommendations on

cybersecurity, as this will be addressed in a separate contribution.

14 October 2025

Specific recommendations (further detailed on page 4-16)

Data

The European data legislation should be simplified, streamlined and aligned in order for the

horizontal legislation to provide a clear and consistent legal framework for data sharing and

re-use with significantly fewer burdens for businesses. In particular, we encourage the Com-

mission to:

1.1 Revise and simplify the data protection regime to reduce burdens for businesses and

make it more innovation friendly, including by considering a more risk-based ap-

proach to data protection (GDPR).

EUU, Alm.del - 2025-26 - Bilag 22: Notat og høringssvar vedr. den digitale omnibus fsva. det digitale område

1.2 Merge overlapping data legislation (including Free Flow of Non-Personal Data Regu-

lation, Open Data Directive and Chapter II of Data Governance Act).

1.3 Ensure less stringent requirements for data intermediation in the Data Governance

Act, for example by making the registration as a data intermediation service provider

voluntary.

1.4 Provide guidance on correlated or overlapping legislative instruments, such as Data

Act and GDPR regarding for example the distinction between personal and non-per-

sonal data.

1.5 Provide guidance on Data Act regarding complex data holder relationships and the

relevance of product rules.

1.6 Ensure a demand-driven approach to requirements on public sector data sharing to

create maximum effect.

1.7 Strengthen the mandate of the European Data Innovation Board (EDIB) and clarify

the governance structure around the data acquis

1.8 Address legal uncertainties regarding use of public sector data, for example in the

training of AI models

1.9 Encouraging data-driven solutions to simplify sharing of business data

Cookies and ePrivacy

Rules on cookies and online tracking technologies in the ePrivacy Directive should be up-

dated and aligned with GDPR with a view to reduce burdens for European companies, while

upholding the protection of data privacy. In this vein, we suggest the Commission to:

2.1 Abolish the cookie-banner for technical purposes and simple statistics (as now cov-

ered by article 13-15 in the GDPR).

2.2 Establish a structured dialogue for responsible authorities on cookies and tracking

technologies to align enforcement and address cases of cross-border relevance.

2.3 Increase the liability for Consent Management Platforms (CMP) to address dark pat-

terns and insufficient technical safeguards, thereby improving compliance.

2.4 Modernise the language and definitions of the ePrivacy directive to meet technologi-

cal and legal developments.

2.5 Refrain from consolidating the ePrivacy Directive with the Data Act due to limited

potential.

AI Act

The EU has demonstrated a firm commitment to take the lead in developing trustwothy AI.

However, the rules have shown increasingly complex over time. In order to simplify the AI

Act, while preserving the key objectives behind, we encourage the Commission to:

3.1 Extend the timelines for high-risk obligations by at least a year

3.2 Ensure proportional requirements for SMEs and start-ups

EUU, Alm.del - 2025-26 - Bilag 22: Notat og høringssvar vedr. den digitale omnibus fsva. det digitale område

3.3 Safeguard coherence and avoid duplication with other digital EU legislation

3.4 Keep in mind that implementing acts on AI Regulatory Sandboxes could enable

adaptable and flexible implementation

3.5 Remove the AI Literacy obligation and make it a non-binding guidance

3.6

Provide guidance on the term “vulnerable groups”

3.7 Balance proportionality and oversight by amending Article 49 on Registration Re-

quirements

Electronic identification

Existing gaps, unclarities and obligations with limited added-value related to electronic

identification should be addressed, ensuring that redundant burdens are removed. To this

end, we encourage the Commission to:

eIDAS2

4.1 Remove references to legal persons from eIDAS2, by addressing this aspect compre-

hensively in a separate chapter of the Business Wallet regulation instead.

4.2

Introduce a “wallet-by-default”-principle

to guarantee that the wallet-infrastructure

is used in all relevant use-cases where there is value-added and demand.

4.3 Remove obligations for MS-specific certification schemes.

4.4 Reconsider Article 45e on Verification of attributes against authentic sources.

4.5 Create a category of attestation issuers which are not Trust Service Providers

4.6 Adjust the Open Source licensing requirement for EUDI Wallets in order to ensure

necessary flexibility in contracting and development

Single Digital Gateway

4.7 Streamline synergies between the SDG-regulation and other legislation on electronic

identification, by assessing whether the SDG-framework, including the OOTS, be-

comes redundant with the EBW.

4.8 Amend the definition of local services and include the definition in Article 3.

4.9 Amend article 14 to further clarify different mechanisms for exchange.

EUU, Alm.del - 2025-26 - Bilag 22: Notat og høringssvar vedr. den digitale omnibus fsva. det digitale område

Specific recommendations in detail

Data

Recalling the Danish position outlined in the call for evidence on the European Data Union

Strategy, we welcome the Commission’s commitment to address concerns related to the

current rules within the European data aquis, in view of ensuring their continued relevance

and effectiveness. In particular, we encourage the Commission to streamline and consoli-

date existing legislation with the aim of reducing compliance burdens for European busi-

nesses and public authorities, and to unleash the full potential of data. In the following, we

outline specific initiatives to consider:

1.1 Revise and simplify the data protection regime to reduce burdens for businesses and

make it more innovation friendly, including by considering a more risk-based approach to

data protection (GDPR)

While the protection of personal data is a fundamental right, which in its core shall be re-

spected, the GDPR in its current form is creating barriers to the development and use of data-

driven solutions such as AI that benefit European companies, citizens and public authorities.

Where better data use could support the development of solutions that benefit European com-

panies and citizens, the current regime risks stalling technological and societal innovation and

limit Europe’s chances to compete in the AI race.

A recent study finds that compliance with GDPR (and associated national legislation) costs Dan-

ish companies close to EUR 2 billion every year. There is an urgent need to address the negative

effects of GDPR, which constitute a drag on European competitiveness.

Many initiatives in the private and public sector are being paused or abandoned due to con-

cerns over compliance, stemming from GDPR rules that can be complex, unclear, and challeng-

ing to navigate without specialised legal expertise. In this vein, it is imperative to address une-

ven implementation and enforcement of the GDPR across Member States, in the aim of allevi-

ating administrative burdens, in particular for European businesses engaged in cross-border

activities in the EU.

Danish companies point to burdensome documentation requirements and mapping of data-

flows and the broad scope of the rights granted to the data subjects. In particular, small com-

panies and non-profit organizations find the GDPR burdensome to comply with. The impact is

also felt by citizens

—

who find it more cumbersome to participate in community and volunteer

organisations. From a Danish perspective it is very important to safeguard the continued func-

tioning and prosperity of the civil society and local associations.

Thus, Denmark advocates for an upcoming revision of the GDPR that ensures that public au-

thorities, businesses and individuals can benefit from data-driven solutions. Rather than hin-

dering innovation, the revised framework should unlock improved access to data for the train-

ing of AI models.

There is no doubt that we need data protection in the EU. Nonetheless, we need to do it

smarter and more flexible. Specifically, Denmark encourages an even more risk-based ap-

proach, where regulatory requirements are proportionate to the actual risks involved in data

processing. Denmark sees a need to recalibrate the balance between, on one hand, ensuring

an adequate level of protection of personal data, and on the other, ensuring the right scope of

action for companies, so they can continue to thrive.

EUU, Alm.del - 2025-26 - Bilag 22: Notat og høringssvar vedr. den digitale omnibus fsva. det digitale område

1.2 Merge overlapping data legislation (including Free Flow of Non-Personal Data Regulation,

Open Data Directive and Chapter II of Data Governance Act)

Denmark encourages streamlining and improving coherence across the data acquis. This

should include a thorough and ambitious review of the continued need for provisions of the

data acquis, ensuring that only what remains relevant and effective is retained or added. In

this context, it is important to carefully consider relevant upcoming proposals to assess

which data-related legislative instruments could be meaningfully merged or aligned to re-

duce overlaps and complexity. It is also important to assess which legislative instruments

should remain distinct to preserve legal clarity and purpose. Ultimately, providing a more

coherent data acquis is about reducing overlap where it exists and streamlining relevant

definitions, making it easier for authorities to enforce and for businesses to navigate their

obligations and rights.

To this end, we propose to consolidate and merge legislation that governs overlapping ar-

eas, such as the Free Flow of Non-personal Data (FFoD), the Open Data Directive (ODD) and

Chapter II of the Data Governance Act (DGA) on public sector data. Currently, it is unclear

whether obligations fall under one or the other, creating unnecessary confusion for both

public and private sector actors, as well as for national authorities, who must consult mul-

tiple legal texts covering the same subject matter.

The FFoD’s provisions on cloud switching

has been overtaken by the Data Act and can there-

fore be repealed. The work already invested in switching standards such as SWIPO (Switch-

ing Cloud Providers and Porting Data) should however be considered in the development of

standards under the Data Act. The FFoD’s prohibition against national data-localisation

re-

quirements remains very valid and should be retained but could be integrated in the Data

Governance Act or in another data relevant act. The continued relevance of the transpar-

ency obligation regarding such localisation requirements should be assessed.

It is questionable whether the Data Act would be the right framework for a merging of the

ODD, DGA and FFoD. Adding the ODD, the DGA and the FFoD to the Data Act would not

itself

lead to administrative burdens for businesses and authorities when no clear cohesion

exists. Also, the Data Act is already fragmented, covering several distinct areas and actors

—

for example Chapter II introduces obligations on data sharing from connected products,

while Chapter VI requires easier switching between data processing services. At worst,

simply merging different legislation with no clear overlap can lead to a more complex en-

forcement considering the division of labour between multiple competent authorities, thus

not necessarily resulting in more clarity for businesses.

1.3 Ensure less stringent requirements for data intermediation in the Data Governance Act,

for example by making the registration as a data intermediation service provider volun-

tary

We see merit in making the requirements for data intermediation service providers (Art. 12

of the Data Governance Act) less stringent, as the current rules make it difficult for compa-

nies to create a viable business model. Making the registration as a data intermediation

service provider voluntary could be considered in this regard.

EUU, Alm.del - 2025-26 - Bilag 22: Notat og høringssvar vedr. den digitale omnibus fsva. det digitale område

1.4 Provide guidance on correlated or overlapping legislative instruments, such as Data Act

and GDPR regarding for example the distinction between personal and non-personal data

To genuinely reduce burdens for businesses and competent authorities, Denmark encour-

ages the Commission to develop clear guidance on areas such as the interpretation of reg-

ulations, including examples of use cases as well as on delineations between overlapping or

correlating legislative instruments.

One area where guidance is particularly needed is the relationship between the Data Act

and the GDPR. While the Data Act is intended to supplement the GDPR, the distinction be-

tween personal and non-personal data will often be difficult to draw for data holders under

Chapter II, particularly when datasets contain both types. Moreover, the Data Act intro-

duces technical requirements for data sharing that affect how GDPR obligations are fulfilled,

further blurring the boundaries between the two frameworks. This distinction is also highly

relevant for the Free Flow of Non-Personal Data Regulation.

1.5 Provide guidance on Data Act regarding complex data holder relationships and the rele-

vance of product rules

The Data Act constitutes a new set of rules regulating a previously unregulated areas, form-

ing a general need for more guidance on the interpretation and real-life use of the Data Act

–

both for businesses and Member States.

Guidance is needed regarding the more complex relationships under Chapter II, such as

manufacturers who outsource the data holder role, cases with multiple users, or cases with

second-hand sellers. Article 3(2) of the Data Act requires sellers, renters, and lessors to pro-

vide users with specific information. In practice, this information will often have to come

from the manufacturer of the connected product - likely in the form of a website link or a

QR code on the product packaging. Guidance is needed for physical sellers/renters/lessors

in cases where the manufacturers does not provide the information on the packaging of the

product.

Furthermore, it would be helpful to further clarify the relevance of product rules and the

European Commission’s

“Blue Guide on the implementation of EU product rules”

(2022) in

interpreting the Data Act. In particular, greater clarity is needed on the extent to which

Article 3 of the Data Act should be read in light of product rules and the

Blue Guide.

This

applies both to the definition of who qualifies as a manufacturer (for example, whether an

actor who purchases a product and then relabels it with their own brand should be regarded

as a manufacturer under the Data Act), and to the interpretation of disclosure obligations

(for example, whether “clear and comprehensible” should be understood to imply the same

language requirements as those set out in product rules).

The European Commission’s FAQ, under Question 8, states that the

Blue Guide

“served as

inspiration for the Data Act’s rules on products and provides comprehensive guidance on

this topic. For instance, the Blue Guide identifies situations where a product is not considered

to be ‘placed on the market’.”

However, the extent to which the principles of the

Blue Guide

should apply in a Data Act context remains unclear.

1.6 Ensure a demand-driven approach to requirements on public sector data sharing to create

maximum effect

EUU, Alm.del - 2025-26 - Bilag 22: Notat og høringssvar vedr. den digitale omnibus fsva. det digitale område

We encourage allowing for a demand driven approach to spend the resources required for

making data available where these efforts can create maximum effect rather than chasing

mindless publication of more and more datasets with limited reuse value. Rather than a

more stringent requirements on public sector data sharing such as mandatory APIs or ex-

panding the scope of high value datasets.

1.7 Strengthen the mandate of the European Data Innovation Board (EDIB) and clarify the

governance structure around the data acquis

There is a need to clarify and strengthening the governance structure around the digital

acquis by improving the composition of the European Data Innovation Board (EDIB) and

strengthening its mandate, and we suggest aligning it better with other fora such as the

Open Data Committee and the IEB.

1.8 Address legal uncertainties regarding use of public sector data, for example in the training

of AI models

Further, fragmentation in the EU’s data legislation can create legal

uncertainty, e.g. when

public authorities seek to train AI models. To address this EU-level guidance could be pro-

vided on the lawful bases for re-use of public sector data, especially in the AI context, e.g.

how the purpose limitation principle (Article 5(1)(b) GDPR) is to be interpreted. In the same

vein, robust and harmonised EU standards for anonymisation and pseudonymisation could

be considered, giving public authorities the necessary legal certainty when sharing or re-

leasing data sets.

1.9 Encouraging data-driven solutions to simplify sharing of business data

As a more horizontal point, we wish to highlight the importance to advance and ensure

common standardised data, structured data formats and enhance cross-border interopera-

bility between digital business systems efficiently reducing the burdens stemming from

non-standardised data, fragmented digital ecosystems and manual processes within com-

panies.

Cookies and ePrivacy

There is an urgent need to modernise the EU regulatory framework on cookies and online

tracking to reduce burdens for European businesses and address persistent issues, including

consent fatigue and information overload, fragmented and uneven enforcement and tech-

nological developments in the market. It is therefore imperative to move forward, refining

and updating key elements of the ePrivacy Directive to ensure a less burdensome frame-

work for business in EU while upholding the protection of data privacy. To this end, a num-

ber of measures should be considered.

2.1 Abolish the cookie-banner for technical purposes and simple statistics (as now covered by

article 13-15 in the GDPR).

We urge the Commission to consider the interaction between the GDPR and the ePrivacy Di-

rective. The ePrivacy Directive requires end-users’

informed consent before storing cookies or

other online tracking technologies on a user’s device. In other words, all providers of websites

or apps find themselves in need of a cookie banner in order to fulfill the requirements for con-

sent of the end-user.

EUU, Alm.del - 2025-26 - Bilag 22: Notat og høringssvar vedr. den digitale omnibus fsva. det digitale område

The costs related to implementing and maintaining a cookie banner are substantial. The major-

ity of all European companies own websites, which collect and process end-user’s

data

for tech-

nically necessary functions and for conducting simple statistics for the functioning and use of

their website. From a privacy perspective, these tracking purposes are to be considered harm-

less. Hence, there are huge costs reductions to be made for European companies, if collection

and processing for these purposes are clearly exempted from prior consent. In effect, only com-

panies collecting data for other purposes,

e.g.,

marketing or sharing of data with third parties,

would be required to maintain cookie banners.

In practice, this scenario could most clearly be implemented by changing the GDPR as well as

the ePrivacy Directive. The ePrivacy Directive defines the term consent through a reference to

the GDPR. This link between the two regulations makes good sense, as GDPR can require con-

sent from a legal person, the data subject, for the processing of personal data, even if the ePri-

vacy Directive did not require consent to collect and process the end-user’s

communications

data. Thus, it could be appropriate to make an exemption in the GDPR, whitelisting the pro-

cessing and storage of personal communications data for technical purposes and for simple

statistics.

Amendments for Regulation (EU) 2016/679 (GDPR) to implement recommendation 2.1

It is recommended that a minimum threshold is implemented when it comes to

Article 13-15

of the

GDPR. For instance, by introducing a lower limit for the processing activity required before the rights

of the data subject apply. In particular, the right of access by the data subject under Article 15 of the

Regulation is thus perceived by many controllers as a particularly burdensome right to comply with. It

should also be considered to ease the requirements and / or to expand the exceptions to Article 13.

Further, it is suggested that the need for Article 20 of the GDPR is reconsidered, as the provision ap-

pears to be more in the nature of a consumer right.

2.2 Establish a structured dialogue for responsible authorities on cookies and tracking technolo-

gies to align enforcement and address cases of cross-border relevance

The ePrivacy Directive regulates many service providers operating across EU borders, which

has created challenges for enforcement at the national level. Providers often face cases being

opened simultaneously in different Member States, along with diverging interpretations of the

rules depending on the jurisdiction. We recommend establishing an EU-level advisory board or

coordinating forum that could issue expert opinions on cases of cross-border relevance, which

are not well-suited to be handled solely at the national level. This could potentially be a done

under the auspices of the EDPB or the EDIB. In the long-term further harmonisation of require-

ments and enforcement could be considered.

2.3 Increase the liability for Consent Management Platforms (CMP) to address dark patterns and

insufficient technical safeguards, thereby improving compliance

Currently, website and app owners bear sole responsibility for complying with legal require-

ments, even though they often rely on CMPs to handle user consent. CMP providers, however,

carry no direct legal responsibility. This imbalance has led to weak compliance, widespread use

EUU, Alm.del - 2025-26 - Bilag 22: Notat og høringssvar vedr. den digitale omnibus fsva. det digitale område

of dark patterns in cookie banners, and insufficient technical safeguards to prevent tracking

before consent is given.

To address this, a clear legal framework should be established to define the extent to which

CMP providers can be held jointly responsible for compliance. Such a framework would

strengthen cookie banner practices, reduce the reliance on manipulative design patterns, and

improve technical safeguards to ensure that tracking does not occur without consent. Redis-

tributing responsibility in this way would reduce the burden on website owners, while requiring

CMP providers to assume greater accountability.

Concretely, CMPs should be required to provide default solutions that comply with existing

legislation. If a website owner chooses to alter or disable these default compliance features,

the CMP should be legally obliged to advise them of the potential legal risks. For example, if a

website owner attempts to remove the option to “reject all tracking technologies,” the CMP

must explicitly inform them that such an action is likely unlawful.

This rebalancing of responsibility could be achieved through a legislative amendment, ensuring

that CMP providers play an active role in upholding legal standards while supporting both busi-

nesses and consumers in the digital environment.

2.4 Modernise the language and definitions of the ePrivacy directive to meet technological and

legal developments

When reviewing and applying the ePrivacy Directive, it becomes clear that the regulation relies

on outdated terminology. We recommend updating its language and definitions to better re-

flect the evolving digital landscape and to ensure consistency with other relevant EU digital

legislation. Furthermore, it should also be assessed if all rules are still needed given the tech-

nological developments, and it should be ensured that similar services are subject to the same

rules. This would provide much-needed legal clarity and greatly benefit both consumers and

businesses, who often find the current directive difficult to interpret.

2.5 Refrain from consolidating the ePrivacy Directive with the Data Act due to limited potential

While consolidating the ePrivacy Directive with the GDPR and the upcoming Digital Networks

Act could create synergies by aligning similar and compatible rules on on the one hand data

protection and oversight and on the other hand electronic communications providers, the Data

Act does not regulate comparable issues. Incorporating the ePrivacy Directive into the Data Act

would therefore risk complicating an already fragmented legal framework and would make su-

pervision at the national level more difficult.

AI Act

The European Union has shown its strong commitment to lead in trustworthy artificial in-

telligence (AI), notably through the adoption of harmonised rules in the Artificial Intelli-

gence Act (AI Act). The Act lays down a risk-based regulatory framework with concrete re-

quirements for, e.g., high-risk AI systems. In the following we propose ideas for how to sim-

plify the regulation without compromising the fundamental objectives of the Regulation.

3.1 Extend the timelines for high-risk obligations by at least a year

The current compliance deadlines for high-risk obligations set in AIA, chapter III, risk over-

whelming providers, particularly SMEs and start-ups. Compliance depends heavily on the

EUU, Alm.del - 2025-26 - Bilag 22: Notat og høringssvar vedr. den digitale omnibus fsva. det digitale område

timely availability of harmonised standards, both of which are still under development and will

be at least one year delayed. The Commission guidelines is likewise significantly delayed. Im-

posing full obligations before this framework is in place creates legal uncertainty and dispro-

portionate burdens on businesses and risk undermining the development and uptake of AI in

Europe.

We therefore propose extending the implementation timelines for high-risk AI systems by at

least one year, allowing providers and deployers to adapt once the standards are available as

originally foreseen during negotiations. This can be achieved via targeted amendments to arti-

cle 113 of the AI Act

on “Entry

into force and application”. We believe this is a fair and balanced

approach that makes compliance more realistic for providers and deployers, while maintaining

constructive pressure on standardisation organisations to finalise harmonised standards as

quickly as possible.

3.2 Ensure proportional requirements for SMEs and start-ups

SMEs should not be required to meet the same resource-intensive obligations as larger provid-

ers as their systems are unlikely be as widespread in use and therefore unlikely to pose the

same level of risk. The volume of individual documentation, registration and assessment for

providers of high-risk AI systems poses a significant burden. Fulfilment should be proportionate

to the resources and capacity of the provider and to the risk posed by the systems. Some re-

quirements are particularly challenging for SMEs and start-ups. We therefore suggest the fol-

lowing adjustments.

Firstly, we suggest an exception is made to article 11(1)

on “Technical documentation”,

so that

SMEs and start-ups only have to provide technical documentation upon request. Currently, ar-

ticle 11 obliges providers to prepare and maintain full technical documentation before placing

an AI system on the market, which requires substantial ongoing administrative effort. Cur-

rently, article 11(1) states that “SMEs,

including start-ups, may provide the elements of the

technical documentation specified in Annex IV in a simplified manner”. We suggest to clarify

the article to make it clear that providers are only required to provide technical documentation

upon request. This would be a more proportionate approach, ensuring accountability, while

avoiding unnecessary costs.

Secondly, we suggest extending the derogation in article 63(1)

on “Derogations

for specific op-

erators” to SMEs and start-ups, as quality management systems and post-market monitoring

are among the most expensive compliance elements; a narrowly scoped exemption would al-

leviate some of the burdens while preserving safety objectives.

3.3 Safeguard coherence and avoid duplication with other EU legislation

To support a well-functioning single market for AI development and deployment, the AI Act

must be implemented consistently, predictably and coherently with other frameworks notably

the GDPR. For example, article 27 in the AI Act introduces an obligation that is overlapping with

article 35 in GDPR in scope. Article 27 requires deployers to self-assess potential impacts of

high-risk AI systems on fundamental rights before placing a system on the market. This places

a heavy burden on companies, especially SMEs, which often lack the expertise for such complex

assessments.

EUU, Alm.del - 2025-26 - Bilag 22: Notat og høringssvar vedr. den digitale omnibus fsva. det digitale område

We therefore propose removing the article 27 self-assessment for companies and relying in-

stead on the post-market supervisory role of Article 77 bodies, namely national public authori-

ties or bodies protecting fundamental rights. Under the suggested approach, Article 77 bodies

would monitor whether companies uphold their fundamental rights obligations, similar to the

way market surveillance authorities s supervise other AI Act obligations. This would be more

efficient and reliable.

In line with the risk-based approach and to avoid double notifications, we would also recom-

mend reconsidering the classification of ‘any’ infringement of EU law obligations intended to

protect fundamental rights as

a “serious incident”

in article 3(49)(c). Such infringements are

already subject to appropriate sanctions under the relevant laws. Additional AI Act notifications

are unlikely to significantly improve protection and will generate large volumes of reports,

which will draw resources from genuinely serious incidents, covered under the other points in

article 3(49). We therefore recommend deleting point c.

Furthermore, the AI Act introduces extensive obligations, particularly for high-risk systems used

in the public sector. Uncertainty on risk classification and compliance risks regulatory paralysis

or inadvertent non-compliance. To mitigate this, the Commission should develop clear and

user-friendly guidance on integrated impact assessments, bringing together AI Act articles 9

and 27 (risk management & fundamental rights), GDPR article 35 (Data Protection Impact As-

sessment), and NIS2 article 21 (cybersecurity risk management). A single, coherent methodol-

ogy would enable straightforward, timely and correct compliance.

3.4 Keep in mind that implementing acts on AI Regulatory Sandboxes could enable adaptable

and flexible implementation

The AI regulatory sandboxes can be highly beneficial if they remain flexible and do not overbur-

den Member States and participants with detailed procedural requirements. Implementing

acts should allow for adaptable setups and avoid disproportionate administrative obligations

for hosting authorities.

3.5 Remove the AI Literacy obligation and make it a non-binding guidance

We suggest removing article 4 and making it a non-binding recommendation. At present, the

requirement is widely misunderstood and often over-implemented due to fear of non-compli-

ance.

It is particularly unclear what constitute “sufficient AI-literacy”,

and unproportionate

amounts of resources are spent on uncovering it.

3.6 Provide

guidance on the term “vulnerable groups”

Article 9(9) requires providers to consider the likelihood of negative impacts on minors and,

where relevant, other vulnerable groups when implementing article 9 (1-7). The objective is

important, but further guidance is needed to keep

requirements

practicable. Any guidance on

”vulnerable groups” under article 9(9), should take into account existing guidance and inter-

pretations related to the prohibited AI practices.

3.7 Balance proportionality and oversight by amending Article 49 on Registration Requirements

The AI Act requires certain providers of high-risk AI systems to register products in a central EU

database prior to market placement. While transparency is a legitimate aim, the mechanism as

designed risks imposing disproportionate burdens, especially on SMEs and start-ups, without

clear benefits for end-users or regulators.

EUU, Alm.del - 2025-26 - Bilag 22: Notat og høringssvar vedr. den digitale omnibus fsva. det digitale område

A more proportionate approach would be to either remove the requirement in article 49 en-

tirely or amend it so that registration obligations are streamlined and limited to essential, non-

sensitive information. Ideally, the necessary information would be shared through a Digital

Product Passport rather than a new database.

Electronic identification

With regard to simplification towards aspects related to electronic identification under the

European Digital Identity Framework, including the forthcoming proposal on a European

Business Wallet, Denmark reiterates the position laid out in Denmark’s response to

the Call

for Evidence on the European Business Wallet (EBW). In addition, the following section pre-

sents key recommendations for simplifying Regulation (EU) 2024/1183 (eIDAS2).

Recommendations on eIDAS2

4.1 Remove references to legal persons from eIDAS2, by addressing this aspect comprehensively

in a separate chapter of the Business Wallet regulation instead.

When introducing the EBW it is suggested that the existing infrastructure gaps are addressed

first. To this end, we recommend removing references to legal persons from eIDAS2, address-

ing this aspect comprehensively in a separate chapter of the Business Wallet regulation instead.

In this context, Denmark supports the principle behind the “one in, one out” approach in rela-

tion to the publication of the EBW initiative, as we understand it to reflect a commitment to

reduce unnecessary burdens on businesses, ensuring that new obligations introduced through

the EBW are offset by the removal of redundant requirements and burdens under eIDAS and

eIDAS2.

4.2

Introduce a “wallet-by-default”-principle

to guarantee that the wallet-infrastructure is used

in all relevant use-cases where there is value-added and demand.

We echo the need for a “wallet-by-default”-principle

to ensure that the wallet-infrastructure

is used in all relevant use-cases where there is value-added and demand. This would, among

other things, ensure that both the EUDI Wallet and European Business Wallets would be

widely used for authentication purposes in EU legislation.

4.3 Remove obligations for MS-specific certifications schemes in eIDAS2

While transparency and trust in the Wallet require that user-facing components remain open

source, a blanket obligation to open-source all application software components risks reducing

flexibility in procurement, contracting, and development. Many Member States rely on private

contractors who use proprietary modules, libraries, or integration layers that cannot legally or

commercially be licensed under open-source terms.

The strict obligation to open source license all components installed on the user device may

discourage private-sector participation, limit innovation, and increase costs by forcing cus-

tom-made development rather than reuse of existing solutions. A strict requirement that

all wallet components on the user’s device must be open-sourced

may hinder Member

States’ ability to contract flexibly with private developers, especially where proprietary

modules or licensed elements are embedded. For some implementations, it may be legally

or commercially impossible to release such components under an open-source license with-

out undermining security or intellectual property rights.

EUU, Alm.del - 2025-26 - Bilag 22: Notat og høringssvar vedr. den digitale omnibus fsva. det digitale område

Member States should retain the option to exempt specific components

—

including those

on user devices

—

where duly justified. Safeguards can be maintained through e.g. closed

disclosure to authorities or civil society organisations. This maintains transparency for users,

while giving Member States necessary flexibility to procure and develop Wallet solutions

efficiently.

Suggestions for Regulation (EU) 2024/1183 (eIDAS2) to implement recommendation 4.3

DRAFTING SUGGESTION FOR ARTICLE 5c:

“3. For requirements referred to in paragraph 1 of this Article that are not relevant for cybersecurity,

and, for requirements referred to in paragraph 1 of this Article that are relevant for cybersecurity, to

the extent that cybersecurity certification schemes as referred to in paragraph 2 of this Article do not,

or only partially, cover those cybersecurity requirements, also for those requirements,

the Commission

must establish one or more complete certification schemes for the commonly recognized architec-

tural profiles for use by conformity assessment bodies across the Union, taking into account the need

for different wallet implementations across Member States.

Member States

shall may also

establish

national certification schemes following the requirements set out in the implementing acts referred to

in paragraph 6 of this Article. Member States shall transmit their draft national certification schemes

to the European Digital Identity Cooperation Group established pursuant to Article 46e (1) (the ‘Coop-

eration

Group’). The Cooperation Group may issue opinions and recommendations.”

4.4 Reconsider Article 45e on Verification of attributes against authentic sources in eIDAS2

Article 45e, as drafted, obliges all Member States to open authentic sources for verification by

Qualified Trust Service Providers (QTSPs). This wide obligation risks a costly and far-reaching

implementation, while potentially also undermining the subsidiarity principle and the flexibility

Member States need in organizing their identity infrastructures.

We find the objective of Article 45e regarding the verification by QTSPs to be unclear. If the

intention is for QTSPs to issue Public-sector attributes listed in Annex VI (e.g., civil status, na-

tionality, residence) as Qualified Electronic Attestation of Attributes (QEAAs), this may not be

relevant in some Member States, as they may wish to retain exclusive control over issuance,

ensuring these attributes are only released as Public-Sector Electronic Attestation of Attributes

(Pub-EAAs) directly from the competent authority. Others may see value in enabling QTSPs to

verify and issue attributes on request. Both models are valid and should remain at the discre-

tion of the Member State.

For smaller administrations in particular, creating and maintaining secure interfaces for exter-

nal QTSP verification is costly and administratively burdensome. Moreover, delegating access

to authentic sources raises governance and liability issues that some Member States may prefer

to avoid.

Therefore, Article 45e should be reframed to say that Member States may enable QTSPs to

verify attributes against authentic sources, but are not obliged to do so. See appendix X for

Article specific suggestions.

EUU, Alm.del - 2025-26 - Bilag 22: Notat og høringssvar vedr. den digitale omnibus fsva. det digitale område

Suggestions for Regulation (EU) 2024/1183 (eIDAS2) to implement recommendation 4.4

DRAFTING SUGGESTION FOR ARTICLE 45e:

“1. Member States

shall ensure, within 24 months of the date of entry into force of the implementing

acts referred to in Articles 5a(23) and 5c (6), that, at least for the attributes listed in Annex VI, wher-

ever those attributes rely on authentic sources within the public sector, may take

measures

are taken

to allow qualified trust service providers of electronic attestations of attributes to verify

attributes that

rely on authentic sources within the public sector those attributes

by electronic means at the request

of the user, in accordance with Union or national law.”

4.5 Create a category of attestation issuers which are not Trust Service Providers in eIDAS2

Today, issuing EAAs is a trust service by design. eIDAS2 makes “issuance of Electronic Attesta-

tion of Attributes” a new trust service; providers of qualified and non-qualified

EAA services are

regulated as TSPs. That means any private issuer that wants to place EAAs into wallets steps

into the eIDAS trust-service regime. Even non-qualified TSPs face formal obligations (risk man-

agement, 24-hour incident/breach notifications to the supervisor, etc.), and eIDAS2 sets ad-

ministrative-fine ceilings that can reach

€5M or 1% of worldwide turnover —

deterring SMEs

and sector issuers whose attributes are low-risk (e.g., training completions, memberships, loy-

alty status).

Wallet adoption needs many ‘everyday’ attestations. eIDAS2 already reserves stricter tracks for

(i) public-sector authentic-source attestations and (ii) qualified EAAs. But there is no light-

weight, clear pathway for private issuers of routine attributes to participate without becoming

TSPs. The gap slows ecosystem growth and creates uncertainty for companies

“outside the

realm of eIDAS” about what they commit to.

Legal certainty can be preserved without full TSP status. eIDAS2 already grants baseline legal

effect to EAAs (they can’t be dismissed just for being electronic or non-qualified).

Preserving

that baseline while creating a lighter issuer category would keep relying parties free to weigh

probative value case-by-case, while avoiding disproportionate supervisory burdens for low-risk

use cases

4.6 Adjust the Open Source licensing requirement for EUDI Wallets in order to ensure necessary

flexibility in contracting and development in eIDAS2

While transparency and trust in the Wallet require that user-facing components remain

open source, a blanket obligation to open-source all application software components risks

reducing flexibility in procurement, contracting, and development. Many Member States

rely on private contractors who use proprietary modules, libraries, or integration layers that

cannot legally or commercially be licensed under open-source terms.

The strict obligation to open source license all components installed on the user device may

discourage private-sector participation, limit innovation, and increase costs by forcing cus-

tom-made development rather than reuse of existing solutions. A strict requirement that

all wallet components on the user’s device must be open-sourced

may hinder Member

States’ ability to contract flexibly with private developers, especially where proprietary

modules or licensed elements are embedded. For some implementations, it may be legally

EUU, Alm.del - 2025-26 - Bilag 22: Notat og høringssvar vedr. den digitale omnibus fsva. det digitale område

or commercially impossible to release such components under an open-source license with-

out undermining security or intellectual property rights.

Member States should retain the option to exempt specific components

—

including those

on user devices

—

where duly justified. Safeguards can be maintained through e.g. closed

disclosure to authorities or civil society organisations. This maintains transparency for users,

while giving Member States necessary flexibility to procure and develop Wallet solutions

efficiently.

Suggestions for Regulation (EU) 2024/1183 (eIDAS2) to implement recommendation 4.6

DRAFTING SUGGESTION FOR ARTICLE 5a:

“3. The source code of the application software components of European Digital Identity Wallets shall

be open-source licensed. Member States may provide that, for duly justified reasons, the source code

of specific components

other than those installed on user devices

shall not be disclosed.

Member

States shall ensure that, in such cases, appropriate measures are in place to guarantee transparency,

security, and interoperability”

Recommendations on the SDG (Single Digital Gateway Regulation)

4.7 Streamline synergies between the SDG-regulation and other legislation on electronic identi-

fication, by assessing whether the SDG-framework, including the OOTS, becomes redundant

with the EBW.

In addition, with the introduction of the EBW we recommend that the potential double im-

plementation when it comes to the Once-Only Technical System (OOTS), as laid out in the

SDG EU 2018/1724, is considered and assessed further. We therefore urge the Commission

to examine whether use cases and interactions currently covered by the OOTS could be

more effectively supported through the EWB framework, and whether such cases should

consequently be exempted from exchange via the OOTS.

In this vein, it is suggested that the synergies between the SDG and other legislation related

to electronic identification is streamlined in order to reduce administrative burdens. There-

fore, two further amendments on the SDG are proposed below.

4.8 Amend the definition of local services and include the definition in Article 3

Currently, the exception of certain national procedures from being made fully accessible

online due to being highly localised is briefly described in SDG preamble 20. However, this

brief and surface-level description has led to confusion over what is to be considered as a

local service and its practical implications, as our mapping of the Danish procedure portals

has uncovered a wide range of procedures that in theory fall within the purview of Annex II

but have few to no cross-border users annually, or where all the documentation, that is

requested during the procedure, is issued by another Danish Competent Authority. We

therefore propose that the description of such exceptions in preamble 20 is amended, and

that its definition is included in Article 3 regarding definitions.

EUU, Alm.del - 2025-26 - Bilag 22: Notat og høringssvar vedr. den digitale omnibus fsva. det digitale område

Suggestions for Regulation (EU) 2018/1724 (SDG) to implement recommendation 4.8

Preamble 20:

“For cross-border

users who are not resident or established in the Member State con-

cerned, online national procedures that are not relevant for the exercise of their internal market rights

(local procedures),

for instance enrolment in order to receive local services, such as garbage collection

and parking permits, do not need to be made fully accessible online.

Where such procedures are al-

ready accessible online, they do not need to be connected to the OOTS.”

Article 3, (new) paragraph 6:

“Local procedures

are defined as procedures that require the user to have

a pre-established connection to the Member State concerned, i.e. registering for residential garbage

collection or applying for residential parking permits; national procedures that have few to no cross-

border users annually; and national procedures that exclusively require information and/or documen-

tation issued by the Member State of the said national procedure.”

4.9 Amend article 14 to further clarify different mechanism for exchange

Article 14, paragraph 10 in the SDG already contains an exception of document exchange where

different mechanisms for the exchange of evidence are already established at Union level.

However, since the drafting of the SDG, the inception of eIDAS2 regulations made it clear that

there is a not insignificant volume of evidence that is to be exchanged both via the OOTS and

the EUDI Wallet. Additionally, there also exists an overlap between information that is relevant

to the procedures in Annex II and information that is already made publicly available by issuing

Competent Authorities in accordance with existing EU-regulation.

Consequently, the exchange of information via the OOTS that is either already publicly available

or will also be exchanged via the EUDI Wallet is in practice a costly double implementation that

contains no additional benefit to neither the requesting nor the providing Competent Authori-

ties

–

or even to the end-user carrying out the online procedure. To avoid such an unnecessary

and burdensome dual implementation, we propose that Article 14, is amended to include the

EUDI Wallet and publicly available information as different mechanisms for exchange, by in-

serting these as paragraphs 11 and 12, respectively, with the existing paragraph 11 becoming

paragraph 13.

Suggestions for Regulation (EU) 2018/1724 (SDG) to implement recommendation 4.9

Article 14

“(new) 11. Paragraphs

1 to 8 shall not apply to procedures and documentation that are covered by the

EUDI Wallet as set out in EU 2024/1183.”

”(new) 12. Where the requested information is already made publicly available by the issuing Compe-

tent Authority and thereby already accessible to the requesting Competent Authority, this shall be con-

sidered as a different mechanism for evidence exchange in accordance with those described in para-

graph 10, and paragraphs 1 to 8 shall therefore not apply to such publicly available information.”