Technology and Innovation

Heads of the Regulation of Artificial Intelligence and Non-Personal Data Bill are currently in preparation. While not yet published, the Bill will conceivably designate the competent authorities and establish the regulatory framework for the Data Act in Ireland.

Data and digital regulation

Simplification and consolidation on the horizon

Two proposals to simplify existing digital legislation and stimulate growth make up the European Commission’s Digital Package on Simplification (Omnibus Package), published on 19 November 2025. The first focuses primarily on: consolidating the EU’s data legislation; and making targeted amendments to the GDPR (Regulation (EU) 2016/679). The second focuses on targeted simplification measures for the Artificial Intelligence Act (Regulation (EU) 2024/1689) (AI Act). Notably, the proposals will undergo inter-institutional negotiations and possibly amendment, before they can be adopted, making it difficult at this stage to predict the tangible impact the Omnibus Package will have on digital regulation. Nonetheless, organisations should monitor its progress.

For more information on the Omnibus Package, read our briefing: Digital Package on Simplification and see the Commission FAQs here.

Data Act (Regulation (EU) 2023/2854) – Consolidation, access to data obligations and Irish implementation

  • Heads of the Regulation of Artificial Intelligence and Non-Personal Data Bill are currently in preparation. While not yet published, the Bill will conceivably designate the competent authorities and establish the regulatory framework for the Data Act in Ireland.
  • Connected products and related services placed on the market after 12 September 2026 will be subject to new product design obligations, specifically the requirement in Article 3(1) Data Act to design these products in such a way to allow easy, secure and free-of-charge access to product and related service data directly by the user, where relevant and technically feasible.
  • In the Omnibus Package, the Free Flow of Non-Personal Data Regulation (Regulation (EU) 2018/1807), the Data Governance Act (Regulation (EU) 2022/868) and the Open Data Directive (Directive (EU) 2019/1024) are proposed to be repealed. Their provisions will, subject to some exceptions and adaptions, be reflected in an augmented Data Act. The core obligations of the Data Act are not proposed to change, save for the application of the switching rules for certain companies and greater protection for trade secrets. The Omnibus Package is one of the legislative priorities for the three EU institutions (European Parliament, Commission and Council for the European Union) for 2026.

Read our briefings on the Data Act.

GDPR – Targeted amendments and procedural rules

  • The first proposal in the Omnibus Package (referred to above) makes targeted amendments to the GDPR to ease the administrative burden on organisations (particularly small and medium-sized enterprises). Examples of some of the changes to the GDPR proposed in the Omnibus Package include an updated definition of personal data; changes to the right of access and the reporting of personal data breaches. A single-entry point for incident reporting under several legislative frameworks and new cookies rules are also proposed.
  • Regulation (EU) 2025/2518 laying down additional procedural rules relating to the enforcement of the GDPR entered into force on 1 January 2026 and applies from 2 April 2027, subject to certain transitional provisions. The Regulation establishes detailed procedural rules for handling complaints and conducting investigations in cross-border processing cases under the GDPR.

For more information on the Omnibus Package, read our briefing: Digital Package on Simplification. For more information on the GDPR Procedural Regulation, read our briefing: Cross-border processing complaints - what to expect with the new GDPR Procedural Regulation.

2030 Consumer Agenda and the Digital Fairness Act

Presented as a new strategic framework for EU consumer policy that sets out concrete priorities and actions for the next five years, the European Commission’s 2030 Consumer Agenda addresses four key priority areas: an action plan for consumers in the single market; digital fairness and online consumer protection; sustainable consumption; and enforcement and redress. It envisages publication of a proposal for a Digital Fairness Act by the end of 2026, to protect consumers from dark patterns, addictive design, influencer abuses, and unfair personalization in social media, gaming, and e-commerce. The Act will also seek to simplify business rules by streamlining consumer information requirements for certain contracts and repetitive transactions.

Separately, on 23 December 2025, the Department of Enterprise, Tourism and Employment launched a public consultation on a proposed Consumer Protection, Competition and Enforcement Bill.

For more on the Digital Fairness Fitness Check that precipitated the Digital Fairness Act, read our briefing: Recent EU Digital Fairness Fitness Check shines light on deceptive patterns. Read about the 2030 Consumer Agenda here.

European Digital Identity Wallet

By the end of 2026, all Member States must offer their citizens a secure digital wallet to store and manage credentials like ID cards, diplomas, and health records and trust services, such as e-signatures and certificates, simplifying access to online services, secure transactions and cross-border operations.

Read our briefing on the European Digital Identity Wallet.

Cybersecurity

National Cyber Security Bill

This Bill, which is not yet available, will, when enacted, transpose the Network and Information Security Directive 2022/2555 (NIS2) into Irish law and establish the National Cyber Security Centre on a statutory basis. NIS2 expands the scope of the original NIS Directive, to cover a broad range of sectors and entities, ensuring that critical infrastructure across the EU is better protected against cyber threats.

For more on the application of NIS2 thresholds, read our briefing: NIS2 & SME guidelines: How do they apply and thresholds. For a more general discussion of NIS2, watch our NIS2 video series.

Cyber security for products with digital elements

Provisions on notification of conformity assessment bodies in the Cyber Resilience Act (Regulation (EU) 2024/2847) (CRA) will apply from 11 June 2026, and reporting obligations concerning actively exploited vulnerabilities and severe incidents having an impact on the security of products with digital elements, will apply from 11 September 2026. Manufacturers, importers and distributors of products with digital elements will also be monitoring for the harmonised standards for compliance, expected to be adopted from August 2026. These horizontal (product agnostic and framework-orientated) and vertical (product-specific) standards aim to assist organisations in adapting to the requirements of the CRA.

Read our briefing: Ensuring cyber resilience for connected products. Read about the standards here.

The National Strategy for the Resilience of Critical Entities

Member States must adopt a national strategy enhancing the resilience of critical entities and must carry out a risk assessment by 17 January 2026 under the Critical Entities Resilience Directive (Directive (EU) 2022/2557) (CER). Taking into account the outcome of this risk assessment, critical entities for the purpose of CER must be identified by 17 July 2026.

Artificial Intelligence

National AI Office and high-risk AI systems extension

  • Heads of the Regulation of Artificial Intelligence and Non-Personal Data Bill are currently in preparation. This Bill will establish the National AI Office, which is expected to be set up by August 2026, as the central authority to provide coordination and centralised functions.
  • The majority of rules in the AI Act are due to come into force in August 2026. However, under the Omnibus Package, the timeline for the application of obligations related to high-risk AI systems is proposed to be extended to align to the availability of standards and other support tools. If adopted, the rules for AI systems classified as high-risk pursuant to Article 6(2) (Annex III) will apply a maximum 16 months later than originally envisaged, i.e. 2 December 2027, and the rules for high-risk AI embedded in products AI systems classified as high-risk pursuant to Article 6(1) (Annex I) will apply a maximum 12 months later, i.e. 2 August 2028. A transitional period of 6 months is suggested for providers of generative AI systems who have already placed their systems on the market before 2 August 2026 to comply with Article 50(2), i.e. by 2 February 2027. Other proposed changes to the AI Act concern AI literacy requirements; bias detection and correction; and the extension of SME exemptions to SMCs.

Watch our video series on Governing AI, Powering Innovation and read about the new AI guidelines here.

Please contact a member of our Technology and Innovation Group or your usual Arthur Cox contact for more information

The National Cyber Security bill, when enacted, will transpose the Network and Information Security Directive 2022/2555 (NIS2) into Irish law and establish the National Cyber Security Centre on a statutory basis.

arthurcox.com

Technology and Innovation

Cookie policy

Cookie preferences

© 2026 Arthur Cox LLP | All rights reserved