The EU’s digital omnibus: simplification, consolidation, and a sharper edge on compliance
Today the European Commission published its so-called “Digital Omnibus” proposal. The proposal lands at an inflection point in EU tech regulation. Over the past five years, the EU has assembled world‑leading frameworks for data, AI, cybersecurity, platforms and media. The result has been high standards and - let’s be candid - high complexity. The Digital Omnibus aims to simplify the system without lowering protections. It promises to reduce compliance burdens now and make it clearer how the rules fit together. The key message of the Commission is a clear, simple, more cost-effective and above all innovation-friendly implementation of the rules. If you’re interested in GDPR, the Data Act, NIS2, DORA, eIDAS, or the AI Act, this proposal matters: it re‑keys several obligations, consolidates overlapping regimes, and introduces new “digital by design” compliance rails, notably a single cyber incident reporting entry point. The headline is simplification; the substance is targeted, technical change that will reshape day‑to‑day governance.
What the omnibus really does, in plain language
The proposal is a consolidation and fine-tuning exercise. It fuses fragmented data reuse rules into the Data Act, scraps duplicative laws, tightens the Data Act’s business‑to‑government (B2G) access to true public emergencies, and puts cookie consent and device access clearly under the GDPR with a new, limited lawful‑use carve‑out for low‑risk purposes and an on‑ramp to browser‑/machine‑mediated consent signals. It introduces a single EU entry point to “report once, share many” for cyber incidents across NIS2, GDPR breaches, DORA, eIDAS and CER. It lifts and shifts the Free Flow of Non‑Personal Data localisation ban into the Data Act, and repeals the P2B Regulation whose space is now occupied by DMA/DSA.
On the GDPR itself, it trims administrative friction: extending breach notification to 96 hours and aligning the threshold to the Article 34 “high risk” trigger; harmonising DPIA lists and templates at EU level; clarifying automated decision‑making necessity under Article 22; and sharpening the abuse/excessive request logic under Articles 12–15. Meanwhile, on data sovereignty, it strengthens trade secret safeguards to mitigate leakage to third country jurisdictions, a pressure point many manufacturers and IoT vendors have flagged since the Data Act passed.
The data pillar: one Data Act, fewer moving parts
The most consequential change for data practitioners is the consolidation of the Open Data Directive (ODD) and the Data Governance Act (DGA) Chapter II into a single “re‑use of public sector information” chapter within the Data Act. In practice, that means a harmonised definitions layer distinguishing “data” (digital) and “documents” (non‑digital), unified principles on non‑discrimination, charging, formats and licences, and streamlined redress. It also modernises charging by requiring public bodies to enable cross‑border online payments and permits proportionate higher fees or special licence conditions for very large enterprises, with particular sensitivity to DMA‑designated gatekeepers. Does this tilt the field against scale? Not necessarily—those levers are conditioned by objective criteria and proportionality, and seek to avoid reinforcing dominant positions in the data economy.
Two other Data Act recalibrations are pragmatic and overdue. First, B2G data access is narrowed from “exceptional need” to “public emergencies,” matching legal certainty to political intent and reducing scope creep in day‑to‑day requests. The public emergency definition is already embedded in EU law; tying requests to response, mitigation or recovery keeps the perimeter tight. Second, switching obligations for data processing services are adjusted for custom‑made services and for SMEs/SMCs with legacy contracts concluded before 12 September 2025, while preserving the core ambition to eliminate switching and egress charges. Providers can include proportionate early termination penalties, but not barriers to switching. The message is clear: remove lock‑in, reduce renegotiation churn, and avoid retroactive friction where the economics for smaller providers are most fragile.
Finally, the Omnibus repeals the “smart contracts” essential requirements under Article 36 of the Data Act. The original provisions tried to future‑proof data‑sharing automation but landed in a definitional thicket—“robustness,” the so-called “kill switch” and conformity assessments were hard to square with tamper-proof, decentralised architectures that are supposed to keep on running.
GDPR simplification without softening protections
The Omnibus’s GDPR changes are targeted. The breach notification alignment to the “high risk” threshold reduces noise, and the 96‑hour deadline recognises operational reality. A single, EU‑level DPIA list (and a mandatory “non‑DPIA” list) will bring long‑requested harmonisation, coupled with a common methodology and templates. Controllers will appreciate the clarification that under Article 22, contractual necessity does not require automated decisions to be the only route—provided controllers choose the least intrusive effective option.
On transparency, the extension of Article 13’s derogation where the context is clear and non‑data‑intensive (think a local craftsman’s client ledger; not employment data) balances substance and burden. The proposal also codifies abuse/excessive use safeguards around access requests, addressing the cottage industry of tactical DSARs used to engineer refusals and leverage damages. Critically, none of these changes alter the high‑level protection: the accountability spine remains intact; risk remains the organising principle.
The most visible privacy change is the ePrivacy‑to‑GDPR migration of the rules on accessing, or storing information on, terminal equipment where personal data is processed, via a new GDPR Article 88a. In practice, that means consent remains the rule for device access, but a limitative list of low‑risk, necessary purposes (e.g., transmission; a service explicitly requested; audience measurement for the controller’s own use; security maintenance) can proceed lawfully without consent, subject to the GDPR. Coupled with Article 88b, the Commission gets a mandate to drive standardisation for browser‑/app‑mediated consent signals; once standards land, controllers must respect machine‑readable user choices after a short grace period, with a presumption of compliance for those who adhere. Media service providers are carved out from the obligation to respect automated signals, reflecting the political economy of publisher revenue and the need for direct engagement on consent. Will this finally address “consent fatigue”? If the standards are practical and the UX remains intelligible, it could, without undercutting the integrity of consent.
Cyber incident reporting: report once, share many
For CISOs and compliance teams, the single entry point may be the most impactful operational change. ENISA is tasked with building and maintaining a secure conduit through which entities can satisfy reporting under NIS2, GDPR data breaches, DORA, eIDAS and CER. Templates should align with DORA’s RTS content, reducing duplicate fields and reconciling thresholds where feasible. The single entry point must be interoperable with European Business Wallets for entity identification and authentication, and is slated for use within 18 months of entry into force. Will this cure under‑reporting and audit exhaustion? It certainly moves the architecture towards coherence. Success will turn on national onboarding, template convergence, and the back‑end data flows between authorities, which the Omnibus anticipates but leaves Member States room to configure.
International data, trade secrets, and third‑country exposure
A recurrent concern under the Data Act has been trade secret leakage where users or third parties sit within or are subject to third‑country jurisdictions with weaker protections. The Omnibus squarely addresses this by enabling data holders to refuse disclosure where there is a “high risk” of unlawful acquisition, use or disclosure to third countries or controlled entities, paired with tight safeguards against misuse: written, duly substantiated demonstrations; proportionality; confidentiality; and avenues for challenge with competent authorities, courts or dispute bodies. Refusals must be tailored; blanket country‑wide denials are discouraged. The third‑country access framework for non‑personal data is also clarified to minimise conflict with Union/national law and ensure only the minimum data permissible is provided when conditions are met. In practice, expect more rigorous due diligence on counterparties’ control structures and jurisdictional exposure, and more precise internal criteria for invoking refusal.
Where this goes next
The Commission forecasts at least €5 billion in business administrative cost savings by 2029, plus €1 billion for public authorities. That figure will depend on how quickly templates, standards and the single entry point come online, and on Member State implementation choices. Importantly, the Digital Omnibus is only step one: the Digital Fitness Check will stress‑test the accumulated rulebook across the mandate, and sectoral evaluations (DMA, DSA, Chips, AVMS, Data Act, AI Act) are on the calendar through 2029. The risk for counsel and compliance teams is drift - definitions and interplays have been a recurring source of uncertainty, especially between GDPR and the AI Act. The opportunity is coherence: the Omnibus brings a chance for progress on consolidation, clarifies edges where friction was greatest, and embraces “simplification by design” and “innovation” through digital tools. As always in EU tech law, time will decide the impact of the proposal, and whether these “innovation-friendly” mechanisms are watered down further in the name of not diluting fundamental freedoms. But this package is a meaningful reset in service of competitiveness, without retreating from the Union’s high bar on rights and trust.