The EU Digital Omnibus
Consolidation, Simplification and Realignment Across the EU’s Digital Rulebook
Executive overview
On 19 November 2025, the European Commission unveiled two closely interconnected legislative proposals that together form what is now commonly referred to as the EU Digital Omnibus.
- The Digital Omnibus introduces horizontal simplification and consolidation across the EU’s digital and data acquis.
- The AI Omnibus delivers targeted amendments to the AI Act, refining timelines, governance and compliance mechanics to ensure workable implementation.
Both initiatives take the form of Commission proposals for EU regulations and will proceed through the ordinary legislative procedure in the European Parliament and the Council.
Taken together, the proposals signal a clear evolution in the EU’s regulatory posture: from rule-making to rule-making that works. Rather than reopening core policy choices, the Commission focuses on operational coherence, legal certainty and administrative burden reduction, while explicitly maintaining the Union’s high standards for fundamental rights, cybersecurity and consumer protection.
A unifying design principle runs through both Omnibus packages: simplification through alignment. This includes harmonised timelines, shared thresholds, consolidated reporting mechanisms and a “report once, share many” architecture for incident notifications. While the proposals remain subject to negotiation and amendment, the direction of travel is unmistakable.
Below, we analyse the most consequential changes by regulatory domain and assess their practical implications for organisations operating in, or with, the EU.
GDPR and the privacy framework
The Digital Omnibus introduces a set of targeted clarifications and operational adjustments to the GDPR, with a particular focus on legal certainty, proportionality and coherence with the emerging AI governance framework.
Clarification of personal data and anonymisation
First, the proposal refines the understanding of personal data by codifying recent jurisprudence. Information held by an entity is clarified as falling outside the scope of personal data where it could theoretically be used to identify a natural person but the controller does not have means reasonably likely to be used for identification.
In parallel, the Commission is empowered to support harmonised criteria and methodologies to assess when data resulting from pseudonymisation or similar techniques no longer qualifies as personal data. This aims to improve predictability for anonymisation strategies, secondary data use and large-scale analytics, including AI development.
Lawful bases for AI development and bias mitigation
Second, the Digital Omnibus clarifies the interaction between lawful bases under the GDPR and AI development. It confirms that, subject to appropriate safeguards such as data minimisation, transparency and the right to object, legitimate interests under Article 6(1)(f) GDPR may in certain circumstances be relied upon for the development, testing and operation of AI systems.
In addition, and in close coordination with the AI Omnibus, a specific and narrowly framed legal basis is introduced to allow the processing of special category data solely for the purposes of detecting, preventing and correcting bias in AI systems, where no effective alternative exists and strict safeguards are applied. This represents a notable shift from reliance on guidance and enforcement discretion toward explicit legislative anchoring of AI-relevant processing scenarios.
Data subject rights, transparency and DPIAs
Third, data subject rights and transparency obligations are recalibrated to address operational challenges. Controllers are granted clearer grounds to refuse access requests that are manifestly abusive or pursued for purposes unrelated to data protection.
Transparency obligations are adjusted to allow a pragmatic derogation in limited, low-risk situations where the controller reasonably believes that the data subject already understands the identity of the controller and the nature of the processing, and where no high risk to rights and freedoms arises.
The proposal also envisages a more harmonised EU-level approach to data protection impact assessments (DPIAs), supported by common methodologies and coordinated lists, to reduce divergent national practices.
Personal data breach notifications
Fourth, personal data breach notification requirements are better aligned with operational realities. The deadline for notifying supervisory authorities is extended from 72 to 96 hours, and mechanisms are introduced to better calibrate notification thresholds and templates, with the aim of reducing low-value notifications while preserving robust protection for high-risk incidents.
Terminal equipment access, cookies and consent signals
Finally, the Digital Omnibus integrates governance of terminal equipment access and cookies more closely into the GDPR framework. Consent remains the baseline, but a limited set of low-risk, necessary purposes is recognised for which consent is not required, including transmission, provision of an explicitly requested service, aggregated audience measurement for the controller’s own use, and security maintenance.
The Commission is tasked with developing standardised, machine-readable consent and objection signals mediated through browsers and applications. Once implemented, controllers would be required to respect such signals, subject to limited and clearly defined carve-outs, notably in certain media service contexts. The objective is to reduce consent fatigue while preserving meaningful user choice.
ePrivacy integration and cookie reform
Building on the GDPR adjustments, the Digital Omnibus codifies an expanded but tightly constrained set of cookies and device identifiers that may be used without consent for specific low-risk purposes. Beyond what is strictly necessary for transmission or a requested service, consent-free use may cover aggregated audience measurement limited to the controller’s own use and measures to maintain or restore security.
Consent for cookies is not abolished in the EU. Instead, the proposal clarifies and modestly broadens consent-free categories while preparing the ground for standardised consent signals to improve user experience and enforcement consistency.
Cybersecurity, incident reporting and resilience
A central operational reform introduced by the Digital Omnibus is the establishment of a single EU entry point for incident notifications across multiple regimes, including GDPR personal data breaches, NIS2, the CRA, DORA, eIDAS and the CER Directive.
Developed and operated with the support of ENISA, this entry point is designed to enable a “report once, share many” model, using aligned templates and data fields inspired by DORA reporting structures. Where possible, overlapping notification triggers are streamlined, while preserving sector-specific supervisory powers.
The single entry point is intended to interoperate with European digital identity and business wallet tools and is expected to become operational within a defined period following entry into force. While its effectiveness will depend on Member State onboarding and technical interoperability, the architecture represents a significant step toward more coherent EU-level cyber governance.
The Data Act and the EU data economy
The Digital Omnibus introduces targeted adjustments to the Data Act and consolidates related data governance rules to reduce fragmentation and improve legal clarity.
Trade secrets and third-country access
Protection of trade secrets is reinforced. Data holders may, under defined conditions, refuse disclosure where they can demonstrate a high risk of unlawful acquisition, use or onward disclosure, including in third-country contexts with insufficient safeguards. Such refusals must be substantiated, proportionate and subject to challenge; blanket denials are explicitly discouraged.
Switching, cloud portability and SME relief
Switching and cloud portability obligations are adjusted to better reflect market realities. A lighter regime and specific exemptions apply to custom-made data processing services and to services provided by SMEs and small mid-caps under contracts concluded before 12 September 2025. Proportionate early-termination fees are permitted in fixed-term contracts, while the core objective of preventing unjustified lock-in is preserved.
Consolidation of the data framework
Rules on the re-use of public sector information are integrated into the Data Act, with harmonised definitions, pricing and licensing principles. The Free Flow of Non-Personal Data localisation prohibition is likewise consolidated into the Data Act, and duplicative or obsolete instruments are repealed or merged.
Notably, the proposal removes the Data Act’s essential requirements on smart contracts, acknowledging implementation challenges in decentralised and heterogeneous technical environments.
The AI Act: timelines, governance and practical simplification
The AI Omnibus introduces targeted adjustments to the AI Act while leaving its core risk-based architecture intact.
Timelines linked to standards availability
Timelines for high-risk AI obligations are more closely linked to the availability of harmonised standards, common specifications or Commission guidance. Once such instruments are published, obligations for Annex III high-risk systems apply six months later, and Annex I obligations after 12 months, subject to backstop dates of 2 December 2027 and 2 August 2028 respectively.
For content authenticity, providers of generative AI systems placed on the market before 2 August 2026 benefit from a six-month grace period to deploy robust watermarking solutions.
Governance and centralised supervision
Governance is partially centralised to address systemic and cross-border risks. The European AI Office is designated as supervisor for general-purpose AI models and certain platform-integrated systems, with powers to request documentation, conduct inspections, oversee conformity assessments and impose penalties within the AI Act’s limits.
Innovation support and compliance proportionality
Innovation support is reinforced through regulatory sandboxes and real-world testing. In addition to national sandboxes, an EU-level sandbox operated by the AI Office from 2028 will facilitate cross-border experimentation.
Practical simplifications include eased database registration for narrowly constrained high-risk systems, more principles-based post-market monitoring supported by guidance, and proportionality measures extending SME benefits to small mid-caps.
Alignment with data protection law is strengthened through the explicit legal basis for processing special category data for bias detection and correction.
Practical implications and next steps
The Digital and AI Omnibus proposals do not fundamentally alter the EU’s regulatory ambitions. Instead, they reflect a decisive shift toward consolidation, proportionality and operational realism, aimed at ensuring that recently adopted frameworks can be implemented effectively at scale.
- Privacy teams should reassess data classification and anonymisation strategies, prepare for changes to cookie and terminal equipment access governance, and monitor the development of standardised consent signals.
- Cybersecurity and operational risk functions should prepare for the single EU incident reporting entry point and adjust internal coordination across GDPR, NIS2, DORA and related regimes.
- Data and cloud strategy teams should review arrangements on data sharing, trade secret protection and cloud switching, particularly for bespoke services and third-country access risks.
- AI programmes should realign compliance planning with standards-linked timelines, assess potential exposure to AI Office supervision and prioritise content authenticity mechanisms where relevant.
While amendments remain possible as the proposals move through the legislative process, the Commission’s emphasis on timely alignment suggests strong political momentum. Organisations that begin adapting governance structures and compliance roadmaps early will be best placed to benefit from the intended simplifications once the Omnibus packages enter into force.