On 19 November 2025, the European Commission published the Digital Omnibus package, a set of draft legislative proposals intended to simplify, consolidate and align the EU’s digital regulatory framework. The initiative responds to concerns from businesses and regulators about overlapping obligations, fragmented national implementation and increasing compliance complexity across EU digital laws. The Digital Omnibus is complemented by two additional initiatives: a Data Union Strategy, aimed at improving access to high-quality data for innovation and artificial intelligence, and the proposed European Business Wallet, designed to simplify cross-border business interactions within the Single Market.
The Data Union Strategy outlines additional measures to improve access to high-quality data for artificial intelligence and innovation. These include practical implementation support such as data labs, a Data Act legal helpdesk and a more coordinated approach to international data policy and data protection. The proposed European Business Wallet would provide businesses and public sector bodies with a secure digital identity recognised across all Member States. The wallet would support activities such as digital signing, document exchange and interaction with public authorities, with the aim of reducing administrative processes associated with cross-border operations.
Artificial Intelligence Act: Adjustments to Implementation and Governance
The Digital Omnibus proposes changes to the implementation of the AI Act to address practical compliance challenges. A key proposal is to link the application of obligations for high-risk AI systems to the availability of harmonised standards, common specifications and practical guidance. Under the proposal, high-risk requirements would apply six or twelve months after the Commission confirms that supporting standards and tools are available, with dates extending into 2027 and 2028. This approach is intended to prevent organisations from being subject to obligations before the necessary compliance infrastructure is in place.
Small Mid-Cap Relief: The Omnibus also extends certain simplifications currently available to small and medium-sized enterprises to small mid-cap companies, including reduced technical documentation requirements and proportionate compliance expectations.
EU-Level GPAI Sandbox: Access to regulatory sandboxes is broadened, including the introduction of an EU-level sandbox for general-purpose AI systems. Oversight of AI systems based on general-purpose models is further centralised by strengthening the role of the AI Office to reduce fragmentation across Member States.
AI Office: The Digital Omnibus on AI strengthens the position of the AI Office, which will, for example, be given exclusive competence to oversee AI systems based on GPAI developed by the same provider.
Changes to GDPR
The Digital Omnibus includes certain amendments to the General Data Protection Regulation aimed at clarifying interpretation and reducing administrative burden without changing the core principles or scope of the GDPR.
The definition of personal data is clarified to reflect established Court of Justice case law. The Commission states that the proposed wording is intended to clarify existing law rather than introduce substantive changes. The amendments confirm a relative approach to personal data, under which information is considered personal data only for an entity that can reasonably identify an individual from it, taking into account the means likely to be used by that specific entity. Identifiability is therefore assessed at the level of the individual controller or processor. The clarification also aims to avoid conflicts between the GDPR and data-sharing obligations under the Data Act.
Other proposed changes are:
Data Breaches: Operational changes are proposed to the personal data breach notification regime. Controllers would be required to notify supervisory authorities only where a breach is likely to result in a high risk to the rights and freedoms of individuals. The notification deadline would be extended from 72 to 96 hours, and reporting would be submitted through a single-entry reporting point shared with other EU cybersecurity frameworks.
DSARs: Additional proposals include clearer grounds for refusing or charging for abusive or excessive data subject access requests, limited exemptions from transparency obligations in low-risk or non-data-intensive contexts, and harmonisation of data protection impact assessment practices through EU-level lists and templates.
ePrivacy and Cookies: The proposals further modernise cookie and tracking rules by reducing repeated consent requests. Where consent is refused, controllers would be required not to request consent again for at least six months. The framework also supports the future use of browser-based consent signals once technical standards are available.
DPIA practices updated: A common DPIA template is being considered, as well as a common methodology and clarification on where DPIAs are required.
Legitimate interest and AI: Companies can rely on a “legitimate interest” to process personal data for the training and operation of AI systems, for example, to improve bias detection, accuracy, or to test AI’s performance. This is subject to safeguards, such as data minimisation, risk assessments, and providing data subjects with an unconditional right to object to the processing. The proposals also allow for the incidental processing of special category personal data (e.g., health data) in the development of AI systems and models, subject to the implementation of certain safeguards.
Special Category of data: The proposals permit special category personal data to be used in AI bias detection and correction more widely (i.e., not only in the development of AI models and systems).
Automated Decision Making and the use of contract: The proposal aims to provide greater legal certainty to controllers regarding the conditions for when they can lawfully use automated individual decision-making. It clarifies that decisions based solely on automated processing may be taken when they are “necessary for entering into, or performance of, a contract between the data subject and a data controller,” when authorised by the EU or member state law, or when based on the data subject’s consent.
The Digital Omnibus simplifies the EU data governance landscape by consolidating several existing instruments into a single framework under the Data Act. Elements of the Data Governance Act, the Open Data Directive and the Free Flow of Non-Personal Data Regulation are repealed or integrated to reduce duplication and improve coherence.
The proposals strengthen protections for trade secrets, refine business-to-government data sharing to focus on public emergencies, and adjust cloud switching obligations, particularly for customised services and smaller providers. These changes are intended to improve legal clarity and reduce compliance complexity while preserving safeguards for sensitive data and data sovereignty.
Cybersecurity: Streamlined Incident Reporting Across EU Frameworks
The Digital Omnibus also proposes to streamline cybersecurity and incident reporting obligations across multiple EU legal frameworks. Under the proposals, the deadline for notifying personal data breaches to supervisory authorities under the GDPR would be extended from 72 to 96 hours. Notification would be required only for breaches likely to result in a high risk to individuals, aligning the threshold with existing data subject notification requirements. The European Data Protection Board would be tasked with developing a standardised notification template and a common EU-level list of scenarios considered to constitute high risk.
To address duplication across regimes, the Omnibus proposes the creation of a single EU reporting portal, to be developed by ENISA. This single-entry point would allow organisations to meet incident reporting obligations under multiple EU laws, including the GDPR, NIS2, DORA, the Critical Entities Resilience Directive and the eIDAS Regulation, through a harmonised reporting process.
Next Steps
The Digital Omnibus proposals will proceed through the ordinary legislative process in the European Parliament and the Council, where they may be amended before adoption. In parallel, the Commission has launched a Digital Fitness Check consultation, open until March 2026, to assess the cumulative impact and coherence of EU digital legislation.
While the proposals remain subject to change, the Digital Omnibus signals a clear policy direction towards consolidation, simplification and improved operability of the EU digital rulebook. Organisations should monitor developments closely and consider the potential impact on their compliance frameworks, data governance practices and AI strategies.
Pam George, BH Consulting