Over the last few years, the European Union has acquired new digital legislation almost as quickly as the technology it seeks to regulate has developed. Concerns about over-regulation and overlapping and even conflicting provisions have now led the European Commission to re-think its approach and attempt to streamline the digital regulatory compliance burden.
On 19 November 2025, the European Commission published its Digital Omnibus proposal. This comprises two main proposals: one focusing on 'quick fixes' for some of the pain points in the AI Act, and a second, more complex proposal amending the data acquis, most notably the GDPR, the ePrivacy Directive and the Data Act.
The standout points are delays to the rules on high-risk AI under the EU AI Act, and a new GDPR lawful basis of legitimate interest for processing personal data when developing or operating AI systems (subject to safeguards). There's a lot to digest – no sooner have we got our heads around the new legislation than revisions are being made, some of which are likely to prove contentious, and others of which will be welcomed as entirely sensible.
Here we take a look at the headlines.
GDPR
The EU's flagship legislation, the GDPR, is set for its first major overhaul with some significant proposed changes. These include:
- Changes to the definition of personal data: reflecting the decision in EDPS v SRB, the proposal is to clarify that data will not be considered personal data within the scope of the GDPR where the holder cannot identify an individual, taking into account the means reasonably likely to be used by that holder. In other words, where the holder is not reasonably likely to be able to re-identify an individual, pseudonymised data will not be personal data for that holder – regardless of whether or not it might be for a different holder (Article 4).
- Definition of scientific research: a new definition of scientific research is included with clarification that further processing for scientific purposes is compatible with the initial purpose of processing and that scientific research constitutes a legitimate interest.
- New Article 9 derogations: AI development and operation, and biometric ID: there are two proposed additional derogations from the prohibition on processing special category data, the first of which is particularly significant as it would allow the processing of special category data for the "development and operation of an AI system". Under a new Article 9(5), controllers must try to avoid collecting such data, but if it is residually present, they are only required to remove it if doing so does not require disproportionate effort. A further Article 9 derogation is proposed in relation to the processing of biometric data necessary to confirm the identity of an individual where the means of identification is under the sole control of that individual.
- DSARs: changes to Article 12 clarify that information must be provided to data subjects free of charge under Articles 13-15, 22 and 34. However, there is clarification as to when DSARs may be refused or a reasonable fee may be charged for manifestly unfounded or excessive requests, namely where they are repetitive, or where GDPR rights are exploited other than for protection of personal data.
- Reduced information provision requirement: changes to Article 13(4) provide an exemption from the Article 13(1-3) information requirements where there is a clear relationship between a controller and a data subject, the controller's activity is not data-intensive and there are reasonable grounds to assume the data subject already has the relevant information. This exemption will not apply where the controller transfers the personal data (whether to a third party or a third country), carries out automated decision-making including profiling, or where processing is likely to result in a high risk to the rights and freedoms of individuals.
- Clarification of contractual necessity in the context of ADM: changes to Article 22 provide that automated decision-making can be considered necessary for performance of a contract, even where the decision could have been taken by a person.
- Breach notifications: the maximum time for reporting a data breach to the supervisory authority moves from 72 to 96 hours from having become aware of it where a breach is likely to result in a high risk to the data subject's rights (Article 33). Once it is live, incidents must be reported via the newly created single-entry point (SEP) (see below), but until the SEP is live, notifications will continue to be made to the relevant Supervisory Authority.
- Consolidating and simplifying: the EDPB is charged with developing common templates for incident reporting and DPIAs, a process it has already begun. Individual Member State lists of processing requiring (or not requiring) a DPIA will be a thing of the past and the EDPB will produce an EU-wide list.
- Legitimate interest for AI (new Article 88c): a new Article 88c explicitly states that processing personal data for the "development and operation of an AI system... may be pursued within the meaning of Article 6(1)(f) [legitimate interest]" unless Union or other national laws explicitly require consent. This is subject to the usual requirements to carry out a balancing exercise against the rights of individuals, and to apply safeguards, including data minimisation, transparency, and an "unconditional right to object".
- Cookies: see section on ePrivacy Directive.
- Regulators: provision is made for a European Data Innovation Board (EDIB) to advise on Data Act enforcement and policy relating to the data economy. The Commission has various powers to adopt delegated acts.
ePrivacy Directive
Following the failure to introduce a new ePrivacy Regulation, the European Commission now proposes integrating cookie (and similar storage technology) requirements into the GDPR. It also extends permitted processing on terminal equipment and reforms cookie consent rules.
- Processing personal data on terminal equipment (cookies) (new Article 88a GDPR): this permits processing of personal data on or from terminal equipment where necessary for transmission, an explicitly requested service, first-party audience measurement or service/terminal security. In all other circumstances consent will apply. Where processing is based on consent, it must be one-click (or similar), as easy to refuse as give, and refusals must be respected for six months before consent is re-sought for the same purpose. This Article will apply six months after entry into force.
- Automated and machine-readable indication of data subject's choices (new Article 88b GDPR): under the new Article 88b, data subjects must be able to give or refuse consent through automated and machine-readable means (with exemptions for media service providers) within 24 months of entry into force. The Commission is required to facilitate the creation of standards. Web browsers (aside from SMEs) are required to provide the means for giving and receiving consent through automated and machine-readable means within 48 months of entry into force.
- Deletion of Article 4: this covers security requirements for providers of publicly available electronic communications services. The Commission concludes it has been superseded by the NIS2 Directive and is no longer required.
- Changes to Article 5(3): this will continue to apply to non-personal data, but personal data will now be covered by the new Articles 88a and 88b GDPR.
Data Act
The planned amendments to the Data Act (Regulation (EU) 2023/2854) aim to simplify the legal landscape, strengthen competitiveness, and reduce administrative burdens. At its core, the initiative focuses on establishing a single, coherent legal framework for the European data economy through substantive and procedural adjustments including:
- Consolidation of the data acquis: the merger of the Free Flow of Non-Personal Data Regulation (FFDR), the Data Governance Act (DGA), and the Open Data Directive (ODD) into the Data Act creates a unified set of rules for data handling within the EU.
- Stronger trade secret protections: data holders are granted the explicit right to refuse the disclosure of trade secrets where there is a high risk of unlawful use or disclosure to third countries with weaker protection standards.
- Restriction of business-to-government obligations: the obligation to share business data with public authorities is significantly narrowed and only applies to strictly defined public emergencies, such as disaster response or recovery.
- Removal of smart contract requirements: the provisions on smart contracts (formerly Article 36) are being fully repealed to avoid uncertainty and unnecessary administrative effort.
- Exemption for bespoke cloud services: for data processing services that are custom-developed or significantly adapted (excluding IaaS) and concluded before 12 September 2025, simplified rules regarding switching obligations will apply.
- Extension of switching relief to Small Mid-Caps (SMCs): in addition to SMEs, SMCs will, in future, also benefit from simplified cloud switching rules for pre-existing contracts. Additionally, all providers gain clarity on the ability to agree on early termination fees for fixed-term contracts.
- Voluntary registration for data intermediaries: a voluntary registration procedure will replace the previously compulsory notification process for data service providers, thereby improving market access and flexibility.
- Functional rather than legal separation for intermediaries: data service providers will no longer be required to maintain strict legal separation from other services offered; instead, a standard of functional separation is sufficient.
- Higher charges for gatekeepers in public data re-use: public bodies will be permitted to impose higher charges and special licensing conditions for the re-use of open and protected public sector data by DMA gatekeepers and large enterprises, to counteract market concentration.
- Enshrining the free flow of data: the prohibition of unjustified limitations on the localisation of non-personal data, as originally embedded in the FFDR, is directly incorporated into the Data Act to ensure legal certainty.
Single-entry point for incident reporting
To streamline regulatory processes and reduce the compliance burden for businesses facing overlapping EU incident reporting requirements, the Digital Omnibus introduces a centralised Single-entry Point (SEP) for incident notifications:
- Centralised submission: the SEP serves as the unified channel for incident notifications covered by multiple EU legal acts, including the NIS2 Directive, the Digital Operational Resilience Act (DORA), the GDPR, the Digital Identity Regulation (eIDAS), and the Critical Entities Resilience (CER) Directive.
- Role of ENISA: the European Union Agency for Cybersecurity (ENISA) is responsible for developing, maintaining, and specifying the technical details of the SEP, including interfaces for national authorities.
- Reducing bureaucracy: the scheme specifically aims to ease administrative effort for cross-border firms by eliminating the need to report identical incidents separately to different national bodies.
- Implementation timeline: the obligation to submit notifications via the SEP for incidents under the NIS2 Directive, eIDAS, DORA, and the CER Directive will apply 18-24 months after the Digital Omnibus Regulation enters into force.
- Cloud and identity compatibility: SEP technical specifications must ensure seamless interoperability with European Business Wallets, supporting identification and authentication for reporting entities.
- Workflow changes: the SEP alters how reports are submitted. While the underlying legal standards and roles of national authorities are generally unchanged, the package notably extends the GDPR breach notification deadline from 72 to 96 hours.
- Data retrieval: the platform must enable entities to access and update information on incidents they have previously reported via the SEP, assisting with internal compliance records.
- Contingency arrangements: if technical issues prevent use of the SEP, Member States must provide alternative means for incident notification and make these publicly available.
EU AI Act
The EU AI Act proposal addresses implementation challenges in the AI Act (Regulation (EU) 2024/1689), offering significant commercial and procedural clarifications. Important proposals include:
- High-risk rules delayed: the application of Chapter III AI Act on high-risk AI is linked to completion of standards and guidance. The rules will only apply once the Commission adopts a Decision confirming completion and, after that, a six-month transition period for Annex III systems and 12 months for Annex I. However, if no such Decision is adopted, a backstop kicks in and the rules will apply from 2 December 2027 (Annex III) and 2 August 2028 (Annex I).
- Bias detection: providers and deployers of all AI systems and models (not just high-risk) will be allowed to process special category personal data for the purpose of ensuring bias detection and correction, subject to appropriate safeguards.
- Broader exemptions: regulatory privileges for SMEs (e.g. simplified documentation, lighter fines) are to be extended to SMCs (Articles 3(14b), 11(1), 17(2), 99).
- Lighter burdens: AI literacy obligations are shifted from operators to the Commission and Member States (Article 4). The proposal also offers more flexibility by removing the mandate for a harmonised post-market monitoring plan and reduces the registration burden for systems used in a high-risk context where a provider assesses the system as not high-risk.
- Centralised governance: in a major structural shift, oversight for AI embedded in Very Large Online Platforms (VLOPs) and Search Engines (VLOSEs) under the DSA will be centralised with the Commission's AI Office (Article 75).
- AI Office pre-market assessments: provision is made for the AI Office to carry out pre-market conformity assessments for certain types of AI. There is also provision for wider use of regulatory sandboxes, including an EU-level sandbox from 2028.
- Further guidelines: the Commission notes that beyond legislative measures, it will provide additional guidance across a range of areas where stakeholders have concerns, including on research exemptions and consistency with other Union laws and policies.
See also the section on the GDPR for important changes relating to the use of personal data to train and develop AI systems.
Repealed and additional measures
The FFDR, the DGA and the ODD will be repealed, with retained elements being included in the Data Act. In addition, the Platform to Business (P2B) Regulation (Regulation (EU) 2019/1150) – intended to promote fairness for business users of online platforms – will be repealed as it is considered to be obsolete; however, cross-references in other legislation will be maintained unless explicitly removed, up to, at the latest, 31 December 2032.
Alongside the Digital Omnibus, the Commission also published a proposal for a European Business Wallet to provide EU companies and public sector bodies with a unified digital tool to allow them to digitalise operations, including signing, timestamping and sealing. A new Data Union Strategy sets out additional measures to unlock high-quality data for AI and provisions around EU data sovereignty. The Commission also published final versions of the model contractual terms on data access and standard contractual clauses on cloud computing under the Data Act.
What to expect
Once passed, the Digital Omnibus will enter into force on the third day after publication in the Official Journal. Article 5(2) will apply six months after publication, the SEP provisions 18 months later (or up to 24 months if the SEP platform is not ready in time), and the new Articles 88a and 88b GDPR as set out above.
There are some sensible steps taken in the Digital Omnibus to simplify and clarify digital rules and reduce the compliance burden on businesses. Notably the SEP for incident reporting, the inclusion of ePrivacy cookie rules in the GDPR, updated definitions in line with case law, the addition of legitimate interest as a lawful basis for developing and using AI, the shift of AI literacy requirements away from operators, and consolidation of the data sharing regime would be welcome changes.
Having said that, some of these very same changes are likely to prove highly controversial, particularly with privacy campaigners. We'd expect the AI-related provisions of the GDPR to be under particular scrutiny. Member States are already reportedly divided on whether the changes prioritise business interests over the rights of individuals, and the legislative process is unlikely to run smoothly. This means we expect to see changes before final agreement.