EU Digital Omnibus: At a glance

What you need to know

On 19 November 2025, the European Commission published its highly anticipated Digital Omnibus – a sprawling package of new reform proposals which aim to simplify and streamline the EU’s digital rulebook (or digital acquis).

The proposals aim to ensure that: (i) the EU’s digital rules remain fit for supporting innovation and growth, deliver on their objectives and drive competitiveness; and (ii) the implementation of the AI Act promotes innovation while preserving the EU’s standards. 

The package comprises:

• two proposed Regulations – a Digital Omnibus for the digital acquis (covering data, cybersecurity and privacy); and a Digital Omnibus on AI (together, the Omnibus)
• a Data Union strategy to scale up access to data for AI, streamline data rules and safeguard EU data sovereignty through international data policy
• a European Business Wallet Regulation proposal to simplify paperwork and facilitate business

Simultaneously, the Commission launched a consultation and call for evidence (both open until 11 March 2026) on a Digital Fitness Check – an initiative to “stress test” the digital rulebook by analysing the interplay between the different laws, their cumulative impact on businesses, and how effectively they support the EU’s competitiveness, values and fundamental rights.

The Omnibus proposals are far from finalized. Organisations operating in the EU or otherwise impacted by EU digital laws, should stay alert for developments as the European Council and European Parliament proceed to adopt their positions and enter trilogue negotiations. Speed, or lack thereof, in reaching a final agreed position will itself be a factor to closely track.

What are the key proposals in the Omnibus?

Data sharing and re-use

The proposals respond to the fragmented and overlapping EU digital acquis that has grown around the Data Governance Act, the Open Data Directive and the Free Flow of Non‑Personal Data Regulation, alongside the Digital Markets Act and the recently enacted Data Act. These are primarily contained in Articles 1 and 2 of the Digital Omnibus for the digital acquis.

The proposals aim to consolidate and simplify the digital acquis by anchoring rules in the Data Act. They introduce voluntary certification regimes for data intermediation and data altruism. Essential requirements for smart contracts will be removed and a revised, lighter regime for custom-made data processing services will be introduced. The proposals also reconfigure data access and re‑use in an effort to avoid reinforcing market power – including by allowing public sector bodies to apply proportionate special conditions and higher fees to very large enterprises and digital market gatekeepers which wish to re‑use open and protected public sector data. The proposals also calibrate cloud‑switching rules and reinforce safeguards (notably around trade secrets and international exposure), while supporting governance through a strengthened European Data Innovation Board. In addition, the Platform to Business Regulation will (in large part) be repealed, in light of its significant overlap with the more recently passed Digital Markets Act and Digital Services Act.

Data protection and ePrivacy

There are multiple “refinements” across a range of topics to unpick as modifications under this heading.

• Notably, the Digital Omnibus for the digital acquis proposes to confirm the relative concept of “personal data” (ie where an entity lacks the means reasonably likely to identify a person, the data will not be personal data for that entity’s purposes). The Commission may specify criteria to assess when pseudonymised data are non‑personal for certain recipients. 
• The proposals include two additional exemptions to the processing of special categories of data: (i) biometric data that is necessary for confirming the identity of an individual and the data and means for such verification are under the control of that individual; and (ii) residual processing for development and operation of an AI system or an AI model subject to certain conditions.
• When assessing whether a decision is necessary in the context of a contract between the data subject and controller, the fact that the decision could be taken by a human does not prevent the controller engaging automated decision-making – and where several automated solutions exist, controllers should use the least intrusive effective option.
• The proposals also include a new recognised legitimate interest for AI development/operation (with strong safeguards and unconditional right to object). The definition of “scientific research” has been defined, and clarity provided for when further processing for scientific purposes is compatible with the initial purpose of processing.
• The proposals also seek to clarify the provisions around abuse of the right of access. Controllers would be able to charge a reasonable fee or refuse to act where requests are manifestly unfounded or excessive. If an individual abuses their right of access, an organisation may refuse to comply with the request or charge a fee.
• A further change proposed seeks to streamline the information provision requirements. The right to be informed would not apply where there are reasonable grounds to assume the individual already has the requisite information, subject to certain exceptions.
• A single EU‑wide list of processing operations which require and do not require a data protection impact assessment, as well as the development of a common template and methodology for conducting DPIAs, have been proposed.

The Digital Omnibus refocuses the rules impacting cookies and similar technologies by removing overlapping security incident notification provisions and routing the rules applicable to scenarios involving personal data on devices to the GDPR. The GDPR would expressly govern the processing of (storing or accessing) personal data on a natural person’s terminal equipment. As a result, the ePrivacy regime would no longer apply where the user is a natural person and the information stored or accessed constitutes or leads to the processing of personal data. These personal data aspects are governed solely by the GDPR – consent is the default requirement, but there is also a proposed closed list of purposes not requiring consent which includes (i) first‑party audience measurement; (ii) security purposes; and (iii) when necessary for the provision of a service requested by a user transmission, a user‑requested service, first‑party audience measurement, and security. The ePrivacy rules would still apply to scenarios involving users/subscribers who are not natural persons and/or where no personal data is processed. The proposals also envisage a prohibition on re-prompting for consent: (i) during the validity period where consent has been granted; (ii) and for at least six months where a user has declined to give consent. The proposals also include a framework for automated, machine‑readable signals of user choices.  

Information security incident notification

The Digital Omnibus proposes repealing Article 4 ePrivacy Directive (the provision regarding security obligations and breach notification for providers of publicly available electronic communications services). Security and breach notification obligations for those providers would instead be handled under NIS2 and the GDPR, as applicable.

The proposals also include a single-entry point (to be developed by ENISA) through which organisations can fulfil their incident reporting obligations under several EU laws including NIS2, the GDPR, DORA, the eIDAS Regulation, the CER Directive, and other sectorial reporting rules. Through a “report once, share many” principle, the new incident reporting mechanism aims to reduce administrative burden, while ensuring effective and secure flow of security incidents information to the relevant competent authorities.

Notification of personal data breaches would only be needed where likely to result in a high risk to the data subject’s rights, and the notification deadline would be extended to 96 hours. The proposals also include the development of a common template for notifications.

AI

The AI Omnibus proposes simplifying the AI Act to reduce administrative burdens on businesses. Under the proposals, the implementation timeline of the high-risk rules in Chapter III would be linked to the availability of standards or other support tools, with backstop dates: Article 6(2)/Annex III systems by 2 December 2027; Article 6(1)/Annex I systems by 2 August 2028. The regulatory simplifications granted to small and medium-sized enterprises would be extended to small mid-caps – such as simplified technical documentation requirements and special consideration in the application of penalties.

The Commission and the Member States would become responsible for fostering AI literacy, in place of providers and deployers of AI systems, however training obligations for high-risk deployers would remain. The requirement for a harmonised post-market monitoring plan would be removed to improve flexibility. The registration burden would be reduced for providers of AI systems not considered high-risk because they are only used for narrow or procedural tasks.

Providers and deployers of all AI systems and models would be permitted to process special categories of personal data for bias detection and correction, where appropriate safeguards have been put in place.

There would be a six month transitional period for genAI providers who need retroactively include watermarking in their systems. The AI Office would take on centralised oversight over a large number of AI systems built on GPAI models or embedded in very large online platforms and very large search engines.

The use of AI regulatory sandboxes and real-world testing would be expanded, to benefit key European industries. Additionally, the Commission is also working on preparing further guidelines on key areas such as high-risk classification, transparency requirements, and the reporting of serious incidents by providers of high-risk AI systems.

What next?

As mentioned above, the Omnibus proposals are not final form. They must undergo the EU legislative procedure, which involves the European Council and European Parliament adopting their positions so that trilogue negotiations can commence.

• The Omnibus proposals have attracted significant media attention and active contributions from a wide range of stakeholders, with the debate reflecting broader questions about how best to coordinate overlapping digital, consumer-protection, and data-governance frameworks. While the proposal aims to streamline and align existing obligations, its eventual implementation presents practical challenges, particularly where different legislative instruments intersect on differing timelines.
• Businesses should monitor developments closely as the scope and direction of the proposals continue to take shape.

With thanks to authors Teniola Alao and Lizzie Charlton.