Digital Omnibus Update

On 19 November 2025, the European Commission unveiled its initial proposals, known as the "Digital Omnibus", aimed at simplifying the EU’s digital regulatory landscape.

21 November 2025

Publication


Introduction

On 19 November 2025, the European Commission presented its initial proposals aimed at significantly simplifying the EU’s digital regulatory landscape. Although these proposals are at an early stage and will be subject to the full EU legislative process, they represent the Commission’s intended approach to making Europe’s data rules more coherent and efficient, while ensuring strong safeguards remain in place.

The main changes are outlined below.

The texts of the proposals are available at the following links:

Digital Omnibus on AI

Digital Omnibus on the digital acquis

Digital Omnibus on AI

The AI Act-focused proposal suggests a number of amendments, primarily intended to reduce compliance burdens on providers and deployers of AI systems, the foremost of which is the much-discussed delay to high-risk AI systems ("HRAIS") obligations.

The key legislative proposals are as follows:

  • Timing of HRAIS Regime: The application of high-risk AI system requirements is delayed:
    • For Annex III systems: 6 months after a Commission decision confirming adequate compliance measures are available, or by 2 December 2027 at the latest.
    • For Annex I systems: 12 months after such a decision, or by 2 August 2028 at the latest.
  • Transparency Obligations Timeline: The deadline for providers of AI systems generating synthetic content to comply with machine-readable marking requirements under Article 50(2) is extended from 2 August 2026 to 2 February 2027.
  • AI Literacy: The obligation for providers and deployers to ensure AI literacy of staff is replaced with a requirement for the Commission and Member States to “encourage” such measures, reducing direct compliance burdens on operators.
  • Processing of Special Categories of Personal Data: Providers and deployers of AI systems and models (not just high-risk) may process special categories of personal data for bias detection and correction, subject to strict safeguards and only where necessary and proportionate.
  • Registration for Exempt HRAIS: Providers of AI systems listed in Annex III but exempt under Article 6(3) are no longer required to register these systems in the public database, reducing administrative requirements.
  • Transparency and GPAI Codes of Practice: The Commission can no longer adopt an implementing act to give the Transparency or GPAI Codes of Practice general validity across the EU. However, it may still set common rules if the Transparency Code is deemed inadequate.
  • Post-Market Monitoring: The Commission will issue guidance on post-market monitoring plans for HRAIS, providing less prescriptive requirements than the template originally required by the AIA.
  • Market Surveillance and Enforcement: The AI Office (“AIO”) is confirmed to have exclusive authority for AI systems based on GPAI models (where the same provider develops both model and system), except for systems covered by Annex I. The AIO also oversees AI systems integrated into very large online platforms/search engines under the Digital Services Act.
  • Slightly increased role of Fundamental Rights Authorities (“FRAs”): Market surveillance authorities can request information from operators on behalf of FRAs, provide relevant information to FRAs and cooperate closely, enhancing the role of FRAs in AI oversight.
  • Inclusion in Representative Actions Directive ("RAD"): The AI Act’s inclusion in the RAD is brought forward to the date the Omnibus enters into force, rather than 2 August 2026, though the practical impact of this may be limited.

Digital Omnibus: EU Data Act

Because the EU’s data legislation is fragmented, with certain overlaps, inconsistencies in definitions, and uncertainties regarding how the different instruments interact, the Digital Omnibus proposal aims to incorporate the following data-related frameworks into the Data Act:

  • Regulation (EU) 2018/1807 (Free Flow of Non-Personal Data Regulation): Most of its provisions, except for those on data localisation, will be repealed. The prohibition of localisation requirements for non-personal data within the Union will be integrated in Chapter VIIb of the Data Act.
  • Regulation (EU) 2022/868 (Data Governance Act): Rules on data altruism and data intermediation services are merged into the Data Act to make these mechanisms more attractive and effective.
  • Directive (EU) 2019/1024 (Open Data Directive): The Open Data Directive will be repealed, noting that its substantive provisions are incorporated into the Data Act without significantly altering the powers granted to Member States.

As a result, the Data Act becomes the single, consolidated legal instrument for Europe’s data economy, with the above regulations and directive being repealed. This consolidation aims to reduce legal complexity, harmonise definitions, and make compliance easier for businesses and public administrations.

Key Substantive Amendments to the Data Act

The Digital Omnibus introduces a series of targeted amendments to the Data Act. The following section outlines the most relevant changes and their practical implications.

  • Expanded and Harmonised Definitions
    The proposal amends and supplements the definitions in the Data Act (Article 1(2) Data Act), introducing new terms and clarifying existing ones. This aims to ensure consistency across the consolidated legal framework. For example, the terms “access”, “data holder”, “data intermediation service” and “anonymisation” will be (newly) defined.

  • Stronger Safeguards for Trade Secrets
    New Articles 4(8) and 5(11) of the Data Act will allow data holders to refuse disclosure of trade secrets to users or third parties if there is a high risk of unlawful acquisition, use, or disclosure to third countries with weaker protections. Such refusals must be “duly substantiated” and notified to the competent authority. This addresses concerns about the leakage of sensitive business information in the context of mandatory data sharing.

  • Narrowed Scope for Business-to-Government Data Requests
    The scope of Chapter V (making data available to the administration) is narrowed from “exceptional needs” to “public emergencies” only. Articles 14 and 15 of the Data Act are to be deleted, and a new Article 15a will be introduced, which sets out that public sector bodies may only request data from businesses when necessary to respond to, mitigate, or recover from a public emergency (e.g., natural disasters or major cybersecurity incidents). This reduces the risk of overbroad government access to business data.

  • Exemptions for Cloud Switching Rules
    The rules on switching between data processing services (Chapter VI) will be softened. Through Article 31 Data Act, a lighter regime is envisaged where “the majority of features and functionalities of the data processing service has been adapted by the provider to the specific needs of the customer”, and for services provided by SMEs and small mid-caps (SMCs) under contracts concluded before 12 September 2025. This is accompanied by a clarification that the abovementioned providers “can include early-termination penalties in fixed-term contracts”. Overall, these exemptions take into account the specificities of smaller or highly customised service providers.

    The Staff Working Document accompanying the Digital Omnibus proposal estimates that these exemptions could save businesses around €1 billion for custom-made contracts and €500 million for SME and SMC contracts across the EU.

  • Removal of Smart Contract Requirements
    The obligation for providers of smart contracts to comply with essential requirements (Article 36 Data Act) is to be removed completely. As explained in the Staff Working Document, Article 36 was criticised by industry stakeholders for its unclear scope and the risk of unintentionally covering a wide range of DLT-based smart contracts and automated software features. The Staff Working Document highlights that, given the early and experimental stage of smart contract development, detailed regulatory requirements could stifle innovation and lock in specific technologies. The removal is therefore intended to reduce regulatory complexity and maintain flexibility for future innovation.

  • Extended Support for SMEs and SMCs
    Already existing support measures for small and medium-sized enterprises ("SMEs") are extended to also cover small mid-cap companies ("SMCs"), reducing compliance burdens and facilitating participation in the data economy. Beyond the eased cloud switching rules, SMEs and SMCs shall benefit from simplified procedures and targeted incentives, making it easier for them to access and re-use data under the Data Act (Article 32ab).

Digital Omnibus: Amendments to Privacy Regulations and Single Entry Point for Incident Reporting

1. Amendments to Privacy Regulations

  • Definition of Personal Data

Article 4 of Regulation (EU) 2016/679 (“GDPR”) is amended to clarify that information relating to a natural person is not necessarily personal data for every entity. Information is not personal for an entity if that entity cannot identify the person, considering the means reasonably likely to be used. The fact that another entity could identify the person does not make the data personal for all (Article 3, amending GDPR Article 4).

Aligning the approach with the recent CJEU ruling, this amendment would provide greater legal certainty for controllers processing pseudonymised data, potentially reducing GDPR obligations where re-identification is not reasonably possible.

  • Special Categories of Data and AI

Article 9(2) GDPR is expanded to allow:

  • Processing in the context of AI system/model development and operation, subject to safeguards (Article 9(2)(k)).
  • Processing of biometric data for identity verification, where the data or means are under the sole control of the data subject (Article 9(2)(l)).

A new Article 9(5) requires controllers to implement measures to avoid processing special categories of data in AI, and to remove such data if found, or otherwise protect it (Article 3, amending GDPR Article 9).

This enables AI development using personal data under strict safeguards, and clarifies when biometric data processing is permitted.

  • Further processing

The proposal clarifies and strengthens the "purpose limitation" principle in the GDPR. It explicitly states that further processing for archiving in the public interest, scientific or historical research, or statistical purposes is to be considered compatible with the original purpose for which the data was collected, in accordance with Article 89 GDPR and regardless of the conditions in Article 6(4) GDPR.

  • DSRs and transparency

The proposal clarifies that information and actions under Articles 13, 14, 15–22, and 34 GDPR must be provided free of charge. However, if a data subject’s request is manifestly unfounded or excessive (especially if repetitive, or, for Article 15, if the right of access is abused for non-data protection purposes), the controller may charge a reasonable fee or refuse the request. The burden of proof is on the controller to demonstrate that the request is manifestly unfounded or excessive.

Article 13(4) GDPR is replaced: the obligation to provide information does not apply where there is a clear, circumscribed relationship and reasonable grounds to assume the data subject already has the information, unless the data is transferred, subject to automated decision-making, or subject to high-risk processing (Article 3, amending Article 13 GDPR).

A new Article 13(5) GDPR will allow controllers to avoid providing information for scientific research if it is impossible or would involve disproportionate effort, provided safeguards are in place (Article 3, amending GDPR Article 13).

  • Automated Decision-Making

Article 22(1)-(2) GDPR is replaced: automated decisions with legal or similarly significant effects are permitted if necessary for contract performance, authorised by law, or based on explicit consent (Article 3, amending Article 22 GDPR).

  • Data Breach Notification

Article 33(1): Notification to the supervisory authority is required within 96 hours only if the breach is likely to result in a high risk to individuals. Notification must be made via the new single entry point (see below). The EDPB will prepare a common template and a list of high-risk circumstances.

  • Data Protection Impact Assessment (DPIA)

The EDPB will prepare, and the Commission will adopt, harmonised lists of processing operations requiring or exempt from DPIA, and a common template and methodology.

  • Pseudonymisation

A new Article 41a empowers the European Commission to specify means and criteria to determine when pseudonymised data is no longer personal data.

  • Cookies and Terminal Equipment

A new Article 88a moves the rules for storing/accessing personal data on terminal equipment (e.g., cookies and other tracking technologies) from the ePrivacy Directive to the GDPR. Consent is required, with exceptions for technical storage, audience measurement in the interest of the data controller, and security. Data subjects must be able to refuse consent easily (with a single-click button or equivalent means), and refusals must be respected for at least six months.

A new Article 88b requires controllers to ensure that their online interfaces allow data subjects to:

a) Give consent through automated and machine-readable means, provided that the conditions for consent under the Regulation are fulfilled.

b) Decline a request for consent and exercise the right to object pursuant to Article 21(2) GDPR through automated and machine-readable means.

Controllers are required to respect the choices made by data subjects in accordance with the above functionalities.

The above requirements do not apply to controllers that are media service providers when providing a media service.

The European Commission must, in accordance with Article 10(1) of Regulation (EU) 1025/2012, request one or more European standardisation organisations to draft standards for the interpretation of machine-readable indications of data subjects’ choices.

Paragraphs 1 and 2 shall apply from 24 months following the date of entry into force of this Proposal.

Obligation for Web Browser Providers:

Providers of web browsers, which are not SMEs, must provide the technical means to allow data subjects to give their consent, refuse a request for consent, and exercise the right to object pursuant to Article 21(2) through the automated and machine-readable means referred to in paragraph 1, as applied pursuant to paragraphs 2 to 5.

Timeline for Web Browser Providers: Paragraph 6 shall apply from 48 months following the date of entry into force of this Regulation.

Key Points and Impact:

  • Lawful Basis for AI Training

A new Article 88c allows processing of personal data for AI development/operation based on legitimate interests, provided appropriate safeguards are in place (Article 3, new Article 88c). In particular, where the processing of personal data is necessary for the interests of the controller in the context of the development and operation of an AI system (as defined in Article 3, point (1), of Regulation (EU) 2024/1689) or an AI model, such processing may be pursued for legitimate interests within the meaning of Article 6(1)(f) of GDPR, where appropriate, except where other Union or national laws explicitly require consent, and where such interests are not overridden by the interests or fundamental rights and freedoms of the data subject, in particular where the data subject is a child.

Any such processing must be subject to appropriate organisational and technical measures and safeguards for the rights and freedoms of the data subject. These include:

a) Ensuring respect for data minimisation during the selection of sources and the training and testing of the AI system or AI model.

b) Protecting against non-disclosure of residually retained data in the AI system or AI model.

c) Ensuring enhanced transparency to data subjects.

d) Providing data subjects with an unconditional right to object to the processing of their personal data.

Special Protection for Children:

The interests or fundamental rights and freedoms of the data subject, especially where the data subject is a child, must be given particular consideration.

2. Single Entry Point for Incident Reporting

  • Introduction and Scope

A new system is established for incident reporting via a single entry point, to be developed and maintained by ENISA. This will apply to incident reporting under GDPR, Directive 2022/2555 (NIS2), Regulation 2022/2554 (DORA), Regulation 910/2014 (eIDAS), Directive 2022/2557 (CER), and Regulation 2024/2847 (Cyber Resilience Act) (Articles 6-8).

This proposal would streamline and harmonise incident reporting across multiple EU legal acts, reducing administrative burden and risk of duplication.

  • Key Features

    • Security and Interoperability: ENISA must ensure the security, reliability, and interoperability of the single entry point (Article 6, new Article 23a(2)-(3)).
    • Piloting and Assessment: The system will be piloted and assessed before becoming mandatory (Article 6, new Article 23a(5)-(6)).
    • Retrieval and Supplementation: Organisations can retrieve and supplement previously submitted notifications (Article 6, new Article 23a(3)(e)).
    • Fallback: Alternative channels must be provided if the system is unavailable (Article 6, new Article 23a(7)).
    • Unified Templates: The EDPB and Commission will adopt common templates for notification (Article 3, amending GDPR Article 33(6)-(7)).
  • Timeline
    The single entry point must be operational within 18 months of the Regulation’s entry into force, with a possible extension to 24 months if technical issues arise (Article 6, new Article 23a(5)-(6)).

Late 2025:

The European Commission will forward the Digital Omnibus package proposals to the European Parliament, which will assign them to the appropriate committee(s). The Internal Market ("IMCO"), Industry ("ITRE"), and Civil Liberties ("LIBE") Committees are expected to take the lead. Political groups will appoint a rapporteur and shadow rapporteurs to prepare the committee’s draft report.

From January 2026:

MEPs will review and propose changes to the draft in committee sessions, aiming to finalise and adopt a report by the end of Q1 2026.

Q2/Q3 2026:

After the Parliament’s responsible committee(s) adopt their report and the full Parliament votes in plenary, and once the Council has agreed its stance, three-way “trilogue” talks between the Commission, Parliament, and Council will start, likely in spring 2026, to agree a final compromise.

Potential Fast-Track:

If the Parliament invokes its urgent procedure (Rule 170), the proposal could skip the full committee process and go straight to a plenary vote, possibly allowing adoption as early as Q1 2026. This would limit amendment opportunities and shorten consultation periods.

Final Approval:

Under the usual process, the package is expected to be adopted by mid-2026.
