Digital Omnibus
The EU Digital Omnibus is a simplification package for the EU digital rulebook. It is designed to simplify, harmonise and modernise parts of the existing framework, reduce overlap between instruments, and lower compliance costs without changing the underlying policy objectives or reducing the level of protection for fundamental rights. The core proposal amends the GDPR, the ePrivacy framework, the Data Act and incident-reporting rules, while also repealing several older acts that are now seen as outdated or absorbed elsewhere. Alongside it, the wider package also includes a separate AI Omnibus proposal.
The practical importance of the Digital Omnibus is that it does not create a completely new digital regime. Instead, it changes how the current regime works in practice. For many organisations, the real compliance burden today does not come from one single law, but from the overlap between GDPR, ePrivacy, data legislation, AI rules, and incident-reporting obligations. The Omnibus is intended to address exactly that friction.
At a glance
- The Digital Omnibus is a targeted simplification package for EU digital regulation.
- It focuses on reducing administrative burden, improving legal clarity, and streamlining the interplay between overlapping laws.
- The main change areas are GDPR/privacy rules, incident reporting, cookies, AI, data laws, and the repeal or consolidation of older instruments.
- A separate AI Omnibus proposal sits alongside the main Digital Omnibus package.
- The proposal is still in the legislative process and may still change before adoption.
The main proposed changes
1. A narrower, more entity-specific concept of personal data
The proposal refines the definition of personal data by linking it more closely to the actual ability of a specific entity to identify an individual. The key question becomes whether that entity has means reasonably likely to be used for identification. If not, the information would not be personal data for that entity simply because another recipient might be able to identify the person.
This would move the GDPR analysis toward a more subjective, case-by-case test. It could reduce GDPR applicability in some settings, especially where pseudonymised outputs are used in a way that does not allow the holder to re-identify the person. At the same time, it may create uncertainty within supply chains, including questions around Article 28 arrangements and transfer-related obligations.
2. Clearer GDPR rules for AI development and operation
The proposal expressly recognises legitimate interests as a possible lawful basis for processing personal data in the development and operation of AI systems and AI models. This is intended to provide more legal certainty for AI developers, while leaving the balancing test in place and without overriding consent requirements that may follow from other laws.
The proposal also adds a new condition for processing special category data in AI contexts, subject to safeguards. Controllers would need to take measures to avoid collecting and processing such data as far as possible. If sensitive data is nevertheless found in training, testing or validation datasets, or in the model or system itself, it must be removed. If removal would require disproportionate effort, measures must still be taken without undue delay to prevent the data from being used to generate outputs or being disclosed to third parties. The proposal also permits biometric verification where the biometric data, or the means needed for verification, remain under the sole control of the data subject.
3. Simpler breach and incident reporting
One of the most practical changes concerns incident reporting. For GDPR, personal data breaches would only need to be notified to supervisory authorities where they are likely to result in a high risk to individuals’ rights and freedoms. The reporting deadline would be extended from 72 hours to 96 hours. The EDPB would also develop standardised reporting templates.
At the same time, the proposal introduces a single EU entry point for incident reporting, managed by ENISA. This is designed as a “report once, share many” mechanism across several legal frameworks, including GDPR, NIS2, DORA, eIDAS and CER-related reporting. The idea is not to replace the legal duties themselves, but to streamline the reporting workflow through one secure channel.
For organisations dealing with overlapping security and data incidents, this may become one of the most important practical changes in the package. It reduces duplication while keeping the underlying legal obligations intact.
4. Adjustments to data subject rights and privacy notices
The Omnibus also proposes targeted changes to transparency duties and access requests. For privacy notices, there would be a limited exemption where information is collected directly from the individual in the context of non-data-intensive activities and where there are reasonable grounds to assume that the person already knows the controller’s identity, contact details and processing purpose.
For access requests, controllers would be able to charge a reasonable fee or refuse to act where the request is manifestly unfounded or excessive, including where the purpose of the request goes beyond the protection of personal data. The proposal gives examples of abusive or weaponised uses of access rights, including certain nuisance or pre-litigation tactics, and lowers the burden of proof for controllers to show that a request is manifestly unfounded or excessive.
This is likely to be one of the more debated parts of the package. On one hand, it aims to address abusive requests. On the other hand, it could materially affect DSAR handling strategies and the way organisations justify refusals.
5. Cookie rules moved into GDPR and measures to reduce consent fatigue
The proposal brings the GDPR-relevant part of the current ePrivacy cookie regime into the GDPR itself through new provisions on processing personal data in terminal equipment. This would place cookie-related personal data rules more clearly within one law, while the ePrivacy framework would remain relevant for non-personal data aspects.
Consent would remain the general rule, but there would be conditional exemptions for certain purposes, including first-party aggregated audience measurement and security purposes. Users would need to be able to refuse non-essential cookies with a single click or equivalent means. If consent is declined, the controller could not ask again for the same purpose within six months. The proposal also introduces machine-readable preference signals, such as browser-based settings, which users could use to communicate cookie choices automatically.
The overall aim is clear: reduce cookie-banner fatigue for users and align terminal-equipment data rules more neatly into the GDPR structure.
6. A separate AI Omnibus with lighter administration and delayed timelines
Alongside the main Omnibus, the package includes a separate AI Omnibus proposal. Its direction is to reduce administrative burden for low-risk and narrow-use AI, reframe the AI literacy obligation, extend certain carve-outs to SMEs and small mid-caps, defer the application of high-risk AI requirements, postpone some transparency obligations for AI-generated content, expand the legal basis for data use in AI development, and clarify conformity assessment rules.
One concrete change is that exempt AI systems under Article 6(3) would no longer require EU database registration, although providers would still need to document a self-assessment before placing the system on the market or putting it into service. Another is the postponement of certain transparency obligations for AI-generated content. High-risk AI requirements would also be deferred until supporting standards and guidance are available, with backstop dates reaching into late 2027 and 2028 depending on the AI system type.
The proposal also clarifies conformity assessment for dual-scope systems: where an AI system falls under both Annex I.A and Annex III, the Annex I.A conformity assessment would apply, and conformity assessment bodies could use one application and one assessment for both the AI Act and other EU harmonisation laws.
7. Consolidation of EU data laws into the Data Act
A major structural change is the consolidation of parts of the EU data-law framework into the Data Act. The proposal moves substantial parts of the Data Governance Act and the Open Data Directive into the Data Act, and repeals the Free Flow of Non-personal Data Regulation except for the prohibition of data localisation requirements, which is also absorbed into the Data Act structure.
This includes rules on data intermediation services, data altruism, public-sector data, international access to non-personal data, and data localisation. The goal is to create a single, more consolidated instrument for Europe’s data economy and reduce fragmentation across multiple overlapping data laws.
8. Targeted recalibration inside the Data Act
The Omnibus does not just consolidate data laws; it also adjusts them. The proposal reinforces safeguards around trade secrets, limits business-to-government data sharing to “public emergency” cases, narrows cloud-switching obligations in some contexts, and removes obligations for smart contract providers. It also reduces and reshapes obligations for data intermediation services to make those mechanisms more attractive and more flexible.
These are not minor technical points. For organisations active in connected products, cloud services, data intermediation, or public-sector data access, these changes could reshape where legal risk and operational burden sit within the value chain.
9. Repeal of older or superseded rules
The package also repeals several older acts viewed as outdated or largely superseded. This includes the P2B Regulation, on the basis that more recent instruments such as the DSA and DMA now largely cover the same area. Some selected provisions would remain temporarily relevant where other acts still cross-refer to them, in order to preserve legal certainty.
This is an important part of the Omnibus logic. The package is not only about adding clarifications; it is also about actively removing layers of overlapping regulation.
Legislative process and timing
The Digital Omnibus is still moving through the EU legislative process. The timeline below shows both the steps already completed and the expected next stages. After the Commission’s preparatory and drafting phase, the proposal moves into the ordinary legislative process, where the European Parliament and the Council develop their positions before negotiations on a final text. On the current trajectory, adoption is expected in early 2027, with the new rules entering into force only after a further transition period of around three to four years.
Looking back, the process began with a call for evidence from 16 September to 14 October 2025, followed by a Commission draft on 27 October 2025, a leaked draft on 10 November 2025, and a published draft V8 on 19 November 2025. The feedback period runs from 21 November 2025 to 4 February 2026. Looking ahead, the Parliamentary procedure is expected to begin in late 2025, the Council position in early 2026, and the main interinstitutional negotiation phase in mid- to late 2026.
What this means in practice
For organisations, the likely effect is mixed but significant. Some changes would clearly reduce compliance friction: fewer reportable GDPR breaches, a longer reporting deadline, one reporting channel for multiple incident regimes, less repetitive cookie interaction, and a more consolidated data-law structure.
Other changes may reduce burden in principle while creating new edge cases in practice. That is especially true for the entity-specific concept of personal data, AI-related legitimate interests, special category data in AI training, and the boundary between abusive and legitimate access requests.
In practical terms, organisations are likely to need to revisit:
- data classification and pseudonymisation analysis,
- AI training governance and documentation,
- DSAR handling standards,
- cookie consent architecture,
- incident-response playbooks, and
- Data Act-related data-sharing and cloud-switching arrangements.


