The EU Digital Omnibus proposal: What is it, what's new, and what's coming next?

The EU Digital Omnibus proposal – what is it, what's new, and what's coming next? 

On 19 November 2025, the European Commission presented its proposal for a comprehensive Digital Omnibus package. The initiative aims to simplify, harmonise, and modernise key elements of the EU’s digital regulatory framework. 

At its core, the package consists of two major legislative proposals: 

• A Digital Omnibus Regulation addressing data protection, data sharing, and cybersecurity; and 
• A separate AI Omnibus proposal adapting and aligning the AI Act. 

This article focuses on the Data Protection Omnibus, which proposes targeted amendments to the General Data Protection Regulation (GDPR). The stated goal is to reduce regulatory overlap, clarify interactions between existing frameworks, and ease administrative burdens while maintaining a high level of protection for individuals. 

What are the key proposed changes?

Re-defining the definition of personal data: The proposal refines the concept of “personal data” by linking it more closely to the actual ability of a specific controller to identify an individual. Building on recent case law of the Court of Justice of the European Union, data would only qualify as personal data for an entity if that entity has means reasonably likely to be used for identification. 

This could allow broader use and sharing of anonymised or pseudonymised data—though it also raises questions about legal certainty and consistent application.  

Legitimate interests as a basis for AI development: The Commission proposes to expressly recognise legitimate interests as a lawful basis for processing personal data when training and operating AI models. Controllers would still need to carry out a balancing test, and consent requirements under other laws would remain unaffected. 

This clarification is intended to provide much-needed certainty for AI developers, although practical challenges remain—particularly around transparency and the right to object. 

Simplified data breach notification obligations: Under the proposal, personal data breaches would only need to be reported to supervisory authorities if they are likely to result in a high risk to individuals’ rights and freedoms. The notification deadline would be extended from 72 to 96 hours. 

In addition, the European Data Protection Board would develop standardised notification templates, and a single EU reporting entry point, managed by European Union Agency for Cybersecurity, would allow organisations to meet multiple incident-reporting obligations with one submission.  

Limiting abusive access requests: The right of access would be adjusted to allow controllers to refuse requests that are clearly unrelated to data protection purposes. While intended to curb abuse, this change may significantly affect litigation strategies and raises important questions about how narrowly or broadly the exception will be interpreted in practice. 

Special category conditions for AI and biometrics: The proposal also changes some requirements regarding sensitive data ("special categories of data"). A new provision is being added that permits the processing of sensitive data for AI training. However, measures must be taken to prevent the collection and processing of this sensitive data as far as possible and to delete it from the dataset if the controller becomes aware that this data has been collected.  

If removing the data proves too costly, at least measures must be taken to prevent sensitive data from being disclosed. The processing of biometric data under the sole control of the data subject will also be permitted under the new proposal. 

Reducing cookie fatigue: The proposal also seeks to address widespread “consent fatigue” caused by repetitive cookie banners. Under the new rules, users must be able to refuse non-essential cookies with a single click, and where consent is denied, controllers may only request consent again after a period of six months. In addition, user consent would no longer be required for cookies used solely for aggregated audience measurement or for security purposes. The proposal further introduces the possibility of automatically transmitting cookie preferences, for example via browser settings, so that users no longer need to interact with cookie banners on every website. Media service providers, however, would be exempt from this obligation. If adopted, these changes could significantly alter current consent management practices and reduce the overall burden on users and organisations alike.  

What happens next?

The Digital Omnibus is still a proposal. It will now be debated by the European Parliament and the Council, and significant amendments, or even rejection, remain possible.  

What will these changes mean in practice for organisations, compliance strategies, and enforcement? 

We will explore these questions in depth during our webinar on 28 January 2026, where we will break down the proposal, discuss open issues, and share practical insights on what organisations should prepare for next.  

Join our free Digital Omnibus Masterclass Series

To help organisations understand the Digital Omnibus and prepare for the proposed changes, we are hosting a free Digital Omnibus Masterclass Series.

Register now to access the recordings of previous sessions and to receive reminders for the upcoming webinars as they are announced.