EU Digital Omnibus Proposals seek to streamline compliance


On 19 November 2025 the European Commission presented its Digital Omnibus and its Digital Omnibus on AI, which seek to streamline and simplify rules on AI, cybersecurity and data.

This is a significant and highly scrutinised step in the EC’s aim to boost competitiveness, growth, and technological innovation for European companies while also upholding and protecting fundamental rights.   

The Digital Omnibus legislative proposals now go through the EU’s ordinary legislative procedure and will be submitted to the European Parliament and the Council for adoption, so the final text will likely be different to that of the proposed Omnibus.  This is also likely to take time – some commentators suggest that it may take 1-2 years to go through the legislative process with possible phased implementation into 2028.

What is the EU Digital Omnibus and EU Digital Package?

In a legal context, an omnibus is a legislative tool or proposed law that amends several different regulations.  In this case there are in fact two documents: the Digital Omnibus Regulation Proposal and the Digital Omnibus on AI Regulation Proposal.  It is important to note that these are both proposals – no changes have yet been made and nothing is set in stone.

The EU Digital Omnibus is part of the larger Digital Package, which overall aims to lessen the administrative burden of compliance, and encourage growth and innovation.  This Digital Package also includes plans for a European Business Wallet which aims to streamline processes like ID verification and certification sharing. The Package also includes a digital fitness check Call for Evidence and public consultation, which the European Commission opened on 19 November 2025, and which will close on 11 March 2026.

Some of the key pieces of legislation affected by the Digital Omnibus include GDPR and the EU AI Act.

What has the reaction been?

The proposals have already received scrutiny and strong opinions from pressure groups including NOYB, the organisation founded by privacy activist Max Schrems. Somewhat predictably, the reaction from consumer advocacy groups has not been favourable, and this could signal some changes to the proposals, particularly when they come before the European Parliament.

NOYB has also published two open letters in November 2025 signed by 127 civil society organisations detailing their concerns about the proposed changes on data protection rules.  NOYB believes that the proposals would add complexity not simplification and there is likely to be wider support for those views.

In addition, the EU institutions are likely to want to take into account the views of the European Data Protection Board (EDPB).  The EDPB looked at the proposals at its meeting on 4 December 2025 and plans to issue a Joint Opinion with the European Data Protection Supervisor (EDPS).  The EDPB has previously been critical of some aspects of these proposals and issued a statement on 4 December 2025 repeating some of those concerns:

“the EDPB and the EDPS can already underline that the proposed modification of the definition of personal data seems to go further than the recent CJEU case law, and beyond a targeted modification of the GDPR, which may risk to adversely affect the fundamental right to data protection.”

How are AI rules affected?

The proposals suggest that there could be some changes to the EU rules on AI including:

  1. Timeline for high-risk AI – The timeline for applying the EU AI Act’s high-risk AI rules would be adjusted. If the changes go through in general terms, the rules would start to apply once the European Commission confirms the necessary standards and support tools are in place. Currently, most of the high-risk AI rules are due to apply on 2 August 2026, and the proposals could extend the deadline to 2 December 2027, assuming the process of adopting these changes happens in time. In our view, however, this is by no means guaranteed, and organisations may be unwise to abandon their work preparing for this stage of AI regulation, given the uncertainty over whether the Omnibus will reduce or postpone their obligations and given that it might not pass in time. The high-risk AI rules concerning product safety regulations are currently due to apply from 2 August 2027, and the proposals could potentially change the deadline to 2 August 2028.
  2. AI literacy obligations – There is also a proposal to remove some of the AI literacy burdens from AI providers and deployers and to give the European Commission and Member States some obligations to foster AI literacy.  The literacy obligations under the EU AI Act have been in force since February 2025.  There are details of the current legal obligations at: What are the AI Literacy Obligations from the EU AI Act?

But AI is already regulated in the EU, in part by regulators using GDPR to police AI.  We have had substantial fines for businesses using AI, including Clearview, Deliveroo, Foodinho, OpenAI and Replika AI.  We have also had suspensions or investigations for a large number of AI applications including those from Deepseek, Google, Grok/X, Meta and OpenAI.

How is GDPR affected?

The proposals would also see changes to GDPR.  In some respects, the European Commission is recognising the concerns that the UK Government has also had about the considerable uptick in the use of aggressive SARs.  This is something that we are seeing too.  The UK Government has tried to deal with this in part by the passing of the Data Use and Access Act 2025.  You can see our summary of that here – Alert: UK Data Use and Access Act new provisions coming into force.

The European Commission is also proposing other changes:

  • Changes to the definition of personal data – The Omnibus is proposing a revised GDPR definition of “personal data”. It proposes to clarify that not all information relating to a natural person is necessarily personal data for every other person or entity “merely because another entity can identify that natural person. Information shall not be personal for a given entity where that entity cannot identify the natural person to whom the information relates, taking into account the means reasonably likely to be used by that entity. Such information does not become personal for that entity merely because a potential subsequent recipient has means reasonably likely to be used to identify the natural person to whom the information relates.”  So, in effect this moves some data which would currently be regarded as pseudonymised to be anonymised.  There is a review of current GDPR definitions in our GDPR Glossary: EU data protection key terms & acronyms.  Whether the proposal would in fact add clarity remains to be seen.  If the changes are implemented this may result in complex litigation as the courts or regulators try and work out a data controller’s means of identification.
  • Abuse of the right of access – The proposed Omnibus addresses situations where the right of access is abused by data subjects for purposes other than the protection of their personal data. It proposes that in such situations, a controller can refuse to comply with the request or charge a reasonable fee.
  • AI and legitimate interests – There is also a proposed new provision to recognise the processing of personal data to develop AI systems and models as a legitimate interest (though a demonstrable balancing test or impact assessment would still be required).

How are breach notification rules affected?

There are also proposed changes to the Data Breach Reporting Rules. 

These include:

  1. Streamlined reporting portal – The Omnibus proposes a single interface where entities can fulfil their incident and breach reporting obligations under GDPR, NIS2, DORA, the Critical Entities Resilience Directive, and the upcoming Cyber Resilience Act.
  2. Timeline for GDPR breach notification – For GDPR, it also proposes to require data controllers to notify breaches that present a high risk to individuals, and also to extend the reporting deadline to 96 hours, from the current deadline of 72 hours.

How is NIS2 affected?

While there are proposed changes to help streamline NIS2’s incident reporting obligations, there were no proposals in the Omnibus to amend the registration requirements or the one-stop-shop provisions under NIS2 Article 27. Our FAQs on the current NIS2 regime are here: FAQs: the EU’s NIS2 Directive.

How is the EU Data Act affected?

The changes affecting the Data Act are part of the larger proposal that affects various other legal acts that touch upon similar topics. The Omnibus noted that Europe’s ‘data legislative acquis’ (also known as the Digital Rulebook, the body of laws and regulations regarding digital matters and markets) has some complexities, overlaps, and unaligned definitions. Our FAQs on the EU Data Act are here: FAQs: the EU Data Act.

The Omnibus proposes to repeal the Free Flow of Data Regulation, the Data Governance Act, the Open Data Directive, and to consolidate and absorb their substantive rules into the Data Act.

The Omnibus also proposes changes regarding the Data Act’s rules on:

  1. Strengthening safeguards against the risks of trade secret leaks to third countries in the context of mandatory internet of things data-sharing provisions. The Omnibus proposes a new rule where a data holder can refuse disclosure of trade secrets to a user when there is a high risk of disclosure to third countries.
  2. The scope of the business-to-government framework. The Omnibus proposes to narrow the scope of the Data Act’s regime for when a public sector body can request data from data holders, from “exceptional need” to “public emergency”.
  3. Essential requirements for smart contracts executing data sharing agreements. The Omnibus proposes removing those requirements by deleting Article 36 of the Data Act.
  4. Switching between data processing services. The Omnibus proposes the insertion of a lighter, specific regime for custom-made data processing services.

What are the chances of the Digital Omnibus passing?

In many respects that’s the million dollar question. Tech firms are lobbying hard for a relaxation of the rules, but this won’t be unopposed. Whilst the European Commission is in favour, the proposal still needs both to pass in the European Parliament and to be agreed by the Council of the EU (i.e. the member states). EU lawmaking is known for the length of time it takes to get a proposal into law. In our view it is likely that the Digital Omnibus will pass but in a modified form, and even then significant progress is unlikely this year.

Next steps for organisations

It is important to remember that at this stage the Digital Omnibus represents a set of proposals rather than hard law.  As a result, businesses will want to:

  1. Make sure employees know that these are proposals, not law.  Organisations need to make sure that they are still meeting their current legal obligations.  For example, the proposed relaxation of rules on AI literacy and SARs is not law, and people in the business need to know that so that they don’t take shortcuts.
  2. Businesses will want to monitor these changes and possibly consider making representations to the European Commission and MEPs.

More information:

See the Digital Omnibus Regulation Proposal: https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-regulation-proposal

See the Digital Omnibus on AI Regulation Proposal: https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-ai-regulation-proposal

The EC’s digital fitness check call for evidence and public consultation: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/15554-Digital-fitness-check-testing-the-cumulative-impact-of-the-EUs-digital-rules_en
