Global Life Sciences Update

EU Digital Omnibus Implications for MedTech Companies

December 9, 2025

The European Commission (Commission) released its Digital Omnibus package, which aims to streamline and recalibrate certain aspects of the fast-growing body of EU digital regulations, on November 19, 2025. Rather than rewrite the core legislative instruments, including Regulation (EU) 2024/1689 (AI Act), Regulation (EU) 2016/679 (GDPR), Regulation (EU) 2023/2854 (Data Act) and Directive (EU) 2022/2555 (NIS2), the Commission has opted for a series of targeted amendments intended to reduce overlap, smooth implementation and increase legal certainty. The Digital Omnibus package is now open for review for an eight-week period, which is being extended until the proposals are available in all EU languages, allowing stakeholders to comment directly on the Commission-adopted texts before negotiations progress in the Parliament and Council.

As a part of stress‑testing the EU’s digital rulebook, the Commission has also launched the Digital Fitness Check, a broader review running in parallel with the Digital Omnibus package. The Digital Fitness Check assesses the cumulative impact of the EU’s digital legislation, how rules interact in practice and where more structural adjustments may be needed. A call for evidence and a public consultation on the Digital Fitness Check are open from November 19, 2025, to March 11, 2026, with Commission adoption planned for Q1 2027.

The Digital Omnibus package consists of two proposals – a Digital Omnibus on AI (AI Omnibus) and a general Digital Omnibus (Digital Legislation Omnibus). This package aims to address the growing criticism from both industry and authorities, including concerns raised in the recent Draghi Report on European competitiveness, which warned that regulatory fragmentation and overregulation risk slowing innovation.

For a sector-agnostic overview of the Digital Omnibus package, see Sidley Update The European Commission Proposes Important Changes to the EU’s Digital Rulebook.

Implications for the MedTech Industry

The Digital Omnibus package has several direct and practical implications for the MedTech industry. Although just a proposal from the Commission, now to be reviewed and approved by the EU co-legislators, the package looks at how the AI Act’s high-risk obligations may be delayed, how they will interface with the Medical Devices Regulation (EU) 2017/745 (MDR) and In Vitro Diagnostic Medical Devices Regulation (EU) 2017/746 (IVDR), and how data protection, cybersecurity and reporting frameworks may be streamlined.

(1) AI Omnibus

Extended Timelines for High-Risk AI Systems

The AI Omnibus proposes to modify the implementation timelines of the AI Act’s high-risk requirements. A key reason for this adjustment is the current absence of many of the harmonized standards, guidelines and common specifications needed to operationalize the AI Act’s high-risk obligations, which in many instances are still under development by the Commission and European standardization bodies.

Under the rules currently in force, the AI Act’s core requirements for high-risk AI systems apply as from August 2026 for products falling within the use cases in Annex III (e.g., certain biometric uses) and as from August 2027 for high-risk AI systems falling within the scope of Article 6(1) and Annex I, including AI systems that are themselves medical devices or safety components integrated into medical devices. The AI Omnibus proposes a conditional approach, with a staggered schedule that differentiates between:

  • High-risk AI systems based on use case (Annex III): Requirements will apply six months after the Commission confirms that “support measures” (e.g., harmonized standards/guidelines/common specifications) are available, with a long-stop of December 2, 2027.
  • High-risk AI systems that are medical devices, or integrated into medical devices (Article 6(1) and Annex I): Requirements will apply 12 months after the confirmation of “support measures,” with a long-stop of August 2, 2028.

In both cases, the MedTech industry would receive a longer compliance runway than originally anticipated. The underlying obligations remain unchanged, but their application will be phased in when “support measures” become available. Where those measures are available earlier, the related obligations start earlier; where they are not yet available, the AI Act still applies, but the affected obligations are triggered later or by defined long-stop dates.

Sectoral Conformity Assessments and Quality Management Systems (QMS)

The AI Omnibus confirms that sectoral conformity assessments (such as under the MDR and IVDR) take precedence for high-risk AI systems integrated into products. This means that the AI Act’s substantive high-risk requirements which are not covered by the MDR and IVDR, such as those on data governance, risk management, technical documentation, transparency, human oversight, and robustness, do not have to be addressed through a standalone AI-only assessment. Instead, they can be integrated into the existing MDR and IVDR conformity assessments.

The same integrated approach applies to QMS. The AI Omnibus clarifies that the AI Act’s QMS-related obligations can be implemented through the QMS required under sectoral legislation such as the MDR and IVDR. This means a single QMS can cover both device and AI requirements, removing duplication.

Pre-Clinical Research and Development Exemptions and Real-World Testing

The Commission, in addition to adopting legislative measures, will support compliance with the AI Act by issuing guidance. A priority topic for that guidance will be the practical application of the research exemption, including its application in pre-clinical research and product development in the field of medical devices. These efforts are intended to address concerns from the MedTech industry that the AI Act could disrupt the process of clinical and performance studies for AI-enabled medical devices if studies were seen as “placing on the market,” hence triggering AI Act requirements during the MDR and IVDR clinical and performance study phase.

Relatedly, the AI Omnibus allows (prospective) providers to conduct testing in real-world conditions of certain high-risk systems, including those covered by the MDR and IVDR, “at any time” before placing them on the market.

(2) Digital Legislation Omnibus

The second part of the Digital Omnibus package, the Digital Legislation Omnibus, also proposes some important amendments in relation to both the GDPR and other digital data laws, such as the Data Act, and cyber laws such as NIS2.

For the MedTech industry, one of the more important GDPR proposals is that information is not to be considered personal data for a given entity where that entity does not have the means “reasonably likely to be used” to identify the natural person to whom the information relates. The proposal further clarifies that such an entity, i.e., an entity that cannot re-identify a data subject, would not in principle be subject to the GDPR. These proposals are in line with recent CJEU case law (Case C-413/23 P, EDPS v SRB) that provides a more relative view that pseudonymized data should not be regarded as personal data in all cases. Due to the importance of pseudonymized data in the MedTech sector, these proposals, if adopted, should provide increased certainty as to the application of the GDPR.

A key area for the MedTech sector is the ability to carry out scientific research in compliance with the GDPR. Although the GDPR does contain some provisions on scientific research, there has been criticism that there is a lack of clarity on how to apply these provisions in practice (including at a Member State level). The Digital Legislation Omnibus looks to provide a more practical definition of scientific research in the GDPR, such that an activity does not stop being scientific research when conducted for “commercial interests,” which could be viewed as being broader than for “privately funded research” as currently stated in the GDPR.

In addition, the Digital Legislation Omnibus clarifies that scientific research can constitute a legitimate interest under the GDPR and, importantly, also provides that legitimate interest can be the lawful basis under the GDPR for processing of personal data for the development or operation of an AI system or AI model. The proposals also allow for the incidental processing of special category personal data (e.g., health data) in the development of AI systems and models, subject to the implementation of certain safeguards. Further, the proposals permit special category personal data to be used in AI bias detection and correction more widely (i.e., not only in the development of AI models and systems).

Finally, the Digital Legislation Omnibus also removes the need for controllers to provide transparency information to data subjects – where such information is collected directly from those data subjects – if the processing takes place for scientific research purposes and, for example, the provision of information proves impossible or would involve a disproportionate effort.

Other MedTech Developments

Finally, it is worth noting that the Digital Omnibus package comes just weeks before the Commission is expected to adopt its proposed revisions to the MDR and IVDR, scheduled for adoption on December 16, 2025. Together with the Digital Omnibus package, these initiatives indicate the EU legislators’ intentions to streamline regulations impacting the MedTech sector.

Next Steps?

The Digital Omnibus package is now with the co‑legislators (the Council of the European Union and the European Parliament) for review under the ordinary legislative procedure. As mentioned, a simultaneous eight-week feedback period on the Digital Omnibus package is open (closing date to be extended until the Omnibus is available in all EU languages) – feedback received will be summarized by the Commission, presented to the Council and European Parliament, and fed into the legislative debate.

Trilogue negotiations are expected to commence mid-2026, with final adoption potentially by mid‑ to late-2026. The timeline could be expedited if the European Parliament applies its urgency procedure, as it has done for other omnibus packages.

MedTech companies may wish to consider providing feedback on the Digital Omnibus package. Moreover, to ensure readiness with the rules that undoubtedly will apply at some point, MedTech companies may also wish to consider mapping existing and planned AI systems against the AI Act’s categories, including identifying which devices are likely to be or incorporate Annex I high-risk systems and assessing their readiness against the core high-risk requirements. Readiness also means integrating AI-specific considerations into existing quality management and risk management systems.




© Sidley Austin LLP