On November 19, 2025, the European Commission officially adopted a proposal for the Digital Omnibus package. Specifically, the Digital Omnibus package consists of two legislative proposals, a Digital Omnibus on AI and a general Digital Omnibus (Digital Legislation Omnibus). The proposed package marks the Commission’s first step toward optimising the EU’s digital rulebook. It draws on more than a year of preparatory work and extensive stakeholder feedback: businesses across a number of different sectors have highlighted concerns about regulatory overlap, uneven national implementation and the need for clearer cross-regime rules and streamlined reporting.
As a part of stress‑testing the EU’s digital rulebook, the Commission has also launched the Digital Fitness Check, a broader review running in parallel with the Digital Omnibus. The Digital Fitness Check assesses the cumulative impact of the EU’s digital legislation, how rules interact in practice and where more structural adjustments may be needed. A call for evidence and a public consultation on the Digital Fitness Check are open from November 19, 2025 to March 11, 2026, with Commission adoption planned for Q1 2027.
Key Proposals in the Digital Omnibus Package
1. AI Act – Breathing Room and Targeted Adjustments
The Commission proposes several material changes to how the AI Act will apply, aimed at easing immediate compliance pressure, while improving long-term operability:
- “Stop-the-Clock” Transition Period. Certain AI Act obligations for high-risk systems will be linked to the adoption by the Commission of a decision confirming that support measures (e.g., harmonised standards/guidelines/common specifications) are available. Specifically, the application to high-risk AI systems in Annex III will be 6 months after the decision – with a long-stop of December 2, 2027 – and to high-risk systems in Annex I 12 months after the decision – with a long-stop of August 2, 2028.
- Extended GPAI timelines. Providers of general-purpose AI (GPAI) systems placed on the market before August 2026 will have until February 2027 to update documentation and governance processes.
- Reduced Registration Burden. Certain AI systems not considered by the provider to be high-risk will no longer require mandatory registration in the EU high-risk AI database, thus shifting to a more pragmatic self-assessment model.
- “Small Mid-Caps” (SMCs) Relief. SMCs (up to 750 employees / €150 million turnover) will benefit from a streamlined technical documentation requirement for high-risk AI systems. Additionally, other benefits currently enjoyed by small and medium-sized enterprises (SMEs) will be extended to SMCs, including regarding how fines are calculated.
- EU-Level GPAI Sandbox. A new EU-wide sandbox will allow GPAI developers to test systems under the supervision of the AI Office – a step aimed at harmonisation and innovation.
- AI Office. The Digital Omnibus on AI strengthens the position of the AI Office, which will, for example, be given exclusive competence to oversee AI systems based on GPAI developed by the same provider.
2. GDPR and ePrivacy – Narrower Scope, Clearer Paths for AI Training
The Digital Legislation Omnibus proposes notable clarifications to EU data-protection rules – changes that could significantly reshape analytics, advertising, and AI development practices:
- A relative interpretation of “Personal Data.” Consistent with recent CJEU case law, data will only be considered “personal” for an entity if that entity can identify an individual from it, taking into account the means reasonably likely to be used. Due to the importance of pseudonymised data in many sectors, these proposals, if adopted, should provide increased certainty as to the application of the GDPR.
- A new “legitimate interest” ground for AI Training. Companies can rely on a “legitimate interest” to process personal data for training and operating AI systems, for example, to improve bias detection or accuracy, or to test AI’s performance. This is subject to safeguards, such as data minimisation, risk assessments, and providing data subjects with an unconditional right to object to the processing. The proposals also allow for the incidental processing of special category personal data (e.g., health data) in the development of AI systems and models, subject to the implementation of certain safeguards. Further, the proposals permit special category personal data to be used in AI bias detection and correction more widely (i.e., not only in the development of AI models and systems).
- ePrivacy and Cookies. The proposals include moving the requirements in relation to cookies and tracking technologies from the ePrivacy Directive to the GDPR where personal data are processed. To try and address “cookie consent fatigue,” the proposals provide that where a data subject provides consent, a controller should not request consent again for the same purpose, and if a data subject declines consent, the controller should not make a new request for at least six months. The proposals would also permit the storing of personal data, or gaining access to personal data stored in terminal equipment without consent in a number of circumstances including, among others, aggregated audience measuring and security of the service or the user’s device.
- Transparency. The proposals also provide a narrow exception from the need for controllers to provide transparency information to data subjects where there is a clear relationship between a controller and a data subject, the controller’s activity is not data-intensive, and there are reasonable grounds to assume the data subject has the relevant information. There are similar exceptions from providing information to data subjects in relation to scientific research where, for example, the provision of information proves impossible or would involve a disproportionate effort.
- DPIAs and DSARs. The European Data Protection Board (EDPB) will be required to develop an EU-wide list of processing activities that do or do not require a Data Protection Impact Assessment (DPIA), to replace the current national lists in EU Member States. In addition, controllers can reject Data Subject Access Requests (DSARs) and treat them as “manifestly unfounded or excessive” in scenarios where a DSAR is submitted for a purpose other than protecting a requestor’s data (or if submitted excessively).
3. Data Act, Data Governance Act, and Open Data Directive – merging into a single EU data framework
The Digital Legislation Omnibus consolidates the EU’s fragmented data-sharing regime into one system under the Data Act. Key proposals include:
- Consolidation of Frameworks. The Digital Legislation Omnibus incorporates rules governing the reuse of protected data from the Data Governance Act and certain obligations from the Open Data Directive (which will both be repealed) into the Data Act to create a unified framework. The Digital Legislation Omnibus streamlines the rules further by repealing the Free Flow of Non-Personal Data Regulation, only maintaining the prohibition on data-localisation that requires companies to store data in specific EU countries.
- Stronger Trade-Secret and Third-Country Protections. Companies may refuse to share data where there is a high risk of exposing trade secrets or of exposing sensitive data to countries whose data protection rules are weak or not equivalent to those in the EU.
- Cloud Switching Adjustments. The Data Act’s cloud interoperability and switching requirements have been refined to make them applicable for highly customised services, for example, introducing a lighter regime for custom-made data processing services and for SME and SMC data processing service providers. This may reduce the compliance burden on SMEs and SMCs and clarify how smart contracts used in data-sharing agreements should be treated.
- Stricter Conditions for Very Large Commercial Data Users. Public-sector bodies will be able to charge higher fees or place stricter conditions on very large companies that want to re-use public-sector data for analytics or commercial purposes.
- Business to Government (B2G) Data Sharing. The scope of B2G data sharing will be narrowed under the proposals. For example, the condition for B2G sharing would be limited from “exceptional need” to “public emergency.”
4. Cybersecurity – Streamlined Reporting Across the EU
The Digital Legislation Omnibus attempts to streamline how companies report cybersecurity incidents across major EU laws. Key proposals include:
- GDPR Reporting Requirements. The timeframe under the GDPR for notifying personal data breaches to Data Protection Authorities (DPAs) will be extended from 72 hours to 96 hours from becoming aware of a reportable breach. Importantly, only personal data breaches likely to result in a “high risk” to data subjects would need to be notified to DPAs, which would be in line with the threshold under the GDPR to notify data subjects of a personal data breach. Finally, the EDPB will be required to develop a standardised template for notifications under the GDPR and to draw up a common list of scenarios that are to be considered as high risk.
- Single EU Reporting Portal. Building on the single reporting platform existing under the Cyber Resilience Act (CRA), the proposals include a single-entry point (SEP) to be developed by ENISA (the European Union Agency for Cybersecurity). The SEP would enable organisations to satisfy incident reporting obligations to regulators under different EU cyber-related laws including, among others, the GDPR, the Network and Information Security Directive (NIS2), the Digital Operational Resilience Act (DORA), the Critical Entities Resilience Directive (CER) and the eIDAS Regulation.
What Are The Next Steps?
The Digital Omnibus package has now entered the ordinary legislative procedure in the European Parliament and Council, where it will be examined, debated, and amended before any final text is adopted. In parallel, the Commission is asking for feedback on both the Digital Omnibus on AI and the Digital Legislation Omnibus. As mentioned, the Digital Omnibus package is now open for review for an eight-week period, during which stakeholders will be able to comment directly on the Commission’s proposed texts; these comments will then be presented to the Parliament and Council. For companies, this is a key opportunity to present concrete asks before the text enters the proper legislative phase.
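Sidley Austin LLP provides this information as a service to clients and other interested parties for educational purposes only. It should not be construed or relied on as legal advice or used to create a lawyer-client relationship.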




