One bus, many passengers: how the digital omnibus rewrites the EU digital rulebook

Partnerblog

1. Context

“How do you keep up?” – that’s the question many digital rights lawyers have been asking themselves over the past few years.

The EU’s digital acquis has exploded: DSA, DMA, Data Governance Act, Data Act, eIDAS, NIS2, DORA, etc. – each with its own definitions, notification duties, competent authorities and tricky compliance questions. With its proposal for a Digital Omnibus, the European Commission now wants to take a big step towards a simpler and more coherent digital regulatory framework.

This initiative to simplify EU legislation on data, cybersecurity and artificial intelligence forms part of the Commission’s broader simplification agenda to “create a more favourable business environment by lightening administrative burdens and costs on companies”.

Within the Digital Omnibus initiative, the Commission has opted for two separate legislative proposals:

  • a Digital Omnibus for the digital acquis, and
  • a Digital Omnibus for AI.

This blogpost focuses on the first of these. To avoid confusion, we will simply refer to it here as the “Digital Omnibus”. The AI Digital Omnibus will be discussed in another blogpost on the Timelex website.

The core idea of the Digital Omnibus is straightforward but ambitious: one digital rulebook, leading to fewer overlapping obligations, lower administrative burdens, and better interoperability of rules.

2. High-level overview of the changes

In a nutshell, the Digital Omnibus is meant to break the fragmentation across EU data legislation through a set of targeted amendments:

V Checkmark with solid fill

Merging of several legal frameworks, mainly those on access to data (Data Governance Act, Open Data Directive, etc.), into a single framework: the Data Act.

V Checkmark with solid fill

Repealing of obsolete instruments that have become redundant.

V Checkmark with solid fill

Harmonising of definitions and obligations, and simplification of the cybersecurity reporting obligations by introducing a single digital notification point (“Single Entry Point” or “SEP”) for all incidents.

This first section of the blogpost will focus on the general amendments to the digital (data) laws, section 3 below will zoom into the GDPR and ePrivacy specific amendments.

A. Data Act

Under the Digital Omnibus, the Data Act becomes the core of EU data law. Several existing frameworks are folded into the Data Act and repealed (see below).

A number of targeted amendments are proposed to improve legal certainty and competitiveness:

  • Trade secrets & third-country access requests:
    A new regime is introduced for the protection of trade secrets where data access requests come from entities in third countries  or there is a risk to disclosure to entities in third countries. Data holders will be able to refuse such requests where they can demonstrate a high risk of unlawful acquisition, use or disclosure of the data to entities subject to regimes with insufficient protection – that is, non-equivalent or weaker legal frameworks than the applicable EU rules – and where there is a significant risk of serious economic harm.
  • Narrower scope of Chapter V – from “exceptional need” to “public emergency”:
    The scope of Chapter V is narrowed: the criterion for disclosure of data to public sector bodies, the Commission, the European Central Bank or an EU body shifts from “exceptional need” to “public emergency”. The proposal also introduces a mechanism for fair compensation of the technical and organisational costs incurred by data holders in complying with such requests.
  • Smart contracts provision deleted:
    Article 36 of the Data Act, which dealt with smart contracts, is removed in its entirety. In recital 16, the Commission acknowledges the need to reconsider the regulatory approach to smart contracts rather than maintaining the original provision.
  • Cloud switching rules and “custom-made services”:
    The “switching” rules in Chapter VI of the Data Act will not apply to contracts for “custom-made services” that were concluded before or on 12 September 2025. These are services that are not off-the-shelf and would not function without prior adaptation to the needs and ecosystem of the user. In practice, this means providers of custom-made services will not be required to amend or renegotiate such contracts in order to comply with Chapter VI.
  • More flexibility for SMEs and small mid-caps.
    SMEs (small and medium-sized enterprises) and SMCs benefit from more flexible rules on contractual terms, including fixed terms and early termination fees. They are similarly as the custom-made services not obliged to adapt or renegotiate contracts concluded before or on 12 September 2025 to make them compliant with Chapter VI.

B. E-privacy directive

The ePrivacy Directive will be repealed, and certain rules – for example those on cookies – will be incorporated into the GDPR.

C. Nis 2 Directive

NIS 2 is operationally simplified through structural integration into the Single Entry Point (SEP).

Every notification of a significant incident will have to be made via the SEP (see below). If the SEP is technically unavailable, entities must be able to fall back on alternative reporting channels.

D. AI act

We will provide a short summary of (some off) the amendments to the AI Act here:

  • Small Mid-Caps (SMCs) are brought under the lighter compliance regime that already exists for SMEs under the AI Act.
  • Incident notifications under the AI Act will be routed through the Single Entry Point.
  • Alignment with GDPR for AI training purposes (see below section 3).

E. Dora / EUID/eIDAS 2.0 / CER Directive

The notification obligations under these three frameworks will also run via the SEP going forward.  

F. Free Flow of non-personal data Regulation (2018/1807)

The Free Flow of Non-Personal Data Regulation is incorporated into the Data Act. Certain rules have become redundant in light of the Data Act, such as the ban on data localisation requirements for non-personal data.

G. The platform-to-business (P2B) Regulation

The Platform-to-Business (P2B) Regulation will be fully repealed:

  • The DSA and DMA now essentially cover the same subject matter.
  • The Commission considers the P2B Regulation to have only “residual value”.
  • Evaluations showed limited effectiveness and low awareness.

References to the P2B Regulation in other legislation remain in force until 2031 at the latest, to avoid legal uncertainty.

H. Data Governance Act (2022/868)

The Data Governance Act (DGA) is incorporated into the Data Act. The Commission also ensures alignment with the Open Data Directive, in particular on re-use rules.

The DGA’s own rules are adjusted in several ways:

  • Redefined “data intermediation service” and lighter conditions: The definition of “data intermediation service” is revised and the conditions are made less strict. For example, a legal separation of activities is no longer required; a functional separation is now sufficient. The regime also becomes voluntary: adopting the label “data intermediation service” becomes a choice for providers that want to differentiate themselves on the market.
  • From national registers to a single EU register: The national public registers for data intermediation service providers and data altruism organisations are abolished. Instead, there will only be a single EU-level public register, recognised across all Member States.
  • Data altruism: goodbye national guidance and templates: For data altruism, national guidelines, the Rulebook and the data altruism consent form templates are phased out. The Commission implicitly acknowledges that this was a form of over-regulation.

I. Open Data Directive (2019/1024)

The Open Data Directive is folded into the Data Act.

Here too, the Commission provides for harmonisation with the Data Governance Act, mainly on the rules governing re-use.

J. Single Entry Point (SEP)

Finally, the Commission introduces a Single Entry Point (SEP) for notifications under various legislative frameworks. The SEP will be the central digital portal for incident notifications under:

  • GDPR
  • NIS 2
  • DORA
  • eIDAS / European Digital Identity (EUID)
  • AI Act
  • CER Directive
  • Sectoral network codes (energy, aviation, etc.)

The material scope of the underlying notification obligations does not change. What changes is the workflow and the tools used by the different competent authorities: instead of navigating multiple notification portals and procedures, entities will file via one SEP, after which the information is distributed to the relevant authorities.

3. Amendments to the GDPR in 5 key points

According to the European Commission, the proposal to amend the GDPR is intended to address the concerns of SMEs. According to the Commission, the Digital Omnibus therefore aims to:

V Checkmark with solid fill

Clarify key definitions

V Checkmark with solid fill

Facilitate compliance

V Checkmark with solid fill

Provide clarity on the processing of personal data for AI training and development

The Digital Omnibus aims to address these topics in its Article 3. Below are some of the main changes and an overview of their potential impact on data protection.

 i. Amended definition of personal data (art.4 GDPR)

The proposal modifies the definition of personal data by making identifiability entity specific. This means that information is no longer automatically considered “personal data” simply because an entity could identify the individual. Data will not be considered personal data for a given controller if that controller cannot reasonably identify the person with the means it has or is likely to use.

This change aligns with the CJEU’s judgment in C-413/23 P, EDPS v. SRB, where the Court already introduced a relative, entity-based concept of identifiability. The Omnibus now transposes this principle explicitly into the GDPR.

The Commission would also gain the power to adopt implementing acts determining when pseudonymised data still qualifies as personal data for specific entities.

The potential impact of these changes is that:

  • The definition of personal data becomes more subjective and context-dependent, potentially narrowing the GDPR’s scope.
  • Sectors using pseudonyms or ID systems could partially fall outside the GDPR.
  • Entities will need to perform a risk-based identifiability assessment to assess whether they are processing personal data, and hence whether their activities are in scope of GDPR.

ii. New provision on ai development

1. Article 9 (2)

Under the amended Article 9(2), controllers may rely on legitimate interests when processing special categories of personal data for AI training, but only if strict safeguards are applied. Controllers must:

  • Avoid collecting or processing special categories of personal data during AI training
  • Remove any sensitive data that nonetheless appears in training, testing, or validation datasets
  • Where removal would require disproportionate effort, they must ensure that such data is effectively blocked from influencing outputs or being disclosed to third parties.
2. New article 88 c

Article 88c creates a dedicated clause governing the use of legitimate interests for AI development under article 6 (1) (f). Processing of personal data may be carried out for the controller’s legitimate interests when developing or operating an AI system or AI model, unless another EU or national law explicitly requires consent.

However, this ground can only be used where:

  • The controller’s interest is not overridden by the interests or rights of the data subject;
  • Technical and organisational safeguards are implemented, including:
    • Data minimisation in source selection, training and testing,
    • Protection against disclosure of residually retained data in AI systems/models,
    • Enhanced transparency obligations,
    • An unconditional right to object for data subjects.

This effectively creates a bespoke legitimate-interest framework for AI, giving developers a clearer path to process data-while relying heavily on internal controls.

Although individuals retain an unconditional right to object to this processing, it is unclear:

  • To what extent individuals will even know that their data is used in AI training;
  • How this right can be exercised effectively in practice, especially where training datasets are large, opaque, or sourced indirectly.

iii. Commercial interest in scientific research (art.4- & 5 (1B) GDPR)

The proposal amends the definition of “scientific research” to clarify that research may also pursue a commercial interest. This reflects the EDPS’s 2019 Study on the secondary use of personal data in the context of scientific research.

Combined with the updated wording on purpose limitation, the proposal confirms that scientific research is presumed compatible with the original purpose of data collection. As a result, research activities – including those outside academia – may reuse personal data, even where commercial objectives are involved.

iv. Integration of e-Privacy concepts into the GDPR

The proposal imports key rules of the e-Privacy Directive into the GDPR, creating one framework for data that is obtained via terminal equipment (phones, laptops, smart devices). Consent remains the default for storing or accessing data on a device, but the proposal introduces explicit exemptions for:

  • Transmission of electronic communications. Eg: telecom providers storing data on your phone to maintain a stable connection during phone calls.
  • Providing a service explicitly requested by the user. Eg: A session cookie that keeps you logged in during a visit to an online webshop.
  • Aggregated audience measurement only available to the controller. Eg: a streaming platform counts the amount of visitors to particular videos to understand its popularity.
  • Maintaining or restoring the security of a service or device. Eg: A website stores a temporary token to detect repeated login attempts.

v. Streamlined Consent, “abusive” Rights, and Higher Notification Thresholds

The Digital Omnibus also introduces several measures aimed at simplifying day-to-day GDPR compliance. First, to address persistent “consent fatigue”, browsers and similar user agents would be required to offer built-in tools that allow individuals to give or withdraw consent – including a single-click refusal option. This centralised consent mechanism shifts part of the burden away from individual websites and is intended to reduce the proliferation of intrusive cookie banners.

Second, the proposal clarifies when access, rectification and erasure requests may be considered abusive. Controllers may refuse requests that are used for purposes unrelated to data protection though they retain the burden of demonstrating that a request is manifestly unfounded or excessive.

Finally, the proposal raises the threshold for notifying personal data breaches. Controllers must notify the supervisory authority only when a breach is likely to result in a high risk to individuals’ rights and freedoms. Notifications must be submitted via the new Single Entry Point under the NIS2 Directive within 96 hours of becoming aware of the breach, with any delay requiring justification. Until the Single Entry Point is operational, the current notification process continues to apply. Overall, the change reduces the number of reportable breaches and eases administrative burden, but may also limit supervisory insight into lower-risk incidents.

4. Takeaways

The Digital Omnibus aims to streamline the EU’s digital rules by removing duplication and introducing a Single Entry Point for incident reporting. For the GDPR, some amendments may genuinely ease the burden on SMEs, while others, such as the new definition of personal data and the legitimate interest basis for AI raise concerns about a potential narrowing of data protection. Civil society is already sceptical: 127 civil society organisations have criticised earlier versions of the proposal for weakening safeguards. How the text will evolve in the legislative process is uncertain, but it will shape the next phase of EU data protection.

Lotte De Graeve and Jolien Clemens

Delen

Recente artikels van Timelex:
15 December 2025
First FAQ on the Cyber Resilience Act