Partnerblog
The European Commission’s Digital Omnibus proposal, published on 19 November 2025, marks a significant shift in the EU’s approach to digital regulation. Designed to simplify and harmonize existing frameworks, it introduces changes that will affect consumer law, data protection, and AI governance. Although the Digital Omnibus on AI and the Digital Omnibus on i.a. GDPR, e-privacy, and the Data Act is still a proposal and may change during EU legislative negotiations, understanding these potential updates now is essential for legal professionals advising businesses.
Key changes in the Digital Omnibus (without being exhaustive):
- AI & high risk
The Digital Omnibus would water down the obligation on ensuring AI literacy. It is rather the EU Member States and the Commission to “encourage” such measures instead. This change may come too late because the obligation to assure AI literacy is already in force since the beginning of February 2025.
More importantly, and as expected, a “stop the clock” mechanism is foreseen on high risk AI provisions, pushing the entry into force from August 2026 to August 2027 (subject to the Digital Omnibus being adopted in time).
- Harmonized Breach Reporting
The proposal introduces a single-entry portal for incident notifications, operated by ENISA (European Union Agency for Cybersecurity). This aims to simplify overlapping reporting obligations under GDPR, NIS2, DORA, and the Cyber Resilience Act (CRA) by applying the principle of “report once, share many.”
Under the proposal, the threshold for notifying data protection authorities about personal data breaches would increase: only incidents that pose a high risk to individuals’ rights and freedoms would require reporting. The reporting window would be extended from 72 to 96 hours, and a standardized single reporting form would be introduced to streamline submissions.
- Cookie consent reform
To address “consent fatigue”, the Commission proposes moving and adapting cookie rules from the ePrivacy Directive into the GDPR. In practice, this means:
- Placing/using cookies for natural persons will fall fully under GDPR; a basis of lawfulness under the GDPR is necessary. Hence, the Digital Omnibus leaves it up to the data controllers to choose the adequate ground. This leads to some legal uncertainty and consent may still be needed in many cases of non-essential cookies. In order to alleviate this legal uncertainty, it is foreseen that cases of low-risk deployment of non-essential cookies will be whitelisted and will not need consent (and thus could be based on legitimate interest).
- One click to accept or refuse all non-necessary cookies.
- Cookie banners could eventually disappear as browsers and operating systems take over consent management, using standardized privacy settings that automatically communicate your choices to websites.
- Compliance with rules on cookies will be subject to the same sanctions as under the GDPR (including fines up to 4% of the organisation’s global turnover).
While this simplifies compliance, it also raises privacy concerns: less upfront control for individuals and greater reliance on post-hoc objections. Businesses should start preparing by:
- Revising cookie policies and consent flows.
- Assessing legitimate interest for tracking and profiling.
- Monitoring standards for automated consent signals.
- Repeal of the P2B regulation
The so-called P2B Regulation (EU) 2019/1150 governing the practices of platform to their business customers, for example the Amazon marketplace towards the third-party vendors that are active on that platform, will be abolished. The Commission considers that competition law, as well as the Digital Services Act and the Digital Markets Act provide for sufficient tools to tackle problematic practices of the platforms towards their business customers.
- Integration of Data Governance Act and the Open Data Directive will be integrated into the Data Act -reduction of cloud switching obligations for SMEs
The Open Data Directive governing access to public sector data for reuse, complemented by the Data Governance Act (for special data such as personal and confidential data) will be integrated into the Data Act which covers a wide array of other topics such as the access to IoT generated data and provisions on cloud switching.
In relation to cloud-switching, some obligations are watered down for SMEs and in case of custom-made cloud services.
- Scope of Personal Data
The proposal introduces a targeted clarification to GDPR’s core definition of personal data, which could significantly narrow its scope. The definition would focus on whether the controller has “means reasonably likely” to identify an individual. This reflects a subjective approach, meaning data may fall outside GDPR if the organization itself cannot identify the person, even if others could. This could exclude pseudonymized identifiers or certain tracking data from GDPR’s reach. This subjective approach has also been upheld in the recent SRB case of the EU Court of Justice.
- Personal data subject rights
Another important change is the rule that the right of data subjects to access their personal data will be subject to the requirement that (s)he can only do so for “data protection purposes”. Therefore, and by way of example, an employee seeking access to her/his yearly assessment or other personal data in view of starting a court case, may become more difficult.
- AI and Data Processing
One of the most debated elements of the Digital Omnibus is the introduction of a new legal basis for AI-related data processing:
- AI training, testing, and validation can rely on legitimate interest rather than consent, provided that strict safeguards are in place (such as balancing tests, transparency, data minimization, and data subject rights)
- If removing special-category data (such as health or ethnicity information) would be “disproportionate,” processing may still occur under additional protective measures. These measures could include measures like stronger encryption, limited access, and transparency obligations to reduce risks of misuse.
This raises critical questions:
- How would “disproportionate” be interpreted in practice?
- Could this open the door to profiling or bias risks if special-category data is used in AI models?
- What compliance strategies would businesses need to adopt to balance innovation with fundamental rights?
In any case this change would entail that companies will need to develop structured frameworks for Legitimate Interest Assessments (LIA) tailored to AI processing.
- SME Compliance Relief: GDPR record keeping and sanctions
Currently, under Article 30(5) GDPR, organizations with fewer than 250 employees are exempt from maintaining records of processing activities (RoPA) unless:
- The processing is likely to result in a risk to individuals’ rights and freedoms.
- The processing is not occasional.
- Special-category or criminal conviction data is involved.
The Digital Omnibus proposal significantly raises this threshold and introduces a risk-based approach:
- New threshold: The exemption will apply to organizations with fewer than 750 employees, provided they also meet financial criteria (annual turnover ≤ €150 million or balance sheet total ≤ €129 million).
- Risk-based condition: These organizations will only need to maintain RoPA if their processing activities are likely to result in a high risk to individuals’ rights and freedoms (as defined under Article 35 GDPR for DPIAs).
Under the proposal, many mid-sized companies that previously had to maintain detailed processing records would be exempt. Nevertheless, it is strongly recommended to start preparing internal guidelines to identify when processing activities could trigger a Data Protection Impact Assessment (DPIA) or fall outside the proposed exemption for high-risk processing.
On a more general note, the Digital Omnibus foresees a more lenient regime on the sanction end, fully taking into account the principle of proportionality.
Bottom Line
The Digital Omnibus signals a clear move toward simplification and harmonization of EU digital regulations, aiming to reduce compliance burdens and address “consent fatigue.” However, critics warn that these changes could weaken core GDPR protections, particularly around sensitive data, profiling, and user control over tracking.
For legal professionals, this means two things:
- Stay ahead of the curve: Even though the proposal is not yet law, businesses should begin assessing how these changes might affect their compliance frameworks.
- Future-proof compliance strategies: Develop risk-based approaches, update internal policies for legitimate interest assessments, and prepare for new reporting and consent mechanisms.
While the legislative process is still ongoing and the final text may evolve, proactive planning today will position organizations to adapt quickly when the rules take effect.
Authors:
