Introduction
On November 19, 2025, the European Commission published its Digital Omnibus Regulation Proposal and its accompanying Digital Omnibus on AI Regulation Proposal. This comprehensive initiative represents a strategic effort to streamline, simplify, and harmonize the EU's fragmented digital regulatory landscape.
These proposals aim to cut administrative costs and enhance legal certainty. If adopted, they will introduce significant changes to the General Data Protection Regulation (GDPR), the ePrivacy Directive, the NIS2 Directive, the Data Act, and the EU AI Act.
Below is a deep dive into the most critical amendments your organization needs to assess.
I. Targeted Amendments to the GDPR (Regulation (EU) 2016/679)
The amendments to the GDPR are primarily technical, aiming to clarify definitions and simplify compliance for low-risk processing while maintaining high protection standards.
1. Clarity for AI Development
- Explicit Legitimate Interest: The proposal introduces a new provision that explicitly recognizes processing personal data to develop and deploy AI systems and models as a legitimate interest under the GDPR. Necessity and proportionality must still be established via a balancing test.
- Special Categories Exception: A new exception allows the residual processing of special categories of personal data for AI development, provided appropriate safeguards are in place, such as minimization and the removal of any sensitive data that is identified.
2. Relaxed Obligations for Specific Processing
- Revised Definition of Personal Data: Clarifies that information is not personal data for an entity if that entity does not have means reasonably likely to be used to identify the natural person. In other words, information does not become personal data for an entity merely because a subsequent recipient has the means to identify the person.
- Biometric Verification: Allows an exception for processing biometric data when necessary for confirming identity (verification), provided the means are under the sole control of the data subject.
- Scientific Research: Provides a clear, broad definition of "scientific research" and clarifies that processing for this purpose is both a legitimate interest and compatible with the initial purpose (Article 5(1)(b) clarification).
- Expanded Exemptions to Data Subject Rights: Clarifies that the controller may refuse, or charge a reasonable fee for, access requests that are excessive (for example because of their repetitive character) or where the data subject is using the right of access for purposes other than data protection. It also extends the exemption from the information obligation (Article 13) to processing for scientific research where providing the information is impossible or would involve disproportionate effort.
II. An End to Cookie Fatigue via an e-Privacy Directive (Directive 2002/58/EC) Overhaul
The primary goal of the e-Privacy Directive amendments is to tackle the pervasive issue of 'consent fatigue' and move towards a single, unified regulatory framework.
1. Single Regulatory Framework
- Unified Cookies Storage Rules: The Digital Omnibus Regulation Proposal streamlines the rules for the storing or accessing of personal data on a person's terminal equipment (i.e., cookies and similar trackers) under one regime by moving it to a new Article 88a in the GDPR.
2. Simplified Consent Requirements
- Single-Click Refusal: Controllers must ensure data subjects can refuse consent easily (single-click or equivalent). In addition, where a data subject has declined a request for consent for a specific purpose, the controller shall not request consent for the same purpose for at least six months.
- Automated Choices: The proposal requires all controllers, except media service providers, to respect automated and machine-readable indications of consent or objection (e.g., via browser settings) once technical standards are available. This would substantially change the user experience by minimizing intrusive pop-ups.
- Low-Risk Exceptions: Defines a limited list of purposes where processing is lawful without consent (e.g., necessary for network transmission, service explicitly requested, security, and aggregated audience measurement solely for the controller's use).
III. Harmonized Incident Reporting and a Consolidated Data Act
A key theme of the Digital Omnibus Proposal is to reduce reporting complexity by harmonizing overlapping reporting and governance structures.
1. Single Entry Point for Incident Reporting
- Single Entry Point: Mandates the European Union Agency for Cybersecurity (ENISA) to develop and maintain a centralized platform for incident and event reporting.
- One-Stop-Shop Reporting: Entities will use this single entry point for their reporting obligations under the General Data Protection Regulation (GDPR), the Network and Information Systems Directive (NIS2), the Digital Operational Resilience Act (DORA), the Electronic Identification, Authentication and Trust Services Regulation (eIDAS), and the Critical Entities Resilience Directive (CER).
- Harmonized Thresholds: The GDPR breach notification threshold is raised: notification to the supervisory authority is required only if the breach is likely to result in a high risk to data subjects' rights and freedoms (currently, notification is required unless the breach is unlikely to result in a risk).
- Extended Deadline: The deadline for notifying the supervisory authority under the GDPR is extended from 72 to 96 hours.
2. Data Act Consolidation & Simplification
The Data Act (Regulation (EU) 2023/2854) expands its role to become the single rulebook for the EU data economy.
- Major Consolidation: It will repeal and consolidate the rules currently found in Regulation (EU) 2018/1807 (Free Flow of Non-Personal Data Regulation), Regulation (EU) 2022/868 (Data Governance Act), and Directive (EU) 2019/1024 (Open Data Directive).
- B2G Sharing Narrowed: The scope of mandatory business-to-government (B2G) data sharing is significantly narrowed from "exceptional needs" to only "public emergencies or for the production of statistics in relation to public emergencies."
- Trade Secret Protection: Data holders may refuse to disclose trade secrets where there is a high risk of unlawful acquisition by third-country entities that are subject to weaker protection. The refusal must be substantiated on the basis of objective elements, such as the enforceability of trade secret protection in the third country concerned, the nature and level of confidentiality of the data requested, and the uniqueness and novelty of the connected product.
IV. Targeted Updates to the EU AI Act (Regulation (EU) 2024/1689)
The Digital Omnibus on AI aims to ensure the timely and innovation-friendly implementation of the landmark AI Act.
1. Compliance Timelines and Support
- Clarity on High-Risk AI Rules: The applicability of the high-risk AI rules is linked to the availability of compliance support tools (standards, guidelines) rather than to the current fixed dates. This flexibility is capped by backstop dates: 2 December 2027 for AI systems classified as high-risk under Article 6(2) and Annex III, and 2 August 2028 for AI systems classified as high-risk under Article 6(1) and Annex I of the EU AI Act. This gives providers a more realistic compliance pathway, with clarity on the applicable tools before enforcement begins.
- SME Support Extended: The regulatory privileges (e.g., simplified documentation, adjusted quality management) are extended to Small Mid-Caps (SMCs), mirroring those granted to SMEs.
2. Centralized Governance & Bias Detection
- Exclusive AI Office Competence: The AI Office will gain competence for supervising and enforcing the rules on General-Purpose AI (GPAI) models and on AI systems integrated into Very Large Online Platforms and Very Large Online Search Engines (VLOPs/VLOSEs). For the latter, the risk assessment and audit obligations under the Digital Services Act continue to apply, while the AI Office is responsible for ex-post investigation of non-compliance.
- Bias Detection Exception: Includes a new provision allowing the necessary processing of special categories of personal data for bias detection and correction, subject to strict safeguards.
Conclusion: Time to Assess and Prepare
While the Digital Omnibus Proposals are aimed at simplification, they introduce fundamental shifts in key compliance obligations. Now that the proposals are public, they will proceed through the Ordinary Legislative Procedure involving the European Parliament and the Council of the EU. Finalization and adoption might happen around mid to late 2026.
Organizations should not wait for final adoption. Strategic teams within each organization should begin now to assess the impact of:
- The revised 'personal data' definition on their data inventory mapping.
- The new AI-specific legal basis within GDPR for their AI development teams.
- The single-click/automated consent mandates for their website and app interfaces.
- The new single incident reporting platform for their cyber incident response plans.
- The flexible timelines for the applicability of high-risk AI rules subject to the availability of compliance support tools.