
The EU Digital Omnibus Proposal Explained


Introduction

The European Union’s digital rulebook is undergoing a significant transformation. At the heart of this effort lies the EU Digital Omnibus proposal, a legislative initiative introduced by the European Commission seeking to simplify, rationalise, and modernise the EU’s framework for data protection, artificial intelligence (AI), cybersecurity, and broader digital governance.

This legislative initiative forms part of a broader Digital Omnibus Package, which also includes a parallel Digital Omnibus on AI that proposes targeted amendments to the EU AI Act. The package is designed to boost the EU digital economy, reduce administrative burdens on businesses, and clarify legal uncertainty in a complex digital regulatory landscape shaped by overlapping laws such as the General Data Protection Regulation, Data Act, ePrivacy Directive, and the AI Act itself.

The EU Digital Omnibus proposal

On 19 November 2025, the European Commission published the Digital Omnibus regulation proposal, a cornerstone of its digital policy agenda aimed at streamlining and updating the European Union’s digital rules. Rather than introducing wholly new frameworks, this proposal focuses on amendments and consolidation of existing legislation to ensure coherent application across domains such as personal data protection, AI regulation, cyber incident reporting, and data sharing.

The impetus for the Digital Omnibus stems from concerns that the EU’s digital regulatory landscape had become overly fragmented, with multiple intersecting digital laws leading to duplication, regulatory complexity, and increased compliance costs for organisations. By rationalising these EU laws, the proposal aims to reduce administrative burdens while maintaining a high level of protection for fundamental rights, including data protection, consumer protection, and the rights of the natural person.

The Digital Omnibus proposal is also part of the European Commission’s broader strategy to boost competitiveness, innovation, and growth across the EU economy, as outlined in its long-term digital policy agenda. Particular attention is paid to organisations operating across multiple Member States, which often face inconsistent interpretations of EU digital rules.

The proposal is now subject to the legislative process involving the European Parliament and the Council. It is expected to undergo revisions before possible adoption, meaning businesses should closely monitor developments to anticipate compliance and operational changes.

Data Protection and Data Subject Rights

A core element of the Digital Omnibus Proposal concerns targeted reforms to data protection law, primarily through clarifications and adjustments to the General Data Protection Regulation. The proposal aims to modernise the GDPR application without undermining the protection of data subject rights.

One significant clarification concerns the definition of personal data and the consideration of personal data, particularly where data has been pseudonymised or aggregated. The proposal seeks to reduce legal uncertainty by clarifying when such data remains identifiable and therefore subject to GDPR obligations. This has direct implications for organisations engaged in data processing, creating aggregated information, and large-scale analytics.

The proposal also introduces limited derogations for processing special category data, including biometric data, in narrowly defined circumstances. One example is biometric verification mechanisms that remain under the sole control of the user, provided appropriate safeguards are implemented. These changes aim to reflect technological realities while maintaining strong protections for sensitive data.

Data subject requests, including access requests and portability rights, will be simplified through procedural harmonisation. The proposal introduces a single entry point for handling personal data breach notifications, allowing organisations to notify supervisory authorities through one coordinated mechanism rather than multiple parallel systems.

To promote consistency across the European Union, the European Data Protection Board will be empowered to issue EU-wide blacklists and whitelists of processing operations that require mandatory data protection impact assessments. This is intended to reduce divergent national practices and help organisations better assess high-risk processing activities.


AI Regulation and Development

The Digital Omnibus Package introduces targeted changes to the AI Act to ensure coherence between AI regulation proposal requirements and existing data protection obligations. These changes aim to support responsible AI development while ensuring compliance with GDPR and other EU digital legislation.

The proposal clarifies how AI systems built and deployed in the EU may lawfully process personal data, including special category data, when appropriate safeguards are in place. It explicitly recognises training AI models as a legitimate interest in certain contexts, allowing organisations to rely on an opt-out mechanism rather than requiring explicit consent, provided that fundamental rights are respected.

This clarification is particularly relevant for organisations training AI models, including general-purpose AI models, that rely on large volumes of data. The proposal seeks to strike a balance between innovation and data protection by requiring transparency, documentation, and proportionality assessments.

To further encourage innovation, the proposal strengthens the framework for AI regulatory sandboxes, enabling controlled real-world testing of AI systems under regulatory supervision. An EU-level sandbox is foreseen from 2028, complementing national initiatives and reducing barriers to cross-border AI experimentation.


Digital Omnibus on AI and AI Models

The Digital Omnibus on AI aims to consolidate and simplify the EU’s AI regulatory framework, ensuring that obligations under the AI Act are proportionate, enforceable, and aligned with technological realities.

New rules are proposed for high-risk AI systems, reinforcing requirements for transparency, explainability, bias detection, and human oversight. These obligations are intended to protect fundamental rights, particularly in contexts where AI systems may significantly affect individuals, such as biometric identification, access to services, or automated decision-making.

The proposal also introduces clearer governance for AI models, including those integrated into very large online platforms. The European AI Office will act as the primary supervisory authority for general-purpose AI models and platform-integrated systems, ensuring consistent enforcement and reducing fragmentation across Member States.

In parallel, the proposal promotes AI literacy and the development of technical and organisational support tools, enabling organisations to meet compliance requirements while fostering trustworthy artificial intelligence across the EU.

Data Act and the EU Data Economy

The Digital Omnibus Proposal introduces targeted adjustments to the Data Act with the aim of improving legal clarity and supporting a competitive and innovative EU data economy.

The proposal consolidates related data governance instruments, including rules on data sharing, reuse, and access, into a more coherent framework. This includes alignment with the Free Flow of Non-Personal Data regime, ensuring smoother interaction between personal and non-personal data obligations.

Simplification of the Data Act focuses on reducing fragmentation while preserving safeguards for personal data and trade secrets. Public sector access to private-sector data is narrowed to exceptional circumstances, and clearer exemptions are introduced where disclosure would cause serious economic harm.

These reforms are designed to encourage lawful data reuse, scientific research, and innovation, while ensuring that data protection law remains fully applicable whenever such data relates to an identifiable natural person.

AI Regulation Proposal and Governance

The broader AI Regulation Proposal establishes a comprehensive governance framework for artificial intelligence across the European Union. The Digital Omnibus builds on this by refining institutional roles and enforcement mechanisms.

The European AI Office will play a central role in supervising high-impact AI systems, issuing guidance, coordinating enforcement, and supporting consistent application of the rules. This centralisation aims to reduce compliance fragmentation and legal uncertainty for organisations operating across multiple jurisdictions.

The proposal also reinforces requirements for transparency, explainability, and human oversight across the AI lifecycle, from design and development to deployment and monitoring. These standards apply particularly to high-risk AI systems that may affect fundamental rights or public safety.

Overall, the governance framework seeks to promote trust, accountability, and responsible AI innovation, while ensuring that AI systems are aligned with European values and legal standards.


Cybersecurity and Data Breach Notifications

Cybersecurity and incident response are another major focus of the Digital Omnibus Proposal. The proposal introduces a harmonised approach to incident reporting and personal data breaches across multiple EU legal instruments.

A central reform is the creation of a single entry point for breach reporting, allowing organisations to notify relevant authorities through one coordinated mechanism. This applies to GDPR personal data breach notifications, cybersecurity incidents, and obligations under sector-specific legislation.

The proposal extends notification deadlines to 96 hours in certain cases, focusing regulatory attention on incidents that pose a genuine high risk to individuals or essential services. It also aims to reduce duplicate reporting and administrative burdens for organisations operating under multiple regulatory regimes.

Amendments to the Critical Entities Resilience Directive further strengthen requirements for incident response and resilience planning, promoting a more robust cybersecurity culture across the EU.


The Digital Omnibus Proposal integrates key elements of the ePrivacy Directive into the GDPR framework, aiming to harmonise cookie and tracking rules across the European Union.

The proposal introduces clearer standards for cookie consent, focusing on transparency, user control, and simplicity. Certain low-risk uses may be exempt from consent requirements while maintaining strong protections for tracking that involves processing personal data.

To address widespread “cookie fatigue,” the European Commission plans to develop standardised, machine-readable consent and objection signals. These signals would allow browsers and devices to communicate user preferences automatically, improving enforcement consistency and user experience.

This reform aims to create a more user-centric privacy framework while maintaining effective consumer protection and compliance clarity for organisations.

Business Implications and Compliance

The Digital Omnibus Proposal carries significant practical implications for businesses. Organisations will need to reassess compliance strategies across data protection, AI governance, cybersecurity, and data sharing.

Key areas of impact include handling data subject rights, managing data subject access requests, conducting data protection impact assessments, and adapting internal processes to new breach notification mechanisms. AI developers must also evaluate whether their systems qualify as high-risk AI systems and adjust governance accordingly.

While the proposal seeks to reduce administrative burdens, it also raises expectations around accountability, documentation, and transparency. Organisations operating in the EU should invest in compliance planning, staff training, and technical safeguards to prepare for the evolving digital regulatory framework.

Conclusion

The Digital Omnibus Proposal is still undergoing legislative review and is expected to be revised before final adoption. Implementation timelines will depend on negotiations between the European Commission, European Parliament, and the Council.

Businesses should proactively monitor legislative developments, assess potential impacts on their operations, and prepare for transitional periods once the final text is adopted. Early preparation will help minimise disruption and support continued innovation and competitiveness.

Ultimately, the EU Digital Omnibus aims to deliver a coherent, future-proof digital regulatory framework that supports growth, innovation, and trust across the European Union, while ensuring robust protection of fundamental rights in the digital age.
