The Digital Omnibus: streamlining some proposals on AI, cybersecurity and data
A) Targeted GDPR amendments
Clarifying personal data and pseudonymisation. The GDPR reform proposals constitute some of the most significant elements of the Digital Omnibus, as they seek to redefine the very core concept of “personal data.” Under the Commission’s proposals, information will no longer qualify as personal data for a controller if the latter lacks reasonable means to identify the individual to whom the data relates. Consequently, GDPR obligations would not apply. In addition, the proposed Digital Omnibus introduces a new Article 41a GDPR, establishing a mechanism to ensure that GDPR keeps pace with technological developments in pseudonymisation.
Training AI systems using personal data. The reforms also propose a new Article 88c, clarifying that entities may rely on legitimate interests under Article 6(1)(f) GDPR to process personal data specifically for the training, testing, and validation of AI systems and models.
Amending rules on sensitive data. The reform envisages a reduction of constraints on processing special categories of personal data under Article 9 GDPR, when processing occurs in connection with AI development and deployment. In parallel, the proposed Digital Omnibus introduces a new Article 4a in the AI Act, permitting the processing of sensitive data for purposes of detecting and mitigating bias.
Flexibility on abusive Data Subject Access Requests (DSARs). The proposal seeks to amend Article 12 GDPR, related to data subject access requests, to allow controllers to refuse requests or charge a reasonable fee if a data subject abuses their rights for purposes unrelated to data protection. Such requests could be designated as “manifestly unfounded or excessive,” thereby alleviating compliance obligations, and lowering the burden of proof: controllers must show “reasonable grounds” to argue a request is excessive.
New transparency rules. Article 13(4) GDPR is proposed to be amended to expand exceptions to transparency obligations, and controllers would be exempt from providing information if the data subject already reasonably possesses it.
Reporting obligations limited to critical incidents. The draft Digital Omnibus includes a measure to limit GDPR breach notification requirements to critical incidents only, a reform that should reduce unnecessary administrative work for businesses and regulators alike.
B) Modernising cookie consent and improving user experience
The Commission’s reform package targets the EU’s legal framework on cookies, aiming to reduce “consent fatigue” and the proliferation of cookie banners.
From ePrivacy to GDPR. The reforms propose transferring the legal regime governing information on end-users’ terminal equipment from the ePrivacy Directive into GDPR.
Extended list of exceptions to cookie consent. A proposed new Article 88a GDPR would broaden the exceptions to the consent requirement for cookie-based data processing. Under this expansion, processing activities related to audience measurement conducted by a controller for its own purposes, maintaining or restoring the security of a service, or fulfilling a service explicitly requested by a user, would be considered “necessary.” As a result, such processing would no longer require user consent.
Machine-readable consent signals. The package also proposes amendments requiring service providers to respect users’ consent preferences in an automated, machine-readable format once technical standards are established. This means consent choices set at the device or browser level must be automatically recognised and respected. Businesses will need to update their systems to automatically recognise and respect users’ machine-readable consent signals, reducing reliance on traditional consent banners.
C) A unified cross-legislation reporting interface
Currently, organisations face multiple, overlapping incident reporting obligations under a long list of legislative instruments: NIS2, DORA, eIDAS, and GDPR.
The proposed Digital Omnibus aims to streamline these. Proposed amendments to Article 33 GDPR would align breach notifications for IT security and data protection incidents. Controllers would notify the supervisory authority via a single entry point established by ENISA, and the reporting deadline would be extended from 72 to 96 hours. This would reduce administrative burdens for businesses and enable a more focused approach to incident reporting.
D) More innovation-friendly AI regulation
The Digital Omnibus proposal introduces a series of practical adjustments to the AI Act, aimed at easing implementation and giving organisations a more predictable and innovation-friendly regulatory environment.
A clearer legal basis for training AI models. The proposal confirms that personal data may be processed for AI training, testing and validation on the basis of legitimate interest. This clarification is significant for organisations that rely heavily on data-driven model development. The use of legitimate interest still requires full GDPR compliance, including transparency, necessity assessments, data minimisation and the ability for individuals to object. The Commission notes that the balancing test may more easily favour organisations where model training enhances societal value, such as improving security, accessibility or fairness.
Using sensitive data to improve fairness. The Digital Omnibus introduces a narrow exception allowing limited use of special category data strictly for detecting or correcting bias in AI systems. This recognises that fairness assessments often cannot be performed meaningfully without reference to sensitive characteristics. The processing must remain proportionate and safeguarded, and it cannot be repurposed for other objectives. This change might give businesses a realistic route to verify and strengthen the fairness of their models.
Postponement of compliance deadline for high-risk AI. The proposal introduces a degree of flexibility to the start dates of high-risk AI obligations. Rather than having obligations apply automatically on fixed dates, deployment requirements will begin once the Commission confirms that adequate harmonised standards, technical guidance and support tools are in place. Notably, longstop deadlines remain: high-risk systems under Annex III would need to comply by December 2027, and systems under Annex I by August 2028. For high-risk AI already lawfully on the market, the proposal also gives providers additional time to comply, allowing continued availability without redesign unless substantial changes are made.
Grace period for generative AI transparency rules. Providers of generative AI systems placed on the market before August 2026 will benefit from an additional six months before the watermarking and content-labelling requirements start to apply. This adjustment reflects the fact that technical standards for watermarking are still under development. The Commission is preparing a dedicated Code of Practice to guide implementation once the standards are operational.
Registration relief for non-high-risk systems. The Digital Omnibus removes the obligation to register AI systems that are used in a high-risk environment but are not themselves high-risk. Under the proposed change, organisations will still need to document their assessment internally but will no longer be required to add such systems to the AI Office’s high-risk database. This aims to reduce administrative burdens and avoid unnecessary filings.
A centralised AI Office. The AI Office’s authority will expand significantly. It will become exclusively competent for systems based on general-purpose AI models and for AI systems that are, or form part of, very large online platforms and search engines. This centralisation aims to reduce fragmentation between Member States and create a more consistent supervisory environment for organisations operating across borders.
Streamlined conformity assessments. Bodies responsible for conformity assessments will be able to submit a single application and undergo a single designation procedure for both the AI Act and related EU harmonisation legislation. This is aimed at reducing duplication and should accelerate the designation process, lowering compliance barriers for organisations seeking certification.
More flexible post-market monitoring. The obligation to follow a harmonised Commission template for post-market monitoring plans will be removed. Instead, providers may maintain their own monitoring approach within their technical documentation, guided by Commission recommendations rather than formal templates. This shift should give businesses more operational flexibility while maintaining oversight.
Expansion of regulatory sandboxes. The Digital Omnibus enhances the role of regulatory sandboxes. The AI Office may establish an EU-level sandbox to support real-world testing of innovative systems, including GPAI. Member States will also be able to enter voluntary arrangements that allow extended real-world testing outside national sandbox programmes. An EU-wide sandbox planned for 2028 will enable cross-border experimentation under consistent supervision.
SME and mid-cap relief. The package also broadens the existing simplifications for smaller organisations. Measures previously available only to SMEs will now extend to mid-cap companies, including simplified documentation, proportional fines and tailored guidance. Micro-enterprise simplifications for quality management systems will also be expanded to all SMEs and start-ups, reducing compliance burdens while maintaining essential safeguards.
E) Improving access to data and clarifying the Data Act
Another significant element of the Commission’s proposal is the intention to consolidate several existing instruments, including the Data Governance Act, the Regulation on the Free Flow of Non-Personal Data, and the Open Data Directive, into a single, consolidated Data Act. This updated framework would not only unify these texts but also amend the current Data Act itself. Overall, these reforms reflect a clear ambition: to enable more fluid data sharing while reducing unnecessary burdens on businesses. The proposed changes include:
A broader definition of “data holder”, no longer defined as a natural or legal person required to both “use and make data available”, but instead as one required to “use or make data available”.
Enhanced trade secret protection, allowing data holders greater flexibility to refuse data disclosures when sensitive information or competitive interests may be at risk.
Expanded exceptions to cloud switching and portability rules for custom-made data processing services, those heavily tailored to a customer’s specific needs and not offered “off the shelf.”
Most obligations under Chapter VI, which govern switching between data processing providers, would not apply to contracts concluded on or before 12 September 2025, with limited exceptions.
F) Proposal to repeal the P2B Regulation
The Digital Omnibus proposes to repeal the P2B Regulation with the aim of eliminating overlaps and multiple layers of regulation. The introduction of the P2B Regulation in 2020 is recognised by the Commission as an important first step towards a comprehensive legal framework for the platform economy, but the Commission notes that in the meantime other acts that regulate online intermediation services and online platforms have entered into force, most notably the Digital Services Act (DSA) and the Digital Markets Act (DMA).
The DSA and DMA have largely overtaken the provisions in the P2B Regulation, although the Commission proposes to leave certain provisions of the P2B Regulation in place and envisages a transitory period up until 2032. According to the Staff Working Document accompanying the draft Digital Omnibus, the P2B Guidelines on ranking transparency should remain as a reference even after the repeal of the P2B Regulation.
Outlook
The Digital Omnibus package will now be reviewed by the European Parliament and the Council.
In parallel, the Commission has launched a broad Digital Fitness Check, until 11 March 2026, to assess the coherence and cumulative impact of the EU’s digital rulebook.
This initiative forms part of the Commission’s broader objective to reduce administrative burdens by 25% overall, and by at least 35% for SMEs by the end of 2029.
Would you like to learn more?
The renewed determination of European decision-makers to prioritise pragmatism and competitiveness can’t help but add a new layer of legal uncertainty for businesses operating in Europe. As the Digital Omnibus moves through the legislative process, organisations will need to rely on strong scenario planning and a clear understanding of how each proposal may evolve.
To help clients navigate this landscape, we are planning a dedicated Digital Omnibus article series. We will publish four in-depth articles exploring the most important aspects of the Digital Omnibus:
- GDPR & ePrivacy reforms;
- A unified EU reporting interface for digital incidents;
- Targeted adjustments to the AI Act;
- Clarifying and consolidating EU data rules.
Each article will take a focused look at one element of the package, from the AI Act amendments to the GDPR changes and the sector-specific effects. If you want to stay ahead of these developments, keep an eye out for our upcoming content.