The publication of the EU Digital Omnibus Proposal (“Omnibus”) on 19 November set out a two-part package of simplifications to its data protection rulebook. Pitched as a means to reduce regulatory friction and foster innovation, the initiative represents the EU’s ambition to reap the benefits of the digital revolution.

Following the Draghi report’s warning that the EU was trailing behind US and Chinese markets due to overregulation, the EU has course-corrected its approach to digital regulation, overhauling its flagship data legislation to strengthen its position in the global market. The Omnibus thus forms part of the Commission’s wider promise to reduce administrative burdens by at least 25% for all businesses—and at least 35% for small and medium-sized enterprises (“SMEs”)—by 2029.

The EU’s double-decker Omnibus splits reforms down two tracks:

  • Track 1: an immediate set of reforms that would simplify and harmonise current EU digital laws, including the GDPR, the EU AI Act and the Data Act, among others; and
  • Track 2: a “Digital Fitness Check” to assess the cumulative impact of the EU’s digital regulations.

GDPR

Refined Definition of Personal Data

The Omnibus refines the GDPR’s definition of personal data by introducing a more contextual test for identifiability. Pseudonymised data would thus fall outside the scope of the GDPR if an entity has no realistic means of re-identification.

New Basis for Training AI Systems and Scientific Research

A new article would recognise scientific research and the development of AI systems as a legitimate interest basis for processing personal data under the GDPR, subject to the usual balancing test and technical safeguards. The Omnibus also updates Article 5(1)(b) to specify that personal data can be reused for scientific research without breaching purpose limitations.

Greater Control over Excessive DSARs

To address an increase in tactical data subject access requests (“DSARs”), the Omnibus would adjust controller obligations to ease the compliance burden for businesses. The Omnibus reinforces controllers’ authority to refuse or charge a reasonable fee where requests are excessive and/or abused for purposes other than the protection of the individual’s data. It also lowers the burden to prove a request is excessive and makes clear that overly broad DSARs would count as such.

Harmonised Cookie Rules

The Omnibus would streamline cookie rules by folding ePrivacy’s requirements into a new GDPR Article 88a. Any storage of or access to personal data on user devices would instead fall squarely under the GDPR, with the ePrivacy Directive applying only where users are not natural persons or no personal data are processed.

Relaxed Breach Reporting Obligations

The GDPR currently requires organisations to report any personal data breach within 72 hours unless it is “unlikely to result in a risk” to data subjects. The Omnibus would ease this burden by requiring notification only when a breach is likely to pose a “high risk” to individuals’ rights and freedoms and would allow controllers up to 96 hours from detection to report it.


AI Act

Extended Timelines for High-Risk AI Compliance

The AI Act’s compliance deadlines for high-risk AI systems would be pushed back. The new long-stop dates extend timelines by up to six months for certain high-risk use cases and twelve months for systems embedded in or comprising regulated products, but to no later than 2 December 2027 and 2 August 2028, respectively.

Expanded Basis for AI Debiasing

A new narrow derogation will allow all systems to use sensitive data in AI training for bias detection and correction. It also lowers the bar to trigger this provision from “strictly necessary” to “necessary,” provided that safeguards are in place to prevent misuse or unauthorised access to sensitive data.

Grace Period for AI Transparency Requirements

Providers of AI systems that produce synthetic audio, images, video, or text would benefit from a grace period of six months until 2 February 2027 to ensure their outputs are identifiable as artificially generated, using machine-readable markers such as watermarks or metadata identifiers.

Streamlined Obligations for SMEs and Mid-Cap Companies

Reliefs currently available to SMEs under the AI Act will extend to mid-cap companies, such as simplified documentation obligations and proportional fines. Current quality management system concessions for micro-enterprises will now cover all SMEs and mid-cap companies, with requirements scaled to the organisation’s size.


Data Act and Other Laws

Enhanced Safeguards Against Trade Secret Disclosures

The Omnibus tightens trade secret protections under the Data Act by giving data holders a clear right to refuse disclosure where there is a high risk that their trade secrets could be unlawfully accessed, used or leaked to third countries with weaker safeguards. Crucially, this risk test also covers EU-based entities under the direct or indirect control of companies in third countries that do not offer equivalent protections, closing a loophole that previously left businesses’ intellectual property exposed.

Exemptions for Custom-Made Cloud Services

A new carve-out exempts providers of custom-made cloud services from most Data Act switching requirements. Highly customised data processing services that are not offered “off the shelf,” and are supplied under contracts concluded before or on 12 September 2025, would fall outside most of the obligations on cloud switching and data portability.

Unified Breach Notifications

The Omnibus plans to consolidate the current patchwork of breach reporting requirements through a single entry point, complementing the broader move to simplify GDPR breach-reporting duties. Under this model, affected entities would submit one report through a unified EU portal, which would then be routed to the relevant authorities across all applicable frameworks, comprising the GDPR, the NIS 2 Directive, the Digital Operational Resilience Act, the Cyber Resilience Act and the Critical Entities Resilience Directive.


Looking Ahead

As the Omnibus is still in draft form, there are no immediate actions required before its provisions become enforceable.

Many of the amendments are still tightly scoped, so the practical benefits may be limited, but they signal to the wider market that the EU digital regime is now focused on AI growth: a clear shift in Brussels’ stance from the caution of previous years. For most, the question now is not whether a streamlined digital acquis is necessary—it is—but whether the EU’s reforms will continue to set market standards rather than merely chase them. We will watch this space and provide updates as they arise.