24 November 2025
newsletter
austria

European Commission presents "Digital Omnibus" package – what's proposed and what it could mean

On 19 November 2025, the European Commission presented a four‑part legislative initiative designed to simplify and streamline the EU's tech rulebook and support competitiveness. The package comprises: (i) a "Digital Omnibus" covering data, cybersecurity and privacy rules; (ii) a separate "Digital Omnibus on AI" amending the AI Act; (iii) a Communication on the Data Union Strategy to unlock high‑quality data for AI and innovation; and (iv) a legislative proposal on European Business Wallets to ease secure cross‑border interactions with public authorities. While each element matters, the most immediate operational implications for businesses arise from initiatives (i) and (ii).

Spotlight on the Digital Omnibus

The Digital Omnibus proposes targeted amendments across the EU's data protection, data sharing and cybersecurity frameworks to reduce duplicative obligations and clarify how the rules interact. Specifically, it proposes to integrate key ePrivacy Directive cookie rules into the GDPR, update and clarify the GDPR, amend and consolidate the Data Act (folding in the Data Governance Act, the Free Flow of Non‑Personal Data Regulation and the Open Data Directive/PSI regime) and create a single entry point for incident notifications required under NIS2, GDPR, DORA and CER (with later onboarding of eIDAS2 and sector‑specific regimes).

Key proposed changes include:

  • Cookie and tracking rules modernisation. The Commission seeks to tackle "consent fatigue" by moving core terminal‑equipment access rules into the GDPR framework and creating a simpler, more harmonised consent experience. Proposed features include a "single‑click" refusal option, prohibitions on repetitive consent prompts for the same purpose within a set period, and the groundwork for machine‑readable, automated preference signals that controllers must honour once standards are adopted. A limited whitelist would allow consent‑free use for specific purposes, such as audience measurement for a controller's own analytics and security.

  • Clarifications to the GDPR to ease compliance. Draft amendments would bring greater legal certainty on pseudonymisation and the point at which data can be treated as non‑personal for a given entity, streamline information obligations where individuals can reasonably be assumed to be already informed, and introduce EU‑wide, EDPB‑led templates and lists for data protection impact assessments. Finally, the Commission proposes to adjust breach notification by extending the authority notification deadline to 96 hours and aligning thresholds to focus on higher‑risk incidents, coupled with a common EU reporting form.

  • Lawful basis for AI development and operation under the GDPR. To resolve long‑running uncertainty, the proposal clarifies how "legitimate interests" may apply to processing personal data for developing and operating AI systems, subject to safeguards and individuals' right to object. In parallel, a narrowly framed derogation would allow residual special‑category data present in datasets to be handled for bias detection/correction or where removal is disproportionate, with technical measures to minimise and prevent disclosure of such data in outputs.

  • Streamlining the data acquis through the Data Act. The proposal consolidates elements of the EU's public‑sector re‑use and data intermediation frameworks into the Data Act to reduce fragmentation, remove outdated provisions and simplify re‑use conditions. It narrows business‑to‑government data access to clearly defined "public emergencies" and introduces reinforced trade secret protections, including the ability to refuse disclosure where there is a substantial risk of unlawful acquisition or third‑country leakage. It also calibrates the cloud switching rules under the Data Act with targeted exemptions for custom‑made services and certain SME/SMC providers under legacy contracts.

  • Single entry point for cyber incident reporting. To halve reporting burdens and improve timeliness, entities would notify once via an EU‑level single interface operated by ENISA, which forwards reports to the competent national authorities to meet obligations under overlapping instruments (e.g. NIS2, GDPR, DORA and CER). The reform does not expand the scope of reporting but rationalises the channel and formats through implementing acts.

Spotlight on the Digital Omnibus on AI

The AI‑focused proposal aims to ensure a workable rollout of the AI Act by realigning timelines to the availability of standards, centralising oversight where appropriate and extending practical support measures, particularly for smaller players.

Key proposed changes include:

  • Timeline alignment and transitional relief. The Commission proposes linking the full application of "high-risk" AI rules to the adoption of harmonised standards, common specifications or guidance. For Annex III systems, the rules would apply six months after a Commission decision on standards, but no later than 2 December 2027. For Annex I systems (regulated products), the deadline would be 12 months after that decision, or by 2 August 2028 at the latest. The Commission justifies this delay on grounds that support tools (standards, technical specifications, guidelines) are not yet sufficiently mature.

  • Centralised oversight at EU level. The AI Office's mandate would be expanded. It would oversee not only general-purpose AI models, but also AI embedded in Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) under the Digital Services Act. The proposal enables pre-market conformity assessments by the AI Office for certain AI systems. The Commission also proposes broader use of regulatory sandboxes, including an EU-level sandbox beginning in 2028, to support real-world testing.

  • Proportionate compliance pathways. Simplified technical documentation requirements, originally only for SMEs, would be extended to small mid-caps (SMCs). Quality-management system obligations would become more flexible for SMEs/SMCs. In addition, the "AI literacy" obligation on providers and deployers would be removed. Instead, the Commission and Member States would be encouraged (but not mandated) to promote AI literacy more broadly.

  • Lawful processing for bias mitigation. The proposal would allow providers and deployers of all AI systems – not only high-risk ones – to process special category personal data (e.g. health data, biometric data, racial or ethnic origin) for the purpose of detecting and correcting bias. Use of this data must be subject to "appropriate safeguards" (technical and organisational), as well as the principles of data minimisation and proportionality.

Legislative process and expected changes

At this stage, these texts are Commission proposals. They will proceed through the ordinary legislative procedure in the European Parliament and the Council, where material amendments are likely. Timelines will depend on political prioritisation, the pace of trilogues and whether any fast‑track procedures are invoked. Stakeholder positions already diverge on several aspects – particularly GDPR‑related clarifications, cookie reforms and AI timelines – so revisions should be anticipated.

What businesses should do now

While the package signals a clear direction of travel, these are not yet binding changes. Until the Digital Omnibus and the Digital Omnibus on AI are negotiated, adopted and enter into application, businesses should continue to comply with existing EU digital laws and timelines as they stand today.

authors: Daniela Birnbauer, Günther Leissler
