What You Need to Know
The EU's proposed Digital Omnibus Package will align and tighten cross-regulation obligations in 2025, with immediate impact on data governance, AI deployment and incident readiness across financial services and other regulated sectors.
It streamlines overlapping requirements under the GDPR, the ePrivacy Directive, the Data Act, the AI Act, NIS2 and DORA, while clarifying enforcement and redress, including in light of recent CJEU developments.
Introduction
On 19 November 2025, the European Commission published its proposed (i) Digital Omnibus and (ii) Digital Omnibus on AI ("Digital Omnibus Package") which form part of the European Union's ("EU") wider simplification agenda. The Digital Omnibus Package proposes targeted amendments to EU digital legislation including the GDPR, the ePrivacy Directive, the Data Act, the AI Act, NIS2 and DORA.
The driving force behind the Digital Omnibus is improving EU competitiveness by simplifying, consolidating and streamlining digital legislation. The proposed amendments seek to ease administrative burdens on EU businesses while preserving core safeguards. With respect to the Digital Omnibus on AI, the driving force is to clarify certain elements of the AI Act which came into force in August 2024 and to ease the roll-out of high-risk AI obligations which come into force in August 2026.
Digital Omnibus [1]
The Digital Omnibus proposes to amend legislation such as the GDPR, the ePrivacy Directive, the Data Act, NIS2 and DORA.
GDPR and ePrivacy
The Digital Omnibus proposes a number of amendments to the GDPR and the ePrivacy Directive such as:
- Personal Data Breaches: It is proposed that these would be reportable to national data protection supervisory authorities only where the breach poses a high risk to data subjects rather than simply posing a risk to data subjects. Furthermore, it is proposed to extend the timeline for reporting a personal data breach to within 96 hours of becoming aware rather than 72 hours. It is also proposed to create a new platform for reporting such breaches which would also be used for reporting incidents under other legislation such as NIS2 and DORA.
- Privacy Notices: It is proposed that (i) where personal data has been collected from the data subject in the context of a clear and circumscribed relationship; (ii) the activity is not data intensive; and (iii) there are reasonable grounds to believe that the data subject already knows the controller's identity and the purposes and legal bases for the processing, controllers will not be required to provide a privacy notice. However, this would not apply where the personal data is transmitted to other recipients or non-EEA countries or where there is automated processing or the processing is likely to result in a high risk to the data subject.
- Data Subject Access Requests: It is proposed to extend the circumstances where a controller may reject a data subject access request or charge a reasonable fee to respond to such requests (such as where the underlying motive does not relate to protection of their data protection rights).
- Definition of Personal Data: It is proposed to amend the definition of personal data to align with case law of the Court of Justice of the European Union ("CJEU") such as the recent SRB case (C-413/23 P) [2] which held that information will not be considered personal data for an organisation where that organisation cannot identify a natural person using means reasonably likely to be used to make such identification.
- Processing Personal Data in AI Systems: It is proposed to expressly recognise legitimate interests as a legal basis for processing personal data for the development and operation of AI systems. However, it is worth bearing in mind that controllers will still need to conduct legitimate interest assessments prior to using personal data for this purpose, and the draft wording provides that the processing must be subject to appropriate safeguards such as data minimisation, enhanced transparency to data subjects and an unconditional right for data subjects to object to the collection of their personal data for this purpose. It is also proposed to include a new legal basis for processing special category personal data – this legal basis being where the processing is in the context of the development and operation of an AI system. This is subject to the implementation of appropriate technical and organisational measures to avoid, to the greatest extent possible, the processing of such data and to remove such data when identified in datasets, unless the removal requires disproportionate effort.
- Additional Legal Basis for Processing Biometric Data: It is proposed to include an additional legal basis for processing biometric data where this is necessary for identity verification, where the biometric data or the means needed for such verification is under the sole control of the data subject.
- Data Protection Impact Assessments ("DPIAs"): It is proposed that the European Data Protection Board ("EDPB") will prepare lists of processing activities that do or do not require a DPIA. Furthermore, it is also proposed that the EDPB will create a common template and common methodology for conducting DPIAs.
- Cookies: It is proposed:
- to insert a new Article 88a of the GDPR to provide for consent to be required where personal data is to be stored or accessed on terminal equipment of individuals. This is essentially moving the consent requirement from the ePrivacy Directive to the GDPR;
- that data subjects must have the ability to refuse all cookies with a single click button. Furthermore, where data subjects refuse consent, the controller must not make a new request for consent for the same purpose for a period of at least 6 months;
- that consent will not be required where cookies are used for aggregating information about online usage, security purposes, the transmission of a network communication and providing a service specifically requested by a data subject;
- that any Article 6 GDPR legal basis for processing can be relied upon to deploy cookies where this is necessary to safeguard the objectives in Article 23(1) of the GDPR, such as national security, the prevention, investigation, detection or prosecution of criminal offences and the protection of data subjects or the rights and freedoms of others; and
- automated and machine-readable consent management can be used by controllers once standards become available.
- Pseudonymisation Guidance: It is proposed that the European Commission may adopt implementing acts to specify the means and criteria for determining whether data resulting from pseudonymisation no longer constitutes personal data.
Data Act
The Digital Omnibus also proposes a number of amendments to the Data Act such as:
- Protection of Trade Secrets: It is proposed to allow the holders of trade secrets to refuse requests for disclosure of trade secret data where the disclosure is highly likely to cause serious economic damage or the disclosure poses a high risk of unlawful acquisition, use or disclosure to third country entities. This refusal must be on a case-by-case basis and based on objective factors.
- Switching Data Processing Services: It is proposed that:
- exemptions for custom made data processing services be expanded for contracts concluded before or on 12 September 2025; and
- exemptions are provided to SMEs and small mid-caps providing services other than infrastructure as a service under contracts signed before or on 12 September 2025. SMEs and small mid-caps can include early-termination penalties in fixed-term contracts.
- Access to Data by Public Authorities: It is proposed to further restrict access to data by public authorities by narrowing the ground for access from any exceptional need to an exceptional need to use the data to carry out duties in the public interest where there is a public emergency.
- Legislative Consolidation: It is proposed to consolidate the Data Governance Act, the Free Flow of Non-Personal Data Regulation and the Open Data Directive into the Data Act.
NIS2 and DORA
It is proposed to establish a single platform for incident reporting under data protection and cybersecurity legislation to streamline the process and reduce administrative burden for organisations. It is proposed that ENISA will be responsible for developing and maintaining this platform.
Digital Omnibus on AI [3]
Some of the key proposed amendments to the AI Act include:
- AI Literacy: It is proposed that organisations will no longer have to comply with AI literacy obligations (except in respect of high-risk AI). Instead, the European Commission and EU member states will be required to foster AI literacy.
- Stopping the Clock on High-Risk AI: It is proposed to delay the entry into force of the obligations relating to high-risk AI by introducing a long-stop date of 2 December 2027 (Annex III) and 2 August 2028 (systems comprising or embedded in regulated products).
- Grace Period for Transparency Obligations: It is proposed to introduce a 6 month grace period for transparency obligations in respect of entities that have already placed their systems on the market before 2 August 2026.
- Processing of Special Category Personal Data: In addition to the amendment to the GDPR set out above, it is proposed to introduce an explicit legal basis to allow organisations to process special category personal data for bias detection and correction where no alternative exists.
- Regulatory AI Sandboxes: It is proposed that the EU AI Office will also be responsible for creating AI regulatory sandboxes rather than solely EU member states.
- EU AI Office Competence: The Digital Omnibus on AI reinforces the EU AI Office's competence in respect of AI systems based on general-purpose AI models developed by the same provider and introduces a new competence in respect of AI systems integrated in very large online platforms and very large online search engines regulated under the Digital Services Act.
Next Steps
The Digital Omnibus Package will now make its way through the EU's trilogue legislative process. This process can often be lengthy, but we expect that the legislation will be in place by mid-2026 given that the high-risk AI obligations under the AI Act enter into force in August 2026.
It is likely that the contents of the Digital Omnibus Package will change as it goes through the legislative process and, therefore, there is no requirement for organisations to implement any changes to their compliance frameworks as of yet. In the meantime, we recommend that organisations:
- keep up to date with developments during the legislative process;
- organise an internal working group or committee to begin an initial analysis of how the proposed changes might impact business operations and what resources will be required next year to implement changes to the organisation's compliance framework;
- identify key contracts and customer/employee-facing policies that may require amendment; and
- communicate the existence of the Digital Omnibus Package with key personnel.
Footnotes
1. https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-regulation-proposal
2. https://curia.europa.eu/juris/liste.jsf?num=C-413/23
3. https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-ai-regulation-proposal
4. https://maples.com/knowledge
5. https://maples.com/services/specialty-services/ai-advisory
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.