For the past decade, the European Union's ("EU") digital-world regulatory motto has actually been very clear: "Regulate first, then watch the market emerge."
This process, beginning with the GDPR and continuing with the Digital Services Act (DSA), Digital Markets Act (DMA), Data Act, and finally the AI Act, embodied the global standard-setting power known in the literature as the "Brussels Effect."
However, as of November 2025, the "Digital Omnibus" ("Package") proposal on the table has emerged as the clearest sign that this paradigm is no longer sufficient and that the EU has been forced to pivot its regulatory approach to the digital world.
It is possible to describe the Digital Omnibus as a surgical intervention package aimed at eliminating the cacophony created by the existing acquis in the digital field, removing duplicative notification obligations, and treating Europe's "regulatory obesity."
So what happened that the EU suddenly moved toward this path of simplification?
The Draghi Report and the Call to "Simplify the Acquis"
It is a well-known and now almost uncontested fact that the EU has difficulty keeping pace with giants such as the US and China in the digital economy. Mario Draghi's 2024 report, "The Future of European Competitiveness," added both urgency and political weight to this situation.
The report discusses why the EU has recently failed to compete globally and which policy tools need to be activated to remove these obstacles.
In the chapter on digital regulations, the core argument is that the EU's current digital rules may pose a potential barrier to innovation and growth, and Draghi — formally and in writing — records a long-standing debate:
"Europe is dying of over-regulation."
Indeed, there are critical differences between the EU and the US in regulation-making. The EU performs extensive impact assessments, invites interdisciplinary stakeholders, applies human-rights-based approaches, and tries to regulate each area in highly detailed, casuistic fashion.
The US, in contrast, follows a more liberal and pragmatic logic — "fix the caravan on the road" — and enacts more targeted rules once the field matures.
One critical finding in Draghi's report stands out:
"EU companies spend more resources on compliance than on innovation. The compliance costs incurred by an SME navigating the GDPR, Cyber Resilience Act, NIS2, and AI Act may exceed the R&D budgets of its US or Chinese competitors."
Another striking passage:
While no company founded in the European Union in the last fifty years has exceeded a market value of €100 billion, all six companies exceeding €1 trillion in the United States were founded during this period.
After presenting these findings, Draghi gave the Commission a single strategic prescription:
Simplify the regulatory framework.
The Commission's response to this strategic imperative was the Digital Omnibus, a comprehensive revision package presented in November 2025 that aims to rewrite the EU's digital rulebook.
The legal purpose of the reform is no longer only to protect fundamental rights, but also to ensure the competitiveness and survival capacity of European industry by enhancing legal certainty and simplification.
Thus, with the Digital Omnibus, the EU is undergoing a subtle yet significant paradigm shift from the precautionary principle to the innovation principle.
The Package aims to consolidate the increasingly complex and fragmented "digital acquis" under one roof, eliminating duplicative obligations and creating a more predictable and manageable legal environment for businesses.
It should also be noted that while the Commission presents these changes as innovation-friendly, digital rights groups like NOYB describe them as "the biggest attack on Europeans' digital rights in recent years."
They argue the proposal creates legal loopholes that benefit large technology companies.
So, what does the Digital Omnibus foresee in the areas of personal data, artificial intelligence, and cybersecurity?
Proposed Changes in the Personal Data Sphere
"Personal Data" Definition Narrowed
The Package proposes codifying the "relative approach" to determining whether data is personal, following Breyer and the recent EDPB v SRB decision.
According to this approach, if a party processing data does not have the "means reasonably likely to be used" to identify a person, then the data is not considered personal data for that party.
This would strategically narrow the scope of the GDPR, and may push sectors using pseudonymized or unique ID data — health, advertising, ad-tech — outside the GDPR's scope.
Critics describe this as a "gift" to US-based tech companies with massive legal departments.
"Legitimate Interest" Basis for AI Training
The Package adds a new Article (Article 88c) to the GDPR, allowing processing for AI development and operation to rely on the controller's legitimate interest, provided certain safeguards exist (data minimization, transparency, unconditional right to object, etc.).
This aims to remove one of the major legal barriers for AI companies working with large datasets.
However, it is heavily criticized for:
- Weakening individual control over personal data
- Allowing data to be used in large-scale algorithmic systems without consent
- Increasing tension between consumer consent and industry data needs
Modernization Against "Cookie Fatigue"
The Package aims to reduce "cookie fatigue" by simplifying consent mechanisms through automatic, machine-readable signals sent via browser or device settings, which allows centralized preference management.
Further measures include:
- One-click acceptance/rejection mechanisms
- A whitelist of low-risk cookies (measurement, security, service delivery) exempt from consent
Critics warn that expanding consent exemptions could weaken meaningful user control and benefit the advertising and tracking industry.
Protection Against Abuse of DSAR (Data Subject Access Requests)
Controllers may refuse or charge a fee for "abusive" requests — those not genuinely aimed at protecting rights (e.g., gathering evidence in a commercial dispute or harming a company).
This offers companies critical protection from access requests that consume resources and deviate from their purpose.
Extending Breach Notification Deadlines
The breach notification requirement extends from 72 hours to 96 hours after becoming aware of an incident.
More importantly, the threshold for notifying authorities is aligned to the "high risk" threshold:
Only breaches posing "high risk" to individuals must be notified to the authority.
This offers companies operational relief but may cause supervisory authorities to overlook lower-risk yet cumulatively significant incidents.
Exemption from Privacy Notice Obligations
The Package introduces a privacy notice exemption where the controller already has an existing and limited relationship with the data subject, the processing is simple, and it is reasonably assumed that the data subject knows the controller's identity and purpose.
This does not apply where:
- Data is shared with third parties
- Automated decision-making is involved
- The processing poses high risk
Removed From Official Text — Narrowing Special Categories of Data
A leaked earlier version proposed narrowing Article 9 sensitive-data scope so that only data directly revealing a trait (racial origin, health, sexual orientation) would qualify; inferred characteristics (e.g., profiling revealing political views) would not.
This change is not present in the official draft.
Adjustments to the AI Act
Delayed Compliance Deadlines
High-risk AI systems will have compliance timelines linked to the availability of technical standards:
- High-risk systems: no later than December 2027
- Integrated systems: no later than August 2028
This gives companies crucial time.
Centralizing Supervision
To reduce fragmentation in governance and ensure consistency in enforcement, supervisory powers are centralized in the newly established EU AI Office.
The EU AI Office will have exclusive oversight over AI systems used by, or integrated into, very large online platforms and search engines. The aim is to reduce the risk of fragmented national enforcement and establish a more consistent governance framework.
Extending SME Advantages to Small Mid-Caps (SMCs)
The Package proposes extending AI Act SME benefits to SMCs, defined as:
- Fewer than 750 employees
- Annual turnover under €150 million (or balance sheet total under €129 million)
Thus, around 8,250 additional companies will benefit from:
- Simplified documentation
- Proportionate quality management systems
- Lower administrative fine ceilings
Practical Tweaks to Compliance Obligations
Administrative burdens are eased by, for instance, removing the obligation to register non-high-risk AI systems in the EU database — allowing resources to be redirected to more critical areas.
In addition, the exception that allows processing of special-category data to detect and correct bias is expanded: it would apply not only to certain high-risk providers but to all AI providers and operators.
Consolidating the Data Ecosystem: Data Act and Cybersecurity Reforms
Beyond revising existing rules, the Digital Omnibus presents a structural reform aiming to unify the EU's fragmented, complex data and cybersecurity law under a single, more coherent umbrella.
This broad reform has two pillars:
Expanding and Rationalizing the Data Act
The Package proposes radically simplifying data law by consolidating several EU data-governance instruments under the Data Act and repealing some others.
Three core instruments would be integrated into the Data Act:
- The Data Governance Act (DGA)
- The Open Data Directive
- The Regulation on the Free Flow of Non-Personal Data
In addition, the Platform-to-Business (P2B) Regulation would be repealed entirely because its provisions have been rendered practically redundant by the DSA.
Centralizing Cybersecurity Incident Reporting: Single Entry Point (SEP)
The Package aims to merge overlapping cybersecurity incident-reporting obligations under different legal instruments into a single channel.
The Single Entry Point (SEP), to be managed by ENISA (the EU Agency for Cybersecurity), is intended to eliminate the burden on companies of filing separate notifications with multiple authorities when a cyber incident occurs.
Through this platform, notifications required under the GDPR (personal data breaches), the NIS2 Directive (network and information systems incidents), the DORA Regulation (digital operational resilience incidents), and the CER Directive (critical entities resilience incidents) would all be channeled through one interface.
This centralization is expected to significantly reduce the operational load on businesses, especially in crises when they would otherwise need to report to multiple regulators in different formats and timeframes. According to the European Commission's estimate, this change would "reduce incident-reporting effort by roughly half."
Overall Assessment
Taken together, the Digital Omnibus appears to be not only a technical regulation for the EU but also a strategic statement of identity.
The proposals signal a strategic shift from the strict, rule-driven regulatory model — culminating in the GDPR and prioritizing fundamental rights — toward a more pragmatic model centered on economic benefit, flexibility, and competitiveness.
In this frame, the EU seeks to maintain the sustainability of its normative leadership born of the "Brussels Effect," while also preventing its own companies from falling completely behind in the global technology race.
This new approach aims to give European industry breathing room through legal certainty, reduced administrative burden, and rationalized compliance costs.
On the other hand, the effective lowering of data-protection standards, reduced supervisory intensity, and potential asymmetries favoring large technology companies are causing serious concern on the digital-rights front.
In other words, the Package constitutes a two-sided stress test along the axes of competitiveness and innovation on the one hand, and fundamental rights and privacy on the other.
Will this risky move for competitiveness truly invigorate technological innovation, or will it amount to a difficult-to-reverse concession from the fortress of digital rights that the continent has built over years and made into a global standard?
Only time — through both legal practice and market response — will tell.