Cutting Through Complexity: Inside The EU's Digital Omnibus Package

On 19 November 2025, the European Union introduced two "Omnibus" reform packages, each targeting different regulatory domains but united by a common goal: regulatory simplification across the European Union. The European Commission's (Commission) Digital Omnibus Package (seehereandhere) (Omnibus), is designed to allow European businesses to direct more energy towards innovation and growth, rather than managing heavy administrative and compliance burdens.

The purpose of the Omnibus is to simplify existing rules on artificial intelligence, data protection and cybersecurity. The Omnibus consists of two proposed regulations: (1) a "Digital Omnibus" that would amend several key pieces of legislation, including the General Data Protection Regulation (GDPR), the ePrivacy Directive, the Network and Information Security Directive (NIS2) and the EU Data Act; and (2) a "Digital Omnibus on AI" which would introduce amendments to the EU AI Act.

In this article, we highlight the key takeaways from the Omnibus package.

Key Takeaways

1. GDPR

• Narrowing the definition of personal data:The Omnibus proposes various amendments to the GDPR. Notably, it amends the definition of personal data to exclude information where the entity holding it does not have 'means reasonably likely to be used' to identify the individual. The Commission has taken a bold step to amend one of GDPR's fundamental definitions. However, this amendment is reflected in recent case law – notably, the Court of Justice of the European Union's (CJEU) decision inSRB (Case C-413/23)(see our previous articlehere).
• Harmonised requirements for conducting data protection impact assessments (DPIA):The Commission proposes assigning the European Data Protection Board (EDPB) responsibility for developing EU-wide lists of processing activities that require or do not require a DPIA, replacing the existing national lists. The EDPB would also create a standardised DPIA template and methodology, which the Commission could formalise through legislation. These tools would be reviewed and updated at least once every three years to keep pace with technological developments.
• Broadening exemptions to data subject rights:The proposal expands the existing exemptions from transparency obligations, particularly where the personal data is low risk and processing is carried out for scientific research. It also clarifies when controllers may refuse access requests or charge a reasonable fee for responding. According to the Commission, this is especially relevant where a data subject seeks to misuse their GDPR rights for purposes unrelated to the protection of their personal data. The burden will remain with the controller to show that a request is manifestly unfounded or excessive.
• AI development explicitly recognised as a "legitimate interest":The proposal clarifies that the legitimate interests legal basis under Article 6 may be used for developing and operating AI systems. However, this is not a blank cheque and controllers would still need to demonstrate necessity and proportionality through a balancing test whilst also implementing appropriate safeguards, such as minimising data used for AI training and granting data subjects an unconditional right to object. More significantly, the proposal indicates that, in this context, the use of special category personal data could also meet the conditions for lawful processing under Article 9, marking a potentially notable shift in regulatory interpretation.
• New conditions under Article 9 GDPR:The Commission highlights two new derogations from the prohibition on processing special category data: (1) special category data may be processed to build and run AI systems, provided efforts are made to identify and remove it and where removal would be disproportionate, measures must be taken to prevent any unlawful disclosure in the outputs; and (2) processing is permitted when biometric data is used solely under user's control (e.g., on-device biometrics).

2. ePrivacy Directive

The Omnibus seeks to modernise the cookie rules to enhance users' experience online by reducing the frequency of cookie banners pop-ups and allowing users to manage their preferences centrally through a browser or operating system setting. When storing personal data on a user's device is based on consent, the following conditions apply:

• Individuals must be able to refuse consent easily and clearly, using a single-click option or an equivalent method;
• If consent is granted, controllers cannot request consent again for the same purpose during the period in which the original consent remains valid; and
• If consent is refused, controllers must not repeat the request for the same purpose for at least six months.

3. Cybersecurity and Data Breach Reporting

The Commission highlighted that the Omnibus introduces a single-entry point for companies to fulfill all incident-reporting obligations. Currently, companies must report cybersecurity incidents under multiple frameworks, including the NIS2, the GDPR, and the Digital Operational Resilience Act (DORA).

The Omnibus further specifies that where a personal data breach is likely to pose a high risk to the rights and freedoms of individuals, the controller must notify the breach via the single-entry point without undue delay and, where feasible, within 96 hours of becoming aware of it.

4. Data Act

• A new safeguard for trade secrets:Data holders would gain a clearer right to refuse sharing trade-secret-protected information with users where they can show a significant risk that the information could be unlawfully accessed, misused, or transferred to jurisdictions with insufficient protections.
• Targeted exemptions from cloud-switching obligations:Certain data processing services (where contracts were signed before 12 September 2025) would benefit from reduced switching requirements. This includes: (i) bespoke data processing services, meaning highly customised solutions that cannot operate without prior configuration to a user's specific environment; and (ii) services offered by SMEs and small mid-caps, with the Omnibus confirming that these providers may continue to include early-termination fees in fixed-term agreements.
• Smart Contract Requirements Removed:The proposal removes the Data Act's earlier smart-contract compliance obligations for data-sharing agreements, reducing complexity for industries using automated data exchange.
• Consolidation of the EU Data Framework:In a substantial regulatory simplification, the Omnibus repeals and integrates major instruments, including the Data Governance Act, Free Flow of Non-Personal Data Regulation, and the Open Data Directive, folding much of their substance into the Data Act. The Platform-to-Business Regulation will also be repealed on the basis the provisions are mostly covered by the Digital Markets Act and Digital Services Act.

5. AI Act

• Delay to the commencement of the obligations applicable to high-risk AI systems:The delay is expected to last from August 2026 until 6 months after the Commission makes its decision setting out the technical requirements for the specific high-risk AI systems listed in Annex III (remote biometric identification systems), and 12 months after its decision for the AI systems subject to the EU harmonisation regime listed in Annex I (e.g. medical devices, toys). This adds a degree of uncertainty to the compliance timeline, but in any event, the latest the obligations would come into effect is December 2027 (for AI systems used in law enforcement and education) and August 2028 (for other use cases).
• Broadened powers for the Commission's AI Office:Subject to certain carve-outs for sector-regulated products, the AI Office would have exclusive authority to supervise and enforce rules for: (i) general-purpose AI models and any systems built on them by the same provider; and (ii) AI systems integrated into designated very large online platforms (VLOPs) or search engines (VLOSEs) under the Digital Services Act. The AI Office's powers would include requesting documentation, overseeing pre-market conformity checks, and imposing penalties, enabling more focused, EU-wide oversight of major AI developers.
• Removal of Mandatory AI Literacy Requirements:Instead of imposing a binding obligation on companies regarding AI literacy, the proposal encourages the Commission and Member States to promote AI literacy through training initiatives and the sharing of best practices.

Next Steps

The Omnibus will now be submitted to the European Parliament and the Council (comprising of representatives from each of the EU Member States) for review, amendment and adoption. EU policymakers are anticipating a tight timeline for negotiations, particularly for the targeted AI Act amendments, which must be finalised before August 2026 when the majority of the AI Act provisions take effect. However, there remains significant division within the European Parliament as factions debate the merits of the EU's much vaunted data protection rules versus competitiveness, which could delay the progress of the Omnibus. Once adopted through the ordinary legislative procedure, the amendments will enter into force almost immediately. It is noted that the final Omnibus text may be subject to substantive amendments during this legislative process.

We would like to thank Geng To Law for their assistance with this alert.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.