The word 'simplification' is prevalent throughout the recently published EU Digital Omnibus proposals. Notably, the term 'deregulation' does not appear, and the omission is a deliberate choice given the political associations of being seen to abandon previous policy goals. The use of words such as 'simplification' and 'streamlining', on the other hand, implies that the EU is making the regulatory environment more efficient and business friendly.
This article explores the detail of the proposals and when they are likely to take effect. One of our forthcoming thought leadership pieces, set to be unveiled at the DAC Beachcroft 2026 Data, Privacy and Cyber Conference, will explore the broader policymaking landscape surrounding the Digital Omnibus proposals, and explore the global dynamics behind current regulatory tensions.
First, it is important to note that the Commission's proposals are not final and may change before adoption. The proposals will now be submitted to the European Parliament and Council for their response, with further informal and formal negotiations occurring before a final agreement.
We expect that concerns over the proposals will be raised in either the Parliament or Council. A group of MEPs [1] have already expressed disappointment with the proposals, and privacy activists have also had their say. Amnesty International argues [2] that accountability on digital rights will be affected, and noyb [3] responded to the proposals by suggesting they would 'wreck' the core principles of the GDPR.
So, what does the Digital Omnibus propose, and when might the changes take effect?
What is the Digital Omnibus?
The Digital Omnibus Package is made up of two proposed regulations:
- Digital Omnibus covering data, cybersecurity and privacy rules
- Digital Omnibus on AI
The Digital Omnibus proposals are the most recent in a series put forward by the Commission as part of their efforts to recalibrate and simplify certain EU rules to boost economic growth and reduce administrative burdens. Other proposals have covered sustainability and costs for small and medium enterprises.
What is proposed?
Digital Omnibus covering data, cybersecurity and privacy rules
Data protection
The fundamental principles of the GDPR will remain in place, but there are a number of significant and targeted amendments. These changes are aimed at reducing compliance burdens for organisations to promote innovation.
The key proposals are as follows:
- The definition of 'personal data' will be amended, meaning that information is not personal data for an entity if that entity cannot identify the individual, even if another entity could. This is particularly relevant for pseudonymised data and follows the recent CJEU decision in SRB v EDPS which clarified that pseudonymised data is not automatically personal data for any party who processes it.
- Linked to this proposal, the Commission and European Data Protection Board will specify means and criteria to determine when pseudonymised data is no longer personal data.
- A new definition of 'scientific research' is suggested. The definition is as follows: "...any research which can also support innovation, such as technological development and demonstration. These actions shall contribute to existing scientific knowledge or apply existing knowledge in novel ways, be carried out with the aim of contributing to the growth of society's general knowledge and wellbeing and adhere to ethical standards in the relevant research area. This does not exclude that the research may also aim to further a commercial interest." Further processing for scientific research purposes is explicitly considered compatible with the original purpose, and scientific research is recognised as a legitimate interest. This measure is similar to that introduced in the UK via the Data (Use and Access) Act.
- Processing of personal data for the development, training, testing and operation of AI systems or models is explicitly recognised as a legitimate interest. The processing of the data needs to be subject to a balancing test, appropriate safeguards and an effective right to object.
- There is a new exemption for residual processing of special categories of personal data in AI training, with strict requirements for removal or protection of such data. If removal requires disproportionate effort, then the controller is required to effectively protect such data from being used to infer outputs, being disclosed or otherwise made available to third parties.
- The restriction on the processing of biometric data will be subject to a limited exemption where the verification of the claimed identity of the data subject is necessary for a purpose pursued by the controller, and suitable safeguards apply to enable the data subject to have sole control of the verification process.
- Controllers will be exempt from providing certain information to data subjects where the data has been collected in a 'clear and circumscribed' relationship, and it is reasonable to assume the data subject already has the information. This exemption will not apply where the data is transferred to third parties, used for automated decision-making, or poses a high risk to the rights of data subjects.
- When dealing with subject access requests, in addition to the existing provisions regarding requests that are manifestly unfounded or excessive, controllers may charge a 'reasonable fee' for, or refuse to act on, requests where the right of access is abused for a purpose other than the protection of the data subject's data, such as pursuing a claim for compensation. This is similar to measures introduced in the UK as part of the DUA Act.
- In respect of automated decision-making, clarification will be added that decisions based solely on automated processing will be permitted in specific circumstances. In addition, automated decisions will be permitted if necessary for the entry into, or performance of a contract, even if a human could have made the decision.
- In the event of a personal data breach, notification to a supervisory authority is required only if the breach is likely to result in a high risk to data subjects' rights. The existing provision requires notification unless the breach is unlikely to result in a risk to data subjects' rights. The deadline for making the notification will be extended from 72 to 96 hours. Notification must be made via the single-entry point (discussed below).
- The EDPB will prepare proposals for harmonised EU-wide lists of processing operations that do or do not require a Data Protection Impact Assessment, along with a common template and common methodology for conducting data protection impact assessments. The Commission will then be expected to adopt them.
Privacy / cookie rules
Following the aborted efforts to introduce the ePrivacy Regulation, the Omnibus introduces a number of proposed reforms to the operation of cookies and similar technologies.
New articles (88a and 88b) will be inserted into the GDPR, absorbing the ePrivacy Directive requirements. In aiming to reduce 'cookie fatigue' and improve user experience, a number of changes have been proposed:
- Users must be able to refuse consent easily, with a single click or equivalent means.
- If a user declines consent, the controller cannot make a new request for consent for at least six months.
- Users will, in time, be able to manage cookie preferences centrally through browser settings or other automated, machine-readable means (once standards are available).
- Controllers must respect these automated choices, except for media service providers (to protect the economic basis of independent journalism).
- The Commission will mandate standardisation bodies to develop the necessary technical standards for machine-readable consent signals.
- Where controllers comply with these standards, they benefit from a presumption of compliance.
The processing of personal data on or from terminal equipment will be permitted and not require consent where necessary for transmission, an explicitly requested service, first-party audience measurement or service / terminal security.
The provisions are formulated in a technologically neutral manner so that other tools, e.g. agentic AI, could also support users in making consent choices, provided they are fit for ensuring compliance with the requirements of the GDPR.
Cybersecurity reporting
As referenced above, there is a proposal for the introduction of a single entry point for incident reporting. Managed by ENISA, the EU agency for cybersecurity, the entry point will allow companies to fulfil all incident-reporting requirements under numerous EU laws such as the GDPR, the Digital Operational Resilience Act and the NIS2 Directive.
The entry point will assist entities in retrieving information already submitted, to ensure they can track their reporting obligations. ENISA will be expected to undertake pilot schemes for the single entry point. The Commission will be expected to assess the proper functioning, integrity and confidentiality of the entry point, and approve operation before widespread use.
Digital Omnibus on AI
The rules established by the AI Act are being implemented in stages, with all rules expected to be in place by 2 August 2027. As part of the implementation process, the Commission held a series of consultations and other actions to identify stakeholder concerns.
In response, a series of targeted simplification measures have been proposed in respect of certain provisions within the AI Act.
- The introduction of obligations relating to high-risk AI systems (Chapter III of the AI Act) will be linked to the availability of harmonised standards, common specifications, or Commission guidelines. Once the Commission makes these support materials available, the rules will apply following a specified transition period (6 months for Annex III high-risk systems, 12 months for Annex I high-risk systems). However, there are final deadlines after which the rules will apply regardless: 2 December 2027 (Annex III) and 2 August 2028 (Annex I).
- The simplified regulation applicable to SMEs (small and medium enterprises) would be extended to SMCs (small mid-cap enterprises). SMCs are identified as having a higher rate of growth and level of innovation but still face similar administrative burdens to SMEs. Definitions for SMEs and SMCs will be introduced, allowing both categories access to simplified technical documentation requirements and special consideration in the application of penalties.
- The Commission and Member States would be required to foster AI literacy, diverging from the proposed imposition of a one-size-fits-all obligation on providers and deployers. That obligation was identified as creating additional compliance burdens, particularly for smaller enterprises. It would be replaced by requirements on the Commission and Member States to foster AI literacy by encouraging deployers and providers to supply training and to share information and good practice.
- Providers of AI systems used in high-risk areas but only for narrow or procedural tasks (Article 6(3)) would be exempted from the EU database for high-risk systems. The provider must document that assessment for national authorities if required.
- Providers and deployers of all AI models and systems would be permitted to process special categories of personal data for the purposes of bias detection and correction. This processing would be subject to strict safeguards including pseudonymisation, deletion after use, and records of the processing activity.
- Greater flexibility would be introduced by the removal of a prescription for harmonised post-market monitoring plans. This will allow providers of high-risk AI systems to put in place a system for post-market monitoring that is tailored to their organisation.
- The AI Office will be given greater power through centralised oversight of AI systems built on general-purpose AI models (excluding those covered in Annex I) or embedded in very large online platforms and very large search engines (as defined in the Digital Markets Act). The Commission will also be empowered to define the enforcement powers and procedures of the AI Office including the ability to impose fines and other sanctions.
- The AI Office will also be involved in the extension of AI regulatory sandboxes and real-world testing. An EU-level sandbox for AI models based on GPAI, where the model and system are deployed by the same provider, will be facilitated by the AI Office to support cross-border collaboration. The scope of real-world testing that is permitted outside regulatory sandboxes will be extended to providers and prospective providers of high-risk AI systems covered in Annex I.
- Targeted changes clarifying the interplay between the AI Act and other EU legislation such as GDPR, Cyber Resilience Act and Machine Regulations.
When will the changes take effect?
Time is of the essence for some of the proposals, as the existing requirements of the EU AI Act relating to high-risk AI systems are due to take effect in August 2026. The Digital Omnibus on AI proposals make clear that the timeline for implementation relating to high-risk AI systems needs to be linked to the necessity and availability of support materials. We expect these proposals will be given urgent consideration.
If the proposals are passed, then the large majority would take effect immediately (three days after publication in the Official Journal). The amendments to the ePrivacy Directive would take effect after a 6-month transitional period, and there would be a minimum 18-month implementation period for the creation of the single entry point for incident reporting.
It is important to reiterate that these proposals are subject to amendment and may change from what is currently proposed. However, many of the proposals are common sense and reflect the experience and frustrations of data protection practitioners. It remains to be seen, however, whether the proposals will achieve the stated aims of fostering innovation and making the regulatory environment substantively more efficient and business friendly.
[1] Digital Omnibus: Greens/EFA call for digital enforcement - not a blank cheque for Big Tech | Greens/EFA
[2] EU: Digital omnibus proposals will tear apart accountability on digital rights - Amnesty International
[3] Digital Omnibus: EU Commission wants to wreck core GDPR principles
