On 19 November 2025, the European Commission (the Commission) introduced two proposed regulations in the Digital Omnibus Package (the Omnibus), each targeting different regulatory domains but united by a common goal: regulatory simplification across the European Union. The Commission’s Omnibus is designed to allow European businesses to direct more energy toward boosting innovation and growth, rather than managing heavy administrative and compliance burdens.
The purpose of the Omnibus is to simplify existing rules on artificial intelligence (AI), data protection, and cybersecurity. The Omnibus consists of two proposed regulations: (1) the “Digital Omnibus Regulation Proposal,” which would amend several key pieces of legislation including the General Data Protection Regulation (GDPR), the ePrivacy Directive, the Network and Information Security Directive (NIS2), and the EU Data Act, and (2) the “Digital Omnibus on AI Regulation Proposal,” which would introduce amendments to the EU AI Act.
In this article, we highlight the key takeaways from the Omnibus.
Key Takeaways
1. GDPR
- Narrowing the definition of personal data: The Omnibus proposes various amendments to the GDPR. Notably, it amends the definition of personal data to exclude information when the entity holding it “does not have means reasonably likely to be used to identify” the individual. The Commission has taken a bold step to amend one of the GDPR’s fundamental definitions. However, this amendment is reflected in recent case law — notably, the Court of Justice of the European Union’s (CJEU) decision in EDPS v. SRB (for more information, read our September 2025 alert “Personal Data or Not? CJEU Weighs In on Pseudonymisation in EDPS v. SRB”).
- Harmonised requirements for conducting data protection impact assessments (DPIA): The Commission proposes assigning the European Data Protection Board (EDPB) responsibility for developing EU-wide lists of processing activities that require or do not require a DPIA, replacing the existing national lists. The EDPB would also create a standardised DPIA template and methodology, which the Commission could formalise through legislation. These tools would be reviewed and updated at least once every three years to keep pace with technological developments.
- Broadening exemptions to data subject rights: The proposal expands the existing exemptions from transparency obligations, particularly when the personal data is low-risk and processing is carried out for scientific research. It also clarifies when controllers may refuse access requests or charge a reasonable fee for responding. According to the Commission, this is especially relevant when a data subject seeks to misuse their GDPR rights for purposes unrelated to the protection of their personal data. The burden will remain with the controller to show that a request is “manifestly unfounded or excessive.”
- AI development explicitly recognised as a “legitimate interest”: The proposal clarifies that the legitimate interest legal basis under Article 6 may be used for developing and operating AI systems. However, this is not a blank cheque, and controllers would still need to demonstrate necessity and proportionality through a balancing test while also implementing appropriate safeguards, such as minimising the data used for AI training and granting data subjects “an unconditional right to object.” More significantly, the proposal indicates that, in this context, the use of special category personal data could also meet the conditions for lawful processing under Article 9, marking a potentially notable shift in regulatory interpretation.
- New conditions under Article 9 GDPR: The Commission highlights two new derogations from the prohibition on processing special category data: (1) special category data may be processed to build and run AI systems, provided efforts are made to identify and remove it and, when removal would be disproportionate, measures are taken to prevent any unlawful disclosure in the outputs; and (2) processing is permitted when biometric data is used solely under a user’s control (e.g., on-device biometrics).
2. ePrivacy Directive
The Omnibus seeks to modernise the cookie rules to enhance user experience online by reducing the frequency of cookie banner pop-ups and allowing users to manage their preferences centrally through a browser or operating system setting. When storing personal data on a user’s device is based on consent, the following conditions apply:
- Individuals must be able to refuse consent easily and clearly, using a single-click option or an equivalent method.
- If consent is granted, controllers cannot request consent again for the same purpose during the period in which the original consent remains valid.
- If consent is refused, controllers must not repeat the request for the same purpose for at least six months.
3. Cybersecurity and Data Breach Reporting
The Commission highlighted that the Omnibus introduces a single-entry point for companies to fulfill all incident-reporting obligations. Currently, companies must report cybersecurity incidents under multiple frameworks, including the NIS2, the GDPR, and the Digital Operational Resilience Act.
The Omnibus further specifies that when a personal data breach is likely to pose “a high risk to the rights and freedoms of” individuals, the controller must notify the breach via the single-entry point “without undue delay” and, when feasible, within 96 hours of becoming aware of it.
4. Data Act
- A new safeguard for trade secrets: Data holders would gain a clearer right to refuse sharing trade secret–protected information with users when they can show a significant risk that the information could be unlawfully accessed, misused, or transferred to jurisdictions with insufficient protections.
- Targeted exemptions from cloud-switching obligations: Certain data processing services (in which contracts were signed before 12 September 2025) would benefit from reduced switching requirements. This includes (1) bespoke data processing services, meaning highly customised solutions that cannot operate without prior configuration to a user’s specific environment, and (2) services offered by small and medium-sized enterprises and small mid-cap companies, with the Omnibus confirming that these providers may continue to include early-termination fees in fixed-term agreements.
- Smart contract requirements removed: The proposal removes the Data Act’s earlier smart contract compliance obligations for data-sharing agreements, reducing complexity for industries using automated data exchange.
- Consolidation of the EU data framework: In a substantial regulatory simplification, the Omnibus repeals and integrates major instruments, including the Data Governance Act, Free Flow of Non-Personal Data Regulation, and the Open Data Directive, folding much of their substance into the Data Act. The Platform-to-Business Regulation will also be repealed because the provisions are mostly covered by the Digital Markets Act and Digital Services Act (DSA).
5. AI Act
- Delay to the commencement of the obligations applicable to high-risk AI systems: The delay is expected to last from August 2026 until six months after the Commission makes its decision setting out the technical requirements for the specific high-risk AI systems listed in Annex III (e.g., remote biometric identification systems) and 12 months after its decision for the AI systems subject to the EU harmonisation regime listed in Annex I (e.g., medical devices, toys). This adds a degree of uncertainty to the compliance timeline, but in any event, the latest the obligations would come into effect is December 2027 (for AI systems used in law enforcement and education) and August 2028 (for other use cases).
- Broadened powers for the Commission’s European AI Office: Subject to certain carve-outs for sector-regulated products, the AI Office would have exclusive authority to supervise and enforce rules for (1) general-purpose AI models and any systems built on them by the same provider and (2) AI systems integrated into designated very large online platforms or search engines under the DSA. The AI Office’s powers would include requesting documentation, overseeing pre-market conformity checks, and imposing penalties, enabling more focused, EU-wide oversight of major AI developers.
- Removal of mandatory AI literacy requirements: Instead of imposing a binding obligation on companies regarding AI literacy, the proposal encourages the Commission and member states to promote AI literacy through training initiatives and the sharing of best practices.
Next Steps
The Omnibus will now be submitted to the European Parliament and the European Council (comprising representatives from each of the EU member states) for review, amendment, and adoption. EU policymakers are anticipating a tight timeline for negotiations, particularly for the targeted AI Act amendments, which must be finalised before August 2026 when the majority of the AI Act provisions take effect. However, there remains significant division within the European Parliament as factions debate the merits of the EU’s much-vaunted data protection rules versus competitiveness, which could delay the Omnibus’ progress. Once adopted through the ordinary legislative procedure, the amendments will enter into force almost immediately. The final Omnibus text may be subject to substantive amendments during this legislative process.
We would like to thank Geng To Law for their assistance with this alert.
This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee similar outcomes.
Contacts
- Gretchen Scott, Partner
- Curtis McCluskey, Partner
- Athena Kontosakou, Partner