In November 2025, the European Commission proposed the Digital Omnibus, which aims to make parts of the EU’s digital regulation easier to work with. The proposal affects several key laws, including GDPR and the AI Act, and aims to simplify rules and reduce unnecessary administrative burden for businesses.
Over the past few years, the EU has introduced a large number of digital rules. While the overall goals are widely supported, many companies have struggled with overlapping requirements, unclear concepts and multiple reporting obligations. In practice, this has led to higher compliance costs and legal uncertainty, especially for companies operating across borders.
With the Digital Omnibus, the Commission signals a change in approach. Rather than introducing new rules, the focus is on improving how existing legislation works. The Commission is clear that the proposal is not intended to lower the level of protection for personal data, consumers or fundamental rights, instead, make the rules more consistent, clearer and less burdensome to comply with.
The changes focus on areas that are particularly important for competitiveness, such as data sharing, AI development and more efficient compliance processes.
Below are some of the proposals that are likely to be most relevant for companies.
GDPR – clearer rules and fewer formal requirements
New definition of “personal data” – One of the more practical changes concerns the definition of “personal data”. The proposal clarifies that information should not be considered personal data for a specific organisation if that organisation cannot reasonably identify the individual concerned, taking into account the means available to it.
Importantly, information would not automatically be treated as personal data for one party simply because another party may be able to identify the individual. This clarification could make it easier for companies to assess data sharing arrangements and internal data use.
Data breach notifications – The proposal also introduces changes to personal data breach notifications. Today, breaches must generally be reported unless they are unlikely to pose a risk to individuals. Under the proposal, only breaches that are likely to result in a high risk would need to be reported. The reporting deadline would also be extended from 72 to 96 hours. To support a more consistent application, the European Data Protection Board (EDPB) is expected to develop a binding reporting template and provide practical guidance.
AI data processing – For companies working with AI, the proposal clarifies that personal data may, under certain conditions, be processed on the basis of legitimate interests for the purpose of training and using AI systems. This is subject to a standard balancing test and appropriate safeguards, but the clarification is intended to reduce legal uncertainty in an area that many companies have found difficult to navigate.
Cookie consent – Finally, the Commission proposes simplifying the rules on cookies and similar technologies. Certain provisions would be moved from the ePrivacy Directive into GDPR, and consent requirements would be simplified to reduce so-called “consent fatigue”. For example, users should be able to express their choice more easily, and consent should not need to be requested repeatedly. These changes apply only where personal data is involved.
AI Act – more time to prepare
As regards the AI Act, the Digital Omnibus proposes postponing the application of the requirements for high-risk AI systems by 16 months instead of 2 August 2026. The idea is that companies should not be expected to comply fully before relevant standards, guidance and technical tools are in place.
In addition, providers that conclude that their AI systems are not high-risk would no longer need to register this assessment in an EU-level database. The assessment would still need to be documented internally and shown to authorities if requested, but the administrative burden would be reduced.
What should companies take away from this?
The Digital Omnibus is still only a proposal, but it clearly shows the Commission’s intention to make EU digital regulation more workable in practice. Alongside the legislative process, the European Commission has launched a public consultation on the Digital Omnibus, inviting stakeholders and the wider public to submit comments on the proposal. This will be open until 4 February 2026. Hopefully, the negotiations will be finalized in early 2027.
Further reviews of major digital acts, such as the Digital Markets Act (DMA), Digital Services Act (DSA) and the Data Act, are expected in the coming years.
Key takeaways
