Digital Omnibus: More efficiency instead of deregulation

Updated on 27.05.2026

The EU Commission wants to streamline digital laws. On November 19, 2025, it presented its proposals for the “Digital Omnibus” (including a separate AI Omnibus). The Council and the European Parliament already agreed on the AI omnibus on May 7, 2026. This postpones the applicability of certain provisions of the AI Act.

The core of the reform package: the various pieces of digital legislation are to be simplified and more closely interlinked. The package also includes accompanying initiatives, including a data strategy and new tools for companies to facilitate practical implementation.

In response to the advancing digitalization, many new legal regulations have emerged within a short space of time, including the AI Act, the Data Act, the GDPR, the ePrivacy Directive and the Cyber Resilience Act. However, the many different pieces of legislation have so far had little interaction with each other. This is not only confusing for companies, it also results in duplicate obligations. The result is a high administrative burden.

Data protection level to be maintained

The EU Commission’s reform proposals are primarily concerned with efficiency and practicability. In terms of content, the requirements are not to be weakened. Only redundant regulations are to be deleted and overlapping requirements consolidated. The EU Commission wants to maintain the high level of data protection in the EU. At the same time, it is foreseeable that individual proposals – in particular on cookies and access to end devices as well as AI training constellations – will be the subject of controversial political and legal debate.

Planned changes to the GDPR and the ePrivacy Directive

The content of the GDPR is to be partially adapted. At the same time, certain rules on access to end devices (cookies and similar identifiers) are to be modernized and – insofar as personal data is processed in the process – transferred more strongly into the GDPR enforcement framework.

Among other things, the EU Commission wants information and documentation obligations for companies to be simplified in certain cases. There are also plans to simplify the reporting of data breaches, including through more harmonized and standardized reporting processes as well as thresholds and deadlines in order to reduce multiple reports and over-reporting.

Some ePrivacy rules are to be integrated into the GDPR, in particular requirements for storing and accessing information on end devices. Insofar as personal data is processed in the process, these end device access rules are to be transferred from the ePrivacy Directive to the GDPR. To counteract “consent fatigue”, consent pop-ups are to be significantly reduced: Banners should no longer be required for low-risk and harmless purposes (for example, pure reach measurement). In addition, uniform preferences via browser and system settings or one-click decisions should be possible, which websites must respect for at least six months. However, consent will still be required for accessing data on end devices.

Pseudonymized data should be easier to use for AI training

A planned amendment to the GDPR is already the subject of controversial debate: The EU Commission wants to clarify the rules on pseudonymization so that data records can be shared and used more easily under certain conditions (including in the context of AI training) following appropriate protective measures, without them automatically being considered personal data for each recipient. According to the Commission, this is a codification of a more recent ECJ approach. The decisive factor is whether the specific third party or recipient has means that can reasonably be used for re-identification. The controller who pseudonymizes the data record, on the other hand, should remain fully bound by the GDPR.

In addition, clarifications on data processing for AI purposes (for example through training and development) should be more operationalized, in particular on the basis of “legitimate interests” under certain safeguards and on effective objection options.

The protection of personal data is enshrined in fundamental rights under EU law, in particular in Art. 8 CFR and Art. 16 TFEU. Clarifications under secondary law must be measured against this. The extent to which the proposed clarification of the term will be effective will therefore depend largely on how it is specifically formulated in the legislative process and how the ECJ and supervisory practice apply the definition of “reasonably foreseeable means”.

Planned changes to the Data Act and Data Governance Act

The use of data is to be brought together in a bundled data legal framework in future. The approach is to consolidate several building blocks of the “data acquis” in the Data Act. In particular, the content of the Data Governance Act (DGA), the open data rules and the free flow of non-personal data rules are to be integrated into a restructured Data Act.

The EU would also like to address some of the industry’s concerns. For example, the strict requirements for data brokerage services under the DGA are to be significantly relaxed. Instead of highly formalized obligations, the focus should be on more risk-based requirements and voluntary evidence and trust approaches, depending on how they are structured.

Companies have also frequently criticized the obligation to disclose data under the Data Act and the resulting weakening of trade secret protection. The EU Commission now wants to strengthen the protection of trade secrets. Companies should be able to refuse to disclose data if they can prove that there is a high risk that the data could otherwise be used unlawfully.

Improvements are also to be made in other areas: The EU Commission wants to make it easier to reuse public data in order to strengthen data-driven business models. The switching obligations for cloud providers are to be clarified. In addition, government access to company data (B2G) is to be focused more on genuine emergencies in order to reduce legal uncertainty and burdens.

SMEs and the new category of small mid-caps are to be exempted from many obligations.

Easier reporting of cyber incidents

The EU Commission wants to make it much easier for companies to report security incidents by creating a central European reporting portal. All reports under the GDPR, EU Digital Identity Regulation, CER, NIS-2 and DORA are to be bundled there and then automatically forwarded to national authorities. It is important to note that the material reporting obligations are not to be eliminated as a result, but the submission is to become more centralized and consistent. Parallel reports to different authorities are to be reduced. Until now, companies may have had to report a single incident to several authorities.

Artificial intelligence

Adjustments are also planned for the AI Act. It has already been decided:

• The AI Act will be amended to prohibit AI practices that generate non-consensual sexual and intimate content or depictions of child sexual abuse.
• The regulations for high-risk AI systems have been postponed and will now only apply from December 2, 2027 for stand-alone high-risk AI systems and from August 2, 2028 for high-risk AI systems embedded in products.
• Providers will be obliged to register AI systems in the EU database for high-risk systems, even if they consider that their systems are not to be classified as high-risk systems.
• The standard of absolute necessity for the processing of special categories of personal data for the purpose of detecting and correcting distortions has been reinstated.
• The deadline for the establishment of AI laboratories by the competent authorities at national level is extended until August 2, 2027.
• The transitional period granted to providers for the implementation of transparency solutions for artificially created content will be reduced from six months to three months; the new deadline has been set for December 2, 2026.

The obligations for SMEs and small mid-caps will be simplified in certain areas. In this way, the EU Commission aims to promote innovation.

The Council and Parliament have also agreed on clearer responsibilities and procedures at EU level, particularly for systems based on general-purpose AI models. The AI Office is to take on a stronger coordinating role and contribute to a more uniform application of the regulations. The aim is to improve cooperation between national supervisory authorities and reduce fragmentation without fundamentally changing the existing decentralized enforcement structure.

What the Digital Omnibus would mean for companies

The EU Commission’s proposals would bring more clarity and predictability for companies. The strict obligations and high level of protection would essentially remain in place. However, the improved structure and interlinking of the individual legal acts as well as the simplified documentation requirements would make it easier for companies to handle them in practice.

While an agreement has already been reached on the AI Omnibus, the further timetable for the other proposals of the Digital Omnibus remains dependent on the progress of the legislative process.

The Commission has also launched a consultation on the Digital Fitness Check. This is also intended to simplify the EU’s digital regulation and ensure that overlaps and inconsistencies in existing digital legislation are reduced. New initiatives are also mentioned in the package, such as the “Data Union Strategy”, as well as an instrument such as the “European Business Wallets”, which are intended to facilitate administrative processes in the single market.