Digital Omnibus: More efficiency instead of deregulation

The EU Commission wants to streamline digital laws. On November 19, 2025, it presented its proposals for the “Digital Omnibus” (including a separate AI Omnibus). The core of the reform package: the various pieces of digital legislation are to be simplified and more closely interlinked. The package also includes accompanying initiatives, including a data strategy and new tools for companies to facilitate practical implementation.

In response to the advancing digitalization, many new legal regulations have emerged within a short space of time, including the AI Act, the Data Act, the GDPR, the ePrivacy Directive and the Cyber Resilience Act. However, the many different pieces of legislation have so far had little interaction with each other. This is not only confusing for companies, it also results in duplicate obligations. The result is a high administrative burden.

Data protection level to be maintained

The EU Commission’s reform proposals are primarily concerned with efficiency and practicability. In terms of content, the requirements are not to be weakened. Only redundant regulations are to be deleted and overlapping requirements consolidated. The EU Commission wants to maintain the high level of data protection in the EU. At the same time, it is foreseeable that individual proposals – in particular on cookies and access to end devices as well as AI training constellations – will be the subject of controversial political and legal debate.

Planned changes to the GDPR and the ePrivacy Directive

The content of the GDPR is to be partially adapted. At the same time, certain rules on access to end devices (cookies and similar identifiers) are to be modernized and – insofar as personal data is processed in the process – transferred more strongly into the GDPR enforcement framework.

Among other things, the EU Commission wants information and documentation obligations for companies to be simplified in certain cases. There are also plans to simplify the reporting of data breaches, including through more harmonized and standardized reporting processes as well as thresholds and deadlines in order to reduce multiple reports and over-reporting.

Some ePrivacy rules are to be integrated into the GDPR, in particular requirements for storing and accessing information on end devices. Insofar as personal data is processed in the process, these end device access rules are to be transferred from the ePrivacy Directive to the GDPR. To counteract “consent fatigue”, consent pop-ups are to be significantly reduced: Banners should no longer be required for low-risk and harmless purposes (for example, pure reach measurement). In addition, uniform preferences via browser and system settings or one-click decisions should be possible, which websites must respect for at least six months. However, consent will still be required for accessing data on end devices.

Pseudonymized data should be easier to use for AI training

A planned amendment to the GDPR is already the subject of controversial debate: The EU Commission wants to clarify the rules on pseudonymization so that data records can be shared and used more easily under certain conditions (including in the context of AI training) following appropriate protective measures, without them automatically being considered personal data for each recipient. According to the Commission, this is a codification of a more recent ECJ approach. The decisive factor is whether the specific third party or recipient has means that can reasonably be used for re-identification. The controller who pseudonymizes the data record, on the other hand, should remain fully bound by the GDPR.

In addition, clarifications on data processing for AI purposes (for example through training and development) should be more operationalized, in particular on the basis of “legitimate interests” under certain safeguards and on effective objection options.

The protection of personal data is enshrined in fundamental rights under EU law, in particular in Art. 8 CFR and Art. 16 TFEU. Clarifications under secondary law must be measured against this. The extent to which the proposed clarification of the term will be effective will therefore depend largely on how it is specifically formulated in the legislative process and how the ECJ and supervisory practice apply the definition of “reasonably foreseeable means”.

Planned changes to the Data Act and Data Governance Act

The use of data is to be brought together in a bundled data legal framework in future. The approach is to consolidate several building blocks of the “data acquis” in the Data Act. In particular, the content of the Data Governance Act (DGA), the open data rules and the free flow of non-personal data rules are to be integrated into a restructured Data Act.

The EU would also like to address some of the industry’s concerns. For example, the strict requirements for data brokerage services under the DGA are to be significantly relaxed. Instead of highly formalized obligations, the focus should be on more risk-based requirements and voluntary evidence and trust approaches, depending on how they are structured.

Companies have also frequently criticized the obligation to disclose data under the Data Act and the resulting weakening of trade secret protection. The EU Commission now wants to strengthen the protection of trade secrets. Companies should be able to refuse to disclose data if they can prove that there is a high risk that the data could otherwise be used unlawfully.

Improvements are also to be made in other areas: The EU Commission wants to make it easier to reuse public data in order to strengthen data-driven business models. The switching obligations for cloud providers are to be clarified. In addition, government access to company data (B2G) is to be focused more on genuine emergencies in order to reduce legal uncertainty and burdens.

SMEs and the new category of small mid-caps are to be exempted from many obligations.

Easier reporting of cyber incidents

The EU Commission wants to make it much easier for companies to report security-related incidents via a central European reporting portal. All reports under the GDPR, EU Digital Identity Regulation, CER, NIS-2 and DORA are to be bundled there and then automatically forwarded to national authorities. It is important to note that the material reporting obligations are not to be eliminated as a result, but the submission is to become more centralized and consistent. Parallel reports to different authorities are to be reduced. Until now, companies may have had to report a single incident to several authorities.

Artificial intelligence

Adjustments are also planned for the AI Act. In particular, the date of application of the obligations for high-risk AI systems is to be linked more closely to the availability of standards and support tools. A limited postponement of up to 16 months is planned for certain high-risk areas. This is intended to give companies more time for implementation.

The obligations for SMEs and small mid-caps are to be simplified. In this way, the EU Commission wants to promote innovation. The EU is also focusing on promoting innovation through regulatory sandboxes and real-life tests.

The AI Office is to be given a stronger, more central role in supervision and supervision is to be more centralized, especially for systems based on general purpose AI models. Among other things, clearer responsibilities and procedures are envisaged at EU level, particularly for certain GPAI constellations and for AI embedded in very large online platforms and search engines. Strengthened central enforcement in the context of Commission procedures is also planned.

What the Digital Omnibus would mean for companies

The EU Commission’s proposals would bring more clarity and predictability for companies. The strict obligations and high level of protection would essentially remain in place. However, the improved structure and interlinking of the individual legal acts as well as the simplified documentation requirements would make it easier for companies to handle them in practice.

Next, the EU Council and the EU Parliament will deal with the proposals. The further timetable depends on the legislative process. An agreement could be reached in 2026 at the earliest, but is not certain.

The Commission has also launched a consultation on the Digital Fitness Check. This is also intended to simplify the EU’s digital regulation and ensure that overlaps and inconsistencies in existing digital legislation are reduced. New initiatives are also mentioned in the package, such as the “Data Union Strategy”, as well as an instrument such as the “European Business Wallets”, which are intended to facilitate administrative processes in the single market.