The EU’s Digital Omnibus Proposals - What you Need to Know Now
21 November 2025
On the 19th November, the European Commission unveiled a comprehensive proposed overhaul of Europe's digital legislation in the form of the Digital Omnibus Regulation Proposal and Digital Omnibus on AI Regulation Proposal.
Rapid developments in artificial intelligence and the proliferation of digital regulations in the EU have led to competitiveness concerns – see the Draghi report of September 2024 – and calls from business leaders to "stop the clock". The Commission's response is a set of proposals which pare back some of the data-related regulation it considers too onerous for a competitive AI- and tech-driven economy.
Our expert teams will be analysing the proposals in detail over the coming days and then months, but here's our brief digest of the key changes and our reflections to date.
Less than a decade after the GDPR's entry into force, a series of targeted amendments seek to assist companies in unlocking the power of data without undue regulatory restrictions.
Recognising the intersection between AI and data protection, the package contemplates allowing the processing of personal data to train AI models on the basis of legitimate interests. A new condition under article 9 would allow the processing of special category data for AI training if state of the art security is used and the data is subsequently removed and anonymised. These changes are notable as the GDPR was originally drafted as a technology-neutral piece of legislation and the introduction of AI-specific rules marks a departure from this position.
The proposal also provides for the possibility to process biometric data when it is necessary to carry out an identity check, if the biometric data, or the means for the verification, is under the control of the data subject.
Regarding the much discussed topics of anonymisation and pseudonymisation, the proposals confirm that information is not personal data if the recipient of the data does not have the means "reasonably likely to be used" to identify the individual in question. This change codifies recent case law and, for organisations active in both the EU and UK, will bring the interpretation of anonymisation closer to the latest guidance released by the UK Information Commissioner's Office.
Data controllers will be exempt from the duty to provide information to data subjects under Article 13 GDPR if they satisfy various conditions, including where their activities are not data-intensive and there are reasonable grounds that the data subject has been already informed.
On data subject requests, the proposal allows controllers to refuse data subject access requests where the data subject "abuses the rights conferred… for purposes other than the protection of their data".
The package proposes limiting the duty to report breaches to the authorities to high-risk breaches only (Art. 33 GDPR) and will establish a single-entry portal with ENISA for data breach notifications within a 96-hour reporting window. Currently, organisations must navigate multiple incident reporting regimes under GDPR, the NIS framework, and the Digital Operational Resilience Act. The EDPB must also prepare a list of circumstances in which a personal data breach is likely to result in a high risk to individuals' rights and freedoms, a move which will help organisations decide whether to notify the regulators.
The Commission also targets the consumer-facing friction in cookie banners. Under the proposal, users will be able to accept or refuse cookies on their devices with one click and organisations must respect those choices for six months. The intent is to restore meaningful user choice and reduce banner fatigue.
The proposed reforms for AI have been submitted in a standalone package to accelerate the timeline for adoption compared to the larger digital omnibus.
Most headline-grabbing is that the obligations and restrictions related to high risk processing will be postponed until 2027. The Commission has recognised the need for certification standards and "support tools" to be made available. Organisations will then have six months from their publication to achieve compliance.
The reforms will permit processing of special category data for bias mitigation purposes, building on an existing right under Article 10(5) which applies exclusively to providers of high-risk AI systems. This is a pragmatic recognition that fairness testing often requires sensitive attributes to detect and address discriminatory outcomes regardless of whether an AI system is high risk.
Other targeted amendments include simplifications for small and medium-sized enterprises and small mid-cap companies in the form of pared-back technical documentation requirements, sandboxes for real-world testing, and proposals to "reinforce the AI Office's powers and centralise oversight of AI systems built on general-purpose AI models, reducing governance fragmentation."
The package consolidates the regulatory framework in the Free Flow of Non-Personal Data Regulation, the Data Governance Act and the Open Data Directive. The Data Act will be the central piece of legislation for all data access, usage and sharing rights regarding personal and non-personal data. This aims to unlock the potential for innovation through high-quality and fresh data sets for AI. "Targeted exemptions" will be introduced to the Data Act's cloud-switching rules for SMEs and SMCs. These streamlined data rules will be supported by the Commission's model contractual terms for data access and use and standard contractual clauses for cloud computing contracts.
At the same time, a new digital enabler – the European Business Wallet – will allow the secure creation, storage and exchange of documents, as well as digital signing and timestamping, across all 27 Member States. By streamlining cross border administration, tax and dealings with authorities, it aims to save up to €150 billion for businesses a year.
With the repeal of the P2B Regulation, which has been largely superseded by the Digital Markets Act and the Digital Services Act, duplicate obligations will be removed, compliance burdens lowered, rules for online intermediaries clarified, and enforcement facilitated.
The packages will enter trilogue negotiations with the European Parliament and Council and the consultations are expected to go through an accelerated process over the next few months. Although we anticipate negotiations will be intense, the Commission’s direction is clear: a removal of some of the more onerous data requirements which were seen to have little benefit, such as multi-agency data breach reporting and certain cookie requirements, more realistic pathways to AI compliance, and a rebalanced data protection regime that better accommodates AI training and fairness testing while preserving core governance requirements.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.