Privacy & Information Security Law Blog

On November 19, 2025, the European Commission (the “Commission”) unveiled the much-anticipated digital omnibus legislative package (the “Digital Omnibus”), setting the stage for a new era of digital governance and regulatory simplification across the European Union. According to the Commission, this initiative is designed to enable European businesses to devote more energy to innovation and growth, rather than navigating complex compliance landscapes.

The Digital Omnibus is complemented by the Data Union Strategy and the European Business Wallet proposal, each aiming to simplify organizations’ ability to conduct business across EU Member States.

Single Cybersecurity Incident Reporting Point

One of the key proposals within the Digital Omnibus is the introduction of a single-entry point for cybersecurity incident reporting. Presently, companies operating in the EU are subject to overlapping obligations under multiple frameworks, including the Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the EU (the “NIS2 Directive”), the EU General Data Protection Regulation (“GDPR”) and the Digital Operational Resilience Act, each requiring separate notifications in the event of a cyber incident.

With the Digital Omnibus, the Commission proposes a unified reporting interface enabling businesses to satisfy all their incident notification requirements through one secure portal. The Commission stated that the interface will be engineered with robust security safeguards and undergo comprehensive reliability and effectiveness testing prior to its launch.

Amendments to the AI Act

The Digital Omnibus package also addresses the implementation of the Artificial Intelligence Act (“AI Act”), aiming to foster responsible innovation while protecting society, safety and fundamental rights.

Targeted amendments to the AI Act include:

• Implementation Timeline Linked to Support Tools: The application of high-risk AI rules will be tied to the availability of necessary standards and support tools, ensuring that companies have the resources required for compliance. The timeline for enforcement of these rules is set at a maximum of 16 months, only beginning once the Commission confirms that the needed tools are in place.
• Simplified Compliance for SMEs and SMCs: Simplifications currently available to small and medium-sized enterprises (“SMEs”) will be extended to small mid-cap companies (“SMCs”), including streamlined technical documentation requirements and special consideration in the application of penalties.
• Processing of Special Category Data: Providers and deployers of all AI systems and models will be permitted to process special categories of personal data for the purpose of bias detection and correction, provided appropriate safeguards are implemented, thereby facilitating compliance with data protection laws.
• Promoting AI Literacy: Rather than imposing vague obligations on providers and deployers of AI systems, the Commission and Member States will take responsibility for fostering AI literacy while retaining targeted training obligations for deployers of high-risk AI systems.
• Flexible Post-Market Monitoring: Providers will be offered greater flexibility in post-market monitoring by removing the requirement for a harmonized post-market monitoring plan.
• Reduced Registration Burdens for Providers in High-Risk Areas: Providers of AI systems used in high-risk areas, but which are only deployed for narrow or procedural tasks, will benefit from reduced registration requirements.
• Centralized Oversight of General-Purpose AI Models: The AI Office will reinforce its powers and centralize oversight over a broad range of AI systems, particularly those built on general-purpose AI models or embedded in very large online platforms and search engines, reducing governance fragmentation.
• Expanded Regulatory Sandboxes: The amendments introduce expanded opportunities for regulatory sandboxes and real-world testing. The AI Office will set up an EU-level AI regulatory sandbox, which will be available from 2028.
• Clarifying Legislative Interplay and Procedures: Targeted changes will clarify the relationship between the AI Act and other EU legislation and adjust procedures under the Act to enhance its implementation and overall operation.

Enhanced Data Access

The Commission announced that the Digital Omnibus shall improve access to data, in particular simplifying data rules by:

• Consolidating EU Data Rules via the Data Act: The Digital Omnibus consolidates EU data rules via the Data Act, merging four pieces of legislation for greater legal clarity.
• Exemptions for SMEs and SMCs: Targeted exemptions from some cloud-switching rules are expected to yield 1.5 billion euro in one-off savings.
• Model Contractual Terms and Standard Clauses: New guidance for compliance with the Data Act will be provided through model contractual terms for data access, and use, and standard contractual clauses for cloud computing contracts.
• Boosting AI Innovation: Enhanced access to high-quality, up-to-date datasets will support the growth of European AI companies and strengthen EU-wide innovation potential.

GDPR Amendments and Modernized Cookie Rules

Other key proposals encompassed within the Digital Omnibus include:

• Targeted Amendments to the GDPR: The Commission proposes specific amendments to the GDPR aimed at, among others:
  • Extending the data breach reporting deadline from 72 hours to 96 hours;
  • Codifying the recent case law of the Court of Justice of the European Union with respect to the definition of personal data;
  • Clarifying the rules on the use of personal data for AI training purposes; and
  • Simplifying certain administrative obligations for businesses, such as the requirement to conduct data protection impact assessments.
• Cookie Consent Rules: The Commission proposes modernizing cookie consent rules by reducing the frequency of cookie banners and enabling users to provide and manage consent through one-click mechanisms and centralized browser or operating system preferences.

The Digital Omnibus, together with the Data Union Strategy and European Business Wallet, will be presented to the European Parliament and the European Council for further consideration and adoption.

Read the press release. Read the Digital Omnibus.