On 19 November 2025, the European Commission presented the ‘Digital Omnibus’, an ambitious part of the new Digital Package, adjusting and streamlining existing EU digital legislation on AI, cybersecurity and data.
The aim is to ease compliance and, through simplification efforts, to save on compliance costs.
The Digital Omnibus amends the GDPR, AI Act, cookie rules and the Data Act.
GDPR reforms
A change is made to the definition of personal data as a result of the recent case C-413/23 of the Court of Justice, including a relative concept of personal data.
AI developers are enabled to process (even sensitive) data under the legitimate interest basis (Article 6.1(f) GDPR).
Certain limitations are introduced to data subject rights. Controllers shall be able to refuse data subject requests that are abused for purposes other than data protection, and certain information requirements are reduced.
Exceptions and clarifications are made to data processing rules for scientific research (scientific research is a legitimate interest (Article 6.1(f) GDPR)).
The proposal extends the notification period for data breaches from 72 hours to 96 hours.
AI Act reforms
Several changes to the AI Act are proposed, such as a delay in the application of the obligations for high-risk AI systems, with ultimate deadlines set on 2 December 2027 for Annex III systems and 2 August 2028 for Annex I systems.
The Commission also proposes to simplify the obligations on AI literacy: instead of imposing a strict and unclear obligation on companies, the Commission introduces a requirement for the Commission and EU Member States to improve AI literacy (shift to an encouragement rather than an obligation).
The Digital Omnibus also broadens the existing simplifications for SMEs to small mid-cap companies. In addition, innovators would gain easier access to regulatory sandboxes and would be allowed to conduct more real-world testing, including through an EU-level sandbox expected in 2028.
Cybersecurity: a single reporting portal
To reduce multiple reporting under different legislation (such as GDPR, NIS2 Directive, DORA) and administrative burdens, the Digital Omnibus proposes a single entry point for all cybersecurity-related incident reporting. This comes together with the extension of the reporting period from 72 to 96 hours.
Data Act: clearer data rules and stronger safeguards
The Digital Omnibus also includes amendments to the Data Act. It provides e.g. stronger safeguards for trade secrets in IoT data-sharing contexts. Public-sector access to business data would be significantly narrowed and permitted only in public emergencies. To improve legal clarity, the proposal consolidates three existing digital frameworks into the Data Act (Free Flow of Non-Personal Data Regulation, Data Governance Act and the Open Data Directive). The cloud-switching rules are made more practical by granting SMEs and small mid-caps targeted exemptions and by applying a lighter framework for custom-made data processing services covered by contracts concluded before or on 12 September 2025.
Cookie rules
The proposal modernises EU cookie rules, bringing them into the GDPR, to improve user experience online. It aims to decrease the frequency of cookie banner consents, allow one-click consent and enable users to store their preferences directly in browsers or operating systems.
Want more details?
More information is available at https://ec.europa.eu/commission/presscorner/detail/en/ip_25_2718.
For any questions, contact our Innovation lawyers.
