What is the European Commission’s Digital Omnibus package?

The recent leaks of the European Commission’s draft plans for digital reforms caused concern amongst digital rights advocates, especially as there was a notable shift of thinking inside the European Union (EU). The EU loves to be the first to regulate, but regulation of a new fast-moving technology can stifle adoption and innovation. It seems obvious now that the EU has harmed investment, because AI development and use is seen as more difficult in Europe. In addition, the arrival of the Trump administration which is willing to impose tariffs and look at non-tariff barriers to trade, like regulation, creates an additional tension. The harm to investment and the impact on US trade relations is a major reason why the EU is assessing its technology regulations.

On 19 November 2025, the European Commission published its digital omnibus legislative package (the Omnibus). According to the Commission, this initiative is designed to enable European businesses to devote more energy to innovation and growth, rather than navigating complex compliance landscapes.

The Omnibus is complemented by the Data Union Strategy and the European Business Wallet proposal, each aiming to simplify organisations’ ability to conduct business across EU Member States.

The proposed changes would impact the GDPR and the EU AI Act. In particular, this has signalled a change of attitude by the EU.  Privacy activist Max Schrems’ organisation, noyb, became a vocal critic describing them as ‘death by 1000 cuts’ for the GDPR. Criticism is made to changes which are said to constrain the definition of what qualifies as personal data; limit rights of access for journalists, employees, and researchers; and expand the ability for businesses to use personal data for commercial training of AI models.

Single cybersecurity incident reporting point

One of the key proposals within the Omnibus is a new cybersecurity incident reporting arrangement. This could see a new approach and guidelines on cybersecurity when we have only just finished getting ready for the NIS2 Directive.

The Omnibus proposes a unified reporting interface but the implementation timeframe is unknown.

The EU gave a list of the top 10 benefits:

1. Small and medium-sized enterprises (SMEs) and small mid-cap companies (SMCs) will be able to save money and time thanks to specific rules in the Data Act and the Artificial Intelligence Act and voluntary trust-marks for data intermediation services instead of regulatory obligation;
2. Simpler, streamlined rules on data, with targeted clarifications with two laws, instead of five: the Data Act and the General Data Protection Regulation (GDPR);
3. Better protections for companies’ trade secrets against potential leakage to third countries and clarification and focusing of rules where businesses need to share data with public authorities to emergency situations in the Data Act;
4. Added clarity on ‘pseudonymisation’ of personal data;
5. Clearer rules on how to handle personal data when developing AI systems and models and in the context of scientific research and innovation;
6. Simpler cookie requirements and ‘whitelist’ of harmless purposes for which business do not need to ask users for consent;
7. Support measures in the application of the AI Act, aligning obligations with availability of standards;
8. Innovation opportunities in developing trustworthy AI, with EU-sandboxes and real-life testing facilities;
9. European business wallets to identify, authenticate and exchange data in a secure and user-friendly way with public sector bodies, ease forms, compliance interactions with authorities;
10. Streamlining the reporting obligations in case of cyber incidents through a single-entry point.

AI: change is coming

The Omnibus signals a shift for the Artificial Intelligence Act (AI Act):

• Implementation & timeline changes: The high-risk AI rules timeline for enforcement is changing, the Commission is to give more thought to the ability for companies to comply and whether the resources and tools exist before they demand they be in place.
• Simplified compliance: Simplification of obligations will be made for small mid-cap companies.
• AI literacy: The Commission and Member States will foster AI.
• Reduced registration burdens for providers in high-risk areas: Where use is for narrow or procedural tasks, there will be reduced registration requirements.
• More sandboxes: There will be more regulatory sandboxes.

 GDPR amendments and ‘new’ Cookie Rules

A positive change to the GDPR arrangements is extending the data breach reporting deadline from 72 hours to 96 hours.

Cookie Consent Rules: As expected, the Commission proposes amended cookie consent rules by reducing the frequency of cookie banners and enabling users to provide and manage consent through one-click mechanisms and centralized browser or operating system preferences. Though this was never really a requirement.

The Strategy proposes measures that unlock data for AI across Europe, ensuring that the businesses in the EU have access to high-quality data to compete in the global markets and drive innovation. This will help optimise healthcare, improve energy systems and sustain our industrial leadership.

The EU’s data changes are centred around three areas of action:

1. Scaling up access to data for AI, with initiatives such as data labs, a strengthened focus on the development of Common European Data Spaces, including on defence, and developing synthetic data in areas where real-world data is scarce.
2. Streamlining data rules, making sharing data easier while protecting rights. Complementing the simplification proposals in the omnibus the Commission will produce further guidance and templates to help companies comply with data rules and introduce a Data Act legal helpdesk.
3. Strengthening the EU’s global position on international data flows, to ensure fair cross-border data flows while maintaining safeguards for EU sensitive non-personal data and boosting the EU’s voice in global data governance. This will complement the long-lasting EU approach to safe personal data flows developed through the EU data protection acquis.

If you have questions or concerns about the Omnibus, please contact James Tumbridge.