On 19 November 2025, as a result of the European Commission’s (the Commission) commitment to simplify the EU’s digital rulebook and the input gathered through the Digital Omnibus call for evidence, the Commission has published a Digital Package on Simplification, including a Digital Omnibus, a European Business Wallet proposal and a European Data Union Strategy.
The Digital Omnibus aims to simplify compliance with the bloc’s privacy, data, cyber and AI regulations, and includes some significant easements, especially for businesses developing and using AI models and systems. The package includes (i) a Regulation covering targeted amendments to the GDPR, ePrivacy rules, the Data Act, and cyber incident reporting rules across laws, and (ii) a Regulation amending the AI Act.
What businesses need to know about the Digital Omnibus
1. Data, privacy and cyber laws
Clarification on personal data and pseudonymisation. According to the Commission’s proposal, information should only count as personal data for an entity if that entity has means that are reasonably likely to be used to identify the individual to whom the data relates. If a business cannot identify an individual with the information held, that data would not need to be treated as personal data under the GDPR. However, if the same information is transferred to a third party who can identify the person, it would become personal data for that third party. Hence, personal data would now be judged in a “relative” approach, codifying recent ECJ case law. Alongside this, the Omnibus also adds a new Article 41a GDPR, implementing a mechanism intended to allow the GDPR to keep up with technological developments in pseudonymisation.
Amending rules on sensitive data. The Commission proposes new exceptions to the prohibition on processing sensitive data under Article 9 GDPR. Mainly, processing of sensitive data in developing and operating AI systems would be allowed, but only when strict safeguards are applied. Furthermore, the Omnibus Proposal includes a new Article 4a AI Act, which would permit the processing of sensitive data for the purpose of detecting and correcting bias.
Training AI systems by processing personal data. The proposal clarifies the legitimacy of such processing: if a company needs to process personal data to create or run an AI model or system, it would be able to rely on the "legitimate interests" option, provided that all other applicable requirements under the GDPR are met.
Flexibility on Abusive Data Subject Access Requests (DSARs). The Commission proposes to amend the rules on DSARs under Article 12 GDPR, offering controllers greater flexibility when dealing with them. Controllers would be entitled to deny, or impose fees for, requests not only based on repetitiveness, but also when there are reasonable grounds to believe that a data subject is exercising their rights for non-data-protection purposes.
Streamlining data and cyber incident reporting. The draft streamlines cyber incident reporting via an ENISA single portal (NIS2/GDPR/DORA/eIDAS), and narrows GDPR breach notifications to high-risk cases only, while extending the notification deadline to 96 hours. The single portal is to be piloted by ENISA and should start being used for reporting within 18 months of the Omnibus’ entry into force.
Data Act: The Data Governance Act and the Open Data Directive are planned to be consolidated into the Data Act. For the latter, stronger trade secrets safeguards are proposed. The Commission also suggests a revised, broader definition of 'data holder' under the Data Act. The Data Act previously required a natural or legal person to 'use and make available data'; the new definition would change it to 'use or make available data'. The exemptions for custom-made data processing services (those heavily adapted to the specific needs of a customer and not offered "off-the-shelf") are planned to be expanded. Concretely, for services provided under contracts concluded before or on 12 September 2025, most of Chapter VI's obligations (which govern switching between data processing services) do not apply, except for Article 29 (which concerns the prohibition of obstacles to switching, particularly egress charges).
2. AI Act
Removal of mandatory AI literacy requirements. The Commission’s proposal replaces the binding obligation on companies with a non-binding encouragement for the Commission and Member States to promote AI literacy through training and best practice sharing.
Enforcement role of the AI Office regarding GPAI and VLOPs/VLOSEs. The proposal clarifies the AI Office’s role as the competent supervisory authority for certain AI systems based on general purpose AI (GPAI) models. The AI Office will oversee GPAI systems when the model and system are developed by the same provider, while AI systems related to products covered by product safety legislation listed in Annex I of the Act will be supervised by the sectoral authorities. The proposal also expands the supervision of the AI Office to AI systems integrated into very large online platforms (VLOPs) and very large online search engines (VLOSEs), as defined by the Digital Services Act (DSA). Still, the proposal clarifies that for these systems, the first point of entry for assessment of the AI systems is the risk assessment, mitigation measures, and audit obligations as required by the DSA (Articles 34, 35, and 37). At the same time, the AI Office’s powers remain untouched, and the proposal introduces obligations for regular exchange of views and information between authorities under the AI Act and those under the DSA, to avoid duplication and ensure proportionality in enforcement.
Postponing the entry into application of AI Act requirements on high-risk AI systems and fines on transparency obligations. The Commission introduces a mechanism that links the entry into application of high-risk AI systems’ requirements that were due to take legal effect on 2 August 2026, to the availability of compliance support measures such as harmonised standards, common specifications and Commission guidelines. This availability must be confirmed by a Commission decision. Requirements for high-risk AI systems in Annex III will apply six months after the Commission’s decision, or by 2 December 2027 at the latest, while those in Annex I linked to sectoral law will apply twelve months after the decision, or by 2 August 2028 at the latest.
The Commission suggests delaying the start date for fines for infringements of transparency and marking obligations under Article 50(2) of the AI Act by six months, to 2 February 2027, for AI systems that were placed on the market before 2 August 2026. This concerns the obligation for providers to ensure that AI-generated outputs are marked in a machine-readable format and detectable as artificially generated. The remaining transparency obligations under Article 50 of the AI Act will become fully enforceable by 2 August 2026, as planned.
Next steps
The simplification of the EU’s digital regulatory framework will take place in two steps: the first step being the targeted adjustments included in the “Digital Omnibus”, and a second step consisting of a broader exercise that will be undertaken by the Commission in 2026 to assess the coherence and cumulative impact of the entire EU digital acquis under the so-called “Digital Fitness Check”.
On the one hand, the Digital Omnibus needs to undergo the ordinary legislative procedure, requiring review and potential amendment by both the European Parliament and the Council. EU policymakers are expecting a tight timeline for negotiations, especially for the AI Act targeted amendments, which should be brought to a close before August 2026 when the majority of the AI Act provisions will have started to apply. Once approved via the ordinary legislative procedure, it will enter into force almost immediately (on the third day after its publication in the EU Official Journal).
On the other hand, the Commission has, in parallel to the Digital Omnibus, launched a public consultation on the Digital Fitness Check, which is open for feedback until 16 March 2026. Once the feedback has been gathered, the Commission will present its findings in the form of a report expected to be unveiled in Q1 2027, assessing the interplay between the different EU digital rules, their cumulative impact on businesses, and how effectively they support the EU’s competitiveness.
We would like to thank Lorenz Kammerl (Research Assistant) for his valuable contribution to this article.
