EU Commission unveils Digital Omnibus
On 19 November 2025, the EU Commission published a package aimed at simplifying the EU’s complex legislative framework on digital regulation. The package comprises three elements:
- (1) two regulation proposals aimed at streamlining rules on artificial intelligence, data and cybersecurity (Digital Omnibus and Digital Omnibus on AI);
- (2) a regulation proposal to give companies a single digital identity and simplify cross-border operations (European Business Wallets Regulation); and
- (3) a strategy to facilitate access to high-quality data for AI development (Data Union Strategy).
Background
The project is ambitious in scope, encompassing a comprehensive reform of the legislative framework through amendments to:
- four regulations: (i) AI Act,[1] (ii) Data Act,[2] (iii) Civil Aviation Regulation[3] and (iv) GDPR;[4] and
- two directives: (i) ePrivacy Directive[5] and (ii) NIS 2 Directive.[6]
At the same time, the Digital Omnibus proposes to repeal four regulations and directives: (i) Data Governance Act,[7] (ii) Free Flow of Non-Personal Data Regulation,[8] (iii) Platform-to-Business Regulation,[9] and (iv) Open Data Directive.[10]
Key points
- Digital Omnibus on AI
The Digital Omnibus on AI proposes to amend the AI Act notably by delaying its application to high-risk AI systems from 2 August 2026 until either 2 December 2026 or 6 August 2027. The proposal also removes AI literacy obligations from providers/deployers, shifting them to the EU Commission and Member States, and introduces a legal basis to allow providers and deployers of AI systems and AI models to process special categories of personal data exceptionally for bias detection and correction purposes, subject to specific conditions.
Other changes include:
- the deletion of the obligation for providers of AI systems to register them in the EU database for high-risk systems if they are only used for preparatory tasks;
- the extension of regulatory privileges of the AI Act for small and medium-sized enterprises (SMEs) to small mid-cap enterprises (SMCs) and medium-sized companies (i.e. companies with fewer than 750 employees and less than EUR 150 million in annual turnover);
- the removal of the EU Commission’s empowerment to adopt a harmonised template for a post-market monitoring plan;
- exclusive competence of the AI Office with regard to AI systems that constitute or are embedded in designated very large online platforms or very large online search engines within the meaning of the Regulation (EU) 2022/2065 on a single market for digital services (Digital Services Act); and
- the establishment of an AI sandbox at EU level.
It also amends the Civil Aviation Regulation to ensure that the AI Act’s mandatory requirements for high-risk AI systems are fully covered when adopting relevant delegated or implementing acts on the basis of this regulation.
The EU Commission notes in the final recital that the Digital Omnibus on AI should enter into force “as a matter of urgency”.
- Digital Omnibus
- A new definition of personal data
The Digital Omnibus proposes to amend the definition of personal data provided in the GDPR. Where the latter currently encompasses “any information relating to an identified or identifiable natural person”, the new entity-dependent definition would introduce a subjective criterion and narrow down personal data to information where an entity can identify “the natural person to whom the information relates, taking into account the means reasonably likely to be used by that entity” [emphasis added].
The new definition is largely based on the Court of Justice of the EU (CJEU) case law, specifically the judgment of 4 September 2025 in C-413/23 EDPS v. SRB, where the CJEU found that data are to be considered personal only where the controller has actual means at its disposal to identify a natural person. The EU Commission will likely have to provide further details as to how these “reasonable means” should be interpreted.
- Clarification on pseudonymisation
A new article introduced in the GDPR would enable the EU Commission to adopt implementing acts specifying the “means and criteria to determine whether data resulting from pseudonymisation no longer constitutes personal data for certain entities”.
This provision, as well as the future implementing acts, should provide more knowledge on the state of the art of available pseudonymisation techniques and help further develop criteria to assess the risk of re-identification.
- Update of existing legislation on cookies
The Digital Omnibus also introduces substantial amendments to the ePrivacy Regulation to address consent fatigue by providing website and app operators with broader legal grounds to justify user tracking – thereby avoiding depending solely on consent. Cookie banners currently contain extensive information on personal data processing but remain difficult for most users to understand, defeating their purpose of informing and empowering data subjects.
Thus, it would expand the legal bases for accessing device data and deploying tracking technologies from consent alone to up to ten different grounds, including the six legal bases already encompassed in Article 6 of the GDPR (such as legitimate interest), whilst whitelisting processing for transmission of electronic communication, provision of explicitly requested services, aggregated statistics and security purposes.
A new article to be added to the GDPR identifies four circumstances in which storing personal data or accessing personal data already stored in a natural person’s terminal equipment, and the subsequent processing thereof, would be lawful without requiring the data subject’s consent, e.g. to provide a service explicitly requested by the data subject.
- Processing of special categories of data
The Digital Omnibus also proposes to introduce new provisions under the GDPR establishing that developing and operating AI systems or models qualifies as a legitimate interest of the controller when processing personal data, on the condition that processing personal data is necessary for this purpose and that the controller’s interest does not override the rights and freedoms of data subjects and that special categories of personal data should be removed or kept from AI datasets as much as possible.
Additionally, it introduces an exemption from the general prohibition on processing biometric data under the sole control of the data subject when such processing is necessary for confirming the identity of the data subject.
- Practical requirements
Furthermore, the Digital Omnibus provides for more practical changes, such as allowing data controllers to charge reasonable fees or refuse manifestly unfounded or excessive personal data access requests. It also replaces the previous broad exemption to inform data subjects about processing where there are reasonable grounds to assume the data subject is already in possession of such information with a narrower one for low-risk, non-data-intensive processing, while explicitly excluding high-risk activities like profiling and third-country transfers. A new provision is added to allow scientific research controllers to make transparency information publicly available rather than providing it individually when doing so would be impossible or disproportionate. The Digital Omnibus also clarifies that automated individual decision-making is permitted when necessary to enter into or perform a contract regardless of whether the decision could be taken otherwise.
It would extend breach notification timeframes from 72 to 96 hours through a single-entry point system and raise the breach notification threshold to only those breaches likely to result in high risk, as well as introducing templates for data breach notification and data protection impact assessments.
This single-entry point would also be applicable for several closely interconnected incident reporting obligations set out in the NIS 2 Directive, Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA), Regulation (EU) 2024/1183 amending Regulation (EU) No 910/2014 as regards establishing the European Digital Identity Framework, and Directive (EU) 2022/2557 on the resilience of critical entities.
The Digital Omnibus further stresses that the financial sector has established a harmonised and effective framework under DORA and that its incident reporting framework should be aligned with the single-entry point system, which would then be used for the notifications under GDPR, DORA, NIS 2 Directive and the DSA.
- Other regulations and directives
For all regulations and directives amended or repealed (excluding the AI Act and GDPR), the Digital Omnibus aims to create a unified framework for public sector data reuse. This framework prioritises streamlined procedures, reduced administrative burdens stemming from divergent national laws, safeguards against market dominance by large corporations, and provisions allowing public bodies to set specific conditions on data reuse. To achieve this, it proposes repealing the Data Governance Act and incorporating selected provisions into the Data Act.
The EU Commission asserts that this strengthened framework will deliver clarity and consistency throughout the EU’s data economy and ease compliance, especially for SMEs, while supporting businesses in fostering innovation and ensuring fair competition.
- European Business Wallets and Data Union Strategy
The European Business Wallets Regulation aims to promote the use of a unified digital tool to digitalise operations and interactions currently requiring in-person handling among public sector bodies and private sector businesses. It will make it possible to identify, authenticate and exchange data securely and with full legal effect with other businesses or public administrations across all Member States.
Finally, the Data Union Strategy seeks to unlock high-quality data for AI through expanded access mechanisms such as data labs, while also establishing a Data Act Legal Helpdesk to support its implementation. It also aims to strengthen the EU’s data sovereignty via a strategic international data policy framework, including an anti-leakage toolbox, measures to protect sensitive non-personal data, and guidelines for assessing fair treatment of EU data abroad.
Next steps
Following the publication of the proposals, the EU Parliament and EU Council will, as per the EU legislative procedure, review the text of the EU Commission and propose amendments.
Although the proposals have not yet become law, it is crucial for relevant stakeholders to identify and assess their potential effects on their operations. Once the legislative process establishes the final scope and implementation timeline, a proactive compliance strategy will be essential.
1. Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence
2. Proposed Article 2(17): (17) ‘trader’ means any person in the supply chain other than the operator or downstream operator who, in the course of a commercial activity, makes relevant products available on the market.
3. Regulation (EU) 2018/1139 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency
4. Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data
5. Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector
6. Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union
7. Regulation (EU) 2022/868 on European data governance
8. Regulation (EU) 2018/1807 on a framework for the free flow of non-personal data in the European Union
9. Regulation (EU) 2019/1150 on promoting fairness and transparency for business users of online intermediation services
10. Directive (EU) 2019/1024 on open data and the re-use of public sector information