Digital Omnibus: towards a simplified EU digital regulatory framework
1. Context
The Digital Omnibus proposal, which aims to promote regulatory simplification and cohesion of the European digital ecosystem, is part of the Commission's strategy to boost digital competitiveness and innovation in the EU by restructuring the regulatory framework and creating common mechanisms to facilitate compliance with regulatory obligations.
2. Key points of the proposals
(i) GDPR
The Digital Omnibus Regulation proposal makes significant changes to Regulation (EU) 2016/679 (GDPR), with a view to giving the regulation a more practical approach consistent with technological developments. Firstly, the concept of personal data is redefined: information relating to a natural person will not necessarily be considered personal data for a given entity when that entity does not have reasonably likely means of identifying the data subject. This change moves away from a purely theoretical approach towards a risk-based method, which will allow for a proportionate and contextual assessment of identifiability.
It is clarified that the category of health-related data should be understood in a strict way, comprising only data that directly reveal the physical or mental state of an individual. This excludes inferences, correlations or deductions obtained by statistical analysis or algorithms, unless the result explicitly reveals the health status.
The purpose limitation principle is also strengthened, confirming that further processing for scientific or historical research, public interest or statistical purposes will not be considered incompatible with the initial purpose, provided that the guarantees of the GDPR are respected.
Two new exemptions are added for the processing of special categories of data: (1) the processing of data for the development and operation of artificial intelligence systems under technical and organisational measures that minimise risks, and (2) the processing of biometric data where necessary to confirm the identity of the data subject (verification), provided that such data or the means necessary for the verification are under the sole control of the data subject.
Among other adjustments, measures are introduced to strengthen protection against abuse of rights by allowing for the rejection of repetitive or clearly unfounded requests, including by applying reasonable fees. The information obligations are also made more flexible in low-risk processing or when the data subject already has the data, and it is clarified that the need to execute a contract does not imply that decisions must be exclusively automated.
Furthermore, the harmonisation of impact assessments is strengthened by means of common criteria and models developed by the EDPB (known as a "whitelist"), with the aim of providing greater consistency and reducing administrative burdens.
In the area of security, the deadline for breach notification in high-risk cases is extended from 72 to 96 hours.
(ii) AI REGULATION
The proposed Digital Omnibus Regulation on Artificial Intelligence amends Regulation (EU) 2024/1689 ("AI Regulation"), introducing key adjustments to facilitate its implementation and strengthen governance.
First, it introduces a mechanism linking the entry into force of obligations for high-risk AI systems to the availability of standards, specifications and supporting guidance, with transitional periods of 6 and 12 months depending on the type of system, and deadlines in December 2027 and August 2028. In addition, measures are incorporated to reduce regulatory burdens and offer specific support to SMEs and mid-size companies, preventing regulatory requirements from slowing down innovation.
In the area of Generative AI, an additional six-month grace period is granted for the implementation of watermarking, extending the deadline to February 2027, and the role of the Code of Good Practice as a guide for its application is strengthened.
In addition, the competences of the European Commission's AI Office are extended: it will assume the supervision of general-purpose models and integrated systems in large platforms regulated by the Digital Services Act, centralising governance and ensuring regulatory coherence.
In the area of data protection, residual processing of special categories of data is allowed when their deletion would be disproportionate, under strict technical and organisational safeguards, in line with the GDPR.
Finally, the explicit obligation to ensure AI literacy is removed, although the practical need for qualified staff to comply with governance and risk management requirements is maintained, making internal training a strategic element to avoid non-compliance and sanctions.
(iii) EPRIVACY DIRECTIVE
The proposal to amend Directive 2002/58/EC (ePrivacy) seeks to improve user experience and reduce administrative burden, while enhancing consistency with the GDPR. Among the most prominent changes is the revision of the rules on cookies and consent, with the aim of combating consent fatigue arising from repetitive banners, through more efficient and less intrusive mechanisms for managing preferences.
In addition, the interactions between ePrivacy and the GDPR are clarified, eliminating duplication and aligning definitions and legal bases to ensure a complementary and coherent framework, especially in the processing of data for marketing and cookie management. The proposal also introduces simplified procedures for obtaining consent and user information, balancing privacy protection with burden reduction for businesses.
Finally, it incorporates the principle of "simplicity by design" at its core, aimed at providing clear and practical solutions without lowering standards of protection. The creation of templates and guides to facilitate compliance, especially in the management of consent and the drafting of privacy policies, is envisaged in order to achieve a more efficient regulatory framework that protects rights and fosters innovation in the European digital market.
(iv) NIS2, GDPR, DORA, EIDAS and CER
The Digital Omnibus Proposal seeks to harmonise and centralise essential processes, establishing common mechanisms that reduce duplication and facilitate compliance with cybersecurity and data protection obligations.
In this regard, the creation of a "single-entry point" for incident reporting is envisaged, which will centralise the communications required by various EU legal acts, including Directive (EU) 2022/2555 (NIS2), Regulation (EU) 2016/679 (GDPR), Regulation (EU) 2022/2554 (DORA), Regulation (EU) 910/2014 (eIDAS) and Directive (EU) 2022/2557 (CER). This mechanism aims to ensure interoperability and regulatory consistency, reduce the administrative burden and avoid duplication of notifications by harmonising forms and information requirements, promoting synergies between the different regulatory frameworks.
The "European Business Wallet" is also incorporated as a means of interoperable business identification and authentication, developed within the framework of Regulation (EU) 910/2014 (eIDAS). This tool will not only allow obliged entities to securely access the single point of entry, but will also facilitate integration with other European digital services, enhancing trust in electronic transactions.
Finally, the European Union Agency for Cybersecurity (ENISA) will assume responsibility for ensuring technical interoperability between the single point of entry and the European Business Wallet, ensuring that authentication processes comply with applicable security standards and regulatory requirements.
(v) DATA ACT REGULATION (DATA ACT)
The Digital Omnibus Proposal foresees the integration of three legislative instruments into a single regulatory framework, consolidating them into Regulation (EU) 2023/2854 (Data Regulation). This integration will entail the repeal of Regulation (EU) 2018/1807 (Regulation on the flow of non-personal data), Regulation (EU) 2022/868 (Data Governance Regulation) and Directive (EU) 2019/1024 (Open Data Directive), eliminating duplication and reducing regulatory burdens for businesses.
Among the main amendments, the protection of companies against access requests by public bodies is strengthened. Firstly, the concept of "exceptional need" as a requirement to activate the data request mechanism is redefined, restricting it exclusively to cases of "public emergency".
Along the same protective lines, additional safeguards are incorporated that limit the scope of the requests, require a case-by-case assessment and provide for compensation, with the aim of protecting sensitive information (including trade secrets) and avoiding a disproportionate use of corporate data, thus reinforcing the autonomy of companies.
As regards portability and the possibility of changing data processing service providers free of charge, an exception is introduced for contracts concluded before 12 September 2025, allowing the parties to agree on compensation for early termination, given that these contracts were signed prior to the date of application of the regulation.
In the framework of the Data Governance Regulation, the prior authorisation it imposes as a requirement to operate as a data brokering service provider is abolished. In its place, the "trust-mark" is introduced, a voluntary accreditation mark that allows demonstrating good practices without being a requirement to start business.
In addition, in the framework of the Open Data Directive, the information altruism regime is simplified and the provisions on secondary use of public sector data are amended, allowing higher fees for "big re-users".
3. Next steps
After publication, the proposals for the Digital Omnibus Regulation on Artificial Intelligence and the Digital Omnibus Regulation will start the ordinary legislative procedure in the European Parliament and the Council, where the envisaged simplification and harmonisation measures will be discussed. It is expected that the implementation deadlines and transitional provisions for the adaptation of obliged entities will be defined during the procedure.
In addition, the European Commission has announced the opening of a public consultation on the digital fitness check, which will remain open until 11 March 2026. This exercise will assess the coherence of the digital regulatory framework, its cumulative impact on businesses and its contribution to competitiveness and innovation objectives, and may lead to new proposals for regulatory adjustment.
Information note prepared by the Data Protection area of ECIJA Madrid.