
On 19 November 2025, the European Commission presented the Digital Omnibus Package to streamline the EU’s increasingly complex digital regulatory framework, which is characterised by overlapping rules on data protection, artificial intelligence, cybersecurity and data governance. The initiative seeks to reduce administrative burdens and improve legal clarity to make compliance easier, particularly for SMEs, while maintaining high standards of protection. It also aims to enhance the competitiveness of EU businesses by supporting faster innovation and reducing friction in cross-border digital operations within the single market. [1]

Key measures proposed under the Digital Omnibus include:

1. GDPR AMENDMENTS EXPLAINED: ARTICLE-BY-ARTICLE GUIDE

Article 4: Updates to the Definition of Personal Data. The proposal provides that information should not be regarded as personal data where the controller does not have access to reasonably likely means of identifying the individual. The mere possibility that another party may later identify the individual does not, in itself, determine the data’s status for the current holder. [2]

Article 5: Further processing of personal data. The proposal clarifies that reuse of personal data for research, archiving, or statistical purposes is deemed compatible with the original purpose of collection, removing the need for a separate compatibility assessment.

Article 9: Exemptions for special categories of data. The proposal introduces two targeted Article 9 GDPR exemptions, while still adhering to strict safeguards. First, the incidental inclusion of special category data in AI training datasets will not automatically trigger restrictions where appropriate technical and organisational safeguards are in place to minimise, identify, and protect such data. Second, biometric data may be processed for identity verification where the process is fully under the data subject’s sole control.

Article 12: Additional right to refuse abusive access requests. The proposal introduces a right allowing controllers to refuse, or charge a reasonable fee, where abusive access requests are clearly unrelated to data protection purposes.

Article 13: Privacy notices no longer required in obvious, low-risk scenarios. The proposal introduces limited exceptions in cases where there is a clear and defined relationship between the controller and the data subject, the processing is not data-intensive, and it is reasonable to assume the individual already has the key information, as well as where personal data is processed for scientific research purposes.

Article 22: Automated decision-making gets a useful clarification. The GDPR restricts fully automated decisions with legal or similarly significant effects, subject to limited exceptions. The proposal clarifies the contractual necessity exemption, confirming that such processing is permitted where automated decision-making is necessary for the performance of a specific contract with the individual concerned.

Article 33: Increased thresholds. The proposed changes would raise the notification threshold, so that the supervisory authority must be notified only when a breach poses a high risk to individuals. The deadline would be extended from 72 hours to 96 hours. A new single EU entry point would eliminate the need to report to multiple authorities separately.

Article 35: Updates to the Data Protection Impact Assessment (DPIA). It is proposed to add a list of processing activities that do not require a DPIA, alongside the already existing list of activities that do. A single EU-wide DPIA list would also replace the current national lists, creating a more standardised approach.

New Article 41a. The proposed addition of this article would authorise the Commission to adopt implementing acts establishing the criteria and means for assessing when pseudonymised data may cease to qualify as personal data in relation to certain entities.

New Articles 88a, 88b and 88c. The proposal incorporates EU cookie and tracking rules into the GDPR, retaining consent as the default requirement while allowing limited exemptions for essential purposes. It also seeks to reduce consent fatigue through stricter banner rules and browser-based privacy preferences, and clarifies that AI training on personal data may rely on legitimate interests, subject to transparency obligations and an unconditional right to object. [3]

2. AMENDMENTS TO THE AI ACT (REGULATION (EU) 2024/1689)

The proposed amendments to the AI Act are aimed at simplifying compliance and reducing administrative burdens, particularly for small and medium-sized enterprises (SMEs) and startups, through more proportionate documentation and reporting requirements. They also seek to improve alignment with other EU digital legislation, including the GDPR, cybersecurity, and data governance frameworks, to minimise overlapping obligations. In addition, the proposal clarifies key definitions and responsibilities across the AI value chain and streamlines conformity assessment procedures, particularly for high-risk AI systems, while preserving the Act’s core risk-based approach.

3. UPDATES TO THE DATA ACT (REGULATION (EU) 2023/2854)

The proposal positions the Data Act as the EU’s central legal framework on data, designed to create a clearer and more reliable system for improved data access. It also brings together the Data Governance Act, the Open Data Directive, and the Free Flow of Non-Personal Data Regulation under the Data Act. This consolidation helps reduce regulatory overlap while reinforcing trade secret safeguards and expanding exemptions for SMEs from the Data Act’s stringent cloud switching requirements.

The Commission’s Digital Omnibus represents a significant step toward consolidating and streamlining Europe’s digital regulatory framework, with the potential to reduce fragmentation and enhance legal clarity for businesses and citizens. However, the proposals have not yet entered into force and remain subject to the EU’s ordinary legislative process. Accordingly, the existing regulatory framework continues to apply in full until the Digital Omnibus is formally adopted and takes legal effect.

[1] https://ec.europa.eu/commission/presscorner/detail/en/ip_25_2718
[2] https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-regulation-proposal
[3] https://www.edpb.europa.eu/system/files/2026-02/edpb_edps_jointopinion_202602_digitalomnibus_en.pdf