On 19 November 2025, the European Commission published the long-awaited Digital Omnibus, an initiative to streamline and update key pillars of the EU's digital legal framework – especially the Data Act, the General Data Protection Regulation and the AI Act. The main drivers behind this initiative were the need to simplify overlapping regulations, reduce compliance burdens for businesses, and ensure greater legal clarity across the European Union.
The Commission's Digital Omnibus Package (the "Omnibus") proposes targeted, near-term amendments to simplify and align the EU's digital rulebooks. For data policy, it consolidates overlapping instruments into the Regulation (EU) 2023/2854 (Data Act) framework and streamlines operational requirements for incident reporting. For privacy, it recalibrates concepts and obligations under the Regulation (EU) 2016/679 (GDPR) to reduce compliance friction while preserving high protection standards. A new single-entry point will route incidents and breach notifications across several frameworks (NIS2, GDPR, DORA, eIDAS, CER),1 cutting duplicate reporting and harmonising templates and processes. The proposal also amends Regulation (EU) 2024/1689 (the AI Act) by clarifying compliance obligations, streamlining conformity assessment procedures, and updating requirements for high-risk AI systems. Overall, the Omnibus aims for legal clarity, cost reduction, and a more coherent legislative framework.
Data Act: A unified framework for data regulations
Structurally, the Omnibus repeals, merges, and streamlines certain rules by folding the Free Flow of Non-personal Data Regulation,2 the Data Governance Act,3 and the Open Data Directive4 into the Data Act via new chapters.
The proposal strengthens trade secret safeguards under the product and internet of things data sharing regime. Data holders may, on a case-by-case basis, refuse disclosure where there is a high risk of unlawful acquisition, use, or disclosure to entities subject to third country regimes with weaker or non-equivalent protections, provided they give a duly substantiated written rationale.
It also amends the business-to-government access regime in the Data Act from "exceptional need" to "public emergencies". The proposal clarifies the compensation regime for situations where data holders, including microenterprises and small enterprises, are required to provide data to address a public emergency.
Cloud switching rules are adapted for custom-made services and for Small and Medium-sized Enterprises (SMEs)/Small Mid-Caps Enterprises (SMCs) providers (e.g. limited exemptions for pre-12 September 2025 contracts, proportionate early termination fees). The draft also removes the prescriptive "smart contracts essential requirements".
A new Chapter "Free flow of non-personal data in the Union" codifies the prohibition of unjustified non-personal data localisation, formerly covered under the partially superseded and to be repealed Free Flow of Non-personal Data Regulation. The new chapter on the "re-use of data and documents held by public sector bodies" consolidates and harmonises the rules for the re-use of public sector data formerly contained in the Data Governance Act and the Open Data Directive, merging open data and protected data re-use under the Data Act with single information points, competent bodies, secure processing environments, and high-value datasets. Public sector bodies may now set higher fees and special conditions for very large enterprises. The European Data Innovation Board (EDIB) is integrated to coordinate consistent application, interoperability, and data space governance.
The Data Governance Act's data intermediation regime shifts to a voluntary EU label with lighter, functionally separate operations and EU-level registers. The proposal maintains the EU-wide label for organisations engaging in data altruism. Recognised organisations can continue to use the official label and benefit from inclusion in the EU's public register.
GDPR: Modernising privacy rules for the digital age5
Regarding the proposed amendments to the GDPR, the Omnibus proposes changes to the wording of the definition of "personal data" by anchoring identifiability in "means reasonably likely to be used to identify" and empowers the Commission (with input from the European Data Protection Board, EDPB) to specify criteria for when pseudonymised outputs are no longer personal for particular recipients.6 It introduces an exemption, permitting residual processing of special category personal data during AI development/operation, subject to specific safeguards. Biometric verification is permitted under the sole control of the data subject, subject to certain conditions. The Omnibus lowers the threshold for solely automated decisions in a contractual context, permitting automation as long as it is necessary for entering into or performing a contract, regardless of whether the same decision could also be made by human means. Information duties are streamlined for certain "not data-intensive" relationships. The proposal also curbs abusive or excessive requests for access by data subjects.
Operationally, breach notifications to supervisory authorities are limited to breaches with a high risk to the rights and freedoms of individuals, and the deadline is extended to 96 hours. The reporting is routed through the NIS2 single-entry point, with an EU-wide common template and periodic updates. The data protection impact assessment (DPIA) practice is harmonised via EU-level lists of processing that require, or do not require, a DPIA, plus a common template and methodology, subject to three-year reviews.
The ePrivacy rule on accessing or storing information via cookies and similar technologies in users' terminal equipment is migrated into the GDPR, maintaining consent as the default requirement for setting or reading cookies, but defining a specific set of consent-free, low-risk purposes. The proposal also introduces rules for handling refusal of cookie consent, including a minimum six-month "do-not-re-ask" period after a user declines consent. It further establishes that automated, machine-readable signals, such as browser settings, which indicate user choices regarding cookies, must be respected by controllers once standards exist, with exemptions for media service providers and future obligations for browser providers.
AI Act: streamlining AI governance
The Omnibus introduces changes to the AI Act primarily to address practical bottlenecks and align with other EU digital legislation. The responsibility for fostering AI literacy is shifted from individual organisations to the Commission and Member States, who are now responsible for encouraging sector-appropriate training and support, rather than imposing a uniform mandate. The proposal establishes a legal basis for processing special categories of personal data for bias detection and correction across all AI systems, not just those deemed high-risk, and extends relief measures for SMEs and SMCs – including simplified technical documentation, proportionate quality management obligations, and penalty mitigation.
Conformity assessment procedures are streamlined by allowing conformity assessment bodies to submit a single application and undergo a single assessment procedure to be designated under the AI Act and relevant Union harmonisation legislation. In addition, certain Notified Bodies that are already notified under sector-specific EU law may, for a transitional period, be permitted to temporarily carry out conformity assessments for high-risk AI systems until they obtain formal designation under the AI Act. The Omnibus further expands the possibilities for real-world testing of AI systems, including those embedded in regulated products, and strengthens centralised oversight by empowering the new AI Office to supervise general-purpose AI models and very large online platforms and search engines. Additional adjustments ease registration requirements for certain narrow-task high-risk AI systems – while maintaining robust internal documentation – and replace mandatory templates for post-market monitoring with Commission guidance.
The Omnibus also introduces a shift in the timing for the application of core requirements to high-risk AI systems. Instead of a fixed implementation date, obligations under the AI Act are now linked to the availability of harmonised standards, common specifications, or relevant Commission guidelines. Requirements will become effective six or twelve months after a relevant Commission decision confirming readiness – depending on the system category – or, in the absence of such decision, at the latest by December 2027 or August 2028, depending on the categorisation of the high-risk AI system. Depending on the length of the legislative process, these deadlines might be pushed back further.
Platform to Business Regulation: phasing-out
The draft proposes to repeal the Platform to Business (P2B) Regulation7 on promoting fairness and transparency for business users of online intermediation services, in two phases. Some provisions, including rules on restriction, suspension or termination of platform access and on internal complaint-handling systems, remain in force until the end of 2032. All other parts of the P2B Regulation are planned to be repealed immediately.
Outlook
The Digital Omnibus proposes targeted amendments to the EU's digital legal framework. Key changes include the consolidation of several data-related regulations into the Data Act, adjustments to trade secret protections, and a streamlined business-to-government data access regime. The proposal also modifies GDPR provisions, amending the definition of personal data, updating breach notification procedures, and integrating cookie rules into the GDPR. The introduction of a single-entry point for incident and breach notifications is intended to reduce duplicate reporting and harmonise processes across multiple frameworks. For the AI Act, the Omnibus revises certain provisions, including relief measures for SMEs and SMCs, eased requirements for certain narrow-task high-risk AI systems, adjustments to conformity assessment processes, and changes to the timing of the applicability of requirements for high-risk systems. The proposed amendments will likely be subject to changes during the legislative proceedings in the Council of the European Union and the European Parliament. Furthermore, the European Commission has also initiated a consultation on a "Digital Fitness Check" with the intention to further examine the coherence and cumulative impact of the EU's digital rules. Going forward, companies may need to prepare a review of their processes and programmes.
1 Directive (EU) 2022/2555 (NIS2), Regulation (EU) 2016/679 (GDPR), Regulation (EU) 2022/2554 (DORA), Regulation (EU) 910/2014 (eIDAS), Directive (EU) 2022/2557 (CER).
2 Regulation (EU) 2018/1807.
3 Regulation (EU) 2022/868.
4 Directive (EU) 2019/1024.
5 For the GDPR-specific amendments proposed by the Omnibus, see also: "GDPR under revision: Key takeaways from the Digital Omnibus Regulation proposal".
6 Regarding pseudonymised data see also CJEU, judgment of 4 September 2025 – Case C-413/23 P.
7 Regulation (EU) 2019/1150.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2025 White & Case LLP