European Digital Omnibus: A Package of Measures to Harmonize Digital Law
The Digital Omnibus is a legislative initiative of the European Commission aimed at simplifying the EU regulatory framework by amending several existing legal instruments. It is not a standalone regulation replacing current instruments, but rather a package of revisions simultaneously affecting data law, cybersecurity, electronic communications, and artificial intelligence.
The development of European digital regulation has accelerated significantly over the past decade (GDPR, ePrivacy Directive, NIS2, Data Act, Data Governance Act (DGA), Digital Services Act (DSA), Digital Markets Act (DMA), Cyber Resilience Act, AI Act, etc.), resulting in increasing compliance costs and complexity for companies and public authorities.
In response, the European Commission has introduced a series of measures aimed at simplifying and streamlining interactions between these various instruments, targeting provisions deemed overly complex, fragmented, or costly, particularly for SMEs and small mid-caps (SMCs).
This article aims to present the main proposals included in the Digital Omnibus, the next steps, and our recommendations for businesses.
1. What Is the Digital Omnibus Procedure? What Is Its Objective?
The Digital Omnibus is a legislative initiative of the European Commission intended to simplify the EU digital regulatory framework through amendments to several existing legal instruments.
It is not a standalone regulation replacing existing instruments, but rather a package of revisions simultaneously affecting data law, cybersecurity, electronic communications, and artificial intelligence. This initiative consists of two separate proposed regulations published by the Commission on November 19, 2025: a proposal relating to artificial intelligence (Digital Omnibus on AI) (1) and a general proposal covering the other instruments (General Digital Omnibus). (2)
The Digital Omnibus pursues a dual objective:
- First, the Commission seeks to reduce compliance costs and eliminate overlaps between the various instruments, while maintaining the level of protection of fundamental rights. The overlaps targeted include, in particular, multiple reporting obligations, repetitive documentation requirements, fragmentation of cookie regimes, and overlapping timelines and enforcement mechanisms in the areas of AI, cybersecurity, and data;
- Second, the Commission aims to strengthen European competitiveness, accelerate innovation, and respond to criticism regarding regulatory overload in the EU.
2. Main Proposals of the Digital Omnibus
2.1 General Digital Omnibus Proposal
The General Digital Omnibus addresses the following areas: with respect to the GDPR, a narrower definition of personal data, the use of legitimate interest as a legal basis for training AI systems, and limitations on the right of access; with respect to the ePrivacy Directive, a relaxation of consent requirements for certain categories of cookies; with respect to the Data Act, the possibility to refuse access to certain data; and, finally, a proposal to harmonize security incident notification requirements.
a) Main Proposals Relating to the GDPR
- Narrower definition of personal data: in line with CJEU case law, data would no longer be subject to the GDPR for a given organization if that organization does not have means reasonably likely to be used to identify the individual. As a result, certain pseudonymized data would no longer qualify as personal data for certain organizations. The Commission may further clarify the criteria under which pseudonymized data would no longer be considered personal data.
This is one of the most sensitive proposals, as it would affect the scope of application of the GDPR.
- Legitimate interest and development of AI models: the proposal provides for the recognition of legitimate interest as a possible legal basis for the development and deployment of AI systems, subject to compliance with the principles of necessity, proportionality, data minimization, transparency, etc.
It also introduces a derogation from the prohibition on processing special categories of personal data (sensitive data), where such data are processed incidentally in the context of the development or deployment of AI systems, in particular for the detection and correction of bias.
- Limitation of the right of access: the proposed regulation expands the possibility for controllers to refuse or charge for certain access requests where the right of access is exercised abusively, in particular for purposes unrelated to personal data protection, such as employment or pre-litigation matters.
Furthermore, the obligation to provide information to data subjects would be removed for low-risk processing operations where there are reasonable grounds to consider that the data subject already has the necessary information.
These proposals are subject to close scrutiny by supervisory authorities, which are concerned about potential impacts on individuals’ rights.
b) ePrivacy: Relaxation of Cookie Consent Requirements
In order to limit the proliferation of cookie banners, certain cookies could be used without the consent of data subjects. Beyond cookies strictly necessary for the provision of a service or the transmission of a communication, cookies used for aggregated audience measurement and security purposes could fall within consent exemptions.
The proposal also seeks to improve user preference management through automated mechanisms at the level of operating systems, browsers, or app stores.
c) Data Act: Possibility to Refuse Access to Certain Data
The proposal would allow data holders to refuse access, provided they can demonstrate a high risk of unlawful acquisition, misuse, or disclosure to third countries that do not provide sufficient safeguards for the protection of trade secrets.
d) Cybersecurity: Harmonization of Incident Notifications
One proposal aims to harmonize incident and breach notification procedures under the GDPR, the NIS2 Directive (network and information systems security), the DORA Regulation (digital operational resilience for the financial sector), the Cyber Resilience Act, the European Digital Identity Regulation, and other related instruments, by applying a “submit once, share widely” approach.
A single security incident notification portal would be established, and a standardized notification form would be proposed by the European Data Protection Board (EDPB).
In addition, the deadline for notifying personal data breaches to the supervisory authority (CNIL) would be extended from 72 to 96 hours from the moment the breach is discovered.
2.2 Digital Omnibus on AI
The main proposed amendments to the AI Act include the following: postponement of the timeline applicable to high-risk AI systems; strengthening of the role of the AI Office; simplification of compliance requirements; awareness-raising on AI; and provisions relating to AI-generated or manipulated content.
- Postponement of timelines for high-risk AI systems: the application of AI Act provisions relating to high-risk systems would be deferred. Rather than applying from August 2, 2026, these provisions would enter into application conditional upon the publication of implementing measures (technical standards, codes of conduct) intended to facilitate compliance.
Two deadlines are proposed: December 2, 2027 for high-risk AI systems under Annex III of the AI Act, and August 2, 2028 for high-risk AI systems under Annex I of the AI Act. (3)
- Strengthening of the role of the AI Office: the Digital Omnibus on AI significantly enhances the powers of the European AI Office. It would become competent for supervision and enforcement with respect to, on the one hand, general-purpose AI (GPAI) models and systems based on such models where they are developed by the same provider, and on the other hand, certain systems integrated into very large online platforms (VLOPs) or very large online search engines (VLOSEs) within the meaning of the DSA.
The AI Office would have powers to request documentation, oversee conformity assessments, and impose sanctions on providers.
This centralization aims to reduce fragmentation among competent national authorities and ensure a more consistent application of the AI Act, particularly for pan-European actors.
- Documentary and organizational simplifications: the proposal introduces several flexibilities for SMEs and SMCs, including simplification of technical documentation, a proportionate approach to quality management systems, mitigation of certain penalizing effects, and clarification of applicable definitions.
It also removes certain registration obligations for systems under Annex III of the AI Act that do not present significant risk. Finally, it facilitates conformity assessment procedures where a system falls under both the AI Act and other harmonized sectoral legislation.
- AI awareness: the proposal partially shifts the obligation to provide AI training by assigning Member States and the Commission the role of encouraging providers and deployers to raise awareness and train their staff in AI.
- Transparency and labeling of AI-generated or manipulated content: the Digital Omnibus proposal provides for a transitional period for certain transparency obligations applicable to AI-generated or manipulated content. This includes not only deepfakes but also text, images, audio, and video content generated or manipulated by AI, which must be identifiable as such through marking or machine-readable detectability mechanisms.
Providers of systems already placed on the market before August 2, 2026 would benefit from an additional compliance deadline until February 2, 2027 to meet these technical transparency requirements.
3. What Are the Next Steps?
The Digital Omnibus is currently at the proposal stage. Both texts are under review by the various EU institutions, although progress differs between them.
The General Digital Omnibus is currently under examination by the European Parliament. In parallel, the EDPB and the European Data Protection Supervisor (EDPS) issued a joint opinion on February 11, 2026, primarily addressing GDPR and ePrivacy aspects. The European Economic and Social Committee (EESC) adopted an advisory opinion on March 18 and 19, 2026.
Preparatory work in the European Parliament still needs to be consolidated, particularly as the text includes several sensitive issues, such as the definition of personal data, the right of access, information obligations toward data subjects, and cookie consent. By contrast, procedural and harmonization provisions are likely to be adopted more easily.
The review of the Digital Omnibus on AI is progressing more rapidly. While the Council adopted its position on March 13, 2026, the European Parliament is expected to examine the text on March 25. Given the tight timelines included in the proposal, it is likely that this text will be adopted before August 2026.
In conclusion, companies are strongly advised not to prematurely anticipate a reduction in compliance requirements. As noted above, these are still proposals. The most politically sensitive adjustments are those most likely to be removed or revised during the legislative process.
Accordingly, companies should neither reclassify pseudonymized datasets as being outside the scope of the GDPR, nor relax their legal bases, nor reduce their information obligations based solely on the proposed texts.
It is also recommended to prioritize compliance projects based on their likelihood of adoption:
- Data protection: documentation relating to legitimate interest assessments, data protection impact assessments (DPIAs), and procedures for handling access requests should be strengthened and/or updated. This documentation will be valuable in the event of an audit by the supervisory authority or litigation.
- Cookies and trackers: current consent mechanisms should be maintained pending any potential regulatory developments.
- Cybersecurity: organizations may begin aligning internal data breach management processes in preparation for interaction with a future single reporting portal, bearing in mind that the current 72-hour GDPR breach notification deadline remains applicable.
- AI systems: compliance efforts relating to the AI Act should not be suspended. Even with adjusted timelines, the overall direction remains toward a progressive implementation of the regulation.
Finally, compliance is no longer merely about applying each legal instrument in isolation, but about the ability to manage integrated and well-documented compliance across the entire body of EU digital law.
(1) Proposal for a Regulation of the European Parliament and of the Council amending Regulations (EU) 2024/1689 and (EU) 2018/1139 as regards the simplification of the implementation of harmonised rules on artificial intelligence (Digital Omnibus on AI)
(2) Proposal for a Regulation of the European Parliament and of the Council amending Regulations (EU) 2016/679, (EU) 2018/1724, (EU) 2018/1725 and (EU) 2023/2854 and Directives 2002/2557 as regards the simplification of the digital legislative framework (Digital Omnibus).
(3) Deadlines provided in the Digital Omnibus proposal on AI: December 2, 2027: high-risk AI systems under Annex III of the AI Act (systems considered high-risk due to their use in sensitive areas such as employment, education, access to essential services, migration, administration of justice, or certain public authority uses); August 2, 2028: high-risk AI systems under Annex I of the AI Act (AI systems embedded in products or safety components of products already governed by EU harmonization legislation, such as machinery, medical devices, civil aviation, or automotive systems).
Bénédicte DELEPORTE
Attorney at Law
Deleporte Wentz Avocat
www.dwavocat.com
March 2026