After numerous digital legal acts were adopted at the European level in recent years, a confusing patchwork of partly contradictory and overlapping regulations has emerged. Now, the focus is shifting back to reducing the self-imposed bureaucratic hurdles for businesses and consolidating EU provisions. To this end, the European Commission plans to adapt several legal acts in a bundled manner through two so-called Digital Omnibus Regulations (omnibus:Latin for "for all"; several projects are combined into one) and thereby simplify practical application for economic operators.
Specifically, on November 19, 2025, the European Commission published a Proposal for a Digital Omnibus Regulation and a Proposal for a Digital Omnibus Regulation on AI . With this digital package, the Commission aims to harmonize fragmented digital regulation and ease the burden on companies in the field of digitalization.
The primary focus is on making compliance with regulations more cost-effective, achieving the existing regulatory objectives, and providing a competitive advantage to responsibly acting companies.
Below, we would like to provide an initial overview of the key changes:
Relaxed Reporting Obligations for Personal Data Breaches and Single-Entry-Point
According to Art. 33 (1) of the General Data Protection Regulation (GDPR), in the event of a personal data breach, a notification must be made to the competent supervisory authority without undue delay and, if possible, within 72 hours, unless this breach does not pose a risk to the data subjects. The European Commission's proposal now stipulates that the notification must be made within 96 hours and that the reporting obligation – in line with Art. 34 (1) GDPR – only applies if there is likely a high risk for the data subjects.
Of significant relevance is likely the fact that ENISA (European Union Agency for Cybersecurity) is intended to become the central point of contact for reporting data breaches in the future (a so-called Single-Entry-Point). ENISA acts as the operator of a central portal; however, the substantive responsibilities of the supervisory authorities remain unaffected. Particularly in cross-border cases (e.g., a cross-border data breach) where a large number of data protection authorities might need to be notified, the creation of a central point of contact should provide relief. This single entry point is intended to apply not only to notifications under the GDPR but also, among others, to notifications under the second Network and Information Security Directive (NIS2 Directive) or the Digital Operational Resilience Act (DORA).
Restricted Definition of "Personal Data"
Currently, the definition of personal data contained in Article 4(1) GDPR is very broad. According to this, personal data is
„any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person“.
The scope is to be restricted by the Proposal for a Digital Omnibus Regulation , so that certain data will no longer fall within the scope of protection of the GDPR in the future. From a regulatory perspective, Article 4(1) GDPR is to be supplemented with the following restrictive addition:
„Information about a natural person is not necessarily personal data for every other person or entity merely because another entity can identify that natural person. Information is not personal for a specific entity if that entity cannot identify the natural person to whom the information relates, taking into account the means that can reasonably be expected to be used by that entity. Such information does not become personal for that entity merely because a potential subsequent recipient has means that can reasonably be used to identify the natural person to whom the information relates.“
The European Commission thus adopts a "relative approach" to the question of whether personal data exists. According to this approach, the identifiability of a natural person is also to be assessed based on reasonable effort, for example, with regard to costs and time. If, based on the data, the identification of a natural person by means that can reasonably be expected to be used by the entity is not possible,the data would no longer fall within the scope of the GDPR under Article 2(1) GDPR.
Right to refuse
At least according to the European Court of Justice (ECJ), exercising the right of access under Article 15 GDPR for purposes unrelated to data protection has generally not constituted an abuse of this right. Currently, therefore, such access requests must also be answered free of charge by the controller. The Proposal for a Digital Omnibus Regulation now provides that the controller may charge a reasonable fee or refuse to process the request if the data subject exercises their right of access for misused for purposes other than protecting their data.
Rules for Cookie Banners Now in the GDPR
With the Proposal for a Digital Omnibus Regulation parts of the ePrivacy Directive are to be incorporated into the GDPR. This particularly concerns regulations on the use of cookies and similar technologies, which are to be enshrined in the new Articles 88a and 88b of the GDPR.
This also brings about substantive changes: Under current legal provisions, consent based on clear and comprehensive information must be obtained before setting most cookies (see implementation of the ePrivacy Directive in Section 25 TDDDG). Exceptions to this consent requirement have so far only existed within very narrow limits. According to the Proposal for a Digital Omnibus Regulation in the future, however, no further consent will be required if the cookie is used to create aggregated information about the use of an online service to measure its reach is set exclusively for its own purposes .
Amendment of the Data Act
In the area of data usage law, the European Commission intends, among other things, to harmonize the provisions of the Data Act, the Data Governance Act, and the Open Data Directive, and to consolidate the regulations on non-personal data within the Data Act. This aims to eliminate existing inconsistencies and legal uncertainties. In this context, it will be clarified, among other things, that state bodies may only access company data in the event of a public emergency.
AI
Simultaneously with the Proposal for a Digital Omnibus Regulation a proposal for a Digital Omnibus Regulation on AI was introduced. Specifically, it is planned that the applicability of certain regulations concerning high-risk AI systems in terms of timing will be shifted to a later date. The timing depends on the publication of certain guidelines and standards.
Furthermore, the regulations on AI competence are to be somewhat relaxed. Currently, Article 4 of the Artificial Intelligence Regulation (AI Act) stipulates that providers and operators of AI systems must take measures to ensure, to the best of their abilities, that their staff, in particular, possess a sufficient level of AI competence. In the future, the Commission and the Member States are (merely) [SEG SEGMENT 10] to encourage providers and operators of AI systems to take measures to ensure a sufficient level of AI competence among their staff.
The European Commission's proposals will now be submitted to the European Parliament and the Council of the European Union. It remains to be seen to what extent the proposals will actually change European digital legislation and, if so, whether these changes are also practical. The new regulations are not expected to come into force before mid-2026.
Digital Omnibus Regulations – European Commission plans to simplify digital legislation
