The Digital Omnibus: Targeted Amendments to the EU Digital Rulebook

The European Commission has unveiled a new digital package designed to cut administrative burdens for companies across the EU and streamline the Union’s fragmented digital rulebook. The package centres on, amongst other things, amending existing requirements relating to GDPR, AI Act, Data Act, e-privacy directive and other data legislation such as the Data Governance Act.

The proposals will now move to the European Parliament and the Council for negotiation and adoption.

The following changes are suggested in the EU’s digital domains (non-exhaustive list).

GDPR

  • Key definitions, including narrowing the scope of “personal data” and specifying when pseudonymised data is no longer personal data. The proposal’s approach is that identifiability is assessed from the controller’s perspective (i.e., an entity relative approach), similar aspects were also examined in Case C-413/23 P, EDPS v SRB, of 4 September 2025.
  • Processing of special categories of personal data is, subject to certain conditions, allowed for development and operation of an AI system or an AI model, including, but not limited to, for the purposes of bias detection and mitigation.
  • Legitimate interest as a legal basis introduced for the development and operation of AI systems.
  • Amendments via GDPR to e-privacy directive in such way that tracking technologies (e.g., cookies), processing or leading to processing of personal data, can be used without the data subject’s consent to the extent necessary for:
    • transmission purposes;
    • provision of services requested by the data subject;
    • aggregated usage measurement; and
    • maintaining of service/device security;
  • The possibility for the controller to charge for or refuse “unfounded or excessive” data access requests, together with the concept of “abuse of the rights” by data subject “for purposes other than the protection of their data”.
  • Use by the controller of automated decision-making for entering into or performance of a contract, in particular regardless of whether the decision could be taken otherwise than by solely automated means.
  • For notification a personal data breach, change of the threshold from “a risk” to “high risk” and extension of the deadline for notifying the authority from 72 hours to 96 hours.

AI Act

  • Regulatory simplifications currently for small and medium-sized enterprises (SMEs) are extended to small mid-caps (SMCs).
  • Instead of imposing an open-ended literacy duty on providers/deployers, the obligation is moved to the Commission and Member States to foster AI literacy.
  • Providers who have duly concluded that their AI systems used in Annex III areas are not high-risk no longer need to register those systems in the EU database.
  • Oversight over a large number of AI systems built on general-purpose models or embedded in VLOPs/VLOSEs is centralised in the AI Office to streamline supervision.
  • Providers and deployers of AI systems and models are expressly allowed to process special-category data for bias detection/correction, subject to safeguards.
  • Broader use of AI sandboxes and real-world testing is enabled, including an EU-level sandbox operated by the AI Office as of 2028.
  • Notified bodies can use a single application and single assessment to obtain designation under both the AI Act and certain sectoral harmonisation legislation.
  • Transition period for synthetic-content AI systems is extended to 2 February 2027, and for high-risk AI systems to 6 (Annex III systems) and 12 month (Annex I systems) after the decision of the Commission confirming that adequate measures in support of compliance with Chapter III would be adopted (2 December 2027 and 2 August 2028 respectively – if it would not).

Data Act (and other data legislation)

  • The data regulatory framework is streamlined from five applicable acts to two core regulations: GDPR and the Data Act, to cut administrative costs and legal complexity.
  • Measures to ensure research data availability, machine-readable high-value datasets and APIs, and practical arrangements to search for reusable data/documents.
  • New voluntary EU-level registration regimes for data intermediation services and data altruism organisations, with common EU labels and logos, creation of a European Data Innovation Board (EDIB).
  • Amended rules on “public emergency” data access: mandatory data-sharing with public authorities, conditions, compensation rules and safeguards for trade secrets and personal data.
  • Strengthened safeguards for trade secrets across all Data Act data-sharing mechanisms, including reinforced confidentiality duties, tightened disclosure conditions and enhanced protection against misuse or onward transfer.
  • Strengthened protections against third-country access to non-personal data, including enforceability tests, model clauses, and restrictions on transfers.
  • Detailed charging and licensing principles for reusable public-sector data, including free re-use as default, restrictions on exclusive arrangements, and differentiated charges for very large enterprises.

Cybersecurity

  • Cybersecurity and related incident-reporting obligations (e.g., pursuant to GDPR, NIS2 and DORA) are streamlined under a single reporting mechanism/single-entry point (SEP), developed and maintained by European Union Agency for Cybersecurity (ENISA), which is also sets specifications (technical, operational, organisational), and must consider APIs, machine-readable standards and national platforms.
  • The specifications must ensure interoperability between different reporting obligations and systems, aligning with the once-only principle.

More about the proposed amendments can be found in the European Commission’s press release.

Digital Omnibus Regulation Proposal text is available here and Digital Omnibus on AI Regulation Proposal here.

See All News Here

Related News

Swedish Supreme Court Adds Nuance to Previous Ruling on Bulk Requests for Court Judgments and Decisions

NIS2 and the Swedish Regulation Jungle

EU Commission Proposes Tech Sovereignty Package with New Rules for Chips, Cloud Services and AI infrastructure