Digital Omnibus Regulation Proposal

On 19 November 2025, the European Commission published a Digital Omnibus Regulation Proposal (the “Digital Omnibus Package”), which seeks amendments to existing laws. The Digital Omnibus Package entails two distinct regulations: (i) Digital Omnibus covering data, cybersecurity and privacy rules, and (ii) Digital Omnibus on AI.
The European Commission has provided that the aim of the Digital Omnibus Package is to “provide immediate regulatory clarifications that stimulate innovation in the European Union market, and that cut administrative compliance costs in particular for businesses, while also streamlining supervisory and administrative costs for supervisory authorities and advisory bodies.”
Below is a brief outline of some of the key proposed amendments.

  1. The definition of “personal data”
    The Digital Omnibus Package proposes to clarify the definition of ‘personal data’ under Article 4 of the GDPR by stating that information is not to be considered personal data for a given entity when the entity does not have means reasonably likely to be used to identify the natural person to whom the information relates.
  2. Notification of data breaches
    The Digital Omnibus Package also proposes to amend the requirements for notification of data breaches; namely:
    • In the case of a data breach that is not likely to result in a high risk to the rights and freedoms of natural persons, the data controller will not be required to notify the relevant supervisory authority.
    • The timeframe for notification of data breaches is extended as follows: “In the case of a personal data breach that is likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall without undue delay and, where feasible, not later than 96 hours after having become aware of it, notify the personal data breach to the supervisory authority”.
    • It is also proposed that a single-entry point is used for notifying breaches.
    It is also proposed that the European Data Protection Board (the “Board”) prepare and submit to the European Commission a proposal for a common template for data breach notifications and a common list of circumstances in which a personal data breach is likely to result in a high risk to the rights and freedoms of a natural person.
  3. Processing activities that require a DPIA
    Article 35 of the GDPR requires data controllers to conduct a data protection impact assessment (“DPIA”) where the processing of personal data is likely to result in a high risk to the rights and freedoms of natural persons.
    The Omnibus Package proposes that “in order to effectively contribute to the aim of convergence of the economies and to effectively ensure free flow of personal data between Member States, increase legal certainty, facilitate compliance by data controllers and ensure a harmonised interpretation of the notion of a high risk to the rights and freedoms of data subjects, a single list of processing operations requiring a DPIA should be provided at EU level.”
    In addition, the Omnibus Package proposes that the European Commission also publish a list of the type of processing operations for which no DPIA is required, and that the Board prepare a common template and a common methodology for conducting DPIAs.
  4. Updates to cookie banners
    The Omnibus Package also proposes changes to existing rules on cookies and cookie banners. A new Article 88a is proposed to be inserted in the GDPR, which lays down the consent requirement for the storing or accessing of personal data on a user’s device, such as a computer or mobile phone. It is proposed that a definitive list of low-risk scenarios where consent is not required for cookies is provided.
    The proposed changes to cookie banners are as follows:
    • Users will be able to accept or reject cookies with one single click button or equivalent means.
    • If a user gives consent, the data controller will not make a new request for consent for the same purpose for the period during which the data controller can lawfully rely on the consent of the user.
    • If a user declines a request for consent, the data controller shall not make a new request for consent for the same purpose for a period of at least six months.
    The aim of these updates is to address cookie banner fatigue by enabling users to make more informed choices regarding the use of cookies on their devices.
  5. “Legitimate interest” as a lawful basis for AI
    The Digital Omnibus Package proposes to amend the GDPR by inserting a section clarifying that the processing of personal data in the context of the development and deployment of AI may be carried out for purposes of “a legitimate interest” within the meaning of Article 6 of the GDPR, where appropriate. However, it is important to note that this should not affect the obligation of the data controller to ensure that the development or deployment of AI complies with other European Union or national laws. It also should not affect the data controller’s obligation to ensure that all other conditions of Article 6(1)(f) of the GDPR are met, such as the requirement to conduct legitimate interest assessments.
  6. Changes to the right of access
    The Digital Omnibus Package also proposes to clarify that the ‘right of access’ under the GDPR should not be abused, that is, exercised by the data subject for purposes other than the protection of their personal data. For example, such an abuse of the right of access would arise where the data subject intends to cause the data controller to refuse an access request, in order to subsequently demand the payment of compensation, potentially under the threat of bringing a claim for damages. The Digital Omnibus Package proposes that data controllers should bear a lower burden of proof regarding the excessive character of a request than regarding the manifestly unfounded character of a request.
  7. Single notification points for incident reporting
    Under current legislation, businesses are required to submit incident reports under multiple legal acts, such as NIS, the GDPR and DORA, among others. The Digital Omnibus Package proposes to streamline and simplify incident reporting through a single-entry point for such reporting. The European Union Agency for Cybersecurity (“ENISA”) will be tasked with establishing and maintaining the single-entry point for reporting.
  8. Delayed enforcement of the EU AI Act
    The European Commission has confirmed that the rules for high-risk AI in sensitive areas like employment and law enforcement (Annex III of the EU AI Act) will apply 16 months later than originally envisaged. The rules for high-risk AI embedded in products like medical devices (Annex I) will also apply 12 months later than originally envisaged.
  9. European Business Wallets
    Together with the Digital Omnibus Package, the European Commission is also tabling a proposal for a European Business Wallets Regulation (the “Regulation”). It is proposed that “business wallets” will be used to digitally verify identities, sign documents, timestamp, and exchange verified digital information seamlessly across the EU. The Regulation places obligations solely on public sector bodies to accept its core functions, while companies remain free to decide whether to adopt the wallets for their commercial operations or interactions with public authorities.

The proposals under the Digital Omnibus Package have not yet been passed into law, so they may be subject to change. It is likely that, if the changes are passed into EU law, there will be a transition period, which will give organisations time to comply. Overall, we believe that the proposals provide helpful clarification to current legislation and will hopefully reduce compliance costs for businesses. We will keep you updated on developments in this area so that you can plan and prepare accordingly.


For more information, you can contact us at +353 1 662 4747, email law@hayes-solicitors.ie
