The General Data Protection Regulation (GDPR), introduced in April 2016, has often been criticised for its complexity and demanding compliance obligations. Over the years, additional instruments, including the AI Act, the Data Act and other digital governance measures, have been introduced with similar protective aims, resulting in overlapping obligations, fragmented requirements and duplicated reporting burdens.
In response, and as part of the EU’s broader Competitiveness Compass initiative to reduce administrative costs and enhance innovation, the European Commission unveiled the Digital Omnibus Regulation Proposal (the “Omnibus”) in November 2025. The proposal marks the EU’s first major attempt to consolidate and harmonise its digital regulatory framework while preserving strong individual rights.
This article seeks to examine the key reforms introduced by the Omnibus.
The Package Structure
The Digital Omnibus package is divided into two (2) distinct legislative proposals, each addressing different aspects of the EU’s digital regulatory landscape:
1. The Digital Omnibus Regulation Proposal: This proposal introduces a broad suite of amendments across the EU’s core digital laws, including data protection, privacy and cybersecurity. Its primary aim is to consolidate and harmonise existing legislation, reduce fragmentation and simplify compliance obligations for businesses.
2. The Digital Omnibus on AI Regulation Proposal: Running in parallel, this second proposal contains targeted amendments to the AI Act. It is designed as a “quick-fix” package to address implementation challenges and refine compliance timelines.
This article focuses exclusively on the Digital Omnibus Regulation Proposal.
Harmonisation of Definitions and the Redefining of Personal Data
In its goal to simplify key definitions across the regulatory data landscape, the European Commission is proposing several important clarifications to key GDPR definitions, most notably the concept of “personal data”. These changes aim to provide greater legal certainty and ease compliance, particularly in scenarios involving pseudonymised data, by helping controllers more precisely determine when information actually qualifies as personal data. Alongside this, the proposal also seeks to expand certain lawful bases for processing, including recognising additional situations that may fall under the GDPR’s “legitimate interest” ground.
To support research and technological development, the Omnibus further introduces a clearer, Union-wide definition of “scientific research.” Under this revised approach, processing carried out for genuine scientific research purposes would be considered compatible with the original purpose of data collection and may itself constitute a legitimate interest. This is intended to simplify the legal basis for research-driven processing while maintaining appropriate safeguards.
Building on these conceptual clarifications, the Omnibus also proposes a narrower, more context-driven definition of the term “personal data”. The current GDPR defines personal data broadly as “any information relating to an identified or identifiable natural person”. This has long resulted in a wide interpretation where data is deemed identifiable if any method exists, regardless of practicality, to link it back to an individual. In line with the CJEU’s decision in “EDPS v. Single Resolution Board (Case C-413/23)”, the Omnibus aligns the definition with a more entity-specific approach. Should the proposal be implemented, data will not be categorised as “personal data” for a given controller if that controller does not possess, and cannot reasonably acquire, the means to re-identify the individual. In other words, identifiability depends on the actual capacities of the controller, not on hypothetical possibilities or the mere fact that the data could somehow become identifiable.
This shift has the potential to create a less burdensome and more resource-efficient compliance landscape, as certain pseudonymised datasets may fall outside the GDPR’s scope for specific entities. However, businesses will still be required to assess context carefully, identifying who the data holder is, what means of re-identification are reasonably available to them, and whether, in that specific scenario, the data should properly be treated as personal data.
Enhancements to Special Category Data
The Digital Omnibus introduces a significant expansion to Article 9 GDPR, in the form of two new Articles.
- Article 9(2)(k): This Article creates a derogation that permits the processing of special category data, such as health, biometric, or racial data, when strictly necessary for the development and operation of an AI system under the AI Act.
This new provision responds to practical challenges in modern AI development, where sensitive data may appear residually in large datasets or be required to test for fairness, bias and model safety.
- Article 9(5): This Article complements Article 9(2)(k): controllers would be required to avoid collecting special category data wherever possible. Should such data be present unintentionally, they must remove it, unless removal would require disproportionate effort, in which case enhanced safeguards, including strict access controls, pseudonymisation, data segregation and detailed accountability records, must be applied.
Importantly, the amendments do not relax the sensitivity of such data. Rather, they introduce a tightly constrained compliance pathway that balances AI innovation with individual rights protection. Businesses relying on this derogation will be expected to justify necessity, conduct Data Protection Impact Assessments and maintain auditable documentation demonstrating proportionality and risk mitigation.
Cookies Consent
The Omnibus also seeks to bring about a less consent-heavy approach. As the Commission put it in the proposal, the EU is looking to depart from the “consent-fatigue and proliferation of cookie banners”. The original GDPR set a strict opt-in regime in place, whereby users had to specifically opt in to which cookies are recorded when interacting with web resources, regardless of the data being gathered. The EU is now concerned that this is not only too burdensome for business owners to set up and for consumers to sift through, but also futile in achieving the regulation’s aim.
The EU has taken the position that excessive cookie banners, coupled with links to legislation and recourses that would be too complex for laypersons, are futile and fall on the performative side when measured against the EU’s objective.
One proposed solution is the introduction of a more centralised cookie consent option linked specifically to browsers and devices, whereby consumers would merely need to configure their own settings once, and those settings would then be automatically applied across websites. This would also reduce the burden on corporations of having to set up their own cookie banner systems, along with the resultant costs of compliance upkeep.
Introducing such cookie rules would also streamline the overlap between the ePrivacy Directive and the GDPR, as well as repeal outdated provisions under the same Directive.
It should be said that such automation is narrow in scope, and consent to high-risk tracking cookies would still require specific opt-in consent. The idea is to minimise the burden on businesses; however, the EU still acknowledges the importance of cookie consent.
One-Stop Shop for Incident Reporting
As part of its drive to streamline and harmonise the EU’s digital regulatory landscape, the European Commission is proposing a more centralised and business-friendly approach to incident reporting across key legislation. Under this initiative, the EU Agency for Cybersecurity (ENISA) will be tasked with developing a unified single-entry reporting platform designed to simplify how organisations fulfil their regulatory obligations. Built around the principle of “report once, share many”, the platform will allow businesses to submit a single incident report which is then automatically distributed to all competent authorities responsible under the relevant EU laws. This modernised reporting architecture is intended to significantly reduce administrative overhead, eliminate duplicative reporting processes, and enable faster, more reliable information sharing across regulatory bodies.
For businesses, particularly those operating in highly regulated or cross-border sectors, this centralised system promises operational efficiency. ENISA will ensure that the system is fully aligned with GDPR requirements and incorporates robust cybersecurity safeguards, thereby supporting organisations in maintaining high standards of data protection and regulatory resilience. Importantly, the reform does not modify the underlying legal obligations; rather, it optimises the way these obligations are met.
The single-entry platform would serve as the reporting channel for incidents captured under Directive (EU) 2022/2555 (NIS2 Directive), Regulation (EU) 2016/679 (GDPR), Regulation (EU) 2022/2554 (DORA), Regulation (EU) 910/2014 (eIDAS Regulation), and Directive (EU) 2022/2557 (CER Directive). Should it be adopted, the Commission also envisions that it would eventually encompass sector-specific requirements such as the Network Code on Cybersecurity for cross-border electricity flows (NCCS) and aviation cybersecurity reporting frameworks. Taken together, these measures reinforce a more coherent and innovation-friendly compliance ecosystem, positioning businesses to operate with greater agility and reduced regulatory duplication.
Repeal of P2B Regulation
The Commission has also proposed to repeal the Platform to Business (P2B) Regulation. The P2B Regulation, in force since 2020, was originally introduced to promote fairness and transparency for business users of online intermediation services. However, since then, the EU has adopted far more comprehensive instruments governing online platforms, most notably the Digital Markets Act (DMA) and the Digital Services Act (DSA), which now substantially cover the same ground and, in practice, supersede the objectives of the P2B framework.
The Commission has therefore now concluded that maintaining the P2B Regulation creates unnecessary duplication of regulations. This repeal is intended to simplify the regulatory environment for online intermediaries, reduce compliance costs associated with navigating multiple overlapping regimes, and ensure more consistent and targeted enforcement through the DMA and DSA, which now function as the EU’s primary legal frameworks for platform governance.
In essence, the Digital Omnibus aims to streamline and modernise the EU’s digital regulatory landscape, reducing unnecessary administrative burdens while keeping strong data protection standards intact. For businesses, the reforms provide an opportunity to simplify compliance by reassessing how personal and pseudonymised data are classified, reviewing any AI workflows involving sensitive data and preparing for upcoming changes to cookie consent mechanisms and incident reporting processes. As the proposal progresses through the legislative cycle, companies should monitor developments and begin planning early, ensuring they can adapt efficiently and maintain a competitive edge in a more coherent regulatory environment.
Written by Dr. Lara Borg Bugeja (Team Lead, Legal Services) and Dr. Larkin Magro (Junior Lawyer)