The Great Simplification: The Proposed Digital Omnibus

Introduction

For years, a familiar complaint has echoed through European business circles. The EU has
become rather too fond of regulation.

Since the GDPR’s implementation in 2018, the EU has introduced and enacted a series of
legal instruments as part of its overarching European Digital Strategy. It may be best to think
of the EU’s framework for digital life in terms of concentric circles represented in Figure 1
below.

Figure 1. Concentric Circles of EU Digital Law

At the core is the GDPR itself; immediately beyond it are complementing legal instruments. These are the Law Enforcement Directive¹ ratified along with the GDPR, the ePrivacy Directive first passed in 2002², and Regulation 2018/1725³, which governs personal data processed by EU institutions. In the widest circle we find new digital legislation including the Digital Services Act⁴, the Digital Markets Act⁵, and the AI Act⁶. The potential for regulatory complexity to both stifle innovation and undermine certainty over actors’ responsibilities has been emphasised in the Draghi report on ‘The Future of European Competitiveness’ published in September 2024⁷. The European Commission has heard the complaints and responded with a new Digital Package, known as the Digital Omnibus⁸.

What Is It?

The Digital Omnibus is two proposed regulations travelling together. The first takes aim at the EU AI Act, already generating anxiety about implementation timelines despite only being finalised in 2024 (Digital Omnibus on AI). The second proposes amendments to the GDPR, the ePrivacy Directive, the Data Act, and several other instruments (Digital Legislation Omnibus).

Crucially though, this is a proposal, not law. It must still navigate the European Parliament and Council, with feedback periods open until 20 January 2026 and a broader Digital Fitness Check consultation running until 11 March 2026. Civil society groups are raising concerns about rollbacks to privacy rights. Business organisations want changes to go further. Thus the final text may look quite different.

Simplifying Data Protection

Several changes will interest GDPR veterans.

Breach Reporting (proposed amendments to Article 33 GDPR)

  • Reporting threshold raised from “risk” to “high risk” breaches only
  • Reporting window extended from 72 to 96 hours
  • New single-entry point operated by ENISA: report once, notifications routed automatically

Cookies and Consent (proposed amendments integrating ePrivacy into GDPR)

  • ePrivacy device rules brought under GDPR’s one-stop-shop mechanism
  • Consent exemptions for first-party analytics, security cookies, and user-requested services
  • Subsequent processing of lawfully obtained device data may rely on any GDPR legal basis, including legitimate interest
  • Six-month wait required before re-requesting refused consent
  • Online interfaces must recognise automated browser consent signals; media providers exempted

DSARs (proposed amendments to Article 15 GDPR)

  • Controllers may refuse requests deemed abusive or made with intent to cause harm
  • Requests for purposes other than data protection may be treated as manifestly unfounded

Automated Decision-Making (proposed amendments to Article 22 GDPR)

  • Contractual necessity confirmed as legal basis for significant ADM, even where non-automated alternatives exist

Redefining Personal Data

The Commission proposes codifying a subjective approach to personal data (proposed amendment to Article 4 GDPR). Whether data counts as personal would depend on whether the specific entity holding it can identify the individual. Data that is personal in one organisation’s hands might not be in another’s.

This is a substantial shift, with implications for breach assessments, international transfers, and much else besides. It can be seen as a clarifying approach to recent CJEU case law, particularly Case C-413/23 P, EDPS v SRB.

AI Training and the AI Act

The Omnibus would confirm that legitimate interest may serve as a legal basis for AI training and development under GDPR (proposed amendment to Article 6 GDPR), settling a contested question. It would also allow residual processing of special category data in training datasets, subject to safeguards (proposed amendment to Article 9 GDPR).

On the AI Act, high-risk AI requirements would be linked to availability of harmonised standards, with backstop dates of December 2027 and August 2028 (proposed amendments to EU AI Act Articles on timing and entry into force). AI literacy obligations would shift from operators to the Commission and Member States (proposed new Article 4, EU AI Act).

What Happens Next?

The Omnibus must pass through Parliament and Council, with substantial debate expected. High-risk AI provisions are currently set to apply from August 2026, pressuring lawmakers to move quickly.

For businesses, strategic choices loom about compliance preparations and policy engagement during feedback periods.

The Commission has called incident reporting the low-hanging fruit of simplification. Whether the rest of the harvest proves as easy to gather remains to be seen.

1Directive 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and Repealing Council Framework Decision 2008/977/JHA [2016] OJ L119/89 (‘Law Enforcement Directive’).

2Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector, as amended by Directive 2009/136/EC of 25 November 2009 [2002] OJ L201/37 (‘ePrivacy Directive’).

3Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC OJ L 295.

4Regulation (EU) 2022/2065 of the European Parliament and of the Council on a Single Market For Digital Services [2022] OJ L277/1 (‘Digital Services Act’).

5Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 reference OJ L 265/1 (‘Digital Markets Act’).

6Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 OJ L, 2024/1689 (‘Artificial Intelligence Act’).

7European Commission, ‘The Future of European Competitiveness. Part A | A Competitiveness Strategy for Europe’.

8European Commission, ‘Digital Package | Shaping Europe’s Digital Future’ https://digital-strategy.ec.europa.eu/en/faqs/digital-package accessed 12 January 2026.

9‘Digital Fitness Check – Testing the Cumulative Impact of the EU’s Digital Rules’ (European Commission – Have your say, 6 January 2026)
