The European Commission recently announced its “Digital Omnibus” proposal, a sweeping package to recalibrate and streamline the EU’s digital regulatory landscape. The legislation is designed to encourage innovation and reduce administrative burden and would impact cornerstone EU laws on AI, data protection, data sharing, cloud portability, platform regulation, cybersecurity, and product safety, including the GDPR, ePrivacy rules, the Data Act, cybersecurity reporting regimes, and the implementation timeline for the EU AI Act.
While the Digital Omnibus remains at the proposal stage and will evolve through the legislative process, it offers clear insight into the Commission’s regulatory direction: simplifying overlapping obligations, introducing risk-based flexibility, and aligning AI compliance timelines with technical standards. It is a very positive development for businesses that are operating or are planning to operate in the EU and should be closely monitored as it evolves in the legislative process.
This alert outlines practical impacts for businesses, based on the proposal as published.
GDPR adjustments: Clearer scope, more flexibility for AI development
The proposal suggests targeted amendments to the GDPR that could impact how companies classify data, build AI models, and manage individual rights requests, including:
REFINED DEFINITION OF “PERSONAL DATA”
Data that cannot be linked back to an individual without additional information that the holder does not possess and cannot reasonably obtain may fall outside the scope of the GDPR. This may expand the categories of analytics and measurement data treated as non-personal, but will largely depend on technical and organizational measures.
LEGITIMATE INTEREST BASIS FOR AI DEVELOPMENT
AI development and operation can serve as legitimate interests, with safeguards. Certain uses of special-category data for AI development may also be permitted under defined conditions. Thus, businesses relying on EU data to train or improve models could gain a more predictable legal basis, but robust governance and documentation would still be necessary.
ABILITY TO DECLINE “ABUSIVE” OR ILL-MOTIVATED REQUESTS
Controllers could more easily refuse data subject access requests (DSARs) used for purposes unrelated to data protection. This potentially reduces resource strain, but companies would need clear internal criteria and consistent processes.
SIMPLIFIED PRIVACY NOTICE OBLIGATIONS FOR LOW-RISK PROCESSING
Certain low-risk, contextual processing operations may no longer require full notice delivery. This provides opportunities to streamline employee and customer-facing disclosures without changing core compliance controls.
ePrivacy and cookies: Additional consent exemptions for low-risk uses
The proposal would partially align ePrivacy cookie rules with the GDPR’s risk-based approach, including:
- Expanded categories of cookies/trackers permitted without consent (e.g., certain aggregated analytics, security-related tools)
- Streamlined treatment for low-intrusion technologies
Businesses may be able to reduce banner complexity and increase reliance on exempt analytics practices. Consent-based advertising, profiling, and cross-site tracking would remain unchanged.
Data Act adjustments: Trade-secret protection and cloud switching relief
The proposal includes refinements aimed at addressing business concerns raised since the Data Act’s adoption, including:
- Stronger mechanisms to protect trade secrets when responding to data access or sharing requests
- Exemptions from cloud switching requirements for certain custom-built services and for smaller providers
Data holders would gain clearer grounds for declining or conditioning data-sharing requests that pose confidentiality risks. Cloud migration obligations may become more manageable, but companies should still expect detailed contract and technical-architecture reviews.
Cybersecurity: Toward a single incident-reporting portal
The proposal aims to streamline overlapping reporting obligations across GDPR, NIS2, DORA, and other cybersecurity statutes, including:
- One EU-level “front door” for incident notifications
- Extension of the GDPR breach reporting timeline from 72 to 96 hours
This could materially simplify crisis-response workflows. Companies should expect to update playbooks, escalation paths, and tooling well before a unified portal is operational.
AI Act timelines and governance: More time, more risk-based activation
The separate Digital Omnibus on AI proposes to adjust dates and governance structure for the EU AI Act, including:
- Delayed activation of high-risk AI obligations, tied to the availability of technical standards or Commission guidance, with backstop dates
- Additional grace periods for certain legacy and pre-August-2026 generative AI systems
- Expanded ability to process limited sensitive data for bias detection and mitigation
- Clarification that some systems reclassified as non-high-risk need not be entered in the EU database (but must still maintain documentation)
- Greater central role for the EU AI Office in oversight of general-purpose AI and high-impact use cases
Businesses should anticipate more flexibility in structuring compliance programs but also more operational reliance on forthcoming standards, guidance, and engagement with the AI Office. This is a strong signal to invest in internal AI governance frameworks that can adapt to multiple implementation timelines.
European Business Wallet: Streamlining digital identity across the EU
The package also includes a proposed European Business Wallet, extending the EU digital identity framework to companies, including:
- A unified digital identity to authenticate with EU authorities
- Potential integration with regulatory filings, incident reporting, licensing processes, and cross-border compliance workflows
Businesses with multinational EU operations may ultimately treat the Business Wallet as a foundational identity layer for regulatory interactions.
What businesses should do now
Even at this preliminary stage, businesses should explore several steps:
REASSESS DATA TAXONOMY AND PSEUDONYMIZATION DESIGNS
If the definition of personal data evolves, your ability to rely on it will hinge on the strength of your data maintenance, technical separation of identifiers, and access controls.
UPDATE AI COMPLIANCE ROADMAPS WITH ALTERNATIVE TIMELINES
Build “baseline” and “Omnibus-adjusted” scenarios for high-risk AI implementation and documentation.
REVIEW DSAR, NOTICE, AND COOKIE WORKFLOWS
Identify where resource-intensive processes could be simplified under the proposed amendments—without altering current compliance until the rules stabilize.
RE-EVALUATE DATA ACT AND CLOUD TRANSITION STRATEGIES
Revisit contracting, vendor management, and data-sharing playbooks to align with potential exemptions around trade secrets and cloud switching.
PREPARE FOR CONSOLIDATED INCIDENT REPORTING
Legal, privacy, and security teams should begin exploring unified reporting models that could be adapted quickly once an EU portal becomes available.
MONITOR LEGISLATIVE NEGOTIATIONS CLOSELY
The specific proposals are likely to shift, but the direction is clear: simplification, risk-based flexibility, and standard-driven AI implementation.

