Publication
17.12.2025
On 19 November 2025, the European Commission published a package proposal to simplify the EU digital regulations known as the “Digital Omnibus”.

This proposal marks a significant shift in the EU’s approach to digital regulation by recognising the regulatory burden stemming from the number of such regulations and the strict interpretation national authorities may take in enforcing them.

Although the Digital Omnibus on AI and the Digital Omnibus on i.a. GDPR, e-privacy, and the Data Act are still proposals and may change during EU legislative negotiations, this new direction will likely already have an effect on national enforcement authorities’ views of the current framework.

  • Key changes in the Digital Omnibus

    1. AI: the Digital Omnibus would water down the obligation to ensure AI literacy. Instead, it would be for the EU Member States and the Commission to “encourage” such measures. This change may come too late because the obligation to ensure AI literacy has already been in force since the beginning of February 2025. More importantly, and as expected, a “stop the clock” is foreseen for the high-risk AI provisions, pushing back the entry into force from August 2026 to August 2027 (it remains to be seen, however, whether the Digital Omnibus can be adopted before then).

    2. Scope of Personal Data: in a more technical yet fundamental update, the Digital Omnibus proposal introduces a targeted clarification to GDPR’s core definition of personal data, which could significantly narrow its scope. The definition would focus on whether the controller has “means reasonably likely” to identify an individual. This reflects a subjective approach, meaning data may fall outside GDPR if the organization itself cannot identify the person, even if others could. This could exclude pseudonymized identifiers or certain tracking data from GDPR’s reach. This subjective approach has also been upheld in the recent SRB (Single Resolution Board) case of the CJEU (Court of Justice of the European Union). This reinforces the importance of the clarification given by the CJEU, as service providers which would have been considered as processing personal data can now be considered as outside the scope of the GDPR from the controllers’ perspective.

    Personal data subject rights: Another important change is the rule that the right of data subjects to access their personal data will be subject to the requirement that they can only do so for “data protection purposes”. Therefore, by way of example, it may become more difficult for an employee to obtain access to their yearly assessment or other personal data in view of starting a court case. It remains to be seen, however, how such purpose (or rather lack thereof) can be evidenced in practice.

    3. Single portal for all incident reporting and extension of deadlines: the Digital Omnibus introduces a single-entry portal for incident notifications, operated by ENISA (European Union Agency for Cybersecurity). This portal is designed to simplify overlapping reporting obligations under GDPR, NIS2 (Network and Information Security Directive 2), DORA (Digital Operational Resilience Act), and the Cyber Resilience Act (CRA) by applying the principle of “report once, share many.” Under the proposal, the threshold for notifying data protection authorities about personal data breaches would increase: only incidents that pose a high risk to individuals’ rights and freedoms would require reporting. The reporting window would be extended from 72 to 96 hours, and a standardized single reporting form would be introduced to streamline submissions.

    4. Cookie consent reform: the Commission’s proposal tackles “consent fatigue” by moving and adapting cookie rules from the ePrivacy Directive into the GDPR. In practice, this means:

    • Placing/using of cookies in relation to natural persons will be subject to the GDPR, which implies that a basis of lawfulness under the GDPR is necessary. Hence, the Digital Omnibus leaves it up to the data controllers to choose the adequate ground. This leads to some legal uncertainty and consent may still be needed in many cases of non-essential cookies. In order to alleviate this legal uncertainty, it is foreseen that cases of low-risk deployment of non-essential cookies will be whitelisted and will not need consent (and thus could be based on legitimate interest).
    • One click to accept or refuse all non-necessary cookies will be required (although already understood as a requirement by some national authorities).
    • Cookie banners could eventually disappear as browsers and operating systems take over consent management, using standardized privacy settings that automatically communicate your choices to websites.
    • Compliance with rules on cookies will be subject to the same sanctions as under the GDPR (including fines up to 4% of the organisation’s global turnover).

    While this simplifies compliance, it raises privacy concerns: less upfront control for individuals and more reliance on post-hoc objections. Businesses, for their part, should prepare for:

    • Revising cookie policies and consent flows.
    • Assessing legitimate interest for tracking and profiling.
    • Monitoring standards for automated consent signals.

    5. Repeal of the P2B regulation: the so-called P2B (platform-to-business) Regulation (EU) 2019/1150 governing the practices of platforms towards their business customers, for example the Amazon marketplace towards the third-party vendors that are active on that platform, will be abolished. The Commission considers that competition law, as well as the Digital Services Act (DSA) and the Digital Markets Act (DMA), provide sufficient tools to tackle problematic practices of the platforms towards their business customers.

    6. Integration of the Data Governance Act and the Open Data Directive into the Data Act - reduction of cloud switching obligations for SMEs: the Open Data Directive governing access to public sector data for reuse, complemented by the Data Governance Act (for special data such as personal and confidential data), will be integrated into the Data Act, which covers a wide array of other topics such as the access to IoT generated data and provisions on cloud switching. In relation to cloud switching, some obligations are watered down for SMEs and in case of custom-made cloud services.

    7. AI and Data Processing: one of the most debated elements of the Digital Omnibus is the introduction of a new legal basis for AI related data processing. Under this provision:

    • AI training, testing, and validation can rely on legitimate interest rather than consent, provided that strict safeguards are in place (such as balancing tests, transparency, data minimization, and data subject rights)
    • If removing special-category data (such as health or ethnicity information) would be “disproportionate,” processing may still occur under additional protective measures. These could include stronger encryption, limited access, and transparency obligations to reduce risks of misuse.

    This raises critical questions:

    • How would “disproportionate” be interpreted in practice?
    • Could this open the door to profiling or bias risks if special-category data is used in AI models?
    • What compliance strategies would businesses need to adopt to balance innovation with fundamental rights?

    In any case this change would entail that companies will need to develop structured frameworks for Legitimate Interest Assessments (LIA) tailored to AI processing.

    8. SME Compliance Relief: GDPR record keeping and sanctions: currently, under Article 30(5) GDPR, organisations with fewer than 250 employees are exempt from maintaining records of processing activities (RoPA) unless:

    • The processing is likely to result in a risk to individuals’ rights and freedoms.
    • The processing is not occasional.
    • Special-category or criminal conviction data is involved.

    The Digital Omnibus proposal significantly raises this threshold and introduces a risk-based approach:

    • New threshold: The exemption will apply to organisations with fewer than 750 employees, provided they also meet financial criteria (annual turnover ≤ €150 million or balance sheet total ≤ €129 million).
    • Risk-based condition: These organisations will only need to maintain RoPA if their processing activities are likely to result in a high risk to individuals’ rights and freedoms (as defined under Article 35 GDPR for DPIAs).

    Under the proposal, many midsized companies that previously had to maintain detailed processing records would be exempt. Nevertheless, it is strongly recommended to start preparing internal guidelines to identify when processing activities could trigger a Data Protection Impact Assessment (DPIA) or fall outside the proposed exemption for high-risk processing. On a more general note, the Digital Omnibus foresees a more lenient regime on the sanction end, fully taking into account the principle of proportionality.

  • Bottom line

    The Digital Omnibus signals a clear move toward simplification and harmonization of EU digital regulations, aiming to reduce compliance burdens and address “consent fatigue.” However, critics warn that these changes could weaken core GDPR protections, particularly around sensitive data, profiling, and user control over tracking. For legal professionals, this means two things:

    • Stay ahead of the curve: Even though the proposal is not yet law, businesses should begin assessing how these changes might affect their compliance frameworks.
    • Future-proof compliance strategies: Develop risk-based approaches, update internal policies for legitimate interest assessments, and prepare for new reporting and consent mechanisms.

    The legislative process is still ongoing, and the final text may evolve—but proactive planning now will help organisations adapt quickly when the rules take effect.

    This article was published in the November 2025 edition of Agefi Luxembourg.
