The “digital omnibus” is rolling: These changes are planned

  • 11/25/2025

Companies in Europe are to be given relief through an easing of digital regulations. Measures to reduce bureaucracy are planned in areas such as data protection, artificial intelligence (AI), and cookie rules.

 

In November, the European Commission presented a comprehensive package of amendments with its proposal for a “Digital Omnibus Regulation.” Among other things, the proposal includes adjustments to the General Data Protection Regulation (GDPR), the Regulation on Artificial Intelligence (AI Regulation, also known as the “AI Act”), and cookie regulations. 

According to the EU Commission, the Digital Omnibus aims to “ensure that compliance with regulations is achieved at lower cost, that the same objectives are achieved, and that responsible companies gain a competitive advantage.” 

Specifically, the amendment package contains the following proposed adjustments: 

General Data Protection Regulation (GDPR) 

  • “Relative personal data,” i.e., pseudonymized data, may be personal for the controller but remain anonymous for the recipient. This can entail considerable benefits, but also risks relating to the issue of re-identifiability. 
  • The reporting deadline for high-risk violations is to be extended from 72 to 96 hours. 
  • In future, there will be a single reporting recipient for incidents under the Network and Information Systems Directive (NIS2), the GDPR, and the Digital Operational Resilience Act (DORA). This is intended to simplify the handling of reports for companies. 
  • In future, automated decisions are to be permissible, provided they are based on consent, a concluded contract, or a law – even if a human decision would be possible in the same situation. This would considerably facilitate the use of automated decisions for companies. However, this proposal is likely to be controversial, and the legal basis must be designed very carefully. 
  • If data subjects exercise their rights inappropriately, companies should in future be able to assert more grounds for rejecting requests for information. This is intended to reduce the effort involved in providing information. 
  • Binding templates and methodologies for companies to use in data protection impact assessments (DPIA) are to be created. This will provide clarity and increase efficiency in the preparation of such assessments.
  • Facilitating research: Follow-up processing for scientific purposes will be considered compatible with the original purpose in future. This would eliminate the need for information obligations. 

AI Act 

  • The implementation deadlines for high-risk systems are to be extended until uniform standards are in place – by a maximum of 16 months. This is intended to give AI providers and operators more time to implement the complex requirements of the AI Regulation.
  • New legal bases for special categories of personal data in AI development and testing are to be created. For example, the so-called legitimate interest can be used as a legal basis for AI development. 
  • In future, biometric verification will be permitted provided the data is entirely under the user's control. 
  • Furthermore, additional relief for small and medium-sized enterprises (SMEs) is planned (e.g., simplifications in documentation, easier access to sandboxes, and longer implementation periods). 

New cookie regulations 

  • Fewer recurring cookie banners: Once a user has declined or accepted, another cookie banner may appear only after six months.
  • One-click consent and centralized consent management are intended to simplify cookie management. 
  • Extended exceptions are to apply, for example, for aggregated measurement data. 

The omnibus bill is now moving on to the European Parliament and Council. A decision is expected in 2026 or 2027. 

In its current form, the Digital Omnibus promises real relief for companies, especially in the area of compliance: Although structures and processes would have to be adapted, the effort required to comply with the aforementioned regulations would decrease in the long term. 

However, it is still unclear whether any changes will be made before publication and, if so, what these changes will be. A lively public debate has already erupted over whether the omnibus bill will “override” data protection or not. Nevertheless, companies should continue to monitor the upcoming changes and anticipate their impact on their structures and processes. 

We will continue to keep you informed about significant changes and will be happy to advise you on implementation.