January 6, 2026

Over the last few years, businesses have had to navigate an increasing number of EU digital laws. The GDPR was just the beginning. Since then, new rules have been introduced covering online platforms, data sharing, cybersecurity and artificial intelligence. 

While these laws are intended to address genuine risks and challenges, many businesses now find the overall regulatory landscape complex, overlapping and difficult to manage, particularly small and mid-sized organisations.

The European Commission has acknowledged these concerns. In November 2025, it published the Digital Omnibus package, setting out proposed amendments to the EU’s digital regulatory framework as part of a broader simplification and competitiveness initiative.

Rather than introducing new rules, the package is intended to simplify and refine the existing framework. Its aim is to reduce unnecessary administrative burden, make compliance more practical and ensure the EU’s digital rulebook works more effectively in practice.

In this blog post, we look at what the Digital Omnibus package is, why it matters and what businesses should be aware of at this stage.

What is the proposed Digital Omnibus package?

The Digital Omnibus package is not yet law. It is a set of proposals published by the European Commission in November 2025, which will need to progress through the EU legislative process before any changes take effect.

The package represents the Commission’s first step towards improving how existing EU digital legislation operates in practice. Instead of creating new digital obligations, it brings together a series of targeted, technical amendments to existing EU laws, aimed at delivering practical benefits for businesses, public authorities and individuals.

The Commission’s stated objective is to ensure that compliance with EU digital rules is less costly, more efficient and easier to manage, while continuing to deliver the same regulatory outcomes. In this way, compliance is intended to become a competitive advantage for responsible businesses, rather than an administrative burden.

The proposals build on consultations with stakeholders and early experience of how recent digital laws are working in practice. A recurring theme is the importance of data as a key economic resource, particularly in supporting innovation and the development and use of trustworthy artificial intelligence.

Importantly, the proposed amendments are technical in nature. They are not intended to change the underlying policy objectives of EU digital regulation or to reduce existing levels of protection. Instead, the focus is on streamlining, harmonising and refining the current framework so that it operates more effectively in practice.

Key changes proposed

The Digital Omnibus package proposes changes affecting several well-known areas of EU digital regulation, including:

Changes affecting the GDPR and privacy

The Digital Omnibus package proposes several changes aimed at clarifying how the GDPR applies in practice, particularly where organisations are using AI. 

  • Legal basis for AI-related processing

At present, organisations developing or operating AI systems often face uncertainty about whether they can rely on legitimate interests as a legal basis for processing personal data, particularly in light of regulatory focus on consent and purpose limitation. The proposal seeks to confirm explicitly that legitimate interests may be relied on where personal data processing is necessary for AI development, testing or operation, provided the usual safeguards are in place. This includes carrying out a balancing test and implementing appropriate technical and organisational measures. Importantly, this would not remove the need to assess risks to individuals, but it would give businesses greater legal certainty about an approach many already take in practice. 

  • Use of sensitive personal data 

The proposals also introduce two new, limited exceptions to the general prohibition on processing special category personal data. First, they would allow the use of biometric data for identity verification, where this is necessary and where the biometric data and the means of verification remain under the sole control of the individual (for example, on-device facial recognition). Second, the proposals would permit the residual processing of special category personal data in the development and operation of AI systems or models, where such data appears unintentionally or cannot reasonably be avoided. This would be subject to strict conditions, including the use of appropriate technical and organisational measures to minimise collection, prevent misuse and remove the data where possible. The aim is to address practical challenges in AI development without weakening the GDPR’s underlying protections. 

  • GDPR breach reporting

The package also proposes changes to personal data breach notification. Currently, organisations must notify regulators of most personal data breaches within 72 hours, unless the breach is unlikely to result in a risk to individuals. Under the proposal, notification to regulators would be required only where a breach is likely to result in a high risk to individuals’ rights and freedoms. In addition, the reporting deadline would be extended slightly from 72 hours to 96 hours, giving organisations more time to assess incidents and provide meaningful information. 

Changes to the AI Act

One of the most significant proposals concerns when the EU AI Act’s requirements for high-risk AI systems will start to apply. Instead of coming into force on a fixed date, the idea is to link their start to the availability of key guidance and technical standards. Once those materials are in place, businesses would have a short period to prepare before the rules apply. There are also proposed ‘backstop’ dates to ensure the regime eventually takes effect even if guidance is delayed. This could give businesses more time, but it also makes long-term planning less predictable.

The proposals would also delay certain marking requirements for AI-generated content, giving providers more time to adjust their systems while detailed guidance is developed.

In terms of oversight, the Commission proposes expanding the role of the EU AI Office, leading to more centralised supervision in certain areas. At the same time, the current requirement for organisations to ensure staff have a sufficient level of AI literacy would be softened. Rather than a strict legal duty, the focus would shift towards guidance, training and best-practice initiatives supported by the Commission and Member States. 

Some documentation and registration requirements for AI systems would also be simplified, particularly for smaller and mid-sized businesses.

Changes to the Data Act

The proposed changes to the Data Act are intended to reduce complexity and make it easier for businesses to understand and manage their data access and sharing obligations. 

  • Bringing data rules together

At present, EU data-sharing obligations are spread across several different laws, each with its own terminology and processes. This can make it difficult for businesses to understand when they are required to share data and on what terms. The proposal would consolidate elements of this framework into the Data Act, making it a clearer reference point for data access and reuse obligations. In practical terms, this is intended to reduce confusion and help businesses assess their obligations more quickly and consistently.

  • Stronger protection for trade secrets 

Under the current framework, businesses may be required to share data even where this creates a real risk to commercially sensitive information. The proposals would strengthen protections for businesses’ trade secrets when data sharing is required. In particular, data holders would be able to refuse to share information where there is a substantial risk that trade secrets could be unlawfully acquired, used or disclosed in third countries, especially where those countries operate under legal regimes offering weaker protection than the EU. This is intended to give businesses greater confidence that sharing data will not undermine their competitive position. 

  • Narrower data sharing with public authorities

Currently, the Data Act allows public authorities to request data from businesses in situations of ‘exceptional need,’ a concept that some organisations have found broad and uncertain. The proposal would narrow this down, limiting mandatory business-to-government data sharing to more clearly defined ‘public emergency’ scenarios. It would also introduce clearer procedural safeguards, including around compensation and protection of trade secrets and personal data. For businesses, this represents a clearer and more limited set of circumstances in which compulsory data sharing can arise. 

Changes to EU cybersecurity rules and incident reporting

The Digital Omnibus package also proposes changes designed to make it easier for organisations to deal with cybersecurity and incident reporting requirements across the EU, particularly where more than one regulatory regime applies. 

One of the main proposals is the introduction of a single reporting channel for cyber and data incidents. Currently, the same incident can trigger multiple reporting obligations under different EU laws, such as the GDPR, NIS2 and sector-specific cybersecurity frameworks, often requiring notifications to be submitted separately to different regulators. Under the proposal, organisations would submit a single report through a central reporting point, which could then be re-used to meet multiple reporting obligations, with the information shared with the relevant supervisory authorities under each applicable regime. The aim is to reduce duplication and administrative burden, especially in time-critical situations. 

What does this mean for businesses?

At this stage, the Digital Omnibus package remains a proposal, and no immediate action is required. The detail may still change as it progresses through the EU legislative process.

However, the proposals provide a clear signal about the direction of travel. Businesses operating in, or targeting, the EU should expect:

  • increased legal certainty over time
  • continued focus on simplification and proportionality
  • greater emphasis on practical compliance

What does this mean for UK businesses? 

Although the Digital Omnibus package is an EU initiative, it is likely to be relevant for many UK businesses.

Any UK organisations that offer goods or services to individuals in the EU, operate digital platforms with EU users or process personal data relating to individuals in the EU will continue to be subject to EU digital laws such as the GDPR, the AI Act and the Data Act. Changes to how those regimes operate in practice may therefore affect compliance obligations, even where a business is based in the UK.

For now, the proposals are best viewed as a potential opportunity rather than an immediate compliance exercise. In the short term, UK businesses should continue to comply with existing EU requirements, while keeping a close eye on how the proposals develop, particularly if they are investing in AI, data-driven products or cross-border digital services.

Businesses operating across both the UK and EU should also be mindful that regulatory alignment cannot be assumed. While some of the proposed changes are similar to recent UK reforms, the two regimes may continue to diverge. A practical example is breach notification timing: if EU rules move to a 96-hour reporting window while UK law remains at 72 hours, a business that updates its internal policies to reflect only the EU position could inadvertently breach UK requirements. For organisations subject to both regimes, compliance processes will need to accommodate the stricter or shorter timelines where they differ. 

What happens next?

The Digital Omnibus package will now be considered by the European Parliament and the Council. This process is likely to take time and further amendments are possible before any final text is adopted.

For now, businesses should treat the proposals as an important indication of where EU digital regulation is heading, rather than a source of immediate new obligations. We will continue to monitor developments and provide updates as the proposals progress.
