Last Updated: March 18, 2026
European regulation has long been criticized for its complexity. Businesses operating in the EU have faced a labyrinth of overlapping rules: the General Data Protection Regulation (GDPR) for data privacy, the AI Act for artificial intelligence governance, the Digital Operational Resilience Act (DORA) for financial cybersecurity, the Network and Information Security Directive 2 (NIS2) for critical infrastructure, and the ePrivacy Directive for electronic communications. Each framework brought its own compliance requirements, reporting timelines, and enforcement mechanisms—often creating duplicative obligations for the same underlying activities.
On November 19, 2025, the European Commission published its answer to this regulatory fragmentation: the Digital Omnibus Package. This legislative initiative represents the most significant simplification of EU digital law since the GDPR took effect in 2018, proposing to streamline overlapping requirements, unify incident reporting, and reduce compliance costs by an estimated €5 billion by 2029. Rather than creating entirely new rules, the Digital Omnibus amends existing legislation to make it work better together—addressing the “regulatory fatigue” that has burdened businesses while maintaining Europe’s high standards for fundamental rights and data protection.
This comprehensive guide explains what the Digital Omnibus contains, how it changes specific regulations, what businesses must prepare for, and when these changes will take effect.
What Is the Digital Omnibus Package?
The Digital Omnibus is not a single new law but a collection of amendments to existing EU digital legislation. Published by the European Commission on November 19, 2025, the package consists of two distinct legislative proposals: the Digital Omnibus Regulation (covering data, privacy, and cybersecurity) and the Digital Omnibus on AI (specifically amending the AI Act). Together, they aim to eliminate regulatory overlap, reduce administrative burdens, and create interoperable compliance infrastructure across the EU’s digital rulebook.
The Commission explicitly frames this exercise not as deregulation but as “targeted legislative simplification”—preserving substantive obligations and rights while fixing structural problems in how those obligations are discharged. The package responds to years of business feedback highlighting overlapping rules, inconsistent national implementations, and fragmented reporting requirements that slow innovation and increase costs without improving protections.
The Core Components at a Glance
| Component | What It Amends | Key Simplification |
|---|---|---|
| Digital Omnibus Regulation | GDPR, Data Act, NIS2, DORA, CER, ePrivacy Directive | Single reporting portal, unified breach thresholds, cookie consent reform |
| Digital Omnibus on AI | EU AI Act | Delayed high-risk obligations, expanded sandboxes, centralized AI Office oversight |
| Data Union Strategy | Data Governance Act, Open Data Directive | Consolidation into Data Act, data labs for AI development |
| European Business Wallet | Digital identity frameworks | Secure, interoperable corporate digital identity for cross-border procedures |
GDPR Reform: Narrower Scope, Clearer Rules
The Digital Omnibus proposes the most substantial changes to the GDPR since its implementation in 2018. These amendments aim to reduce compliance friction while maintaining core privacy protections, particularly addressing areas where the GDPR has created unintended operational burdens or overlapped with other frameworks.
Redefining Personal Data
The proposal tightens the definition of personal data to exclude information held by entities that “do not have the means reasonably likely to identify individuals.” This “relative identifiability” criterion addresses practical challenges where data technically contains identifiers but cannot realistically be linked to specific persons given available technology and resources. The Commission frames this as codifying existing Court of Justice of the European Union (CJEU) case law rather than creating new policy, but the practical effect is to narrow GDPR scope for certain large-scale datasets where individual identification is theoretically possible but practically infeasible.
Harmonizing Data Breach Reporting
Currently, a single data breach can trigger multiple notification obligations under different frameworks with inconsistent thresholds and timelines. The Digital Omnibus creates a unified approach:
- Extended Timeline: Breach notification to supervisory authorities extends from 72 hours to 96 hours after becoming aware of the breach
- Unified Threshold: Only “high risk” breaches must be reported to both authorities and data subjects—aligning previously different standards
- Single Portal: Organizations submit one standardized report through a single-entry point, with automated routing to relevant authorities
- Standardized Template: The European Data Protection Board (EDPB) will develop a common notification template for Commission adoption
This addresses the current absurdity where the same breach might require separate notifications under GDPR (72 hours), NIS2 (various timelines), and DORA (immediate for major incidents)—each with different content requirements and submission mechanisms.
Modernizing Cookie Consent
Perhaps the most visible change for everyday users involves cookie consent rules. The Commission estimates that people in the EU spend approximately 334 million hours annually clicking through cookie banners, representing €11.2 billion in lost productivity. The Digital Omnibus proposes fundamental reform:
| Current Rule | Proposed Change | Impact |
|---|---|---|
| Consent required for most website cookies under ePrivacy Directive | Governance moved to GDPR Article 88a; low-risk analytics exempt | First-party analytics for internal purposes may not require consent |
| Complex multi-step rejection processes common | Accept and reject must require equal effort and visibility (one-click) | Eliminates “dark patterns” making rejection harder than acceptance |
| No restrictions on repeated consent requests | Six-month moratorium after refusal unless processing changes meaningfully | Reduces “consent fatigue” from persistent banner reappearance |
| Website-level consent management only | Machine-readable browser signals must be respected automatically | Users set preferences once at browser/OS level |
The proposal moves governance of personal data processing on terminal equipment from the ePrivacy Directive to the GDPR, creating a single framework for these activities. Media service providers receive special treatment, allowing them to present their own consent interfaces even where browser signals indicate refusal—a controversial carve-out for the publishing industry.
Standardizing Data Protection Impact Assessments
The Digital Omnibus tasks the EDPB with creating EU-wide lists of processing activities that do and do not require Data Protection Impact Assessments (DPIAs), replacing the current fragmented system where each national Data Protection Authority maintains separate lists. The EDPB will also develop a standardized DPIA template and methodology, reviewed every three years to reflect technological developments. This addresses the current situation where identical processing activities might require DPIAs in some member states but not others, creating compliance uncertainty for multinational organizations.
Automated Decision-Making Clarification
GDPR Article 22 currently grants data subjects the right not to be subject to decisions based solely on automated processing that produce legal or significant effects. The Digital Omnibus clarifies that such decisions may be taken when “necessary for entering into, or performance of, a contract,” when authorized by law, or based on consent. Crucially, the proposal states that the possibility of human decision-making “does not prevent the controller from taking the decision by solely automated processing”—providing legal certainty for automated systems where human alternatives exist but are not required.
AI Act Modifications: Breathing Room and Centralized Oversight
The AI Act, which took effect August 1, 2024, was already facing implementation challenges when the Commission proposed the Digital Omnibus on AI. The amendments provide additional compliance preparation time, streamline oversight, and address practical concerns raised by industry stakeholders.
Delayed High-Risk AI Obligations
The most significant change involves “stopping the clock” on high-risk AI system obligations. Rather than the original August 2, 2026 deadline, compliance will now be contingent on the Commission confirming that adequate support measures—harmonized standards, guidelines, common specifications—are available. Once confirmed:
- Annex III high-risk systems: Six months to comply (long-stop date: December 2, 2027)
- Annex I high-risk systems: Twelve months to comply (long-stop date: August 2, 2028)
- Public authority systems: Extended deadline of August 2, 2030
This “compliance support contingency” addresses the “compliance before standards” problem, where obligations would apply before necessary implementation guidance existed. The Commission estimates this prevents legal uncertainty and incomplete compliance frameworks that could expose businesses to enforcement without clear benchmarks.
Simplified Registration and Self-Assessment
Under current rules, providers of AI systems that fall under Annex III but are not considered high-risk must register themselves and their systems in the EU high-risk AI database. The Digital Omnibus eliminates this registration requirement, shifting to a self-assessment model where providers determine high-risk status without mandatory database entry. This reduces administrative burden but has drawn criticism from data protection authorities concerned about lost supervisory visibility.
Expanded SME and Small Mid-Cap Benefits
The proposal extends existing SME benefits to “Small Mid-Caps” (SMCs)—defined as entities with up to 750 employees and €150 million turnover. These benefits include:
- Simplified technical documentation requirements for high-risk AI systems
- Special consideration in penalty calculations
- Extended timelines for certain compliance activities
The Commission also proposes expanding regulatory sandbox opportunities and real-world testing for high-risk AI systems, including extending testing to Annex I systems currently excluded. A new EU-level sandbox for general-purpose AI (GPAI) systems will operate under AI Office supervision.
Strengthened AI Office Centralization
The Digital Omnibus significantly enhances the AI Office’s role within the European Commission. Key changes include:
| Current AI Office Role | Proposed Enhanced Role |
|---|---|
| Shared competence with member state authorities | Exclusive competence for GPAI-based systems and AI integrated into VLOPs/VLOSEs under DSA |
| Advisory and coordination functions | Direct market surveillance powers and premarket conformity assessments for high-risk systems |
| Limited enforcement tools | Coordinated enforcement with Digital Services Act authorities and member state regulators |
This centralization addresses concerns about inconsistent national implementations while creating a single point of contact for the most complex AI oversight scenarios.
AI Literacy and Sensitive Data Processing
The proposal shifts AI literacy obligations from mandatory requirements on all providers and deployers to a member state and Commission responsibility to “encourage” such measures—addressing implementation challenges, particularly for smaller companies. For sensitive data processing, the Digital Omnibus extends existing high-risk AI system exemptions for bias detection to other actors, AI systems, and AI models, creating a statutory legal basis for processing special category data where necessary for bias correction.
Cybersecurity Consolidation: One Portal to Rule Them All
The most operationally significant change for security teams involves incident reporting. Currently, a single cybersecurity incident can trigger parallel notification requirements under:
- GDPR (personal data breaches to Data Protection Authorities)
- NIS2 (incidents affecting essential and important entities)
- DORA (financial sector operational resilience)
- CER (critical entities resilience)
- eIDAS (electronic identification and trust services)
- Cyber Resilience Act (product security incidents)
The Digital Omnibus creates a Single-Entry Point (SEP) operated by ENISA (the EU Agency for Cybersecurity), enabling organizations to submit one standardized report that is automatically routed to relevant authorities under all applicable frameworks. This “submit once, share widely” model eliminates duplicative reporting while ensuring all competent authorities receive necessary information.
The single portal is expected to be operational within 18 months of the regulation entering into force, with standardized templates and common high-risk thresholds replacing the current fragmented system. For financial institutions, this addresses the particularly painful overlap between DORA’s immediate reporting for major incidents and GDPR’s 72-hour timeline for personal data breaches—timelines that often required simultaneous but separate notification processes for the same underlying event.
Data Act Integration: Consolidating Fragmented Frameworks
The Digital Omnibus consolidates several standalone data instruments into the Data Act, creating a unified framework for data access and reuse:
- Data Governance Act: Rules on reuse of protected public sector data absorbed into Data Act; original regulation repealed
- Open Data Directive: High-value dataset provisions integrated; directive repealed
- Free Flow of Non-Personal Data Regulation: Repealed, maintaining only the prohibition on data localization requirements
This legislative housekeeping eliminates overlapping obligations while preserving substantive rights. The consolidation is accompanied by practical support measures including data labs for AI development experimentation, a Data Act legal helpdesk for contractual and regulatory guidance, and model contractual terms for data access and cloud computing agreements.
Key substantive changes to the Data Act include:
- Stronger trade secret protections: Companies may refuse data sharing where high risk of exposing trade secrets exists
- Third-country safeguards: Enhanced protections for sensitive non-personal data shared outside the EU
- Cloud switching refinement: Lighter regime for highly customized services and SME/SMC providers
- Business-to-Government narrowing: B2G data sharing limited from “exceptional need” to “public emergency” scenarios
- Stricter conditions for very large commercial users: Public sector bodies may charge higher fees or impose stricter terms on very large companies seeking public sector data for commercial analytics
What the Digital Omnibus Means for Different Stakeholders
For Multinational Corporations
The simplification agenda reduces compliance complexity most significantly for organizations operating across multiple EU member states. Unified reporting, standardized DPIA requirements, and centralized AI Office oversight eliminate the current need to navigate 27 different national implementations of GDPR and AI Act obligations. The estimated €5 billion cost savings by 2029 come primarily from reduced legal consulting, streamlined compliance tooling, and elimination of parallel reporting processes.
For Small and Medium Enterprises
SMEs and the newly defined SMCs receive targeted relief through simplified documentation requirements, extended timelines, and special penalty considerations. The expansion of regulatory sandboxes provides lower-risk environments for AI innovation, while the cookie consent reforms reduce website compliance costs. However, the “relative identifiability” personal data definition may create uncertainty for smaller organizations without dedicated legal teams to assess whether their data processing falls within GDPR scope.
For Technology Developers
AI developers gain crucial breathing room with delayed high-risk obligations contingent on standards availability, addressing the “compliance before standards” critique. The clarification that legitimate interest may cover AI model training with personal data provides legal certainty for machine learning development, though this provision has drawn scrutiny from data protection authorities concerned about fundamental rights protections. The consolidated data framework and data labs support improved access to high-quality training datasets.
For Data Protection Authorities
The EDPB gains significant new responsibilities including standardized template development, EU-wide DPIA list maintenance, and three-year review cycles. National DPAs lose some autonomy in defining local DPIA requirements but gain streamlined enforcement through unified reporting mechanisms. The shift of AI Office oversight for GPAI-based systems and DSA-integrated AI creates new coordination requirements between data protection and AI regulators.
Legislative Timeline and Next Steps
The Digital Omnibus package has entered the ordinary legislative procedure, requiring agreement between the European Parliament and Council before becoming law. The tentative timeline includes:
| Timeline | Milestone | Status |
|---|---|---|
| November 19, 2025 | Commission publishes Digital Omnibus proposals | ✓ Complete |
| March 11, 2026 | Public consultation on Digital Fitness Check closes | ✓ Complete |
| Q2 2026 | European Parliament committees adopt reports; Council establishes general approach | → In Progress |
| May 2026 (target) | Interinstitutional agreement on AI Omnibus to align with AI Act deadlines | → Pending |
| Mid-to-Late 2026 | Final adoption expected; provisions begin entering into force | → Anticipated |
| 18 months post-adoption | Single-entry cybersecurity reporting portal operational | → Future |
The AI Omnibus faces particular time pressure. If not adopted by August 2, 2026, the original AI Act high-risk obligations will take effect without the proposed delays and support infrastructure—creating the exact “compliance before standards” problem the Omnibus aims to prevent. This hard deadline is driving accelerated negotiations.
Criticism and Controversies
Despite its simplification goals, the Digital Omnibus has attracted criticism from multiple quarters:
Data Protection Authority Concerns
The EDPB and European Data Protection Supervisor (EDPS) issued a joint opinion in January 2026 identifying specific aspects that “risk diluting accountability in high-risk use cases.” Their concerns include:
- Bias detection data processing: The proposed legal basis for processing special category data for bias detection could be relied upon beyond genuinely high-risk contexts without strictly necessary thresholds
- Registration removal: Eliminating the EU database registration obligation for self-assessed non-high-risk systems removes early supervisory visibility before market placement
- AI literacy downgrading: Shifting from mandatory provider obligations to encouragement by member states weakens accountability
- AI Office competence: Unclear limits on AI Office authority in cross-border scenarios and lack of EDPB observer status on the AI Board
Fundamental Rights Scrutiny
Legal scholars and civil liberties organizations have raised questions about whether the “relative identifiability” personal data definition and AI training legitimate interest provisions maintain equivalent protection levels in practice. These changes must withstand proportionality, legal certainty, and effective protection tests under Articles 7 and 8 of the EU Charter of Fundamental Rights and established CJEU jurisprudence.
Industry Mixed Reactions
While businesses generally welcome simplification, some sectors express concern about:
- The six-month cookie refusal moratorium potentially limiting legitimate marketing outreach
- Media service provider exceptions to browser signals creating inconsistent user experiences
- Remaining complexity in determining whether processing qualifies as “low risk” and exempt from consent requirements
- Uncertainty about “small mid-cap” definitions and eligibility for simplified requirements
Preparing for the Digital Omnibus: Action Items
Organizations should begin preparing now for the likely adoption of Digital Omnibus provisions:
Immediate Actions (Q1-Q2 2026)
- Audit current incident reporting workflows: Map how your organization currently handles GDPR, NIS2, and DORA notifications to identify consolidation opportunities
- Review cookie consent mechanisms: Prepare for one-click accept/reject requirements and browser signal integration
- Assess AI system portfolios: Determine which systems may qualify for delayed high-risk obligations and which require immediate compliance preparation
- Monitor legislative developments: Track European Parliament committee reports and Council general approach documents for sector-specific implications
Medium-Term Preparation (2026-2027)
- Implement single reporting infrastructure: Develop internal capabilities to submit unified breach notifications when the ENISA portal becomes operational
- Update DPIA processes: Align with forthcoming EDPB standardized templates and EU-wide activity lists
- Evaluate data processing classifications: Assess whether “relative identifiability” changes affect GDPR scope for your datasets
- Train compliance teams: Educate privacy, security, and AI governance staff on consolidated frameworks and new timelines
Strategic Considerations
- Regulatory arbitrage assessment: Evaluate whether simplified SMC requirements or sandbox participation could accelerate AI development timelines
- Vendor management: Ensure third-party processors and AI providers are preparing for unified reporting and standardized documentation requirements
- Documentation harmonization: Consolidate currently separate GDPR, AI Act, and DORA compliance documentation into integrated frameworks
Conclusion: Simplification Without Weakening
The EU Digital Omnibus represents a mature approach to digital governance—acknowledging that regulatory effectiveness depends not just on the substance of rules but on their practical implementation. By consolidating overlapping frameworks, unifying reporting mechanisms, and clarifying ambiguous provisions, the package aims to reduce compliance costs by €5 billion while maintaining Europe’s high standards for data protection, AI safety, and cybersecurity resilience.
For businesses, the Omnibus offers a path from regulatory fragmentation to coherent compliance. The single reporting portal, standardized templates, and delayed AI obligations contingent on available standards address real operational pain points without sacrificing fundamental rights protections. The consolidation of data instruments into the Data Act and the clarification of GDPR-ePrivacy interactions eliminate the current need to navigate multiple legal bases for single processing activities.
Yet the package is not deregulation. Core obligations remain; enforcement mechanisms are strengthened through AI Office centralization; and the EDPB gains significant new responsibilities for standardization. The “relative identifiability” and AI training provisions that have drawn data protection scrutiny demonstrate the tension between simplification and protection—a tension that will be resolved through legislative negotiation and, likely, subsequent litigation.
The Digital Omnibus is best understood as regulatory maintenance: fixing what has proven unworkable in practice while preserving what has proven valuable in principle. For organizations operating in Europe, preparation should begin now—not because the rules are changing radically, but because the way those rules are implemented is changing fundamentally. The transition from fragmented to unified compliance, when it comes, will favor those who have prepared for integration rather than those scrambling to catch up.
Disclaimer: This blog post is for informational and educational purposes only and does not constitute legal advice or professional guidance. The Digital Omnibus Package is currently under legislative negotiation and provisions may change significantly before final adoption. The timeline and specific requirements discussed are based on Commission proposals as of March 2026 and may not reflect final adopted text. Organizations should consult qualified legal counsel for advice on specific compliance obligations. The author and publisher assume no liability for decisions made based on this content.
About the Author
InsightPulseHub Editorial Team creates research-driven content across finance, technology, digital policy, and emerging trends. Our articles focus on practical insights and simplified explanations to help readers make informed decisions.