February 4, 2026

The EU Digital Omnibus – streamlining the data, cyber, and AI regulatory framework

The European Commission has published its proposal for the simplification of the EU’s digital rulebook (see: Digital Omnibus Regulation Proposal | Shaping Europe’s digital future) (the Digital Omnibus). The EU’s digital regulatory landscape has evolved, and there is now a recognition of an opportunity to streamline and clarify the current cumbersome legislative and regulatory framework (including the Data Act, Data Governance Act, Open Data Directive, Free Flow of Non-Personal Data Regulation, the GDPR, ePrivacy Directive, NIS2, CER, DORA and the EU AI Act) as well as to address and bolster the EU’s competitiveness. Whilst the Digital Omnibus is an EU initiative, for UK organisations with customers in the EU or who transfer EU personal data the proposals are strategically important, and the legislative developments should be carefully monitored. Additionally, some of these EU laws, such as the GDPR, have influenced and shaped the equivalent legislative packages in the UK, and we await the full impact of the Data (Use and Access) Act (DUAA), the main provisions of which have recently come into force, as well as the progression of the UK Cyber Security and Resilience Bill.

The Omnibus comes in the form of two draft Regulations:

  • a “Digital Omnibus” to simplify, consolidate, and clarify parts of the overall EU digital legislative package around personal data, privacy controls, and cyber security; and
  • a “Digital Omnibus on AI” to simplify the rules on artificial intelligence (AI).

The proposals are not in final form and are subject to further negotiations at European Parliament and Council level, which we will continue to monitor.

The Digital Omnibus – digital legislation

We have set out below a high-level, non-exhaustive table of some of the key changes categorised by topic that the Digital Omnibus covers:

Legislation

Topic

Proposal

Data protection

GDPR (Regulation 2016/679)

Definition of personal data amended

Under the current GDPR, any information that could directly or indirectly identify an individual is treated as personal. This includes names, emails, IP addresses, device IDs and pseudonymous data.

A change to a subjective approach (a controller-centred test) to the definition of personal data is proposed: information is not personal data for an entity if that entity cannot identify the individual, even if another entity could.

Data will only be personal if the organisation processing it has the means that are reasonably likely to be used to identify a person. This means that, in practice, highly pseudonymised data or indirect identifiers may fall outside scope if the controller cannot realistically link them to a person. Direct identifiers, or data that the organisation could reasonably use to single someone out, will remain personal, and judging identifiability becomes relative to each controller’s realistic capabilities.

GDPR (Regulation 2016/679)

Special categories and Legitimate Interest for AI 

Processing of personal data for development, training, testing and operation of AI systems is to be recognised as a legitimate interest – the processing needs to be subject to a balancing test, appropriate safeguards and an effective right to object. 

New exemption for processing of special categories of personal data in AI training with requirements for the removal or protection of such data. Where a disproportionate effort would be required of the controller to remove such categories, the controller is required to protect such data from being used to infer outputs being made available to third parties. 

GDPR (Regulation 2016/679)

Biometric data

Allowing processing of biometric data subject to a limited exemption where it is necessary for confirming the ID of data subjects and where the biometric data is under the sole control of the user (e.g. mobile phone facial recognition).

GDPR (Regulation 2016/679)

Data subject rights (DSARs)

Prevent abuse of access rights; allow controllers to charge a ‘reasonable fee’ for, or refuse to act on, excessive or abusive requests.

GDPR (Regulation 2016/679)

Breach notification

Align threshold for notifying supervisory authority with threshold for notifying data subjects (only if data breach likely to result in “high risk” to the individual). The existing provision requires notification unless the breach is unlikely to result in a risk to the rights of data subjects. The deadline for making the notification will be extended from 72 to 96 hours. 

GDPR (Regulation 2016/679)

Data Protection Impact Assessments (DPIAs)

Replace national lists with a single EU-level list; introduce common template and methodology.

Data Act (Regulation 2023/2854)

Trade secrets

Introduce a new ground for refusal to share data where disclosure poses a high risk of unlawful acquisition/use in third countries with inadequate protections (i.e. weaker or non-equivalent protection than the EU). Data holders would be required to notify the competent authority in such a case.

Data Act (Regulation 2023/2854)

Business-to-government data sharing

Narrow scope from ‘exceptional need’ to ‘public emergencies’; the proposal clarifies the compensation regime for situations where data holders, including microenterprises and small enterprises, are required to provide data to address a public emergency.

Data Act (Regulation 2023/2854)

Smart contracts

Delete Article 36 of Data Act on essential requirements regarding smart contracts executing data sharing agreements due to compliance ambiguities and incompatibility with blockchain architectures – aims to remove the uncertainty where there are no clear definitions of key concepts or harmonised standards. 

Data Act (Regulation 2023/2854)

Switching cloud/data processing services

The proposal modifies the Data Act’s portability and switching obligations so they better fit different types of cloud services. Custom cloud services may not have to meet the full standardised portability requirements originally imposed by the Data Act, acknowledging their bespoke nature.

Cloud switching rules are adapted for custom-made services and for Small and Medium-sized Enterprise (SME)/Small Mid-Cap Enterprise (SMC) providers (e.g. limited exemptions for pre-12 September 2025 contracts, proportionate early termination fees), recognising that full compliance may be disproportionate for smaller providers.

Data Governance Act (DGA) (Regulation 2022/868)

Data intermediation services (third-party services that facilitate data sharing between individuals/companies and data users in a trusted and secure environment) 

No substantive change – structural organisational reform which clarifies the definition of data intermediation services. The mandatory regime for data intermediation services under the DGA would be replaced by a voluntary regime in the Data Act. 

Privacy and cookie rules 

Directive 2002/58/EC (ePrivacy)

Cookies and terminal equipment

Integrate rules into GDPR (new articles 88a and 88b) aiming to reduce “cookie fatigue”:

- users to be able to refuse consent easily with a single click or equivalent means

- if user consent is declined, the controller cannot make a new request for consent for at least 6 months

- users to be able to manage cookie preferences centrally through browser settings or other automated machine-readable means

- clarifying that access to or storage of information in the terminal equipment continues to require consent (subject to a limited set of exemptions)

- introducing a conditional consent exemption for certain first-party, aggregated analytics and audience measurement cookies and confirming consent exemptions for security-related cookies and cookies for delivery of user-requested services.

Regulation 2018/1807 (Free Flow of Non-Personal Data)

Data localisation

Retain principle of free flow in Data Act: Member States would not be permitted to require non-personal data to be stored or processed within their territory unless the localisation measure is necessary for public security or specifically required by EU law. Member States would still be required to notify the Commission of new data localisation requirements, but the obligation to maintain national single information points listing these measures would be removed. 

Regulation 2019/1150 (Platform-to-Business P2B)

Online platforms

Repeal P2B regulation; rely on Digital Services Act and Digital Markets Act to clarify compliance requirements for online intermediary service providers. 

Cyber security

GDPR, the Network and Information Security Directive (NIS2), the Critical Entities Resilience Directive (CER), the Digital Operational Resilience Act (DORA) and other instruments

Reduction of duplication and Incident Reporting

Proposed introduction of a single entry point (SEP) for incident reporting through a single EU-level interface. The SEP then routes the notification to the competent authorities under each regime.

The proposal aims to reduce duplication, ease administrative burden for organisations and improve uniformity across overlapping cybersecurity and incident reporting structures. 

AI

EU AI Act

High Risk Systems linked to harmonised standards 

Proposed simplification, with the introduction of the rules for high-risk AI systems linked to the availability of harmonised standards or Commission guidelines, and the rules applying following a transition period (6 months for Annex III high-risk systems and 12 months for Annex I high-risk systems). The final deadlines, after which the rules will apply regardless, are 2 December 2027 for Annex III systems and 2 August 2028 for Annex I systems.

Providers of high-risk systems for narrow or procedural tasks to be exempted from the EU database for high-risk systems. 

EU AI Act

GenAI

Omnibus to defer the entry of obligations around the marking of artificially generated or manipulated content produced by AI systems until 2 Feb 2027 for systems which have been placed on the market before 2 Aug 2026. This allows providers to adapt to new practices.

EU AI Act Art 4

AI Literacy 

Blanket obligation for providers and deployers to ensure AI literacy (a previous compliance burden) to be deleted and replaced with requirements on the Commission and Member States to foster AI literacy by encouraging providers and deployers to supply training and good practice.

Digital Services Act 

Governance

AI Office to have the ability to conduct premarket conformity assessments and tests for certain high-risk systems. AI Office to have exclusive competence to oversee: (1) AI systems based on general purpose models developed by the same provider (previously not reserved only to the AI Office) and (2) AI embedded in Very Large Online Platforms and Very Large Online Search Engines, which is not addressed in the AI Act currently.

EU AI Act 

Special category personal data 

Expansion of the AI Act from providers of high-risk AI systems only to providers and deployers of all AI systems and models, allowing the processing of special categories of personal data for bias detection and correction (subject to certain provisions such as implementation of technical and organisational safeguards).

Next steps

Members of the European Parliament will begin the process of discussing the proposals and tabling amendments, with the aim of reaching final texts by summer 2026. Once the Digital Omnibus is agreed, the majority of its provisions would enter into force three days after its publication in the Official Journal of the EU. Transitional periods for certain rules such as those relating to settings-based mechanisms for cookie preferences (48 months following entry into force) and to moving cookie compliance to the GDPR (six months following entry into force) will assist businesses in their preparation for compliance. 

Implications for businesses

It is likely that there will be many amendments to the original proposals, which will undoubtedly cause businesses uncertainty in their planning, especially around implementation times for compliance. Early preparation can mitigate any compliance issues as well as support innovation and reduce risk. Businesses should:

  • keep an eye on the legislative journey of the Digital Omnibus (as well as UK equivalent legislation, for example the DUAA and the Cyber Security and Resilience Bill);
  • give thought as to the potential impact of the reforms and the practicalities of operating within uncertain parameters in this period of flux; and
  • review contractual positions and data protection policies in light of proposed reforms.

If you would like any further information on the above, please contact Beverley Flynn or Guy Cartwright.