On November 19, 2025, the European Commission officially presented the "Digital Omnibus Package". After years of piling up digital regulations – from the GDPR and ePrivacy to the recent AI Act and NIS2 – it is time for consolidation and simplification.
This package, already referred to in the corridors as "the great digital cleanup," aims to reduce administrative burdens for companies and stimulate innovation, without compromising on fundamental rights and safety.
What is the Digital Omnibus?
The Digital Omnibus is not a single new law, but a package of proposed amendments to existing legislation. It consists of two main pillars:
- The General Digital Omnibus: Aimed at streamlining the GDPR, ePrivacy, NIS2, and the Data Act.
- The AI Omnibus: Specific adjustments to the EU AI Act to make implementation smoother.
The Commission's core message is clear: "Less regulatory burden, more innovation."
Key Changes for Your Organization
1. Simplification of the GDPR
One of the most striking proposals is the revision of the definition of "personal data". The Commission proposes not to consider data as personal data if the holder cannot reasonably use means to identify an individual. This is good news for AI developers working with anonymized datasets.
In addition, the notification obligation for data breaches is being relaxed:
- Higher threshold: Only breaches with a "high risk" need to be reported.
- Longer deadline: The reporting deadline is extended to 96 hours (was 72 hours).
2. AI Act: More Room for Innovation
The "AI Omnibus" introduces targeted adjustments to make the AI Act more workable, especially for SMEs:
- Postponement for High-Risk: The rules for high-risk AI systems are linked to the availability of harmonized standards. In practice, this can lead to a postponement of up to 16 months for certain obligations.
- Less Documentation: Technical documentation requirements are simplified for small and medium-sized enterprises.
3. End to Cookie Fatigue?
The package contains proposals to curb the endless stream of cookie banners. The idea is to let users manage their preferences centrally via browser or system settings, instead of having to give consent on every website again.
4. One-Stop Shop for Cybersecurity
For organizations struggling with the overlap between NIS2, DORA, and the GDPR, relief is coming. Work is being done on a single central reporting point for cyber incidents, so you no longer have to report the same incident to three different regulators.
Timeline and Impact
Although the proposals are now on the table, it is not yet law. The legislative process via the European Parliament and the Council is expected to take until mid-2026.
What does this mean for you now?
- Don't panic: The current rules remain in force for the time being.
- Stay compliant: Continue with your current implementation trajectories for the AI Act and NIS2. The Omnibus is about simplification, not abolition.
- Look ahead: Take these future relaxations into account in your long-term strategy, especially if you are investing in heavy compliance infrastructure.
Conclusion
The Digital Omnibus is a welcome step towards a mature digital market in Europe. It acknowledges that regulation is necessary, but that execution must remain workable. For companies, this offers a perspective on lower compliance costs and more room to do business with AI.
Do you want to know what the current AI Act rules mean for your organization before the relaxations take effect? Take our free compliance check and get immediate insight.
