11-13-2025 Article

Digital Omnibus: EU Commission presents draft

Update Data Protection No. 221

With the presentation of the first drafts for the so-called "Digital Omnibus," the discussion on simplifying European digital law has reached a new phase. After numerous digital regulations, from the AI Act to the Data Act to the Cyber Resilience Act, have come into force one after the other in recent years, practitioners are increasingly faced with the challenge of reconciling parallel obligations and deadlines. The European Commission is now responding with a comprehensive package of targeted amending regulations designed to better align existing rules, reduce duplication of requirements, and make implementation more practicable for businesses and administrations.

The drafts now available show that the Commission is not seeking a substantive realignment, but rather technical and organizational simplification. Among other things, adjustments to data law, more precise reporting and information requirements in data protection, clearer interaction with the Cyber Resilience Act, and simplifications in the application of the AI Act are planned. At the same time, the supervision of AI systems is to be more centralized and the transition to a more uniform European digital legal framework is to be prepared.

The following article summarizes the key German positions, the main content of the Commission's drafts, and the resulting practical consequences for companies.

I. Starting point and political background

The starting point for the omnibus procedure is the growing complexity of European digital law. With the entry into force of numerous regulations such as the AI Act, Data Act, Cyber Resilience Act, DORA, and NIS-2, companies are confronted with a dense network of obligations that often overlap in terms of content and timing. Against this backdrop, the European Commission launched a consultation in the summer of 2025 to examine options for harmonization and relief (we reported). Member states, companies, and associations had until October 14 to submit their comments. Germany, in particular, pushed for a more coherent, innovation-friendly regulatory framework. Based on this feedback, the Commission has now presented draft proposals for a "Digital Omnibus" that aims to harmonize the previously fragmented regulations and reduce bureaucracy at the same time.

II. Key proposals from Germany

As part of the consultation, the Federal Ministry for Digital and Governmental Affairs (BMDS) set its own priorities for the omnibus procedure and submitted them to the European Commission in a position paper. The starting point is the demand for a more coherent and innovation-friendly regulatory framework that avoids double regulation and reduces the burden on companies.

The initial focus is on the idea of "reducing governance complexity." The ministry is calling for new digital regulations to be introduced only after a mandatory cost-benefit analysis and for better coordination of the existing responsibilities of supervisory authorities. In addition, the BMDS advocates dispute resolution by private bodies in order to avoid lengthy and expensive administrative procedures.

A second focus concerns the simplification of data regulation. The ministry suggests defining the scope of the Data Act more precisely in order to eliminate legal uncertainties and, in particular, to reduce the burden on small and medium-sized enterprises. The focus should be on facilitating data use and transfer, not on additional bureaucratic requirements.

Germany is also calling for significant adjustments to existing data protection regulations. For example, the Commission should consider partially exempting non-commercial activities and SMEs from the GDPR in order to avoid disproportionate burdens. In addition, a simplification of cookie regulations is proposed—if necessary in the form of a separate legal act—in order to reduce the large number of consent dialogs.

The BMDS is calling for an innovation-friendly and practical interpretation of the AI Act. The aim must be to promote competition and research rather than hindering market entry through excessive regulation. AI systems for research purposes in particular should be exempt from key obligations.

Finally, the ministry calls for legal frameworks such as EUDI Wallet, digital driver's licenses, and Single Digital Gateway to be better coordinated in order to facilitate the cross-border exchange of digital administrative services.

III. EU Commission draft: Core elements of the Digital Omnibus

With the drafts for the "Digital Omnibus" now available, the European Commission aims to consolidate the previously fragmented digital legislation and at the same time reduce technical ambiguities, duplicate obligations, and bureaucratic burdens. The focus is on four key areas: data use and data access, data protection and consent, cybersecurity notifications, and supervisory structures in the field of artificial intelligence.

1. Consolidation of data laws

European data law will undergo the most significant changes. The Data Act is intended to form the core of European data legislation in the future and will incorporate the Data Governance Act, the Regulation on the free flow of non-personal data (FFDR), and the Open Data Directive. This would create a uniform regulatory framework for data use and access in the EU for the first time.

The draft contains numerous clarifications. For example, the definitions of key terms ("data user," "data holder," "public emergency") are to be standardized and an obligation for the Commission to publish technical standards for data interfaces within twelve months is to be introduced.

The protection of trade secrets will also be strengthened by allowing data owners to refuse disclosure if this could result in sensitive information being transferred to third countries with an inadequate level of protection or could compromise the EU's essential security interests. Access to data by public authorities will also be restricted. In future, it will only be permitted in the event of a "public emergency," not in every case of exceptional necessity.

For cloud providers, the switching obligations under Art. 26 ff. of the Data Act are specified in more detail. Individually customized, non-standardized services remain exempt from interoperability requirements under existing contracts. At the same time, small and mid-caps (up to 750 employees) are permanently exempt from additional obligations. In addition, member states will be able to set up "data sandboxes" in the future to test data exchange and interface solutions in controlled test environments.

Finally, the draft links the (future integrated) Data Governance Act with the Digital Markets Act to ensure market power-neutral data use: Public authorities will be able to set higher fees and stricter conditions for data access from gatekeepers such as Google in the future.

2. Amendments to the General Data Protection Regulation (GDPR)

The GDPR will also be amended in several respects by the Omnibus, in many cases in line with German proposals. The aim is to simplify procedures while better reflecting technological developments such as AI training and automated consent.

The draft clarifies the scope of Article 9 GDPR so that data from which sensitive characteristics can only be derived indirectly ("through intellectual operations") will not automatically be considered particularly sensitive in the future. In addition, a new regulation on biometric verification is being introduced: a one-to-one query with locally stored or encrypted data of the data subject will be permitted, provided that the data subject retains full control over their data.

Of particular practical relevance is the approval of AI training on the basis of legitimate interest (Art. 6 (1) (f) GDPR) if appropriate technical and organizational measures are implemented in accordance with Art. 32 GDPR. The Commission is to present guidelines on data protection-friendly training methods (such as synthetic data or differential privacy) by 2027.

However, this planned opening up of AI training data has been met with significant criticism. The data protection organization noyb, led by Max Schrems, warns that the proposed changes jeopardize key principles of the GDPR. The proposed possibility of using personal data, including sensitive categories, for training large AI models could significantly water down protection standards. According to noyb, this is the most politically significant part of the reform, while other simplifications, such as those for SMEs, are of lesser practical importance. Another point of criticism is that in several places the proposals closely follow the demands of the German federal government, which has been pushing for an opening of the GDPR for some time.

In addition, information and reporting requirements are being simplified. Companies with fewer than 250 employees can simplify the information requirements under Articles 13 and 14 of the GDPR, provided there is no high risk. Data breaches without significant risk will no longer have to be reported to the supervisory authority, but must be documented internally. A uniform EU reporting form is intended to further standardize processes and at the same time be compatible with the new central cyber reporting portal.

3. Integration of ePrivacy rules ("cookie reform")

A central component of the draft is the complete integration of the ePrivacy rules into the GDPR. The aim is to end so-called "consent fatigue" and to map consent in a technically standardized manner in the future. Users should be able to give their consent or refusal in their browser or operating system in the future, which websites must automatically recognize and implement.

For media service providers, a limited exception for refinancing through advertising remains in place, but this is to be reviewed regularly.

4. Cybersecurity: Single reporting portal

In the area of cybersecurity, the draft confirms the creation of a central European reporting portal ("single entry point") through which companies will be able to report all security-related incidents in accordance with the GDPR, NIS-2, DORA, or CRA, for example. The system will be operated by the EU cybersecurity agency ENISA and will automatically forward reports to the relevant national authorities.

A new feature is that the portal will also integrate certification information from the Cybersecurity Act in order to standardize the interfaces between reporting and auditing obligations. For small businesses (up to 250 employees), the reporting deadline will be extended to 120 hours. The aim is to create a uniform, digitized reporting system that avoids multiple reports and redundant audit steps.

5. Centralization and simplification of AI supervision

Another focus of the Commission concerns the AI Act, which the omnibus bill aims to simplify and adapt to existing practical problems. Technical and organizational adjustments are planned, primarily to facilitate the transition to implementation.

The draft includes, among other things:

  • an extension of individual transition periods, in particular for transparency and labeling requirements under Article 50 of the AI Act, which will only be subject to fines from August 2, 2027;
  • a new legal basis for processing sensitive data for bias detection and correction (new Art. 4a AI Act) under strict data protection requirements;
  • simplified documentation and quality management requirements for SMEs and small-mid-caps, including a more lenient penalty framework;
  • the possibility to test high-risk AI systems in real-world conditions outside national sandboxes;
  • the establishment of an EU-wide AI Regulatory Sandbox program led by the AI Office with priority access for start-ups;
  • explicit integration with the Cyber Resilience Act, according to which AI systems that meet its security requirements are automatically considered IT-secure;
  • and the strengthening of the AI Office as a central supervisory and enforcement authority with powers to monitor the market, carry out ex ante testing, and impose sanctions on providers of basic models or integrated AI systems on very large online platforms.

These adjustments are intended to ensure that the AI Act is applied in a practical, innovation-friendly, and legally certain manner. The Commission's aim is to reduce the burden on member states while at the same time strengthening the coherence of European supervision.

IV. Recommended actions for companies

Even though the draft Digital Omnibus is likely to provide greater clarity and some relief in the medium term, the direction of European digital policy remains unchanged. Existing obligations will neither be repealed nor weakened in terms of content, but merely better structured and, in some cases, spread out over time. For companies, therefore, the question remains not so much whether, but when and to what extent the respective requirements will take effect. At a time when deadlines, responsibilities, and technical standards are still in flux, a gradual, resource-efficient approach is recommended, with clear prioritization of the requirements that already apply today or are highly likely to become applicable in the short term.

The key is to strike a pragmatic balance between legal certainty and effort. Companies should design their internal processes in such a way that they are traceable, verifiable, and expandable if necessary. Uniform documentation and reporting procedures, clear responsibilities, and coordinated risk analyses create stability without tying up excessive resources.

Such a basic approach makes it possible to integrate new requirements step by step as soon as they become binding and prevents costly changes. In this way, a sustainable level of compliance can be achieved with limited effort, creating sufficient time and space for further implementation.

V. Conclusion and outlook

With the draft presented, the European Commission is specifying its plans to make European digital law more coherent and manageable. The Digital Omnibus does not mark a change of course, but rather a structural development. The aim is not less regulation, but more efficient and consistent implementation of existing obligations.

For companies, this means more guidance, but no all-clear. Even after the Digital Omnibus comes into force, the legal framework will remain challenging and will require a minimum level of organizational preparation. It is crucial to consider the emerging standardizations at an early stage and to align existing data protection, IT security, and AI processes so that they are compatible with the new system.

If the draft is adopted as planned in 2025, it is expected to come into force gradually from 2026 onwards. The coming months will show to what extent the Council and Parliament will follow the Commission's proposals. It is already foreseeable that the Digital Omnibus will initiate the transition from a confusing patchwork to an integrated European digital legal framework, which will not reduce the implementation effort but will make it more predictable.

This article was created in collaboration with our student employee Emily Bernklau.
