DIGITAL OMNIBUS: What specific relief measures are planned for businesses?

With the so-called "Digital Omnibus," the European Commission is pursuing the goal of adapting and simplifying key digital legislation, in particular the AI Regulation (AI-VO) and the General Data Protection Regulation (GDPR), in selected areas. The background to this is growing criticism from the business community regarding the implementation effort, deadlines, and, in some cases, unclear distinctions in the interaction between the regulations. The Omnibus aims to reduce regulatory duplication, make deadlines more flexible, and make individual obligations more practical without abandoning fundamental protection mechanisms. For companies, the question is less about political assessment and more about the specific implications for compliance, product development, and data use. Below, we outline the current status of the consultations and analyze the practical relief that is actually emerging for companies.

I. Background: Revision of the AI Regulation and GDPR

With the drafts for a "Digital Omnibus" of November 19, 2025, the European Commission is pursuing the goal of structurally consolidating the previously fragmented digital regulation and addressing enforcement problems. This particularly affects the Data Act and related data laws, the GDPR including ePrivacy rules, the European cyber reporting system, and the AI Regulation.

In data law, the Data Act is to serve as the central legal framework in the future and integrate the Data Governance Act, the FFDR (Free Flow of Data Regulation), and the open data regulations (we reported). The plans include standardized definitions of terms, more precise access and switching obligations, especially for cloud providers, stronger protection mechanisms for trade secrets, and a restriction of official data access to clearly defined emergencies.

The GDPR is to be amended in specific areas. These include a clarification of the term "special categories of personal data," an explicit opening for AI training based on legitimate interests under technical safeguards, simplified information and reporting obligations for smaller companies, and the integration of ePrivacy rules with technically standardized consent mechanisms (we reported).

In addition, a central European reporting portal for cyber and data protection incidents will be created to bundle multiple reports under the GDPR, NIS-2, DORA, or CRA. In the area of AI regulation, extended transition periods, simplified documentation requirements for SMEs, expanded testing opportunities under real conditions, and greater centralization of oversight at the AI Office are planned.

II. Current status

1. AI Omnibus

The legislative process for the AI Omnibus is about to enter the parliamentary consultation phase. Negotiations in the European Parliament are scheduled to begin on Wednesday, February 25. The issue is also on the agenda at the member state level: on Friday, February 27, the EU Committee of the Bundesrat will discuss the Digital Omnibus in the context of the European data strategy.

Once Parliament and Council have each determined their position, the trilogue could begin in April or May, according to current plans. The goal is to complete the process before August 1 so that the changes can take effect in time for the AI Regulation's relevant application date of August 2. The schedule is correspondingly tight and politically ambitious.

2. Data Omnibus

The status of the Data Omnibus procedure is less clearly structured. Discussions have been more controversial so far, particularly with regard to data protection adjustments.

The European Data Protection Board (EDPB) in particular has expressed considerable reservations about individual proposals and criticized a possible lowering of the level of data protection. Against this background, it is currently unclear whether the data protection reform components will be synchronized with the AI Omnibus or whether they will go through a separate, possibly longer legislative process.

III. Concrete practical advantages for companies

The drafts of the Digital Omnibus are not designed as substantive deregulation, but as a structuring and simplifying reform. The practical effects for companies therefore lie less in a lowering of protection standards than in increased predictability, reduced multiple regulation, and clearer structures of responsibility. The main operational effects can be summarized in five key areas.

1. Uniform regulatory framework in data law

The planned integration of the Data Governance Act, FFDR, and open data regulations into the Data Act eliminates the parallel structure of different data regimes that has existed to date. For companies, this means a systematic consolidation of the regulations on data access, data use, and disclosure obligations into a uniform set of rules.

In practice, this reduces the need for multiple legal reviews of data-driven business models, platform architectures, or intra-group data transfers. Clear and EU-wide harmonized definitions of terms reduce interpretation uncertainties, particularly with regard to qualification as a data holder or data user. For internationally active companies, this reduces transaction costs in contract drafting and the risk of diverging national enforcement practices.

2. More precise cloud and interoperability requirements

The specification of change and interoperability requirements in the Data Act has a direct impact on existing IT and cloud infrastructures. The possibility of exempting customized and non-standardized services from interoperability requirements under certain conditions increases contractual and investment security.

For companies with complex, tailor-made IT environments, this reduces the risk of short-term technical conversions or cost-intensive migration obligations. At the same time, data sandboxes create a regulatory-controlled framework for testing new data products and interface solutions without immediately imposing all full requirements. This favors innovation projects in early stages of development.

3. Data protection openings for AI development

Of particular practical relevance is the planned explicit recognition of legitimate interest as the legal basis for AI training, provided that appropriate technical and organizational measures are implemented. For companies, this opens up greater scope for using existing data sets for training purposes without having to rely on individualized consent in every case.

This facilitates the scaling of data-intensive models and reduces the administrative burden of consent management. At the same time, information and reporting requirements for smaller companies will be differentiated on a risk basis. In the future, data protection violations without significant risk will only be subject to documentation requirements, but not to reporting requirements. In operational practice, this means a reduction in the burden on internal compliance resources and a focus on incidents that are actually relevant to risk.

4. Bundling of cyber and data protection reports

The planned central European reporting portal will bundle the previously separate reporting obligations under the GDPR, NIS-2, DORA, and CRA. This will eliminate the need for companies to contact different national authorities in parallel via different reporting channels.

The harmonization of forms and automated forwarding to the relevant authorities will reduce coordination efforts and friction in incident management. This will create a consistent and digitized process that avoids multiple reports and redundant checks, particularly for companies with multiple regulatory reporting obligations.

5. Adjustments to the AI Regulation: time savings, simplification, and centralization

There are several cumulative relief effects in the area of AI regulations. Linking the effective date of high-risk obligations to the availability of harmonized standards prevents companies from having to implement requirements without being able to refer to specific technical standards. This improves project planning and reduces the risk of faulty implementations or implementations that need to be adjusted retrospectively.

The extension of simplified documentation and quality management requirements to SMEs and small-mid-caps reduces the administrative burden, especially for high-growth companies. Expanded opportunities for testing under real-world conditions and an EU-wide sandbox program promote early market testing of innovative systems under regulatory supervision.

Finally, strengthening the AI Office as the central supervisory authority for certain AI systems will lead to greater harmonization of enforcement practices. For providers operating across Europe, this may reduce the number of parallel national proceedings and contribute to more consistent application of the law.

IV. Conclusion and outlook

The Digital Omnibus does not mark a paradigm shift in European digital law, but it does mark a noticeable change of course toward consolidation, procedural simplification, and realistic implementation. The drafts do not aim to materially lower protection standards, but rather to reduce regulatory friction losses that have resulted from parallel legal acts, unclear demarcations, and tightly scheduled deadlines. For companies, the concrete benefits lie primarily in improved predictability for AI and data projects, a bundling of reporting and documentation requirements, and greater leeway in the design of training and development processes in accordance with data protection law.

Whether these effects actually materialize depends largely on the further legislative process. While the AI omnibus bill is following an ambitious schedule and is set to come into force before August 2, the data omnibus bill is more politically controversial. Intensive negotiations and possible readjustments are to be expected, particularly in the area of data protection. Companies should therefore closely monitor developments and already start to consider where strategic adjustments can be made – for example, in AI governance structures, data architectures, or reporting processes.

Regardless of the final wording of the reform, however, a clear trend is emerging: the Commission is responding to practical implementation problems and signaling its willingness to make regulatory structures more functional. For companies, this opens up the opportunity to align compliance not only as a fulfillment of obligations, but as an integral part of a plannable and innovation-oriented digital strategy. 

This article was created in collaboration with our student employee Emily Bernklau.