New Developments in the Digital Omnibus

There is currently noticeable momentum in the discussion surrounding the European omnibus initiatives in digital law. Concrete proposals and initial political positions are now available for both the so-called Data or Digital Omnibus and the AI Omnibus. While the Commission’s primary aim with these proposals is to simplify and better coordinate existing regulations, clear lines of conflict are already emerging regarding the scope and substantive content of the planned changes.

For companies, this increasingly raises the question of the direction in which European digital law is evolving and whether the announced relief will actually materialize or whether new uncertainties will arise. The following overview highlights current developments regarding the Data and AI Omnibus and assesses their practical relevance.

I. Background and Objectives

The European Commission’s omnibus initiatives are set against the backdrop of increasingly complex and fragmented digital regulation. In recent years, key legislative acts – including the GDPR, the Data Governance Act, the Data Act, and the AI Regulation – have been developed and adopted, in some cases in parallel, without their interactions being consistently coordinated. As a result, companies are frequently confronted with overlapping obligations, unclear demarcation issues, and increased compliance burdens.

Against this backdrop, the Commission’s omnibus proposals aim to selectively adapt existing regulations, better align them with one another, and improve their practical applicability. The focus is particularly on reducing bureaucratic burdens and promoting innovation, especially in the areas of data-driven business models and artificial intelligence. At the same time, it is clear that the planned adjustments are not merely technical in nature but concern key policy decisions in European digital law.

II. Data Omnibus

The proposal for a “Digital Omnibus” represents the first concrete intervention in the regulatory framework of the GDPR since its entry into force. The goal is to modernize the regulation in specific areas, integrate it more closely with related regulations – particularly the Data Act and the AI Regulation – and, at the same time, reduce practical implementation challenges.

1. Planned Changes

In terms of content, the planned changes focus primarily on three areas: First, the central concept of “personal data” is clarified, with future provisions placing greater emphasis on concrete identifiability by the respective data recipient . Second, it is clarified that the processing of personal data for the training, testing, and validation of AI systems may, in principle, be based on a legitimate interest. Third, a limited exception is introduced for the processing of special categories of personal data in the AI context, provided that such processing is unavoidable and not targeted.

Accompanying adjustments are planned, such as clarifying specific definitions (e. g., health data), easing transparency and reporting obligations, and further harmonizing procedural requirements in conjunction with other digital legislation.

2. Current Status

The Digital Omnibus is currently still undergoing the legislative process at the EU level. The Commission’s proposal from November 2025 is currently being debated in the European Parliament and the Council. In parallel, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) submitted a joint opinion in February 2026 that is significantly shaping the further legislative process.

While the supervisory authorities expressly support the goal of simplifying and harmonizing the digital legal framework, they simultaneously voice significant criticism of key elements of the proposal. The focus is particularly on the planned amendment to the definition of “personal data.”

The Commission bases this adjustment primarily on a recent ruling by the ECJ (Case C-413/23 P – EDPS v. SRB). In this decision, the Court clarified that data is not considered personal data for a specific recipient if that recipient cannot identify the data subject using “means reasonably available to them.” At the same time, however, the ECJ emphasizes that data can regain its personal character as soon as it reaches a recipient who has the means to identify the data subject.

This is precisely where the criticism begins: The Omnibus Proposal addresses this case law only selectively and, in the view of the EDPB and EDPS, goes significantly beyond it. In particular, the proposed clarification that data should not be considered personal merely because another recipient could identify it contradicts the CJEU’s case law.

The supervisory authorities see this as a significant threat to the level of protection afforded by data protection law. The proposed redefinition would noticeably narrow the scope of the GDPR and could incentivize companies to deliberately structure data processing in such a way that it formally falls outside the scope of the regulation. Furthermore, new difficulties in defining boundaries would arise, leading not to greater legal certainty, but to less.

Further points of criticism relate in particular to:

• Pseudonymization: The planned option to determine, through implementing acts, when pseudonymized data no longer qualifies as personal data is viewed as contrary to the system, as this affects the core area of data protection law.
• AI-specific exemptions: While it is acknowledged that practical challenges exist, for example, in the training of AI systems, the proposed blanket exemptions (e. g., regarding legitimate interests or sensitive data) are deemed too vague and potentially threatening to fundamental rights.
• Protection of fundamental rights: Overall, the proposal is criticized for going beyond a mere “technical simplification” in some respects and potentially resulting in substantial changes to the level of protection provided by the GDPR.

As a result, the interim assessment is therefore ambivalent: While individual simplifications—such as regarding reporting obligations or in the research sector - are viewed predominantly positively, the encroachments on core concepts of data protection law in particular raise significant concerns. Against this backdrop, extensive revisions are still to be expected in the further legislative process.

III. AI Omnibus

1. Planned Changes

In terms of content, the planned changes in the AI Omnibus focus primarily on three areas. First, overlaps between the AI Regulation and other regulatory frameworks – particularly the GDPR – are to be reduced, and questions of demarcation are to be clarified. Second, simplifications are envisaged for the development and deployment of AI systems, for example regarding the handling of training data and risk-based requirements. Third, the proposals aim to simplify compliance and conformity procedures, particularly through standardization and reduced documentation requirements. Additionally, closer integration with existing sector-specific regulations and supervisory structures is planned.

2. Current Status

The AI Omnibus is also currently undergoing the legislative process. Following the publication of the Commission’s proposals in November 2025, the Member States have already agreed on a common Council position; in the European Parliament, the lead committees (IMCO and LIBE) have adopted a compromise text. The plenary vote is imminent, after which trilogue negotiations are set to begin.

In terms of content, the discussion remains highly contentious. At the center of the debate is, in particular, the question of whether and to what extent certain sectors should be exempted from key requirements of the AI Regulation. The Parliament’s proposal aims to remove parts of the scope of application – particularly in the area of already regulated product sectors – from the direct application of the AI Act or to transfer them to other regulatory mechanisms.

However, it is precisely these approaches that have drawn significant criticism. For one thing, representatives of the certification and standardization industry warn of a structural weakening of the risk-based approach of the AI Regulation. In particular, postponing or removing key provisions in Annex I could result in large portions of industrial AI systems no longer being directly subject to the requirements of the AI Act. This would undermine the uniform regulation sought thus far and lead to a fragmentation of the legal framework.

On the other hand, there are fears that the proposed changes will lead not to less, but to more bureaucracy and legal uncertainty. If requirements were increasingly shifted to sector-specific regulations in the future, these would first have to be specified through additional legislative acts. This would delay the implementation process and further complicate the regulatory landscape.

Significant risks are also seen with regard to standardization: ongoing work on harmonized AI standards could be partially undermined or would need to be adapted, which would lead to further delays. Additionally, there is a risk of losing expertise if key application areas fall outside the scope of the regulation.

Finally, there is no unified political stance either. While parts of Parliament and industry welcome the proposed exemptions as a necessary step to avoid double regulation, other voices – including national governments – warn against lowering the level of protection and weakening the horizontal structure of the AI Regulation.

IV. Impact on Practice

The current drafts of the Data and AI Omnibus should be understood less as deregulation and more as a realignment and, in some cases, a shift in existing regulatory priorities. The practical effects are particularly evident in the following areas:

1. Increasing relevance of classification decisions in data protection

The proposed realignment of the concept of personal data shifts a significant portion of compliance to the upstream qualification decision. For companies, this means that in the future, it will be necessary to examine and document even more rigorously whether and for whom a personal reference actually exists.

In practice, this does not lead to a blanket reduction in burden, but rather to higher requirements for data classification, technical access controls, and documentation. Particularly in the case of data processing involving a division of labor (e. g., cloud, platforms, AI training), it will be crucial to determine which actors have the means to re-identify individuals. Companies should therefore map their data flows in granular detail and clearly separate the respective perspectives of individual processing units.

2. More leeway in AI training

The explicit inclusion of legitimate interest for AI training points to greater flexibility in the future. At the same time, the focus is shifting toward the qualitative nature of the balancing of interests.

In practice, this means that companies cannot rely on a “blanket” legal basis but must comprehensively justify and safeguard their training processes. This includes, in particular, transparent definitions of purpose, technical safeguards (e. g., against data leaks or regurgitation), as well as robust arguments regarding the benefits and foreseeability of the processing. The requirements for internal documentation and governance are thus likely to increase, even if consent processes could be reduced in the future.

3. Risk of Fragmented AI Regulation Due to Sectoral Exemptions

The sectoral exemptions discussed in the AI Omnibus have potentially significant practical implications. Should entire industries be excluded from the direct scope of the AI Regulation, this would disrupt the previously uniform legal framework.

Companies would then face the challenge of having to account for different regulatory frameworks simultaneously, depending on whether an AI system falls under the AI Act or under sector-specific product law. Rather than simplifying matters, this could lead to additional coordination needs between compliance, product, and regulatory teams.

V. Conclusion and Outlook

The omnibus initiatives clearly demonstrate that European digital law is in a phase of realignment. The aim of simplifying existing regulations and better aligning them with one another faces fundamental conflicts of interest – particularly between promoting innovation and maintaining high standards of protection.

In the case of both the Data and AI Omnibus initiatives, it is already clear at this stage of the proceedings that key proposals are politically contentious and may undergo significant changes in the further legislative process. In particular, the discussion regarding the personal nature of data in data protection as well as sectoral exemptions within the scope of the AI Regulation is likely to shape further negotiations.

In practice, this means that no fundamental relief is to be expected in the short term. Rather, a transitional phase is to be anticipated in which regulatory guidelines are only just emerging. In the long term, however, the omnibus initiatives could contribute to a clearer structure and better integration of European digital law. 

This article was created in collaboration with our student employee Emily Bernklau.