The EU Digital Omnibus: Key Changes for Data, AI and Cyber Law

By Gareth Downs, 24 November 2025

The European Commission unveiled its Digital Omnibus proposal this week, intended to simplify the EU's digital rulebook. For businesses already navigating NIS2, GDPR, DORA, and a complex web of other digital regulations, this could be welcome news. However, others have criticised the proposal for significantly weakening the regulatory protections afforded to individuals.    

At its core, the Digital Omnibus consolidates and streamlines eight different digital regulations while repealing four others entirely. The Commission is attempting to maintain high standards for data protection and cyber security but make compliance more efficient and less burdensome; whether the proposal succeeds in that objective is up for debate.  

Here are some of the most significant changes for you to be aware of: 

  1. Single-Entry Point for Reporting 

Perhaps the most tangible change is the introduction of a single-entry point for incident reporting. Currently, organisations experiencing a significant cyber incident might find themselves having to report under NIS2, GDPR (if personal data is breached), DORA (for financial entities), and eIDAS (for trust service providers). 

Under the new system, managed by ENISA, organisations will only be required to submit one report through a single interface. This information would then be routed to the relevant authorities. 

This should reduce the administrative burden on businesses and allow for much faster incident response.  

  2. Clarity on AI and Personal Data

Businesses developing or deploying AI have faced uncertainty about the circumstances in which personal data can be processed for the purpose of training models. The Digital Omnibus clarifies that AI development can rely on "legitimate interest" as a lawful basis under GDPR, provided appropriate safeguards are in place, such as enhanced transparency for data subjects and technical measures to minimise risks from regurgitation, data leakage and other intended or foreseeable actions.  

It also includes new provisions for handling special categories of data that might residually appear in training datasets, and a practical derogation for biometric verification systems where users maintain sole control. 

This should provide businesses with greater legal certainty for AI innovation and clearer pathways to compliance in this space.  

  3. Data Framework Consolidation

The proposal merges the Data Governance Act, Open Data Directive, and Free Flow of Data Regulation into the existing Data Act. What was previously a complex web of five separate data regulations would become two: the GDPR for personal data, and the Data Act for everything else. 

The Data Governance Act's mandatory notification regime for data intermediaries becomes voluntary, and several reporting obligations are streamlined or removed entirely. 

This significantly simplifies the regulatory framework that businesses are expected to adhere to and is intended to lower compliance costs for pan-European organisations.  

  4. Streamlining E-Privacy

The proposal also tackles the overlap between GDPR and the e-Privacy Directive, by moving the processing of personal data from cookies and similar technologies under GDPR rules.  

Further, to align with the consolidation of reporting, the separate breach notification requirements for telecommunication providers will be repealed. 

Finally, it paves the way for automated consent management where websites would be expected to respect privacy choices set by the individual at a browser or device level.  


What Should You Do Now? 

The Digital Omnibus has only just been proposed, so with the lengthy passage through the European Parliament and the European Council ahead, it's likely to be 12-18 months before final adoption. However, immediate actions that an organisation could take are to:

  • Map your current incident reporting obligations across NIS2, GDPR, and sector-specific rules 

  • Assess which AI processing activities could benefit from the legitimate interest clarifications 

  • Review data governance documentation that references regulations being merged or repealed 

On a more strategic level, organisations could also quantify the potential savings delivered by the simplified framework and consider what it means for their budgets and operating model.


Summary 

The Digital Omnibus represents a proactive attempt by Brussels to simplify ever-accumulating digital and data regulations. The devil will be in the implementation details, and it will face robust criticism for the relaxing of rules and protections, but the direction of travel is clearly towards simpler frameworks and lower administrative burden for businesses.  


Need Help Navigating EU Digital Regulations? At Bridewell, we help organisations make sense of complex regulatory landscapes, from NIS2 implementation to GDPR compliance and beyond. Our team of consultants can assess your current obligations, identify simplification opportunities, and prepare your organisation for upcoming changes.