Digital Omnibus: Major amendments to the GDPR and several data regulations
Proposal for a regulation amending the General Data Protection Regulation (COM(2025) 837)
| Category | Status |
| --- | --- |
| EU | Commission proposal published on 19 November 2025. |
| EEA | Pending |
| Norway | Pending |
Scope
The Digital Omnibus proposal aims to streamline and modernize the EU’s digital regulatory framework by amending, consolidating, and aligning multiple existing digital acts. Its objective is to reduce duplication, clarify obligations, and improve legal certainty across key areas such as data governance, AI, cybersecurity, privacy, digital platforms, and cross-border digital services. The package affects instruments including the AI Act, GDPR, Data Act, NIS2, DORA, the Digital Services Act (DSA), and the Digital Markets Act (DMA), with the aim of a more coherent and efficient digital rulebook.
Relevance
The Digital Omnibus is relevant for enterprises operating in the EU and EEA, including Norway, because it simplifies compliance obligations. In the context of the GDPR, it is noteworthy that the rules on processing personal data for scientific research purposes and for the development and operation of AI systems are softened.
For a summary of key amendments to other legal frameworks, see:
Key obligations
Key proposed changes to the GDPR include:
- Clarification of the notion of “Personal Data”, by including a condition that an entity must have means “reasonably likely to be used” to identify the data subject.
- New legal bases for processing special category data for the purposes of developing and operating an AI system, and for the processing of biometric data for identity verification, if exclusive control remains with the data subject.
- Exceptions from the obligation to provide information about the processing to data subjects, when personal data is collected in the context of a clear and circumscribed relationship between data subjects and a controller exercising an activity that is not data-intensive.
- Definition of scientific research to clarify which further processing shall always be compatible with the original purpose, and exemption from information obligations for scientific research purposes.
- Threshold for notification of personal data breaches raised, so that only breaches likely to result in high risk require notification to authorities and data subjects. Deadline for notification extended to 96 hours.
- National lists for when DPIAs are required or not required will be replaced by a single EU-level list, adopted by the Commission.
- Empowerment of the Commission to define technical means/criteria for when pseudonymised data is not re-identifiable (and thus not personal data).
- The GDPR becomes the sole legal framework for processing of personal data on and from terminal equipment where the user is a natural person (cookies). Consent banners are to be replaced by more effective means: machine-readable and automated consent/refusal signals (e.g., browser settings/identity wallets) must be accepted by service providers once standards are available. If users refuse or accept a consent request, controllers must honour those choices for a set minimum period (6 months for a refusal; no repeated popups).