Digital Omnibus: Major amendments to the GDPR and several data regulations

The proposal (COM(2025) 837) seeks to amend several digital legislation initiatives to bring immediate relief to businesses, public administrations, and citizens alike, and to stimulate competitiveness.

Status

EU

Commission proposal published on 19 November 2025.

EEA

Pending.

Norway

Pending.

Hot topics

EDPB and EDPS support simplification and competitiveness while raising key concerns (edpb.com)

Who is affected

The proposal will affect any entity processing personal data, in addition to entities being subject to other directives and regulations covered by the proposal.

For a summary of key amendments to other legal frameworks than the GDPR, see:

Key obligations

Key proposed changes to the GDPR include

Clarification of the notion of “Personal Data”, by including a condition that an entity must have means “reasonably likely to be used” to identify the data subject.
New legal bases for processing special category data for the purposes of developing and operating an AI system, and for the processing of biometric data for identity verification, if exclusive control remains with the data subject.
Exceptions from the obligation to provide information about the processing to data subjects, when personal data is collected in the context of a clear and circumscribed relationship between data subjects and a controller exercising an activity that is not data-intensive.
Definition of scientific research to clarify which further processing shall always be compatible with the original purpose, and exemption from information obligations for scientific research purposes.
Threshold for notification of personal data breaches raised, so that only breaches likely to result in high risk require notification to authorities and data subjects. Deadline for notification extended to 96 hours.
National lists for when DPIAs are required or not required will be replaced by a single EU-level list, adopted by the Commission.
Empowerment of the Commission to define technical means/criteria for when pseudonymised data is not re-identifiable (and thus not personal data).
The GDPR becomes the sole legal framework for processing of personal data on and from terminal equipment where the user is a natural person (cookies). Consent banners are to be replaced by more effective means: machine-readable and automated consent/refusal signals (e.g., browser settings/identity wallets) must be accepted by service providers once standards are available. If users refuse or accept a consent request, controllers must honour those choices for a set minimum period (6 months for a refusal; no repeated popups).

Recommended actions

The legislation is still at proposal stage, with the public consultation closing as of February 2026. For the time being, we recommend monitoring developments on our site.

Contact us

Marie Dahl
Associate

m.dahl@haavind.no
+47 417 65 082

Kjetil Wick Sætre
Senior Lawyer

k.satre@haavind.no
+47 467 97 373

Kari Gimmingsrud
Partner

k.gimmingsrud@haavind.no
+47 922 91 006