Publication date: January 05, 2026
The Digital Omnibus is a comprehensive draft of two regulations of the European Parliament and Council, the most important part of a broader package of changes to data regulations (especially personal data) and those regulating the digital market in the EU. The changes aim to stimulate innovation and the development of the European artificial intelligence market, and to introduce solutions that could save businesses capital (estimated at up to €4 billion in total by 2029). The changes aim to ensure that businesses of all types, from factories to start-ups, spend less time and money on administration and maintaining the documentation required by current EU regulations.
The draft amendments consist of two regulations:
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L. of 2016, No. 119, p. 1, as amended).
Regulation (EU) 2018/1724 of the European Parliament and of the Council of 2 October 2018 on establishing a single digital gateway to provide access to information, procedures and assistance and problem-solving services and amending Regulation (EU) No 1024/2012 (OJ EU L 295, 2018, p. 1, as amended).
Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ EU L 295, 2018, p. 39).
Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (“Data Act”) (OJ L 2854, 2023, item 2854, as amended).
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 2002, p. 37–47).
Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 concerning measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148 (NIS Directive 2) (OJ L 333, 2022, p. 80, as amended).
Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC (OJ EU L 333, 2022, p. 164).
Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (“Artificial Intelligence Act”) (OJ L 1689, 2024).
Regulation (EU) 2018/1139 of the European Parliament and of the Council of 4 July 2018 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency, and amending Regulations (EC) No 2111/2005, (EC) No 1008/2008, (EU) No 996/2010, (EU) No 376/2014 and Directives 2014/30/EU and 2014/53/EU of the European Parliament and of the Council, and repealing Regulations (EC) No 552/2004 and (EC) No 216/2008 of the European Parliament and of the Council and Council Regulation (EEC) No 3922/91 (OJ L 212, 2018, p. 1, as amended).
The bill also assumes the repeal of the following acts:
In theory, all these changes are purely technical: they unify processes and obligations occurring simultaneously under various acts, simplify definitions and procedures, and simultaneously maintain the level of protection of fundamental rights. How? The justifications for both projects only state that they do not violate the fundamental rights of EU citizens. In practice, the presented projects introduce numerous solutions that will be significantly different from those previously implemented, primarily in terms of privacy and data protection for individuals. The overarching goal of the changes is to increase the competitiveness of the European digital market by introducing solutions that enable artificial intelligence to train on larger datasets, including personal data.
AI Act
The changes proposed in the draft amendment to this act are intended to improve the implementation of its individual elements and counteract problems that have already occurred – some provisions have already entered into force, while others are yet to be replaced.
The most significant change is the introduction of a new Article 4a, which replaces the previous Article 10(5). The repealed provision provided the legal basis for providers of high-risk AI systems to exceptionally process special categories of personal data to ensure the detection and correction of bias in specific circumstances. In principle, the new regulation is identical to the previous one, but paragraph 2 significantly expands its scope, as: “Paragraph 1 may apply to providers and implementers of other AI systems and models, and implementers of high-risk AI systems, if necessary and proportionate, provided that the processing is carried out for the purposes specified in that paragraph and subject to compliance with the conditions set out in the safeguards set out in that paragraph.” Consequently, this provision allows for the processing of personal data to a broader extent for AI training purposes.
In general, significant changes are expected to occur within high-risk systems. These are systems that have a significant impact on society and the lives of individuals. Examples include systems used to diagnose diseases, predict treatment outcomes, or assist in the recruitment process. These systems may be used provided they meet the requirements of the AI Act.
First, the powers granted to small and medium-sized enterprises (SMEs) in many regulations have been expanded, including the right to prepare simplified technical documentation for high-risk systems. As a result of the changes, small mid-cap companies (SMCs) will also have this power.
The European Commission also wants to link the entry into force of the regulations on high-risk systems to the availability of support tools. Therefore, the entry into force of the regulations on high-risk systems is to be postponed for a maximum of 16 months, so that it takes place after the support tools are available.
Changes are also taking place in the scope of the AI Authority’s powers under Article 75 to supervise and control general-purpose AI systems. The Authority will be the exclusive authority responsible for supervising and enforcing the obligations arising from the AI Act in relation to AI systems that constitute or are integrated with a designated very large online platform or very large online search engine within the meaning of Regulation (EU) 2022/2065.
A number of new regulations are also intended to enable greater use of regulatory sandboxes and real-world testing.
The bill also extends the deadline for AI systems and general-purpose models already on the market or put into service to meet the requirements of the AI Act for labeling and watermarking AI-generated content until February 2, 2027, giving companies more time to adapt their technology.
GDPR
The justification for the GDPR amendments states that “Targeted changes to the GDPR will harmonize, clarify, and simplify certain rules to increase innovation and make it easier for organizations to comply, while preserving the essence of the GDPR and ensuring the highest level of personal data protection.” This is an interesting statement, considering that one of the first changes introduced is a narrowing of the definition of personal data. The new definition introduces a subjective approach to personal data, focusing on whether an entity has “likely means of identifying a natural person.” This approach to personal data has been presented in the case law of the CJEU (including case number C-413/23 P). Introducing this definition would mean that if an entity claims that it cannot or does not intend to identify natural persons based on the data it possesses, the provisions of the regulation would cease to apply. The greatest impact of such a change would be in sectors that use pseudonymization and identification numbers to build consumer profiles (e.g., online advertising). As a result, individual data could be considered personal or not, depending on whether a specific entity has the means to legitimately identify an individual based on that data.
Recital 32 of the draft regulation clearly states that “the development and operation of artificial intelligence systems or models constitutes a ‘legitimate interest’ of the controller pursuant to Article 6(1)(f) of the GDPR.” This statement provides a legal basis for the processing of personal data for AI training purposes, provided that the requirements set out in the aforementioned provision are met. Further limitations on the rights of data subjects result from the addition of paragraph 5 to Article 13, according to which the information obligations under Article 13 need not be complied with if the data are processed for scientific research purposes (including AI development) if this proves impossible or would involve a disproportionate effort.
Changes are also to be made to the processing of special categories of data (Article 9). Two new exceptions are introduced:
The draft also excludes the application of the information obligation under Article 13 if there are reasonable grounds to believe that the data subject already has the information that must be provided under that provision. This exception will not apply if the data subject transfers data to other recipients or categories of recipients, transfers data to a third country, engages in automated decision-making, or the processing is likely to result in a high risk to the rights of data subjects.
The amendment also includes Article 33 on reporting personal data breaches to the supervisory authority. This obligation would apply only to breaches “likely to result in a high risk to the rights and freedoms of natural persons,” aligning its threshold with the information obligation towards data subjects under Article 34. The period within which notification must be made has also been extended to 96 hours.
Significant changes may also occur in the area of data processing on end devices. Article 88a is proposed, which introduces the possibility of using grounds other than consent for the processing of personal data and for the specific purposes listed in this provision. With regard to consent to the processing of personal data on end devices, data subjects must be able to easily and understandably refuse requests for consent by means of a single click or equivalent means. Article 88b, in turn, requires controllers to adapt their web interfaces to the automated and machine-readable indication of data subjects’ choices regarding consent or refusal to the processing of personal data on end devices. These changes will have significant implications for cookies and are intended to reduce the number of cookie notifications and allow users to express consent and save preferences through central preference settings in browsers and operating systems.
Access to data
The proposed changes to data access should be viewed positively. Significant and still relevant provisions from the four repealed EU acts are to be implemented in the Data Act. This move aims to increase transparency regarding the regulation of data management and circulation in the EU by consolidating all relevant provisions into a single act.
The remaining changes to the Data Act will not be revolutionary. It is intended to enable entities covered by the regulation to comply with the Act’s guidelines through model contractual terms and clauses regarding data access and use. Furthermore, a rule will be introduced according to which data owners may refuse to disclose trade secrets to a user if there is a significant risk of unlawful acquisition, use, or disclosure of the data to third countries or entities under their control that are subject to jurisdictions with weaker protection than that available in the EU.
Cybersecurity reporting
The most important change in streamlining procedures and standardizing obligations under various EU acts is the proposal to create a single, common interface, known as a “contact point,” where entities required to report various types of incidents under various legal acts can fulfill their obligations. Currently, such obligations arise from, among others, the GDPR, the NIS2 Directive, and the AI Act, which necessitates the preparation of multiple reports on the same incident. The changes assume a single report submitted through a single system, which will be forwarded to the appropriate authorities.
Summary
The European Commission’s goal in creating these projects was to increase innovation and competitiveness in the European digital market, primarily in relation to the development of artificial intelligence. The changes were intended to simplify procedures and remove restrictions that hinder the faster development of AI. As can be seen, the proposed changes could significantly limit the protection of individuals in terms of their privacy and personal data, which could be used to train systems, not only high-risk ones. Many groups in the European Parliament do not support the proposed changes, believing that they will not bring real benefits to European entities and will instead facilitate the work of foreign technology giants. The changes to the GDPR are the most criticized, as member states requested that they remain outside the scope of the Digital Omnibus, as in the original draft.