The Digital Omnibus is a comprehensive draft of two regulations of the European Parliament and Council, the most important part of a broader package of changes to data regulations (especially personal data) and those regulating the digital market in the EU. The changes aim to stimulate innovation and the development of the European artificial intelligence market, and to introduce solutions that could save businesses capital (estimated at up to €4 billion in total by 2029). The changes aim to ensure that businesses of all types, from factories to start-ups, spend less time and money on administration and maintaining the documentation required by current EU regulations.

The draft amendments consist of two regulations:

• Digital Omnibus, which introduces changes to many important EU regulations already in force, such as:

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L. of 2016, No. 119, p. 1, as amended).

Regulation (EU) 2018/1724 of the European Parliament and of the Council of 2 October 2018 on establishing a single digital gateway to provide access to information, procedures and assistance and problem-solving services and amending Regulation (EU) No 1024/2012 (OJ EU L 295, 2018, p. 1, as amended).

Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and the free movement of such data , and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ EU L 295, 2018, p. 39).

Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (” Data Act “) (OJ L 2854, 2023, item 2854, as amended).

Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 2002, p. 37–47)

Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 concerning measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148 (NIS Directive 2) (OJ L 333, 2022, p. 80, as amended).

Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC (OJ EU L 333, 2022, p. 164).

• Digital Omnibus on AI, which amends:

Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (“Artificial Intelligence Act“) (OJ L 1689, 2024).

Regulation (EU) 2018/1139 of the European Parliament and of the Council of 4 July 2018 on common rules in the field of civil aviation and establishing a European Union Aviation Safety Agency, and amending Regulations (EC) No 2111/2005, (EC) No 1008/2008, (EU) No 996/2010, (EU) No 376/2014 and Directives 2014/30/EU and 2014/53/EU of the European Parliament and of the Council, and repealing Regulations (EC) No 552/2004 and (EC) No 216/2008 of the European Parliament and of the Council and Council Regulation (EEC) No 3922/91 (OJ L 212, 2018, p. 1, as amended).

The bill also assumes the repeal of the following acts:

1. Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union (OJ L 303, 2018, p. 59).
2. Regulation (EU) 2019/1150 of the European Parliament and of the Council of 20 June 2019 on promoting fairness and transparency for business users of online intermediation services (OJ L 186, 2019, p. 57).
3. Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European Data Governance and amending Regulation (EU) 2018/1724 (Data Governance Act) (OJ L 152, 2022, p. 1, as amended).
4. Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re-use of public sector information (OJ L 172, 2019, p. 56)

In theory, all these changes are purely technical: they unify processes and obligations occurring simultaneously under various acts, simplify definitions and procedures, and simultaneously maintain the level of protection of fundamental rights. How? The justifications for both projects only state that they do not violate the fundamental rights of EU citizens. In practice, the presented projects introduce numerous solutions that will be significantly different from those previously implemented, primarily in terms of privacy and data protection for individuals. The overarching goal of the changes is to increase the competitiveness of the European digital market by introducing solutions that enable artificial intelligence to train on larger datasets, including personal data.

AI Act

The changes proposed in the draft amendment to this act are intended to improve the implementation of its individual elements and counteract problems that have already occurred – some provisions have already entered into force, while others are yet to be replaced.

The most significant change is the introduction of a new Article 4a, which replaces the previous Article 10(5). The repealed provision provided the legal basis for providers of high-risk AI systems to exceptionally process special categories of personal data to ensure the detection and correction of bias in specific circumstances. In principle, the new regulation is identical to the previous one, but paragraph 2 significantly expands its scope, as: “Paragraph 1 may apply to providers and implementers of other AI systems and models , and implementers of high-risk AI systems , if necessary and proportionate, provided that the processing is carried out for the purposes specified in that paragraph and subject to compliance with the conditions set out in the safeguards set out in that paragraph.” Consequently, this provision allows for the processing of personal data to a broader extent for AI training purposes.

In general, significant changes are expected to occur within high-risk systems. These are systems that have a significant impact on society and the lives of individuals. Examples include systems used to diagnose diseases, predict treatment outcomes, or assist in the recruitment process. These systems may be used provided they meet the requirements of the AI Act.

First, the powers granted to small and medium-sized enterprises (SMEs) in many regulations have been expanded, including the right to prepare simplified technical documentation for high-risk systems. As a result of the changes, small mid-cap companies (SMCs) will also have this power.

The European Commission also wants to link the entry into force of the regulations on high-risk systems to the availability of support tools. Therefore, the entry into force of the regulations on high-risk systems is to be postponed for a maximum of 16 months, so that it takes place after the support tools are available.

Changes are also taking place in the scope of the AI Authority’s powers under Article 75 to supervise and control general-purpose AI systems. The Authority will be the exclusive authority responsible for supervising and enforcing the obligations arising from the AI Act in relation to AI systems that constitute or are integrated with a designated very large online platform or very large online search engine within the meaning of Regulation (EU) 2022/2065.

A number of new regulations are also intended to enable greater use of regulatory sandboxes and real-world testing.

The bill also extends the deadline for AI systems and general-purpose models already on the market or put into service to meet the requirements of the AI Act for labeling and watermarking AI-generated content until February 2, 2027, giving companies more time to adapt their technology.

GDPR

The justification for the GDPR amendments states that “Targeted changes to the GDPR will harmonize, clarify, and simplify certain rules to increase innovation and make it easier for organizations to comply, while preserving the essence of the GDPR and ensuring the highest level of personal data protection.” This is an interesting statement, considering that one of the first changes introduced is a narrowing of the definition of personal data. The new definition introduces a subjective approach to personal data, focusing on whether an entity has “likely means of identifying a natural person.” This approach to personal data has been presented in the case law of the CJEU (including case number C-413/23 P). Introducing this definition would mean that if an entity claims that it cannot or does not intend to identify natural persons based on the data it possesses, the provisions of the regulation would cease to apply. The greatest impact of such a change would be in sectors that use pseudonymization and identification numbers to build consumer profiles (e.g., online advertising). As a result, individual data could be considered personal or not, depending on whether a specific entity has the means to legitimately identify an individual based on that data.

Recital 32 of the draft regulation clearly states that “the development and operation of artificial intelligence systems or models constitutes a ‘legitimate interest’ of the controller pursuant to Article 6(1)(f) of the GDPR.” This statement provides a legal basis for the processing of personal data for AI training purposes, provided that the requirements set out in the aforementioned provision are met. Further limitations on the rights of data subjects result from the addition of paragraph 5 to Article 13, according to which the information obligations under Article 13 need not be complied with if the data are processed for scientific research purposes (including AI development) if this proves impossible or would involve a disproportionate effort.

Changes are also to be made to the processing of special categories of data (Article 9). Two new exceptions are introduced:

• an exception to the general prohibition on processing biometric data, which will be permitted for identity verification purposes, provided that the data remains under the user’s control (e.g. FaceID verification taking place only on the device)
• an exception for the processing of special categories of personal data for the development and operation of an artificial intelligence system or model, subject to certain conditions, including appropriate organisational and technical measures to avoid the collection of special categories of personal data and the deletion of such data.

The draft also excludes the application of the information obligation under Article 13 if there are reasonable grounds to believe that the data subject already has the information that must be provided under that provision. This exception will not apply if the data subject transfers data to other recipients or categories of recipients, transfers data to a third country, engages in automated decision-making, or the processing is likely to result in a high risk to the rights of data subjects.

The amendment also includes Article 33 on reporting personal data breaches to the supervisory authority. This obligation would apply only to breaches “likely to result in a high risk to the rights and freedoms of natural persons,” aligning its threshold with the information obligation towards data subjects under Article 34. The period within which notification must be made has also been extended to 96 hours.

Significant changes may also occur in the area of data processing on end devices. Article 88a is proposed, which introduces the possibility of using grounds other than consent for the processing of personal data and for the specific purposes listed in this provision. With regard to consent to the processing of personal data on end devices, data subjects must be able to easily and understandably refuse requests for consent by means of a single click or equivalent means. Article 88b, in turn, requires controllers to adapt their web interfaces to the automated and machine-readable indication of data subjects’ choices regarding consent or refusal to the processing of personal data on end devices. These changes will have significant implications for cookies and are intended to reduce the number of cookie notifications and allow users to express consent and save preferences through central preference settings in browsers and operating systems.

Access to data

The proposed changes to data access should be viewed positively. Significant and still relevant provisions from the four repealed EU acts are to be implemented in the Data Act . This move aims to increase transparency regarding the regulation of data management and circulation in the EU by consolidating all relevant provisions into a single act.

The remaining changes to the Data Act will not be revolutionary. It is intended to enable entities covered by the regulation to comply with the Act’s guidelines through model contractual terms and clauses regarding data access and use. Furthermore, a rule will be introduced according to which data owners may refuse to disclose trade secrets to a user if there is a significant risk of unlawful acquisition, use, or disclosure of the data to third countries or entities under their control that are subject to jurisdictions with weaker protection than that available in the EU.

Cybersecurity reporting

The most important change in streamlining procedures and standardizing obligations under various EU acts is the proposal to create a single, common interface, known as a “contact point,” where entities required to report various types of incidents under various legal acts can fulfill their obligations. Currently, such obligations arise from, among others, the GDPR, the NIS2 Directive, and the AI Act, which necessitates the preparation of multiple reports on the same incident. The changes assume a single report submitted through a single system, which will be forwarded to the appropriate authorities.

Summary

The European Commission’s goal in creating these projects was to increase innovation and competitiveness in the European digital market, primarily in relation to the development of artificial intelligence. The changes were intended to simplify procedures and remove restrictions that hinder the faster development of AI. As can be seen, the proposed changes could significantly limit the protection of individuals in terms of their privacy and personal data, which could be used to train systems, not only high-risk ones. Many groups in the European Parliament do not support the proposed changes, believing that they will not bring real benefits to European entities and will instead facilitate the work of foreign technology giants. The changes to the GDPR are the most criticized, as member states requested that they remain outside the scope of the Digital Omnibus, as in the original draft.

Sources:

1. Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Regulations (EU) 2016/679, (EU) 2018/1724, (EU) 2018/1725, (EU) 2023/2854 and Directives 2002/58/EC, (EU) 2022/2555 and (EU) 2022/2557 as regards the simplification of the digital legislative framework , and repealing Regulations (EU) 2018/1807, (EU) 2019/1150, (EU) 2022/868, and Directive (EU) 2019/1024 (Digital Omnibus) {SWD(2025) 836 final }
2. Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Regulations (EU) 2024/1689 and (EU) 2018/1139 as regards the simplification of the implementation of harmonized rules on artificial intelligence (Digital Omnibus on AI) {SWD(2025) 836 final }
3. https://ec.europa.eu/commission/presscorner/detail/en/ip_25_2718

Artykuł Digital Omnibus pochodzi z serwisu KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019.

On September 12-14, 2025, lawyers from KIELTYKA GLADKOWSKI KG LEGAL participated in the annual Futurology Congress in Krakow.

The participants, among which there was AGH University of Science and Technology’s Artificial Intelligence Center of Excellence discussed aspects of new technologies, including:

• Optical Illusions in AI Systems: The Danger of Adversarial Attacks. Adversarial attacks on vision systems are a topic of growing interest in both science and the technology industry – not only due to autonomous vehicles but also medical systems. The panelists demonstrated how subtle, almost invisible image modifications can completely confuse AI algorithms, leading to situations where the algorithm fails to recognize a STOP road sign or makes an error when analyzing medical images. Examples of such attacks from both transportation and medicine were presented, highlighting their impact on everyday life and safety. There were explained the mechanisms behind these phenomena and their consequences for machine learning-based systems. In this area, there is a constant race between the creators of such attacks and the engineers developing protection methods, and ensuring complete security remains a major challenge for the AI industry.

• The development of the Polish space sector, combining engineering, science, and modern technologies. Domestic entities are among the leaders building Poland’s position in the global space industry supply chain. During the panel, there were discussed the most important achievements and participation of Polish teams in prestigious international missions. Representatives of key companies discussed their projects, challenges, and role in the global space ecosystem. There were also considered barriers to sector development and legislative and financial needs. The panel was an opportunity to look to the future and attempt to answer the question of Poland’s potential role in the exploration and use of space. Participants shared their experiences collaborating with the European Space Agency and other international partners.

• Modern biotechnology. Biotechnology is becoming one of the pillars of modern civilization, offering breakthrough solutions in medicine, diagnostics, agriculture, and environmental protection. Faced with global challenges such as aging societies, the growing number of lifestyle diseases, and the need for sustainable development, the dynamic development of biotechnology is opening up new opportunities to improve the quality of life. The panel discussed the potential of gene and cell therapies, the importance of innovative drugs in the fight against cancer, and the role of collaboration between science, the investment sector, and industry. Guests addressed ethical, regulatory, and social issues related to the implementation of new biological technologies. The discussion explored how biotechnology can truly benefit humanity in the coming decades.

The Congress lectures are related to specific examples and problems that scientists are struggling with in daily lives – for example, how to easily delude artificial intelligence in software in an unmanned vehicle resulting in a failure to recognize a STOP sign

source: https://www.drmalinowski.edu.pl/posts/2824-adwersarialne-ataki-na-sztuczna-inteligencje

Artykuł Optical Illusions in AI Systems, the Danger of Adversarial Attacks, Biological Technologies, Explainable AI – topics discussed during Futurology Congress 2025 pochodzi z serwisu KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019.

In an era of dynamic digital technology development and a growing number of cyberthreats, cybersecurity and personal data protection are becoming key aspects of how organizations operate in the European Union. New regulations, such as NIS2, DORA, AI Act, CRA, and eIDAS 2.0, combined with the current GDPR, create a comprehensive security system aimed at raising protection standards and ensuring greater transparency in data processing.

NIS2 and GDPR: Strengthening Data Protection and Incident Response

The Network and Information Security Directive (NIS2) is another step towards increasing the cyber resilience of entities operating in key economic sectors. In 2025, its implementation will require organizations to take a number of actions, including:

• Expanding security measures against cyberattacks,
• Introducing more rigorous incident reporting procedures,
• Strengthening cooperation between supervisory authorities and the private sector.

NIS2, in conjunction with GDPR (Regulation 2016/679), means that businesses will not only have to protect personal data more effectively, but also implement new procedures for risk management and auditing of IT security activities.

5 Things You Need to Know About NIS2

01 – Fines up to €10 million or 2% of total annual global turnover

02 – Expanded scope compared to NIS1, changing the way companies are classified and requiring more of them to comply with the directives

03 – Management staff is liable for violations and the authorities may suspend activities or functions

04 – Broad security risk management measures and shift to a risk-based approach

05 – Initial reporting of security incidents within 24 hours, further action within 72 hours, and final summary within 1 month

DORA: Cyber Resilience and Personal Data Security in Finance

DORA is the Regulation of the European Parliament and of the Council (EU) of 14 December 2022 on the digital operational resilience of the financial sector. This is another of many recent regulations concerning cybersecurity and the broadly defined security of information technology.

The Digital Operational Resilience Act (DORA) focuses on the financial sector, which is particularly vulnerable to cyberattacks. Key requirements imposed by DORA include:

• Testing the operational resilience of IT systems,
• Implementing risk management strategies based on threat analysis,
• Obligation to monitor and report digital incidents.

DORA applies to:

1. credit institutions;
2. payment institutions, including payment institutions exempted under Directive (EU) 2015/2366;
3. providers of account information access services;
4. electronic money institutions, including electronic money institutions exempted under Directive 2009/110/EC;
5. investment companies;
6. crypto-asset service providers,
7. central securities depositories;
8. central counterparties;
9. trading systems;
10. transaction repositories;
11. alternative investment fund managers;
12. management companies;
13. information sharing service providers;
14. insurance and reinsurance undertakings;
15. insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries;
16. institutions of occupational pension programs;
17. rating agencies;
18. administrators of critical benchmarks;
19. crowdfunding service providers;
20. securitization repositories;
21. external ICT service providers.

In the context of GDPR compliance, financial institutions must ensure adequate security measures to protect customer data against unauthorized access and information leakage. GDPR also mandates cooperation with cloud service providers and external IT operators, which requires thorough verification of their security standards.

Article 33 of the DORA Directive requires personal data breaches to be reported without undue delay, and within 72 hours where possible. In the event of a delay, an explanation of the reason for the delay must be included.

AI Act and GDPR: Managing Artificial Intelligence and Data Protection

The AI Act regulations classify AI systems according to risk level and impose obligations on entities that implement them. In the context of data protection, the AI Act requires:

• Transparency of artificial intelligence algorithms and mechanisms,
• Possibilities of controlling and auditing decisions made by AI,
• Compliance with the principles of data minimization and limitation of the processing purpose.

Companies that use AI to process personal data will have to meet stringent GDPR requirements, giving users greater control over their information and minimizing the risk of abuse.

CRA: Cyber Resilience Act – Security of Digital Products

The Cyber Resilience Act (CRA) introduces obligations related to the security of digital software and hardware. Its key requirements include:

• Designing secure digital products,
• Monitoring vulnerabilities and updating them regularly,
• Manufacturers’ responsibility to ensure continued safety throughout the product life cycle.

CRA aims to increase cybersecurity across the entire digital ecosystem, minimizing the risk of attacks based on device and application vulnerabilities.

eIDAS 2.0: Strengthening digital identification

The amendment to the eIDAS (electronic IDentification, Authentication and trust Services) regulation – known as eIDAS 2.0 – introduces a European digital identity wallet that:

• Allows citizens to securely store and share their identity data,
• It enables public and private institutions to provide secure online services,
• Strengthens authentication standards in digital transactions.

In conjunction with GDPR, eIDAS 2.0 improves users’ control over their identity data and increases the security of online transactions.

Challenges and benefits of new regulations

Adapting to new regulations poses numerous challenges for companies, including:

• The need to invest in modern security systems,
• Employee training in cybersecurity and data protection,
• Implementation of effective incident monitoring and reporting mechanisms.

However, the new regulations also bring numerous benefits, such as:

• Better protection of customer data and greater trust in the organization,
• Increased resistance to cyber attacks,
• Possibility to avoid high fines for violating data protection regulations.

The impact of new regulations on small and medium-sized enterprises (SMEs)

New regulations such as NIS2, DORA, AI Act, CRA, and eIDAS 2.0 can pose challenges for small and medium-sized enterprises (SMEs). Implementing these regulations requires investment in modern security systems and employee training in cybersecurity and data protection. SMEs may face challenges related to limited financial and human resources, which can make it difficult to fully comply with the new requirements.

However, compliance with these regulations also brings benefits, such as better protection of customer data, increased trust in the organization, and the ability to avoid significant fines for violating data protection regulations. Therefore, it is worthwhile for SMEs to consider partnering with external IT service providers and cybersecurity specialists to effectively implement the required security measures.

The future of cybersecurity in the EU

In the coming years, we can expect further development of regulations regarding cybersecurity and personal data protection. The European Union will continue to work on strengthening the legal framework to address growing cyber threats and ensure a high level of data protection. Organizations will need to be prepared to continuously adapt to new requirements and invest in modern security technologies and procedures.

Summary

In 2025, organizations will have to comply with a range of regulations regarding cybersecurity and personal data protection. NIS2, DORA, AI Act, CRA, and eIDAS 2.0, combined with the GDPR, create a modern legal framework aimed at improving data protection and increasing resilience to cyber threats across various economic sectors. Implementing these regulations will be a challenge, but also an opportunity, to build a more secure and digitally resilient business environment in the EU.

Artykuł Cybersecurity and GDPR Compliance in 2025 pochodzi z serwisu KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019.