In this article, we break down what the Digital Omnibus package is, why it has been proposed, and who it will affect. Most importantly, we outline the next practical steps for your business as the European Union aims to simplify its digital landscape.
What is the Digital Omnibus?
The Digital Omnibus is a package of updates the European Commission published on 19 November 2025 to streamline several of the EU’s main digital laws. Instead of creating new rules, it adjusts and aligns existing ones such as the AI Act, the Digital Services Act, the Digital Markets Act, and the Data Act so they work together more smoothly.
The package includes three parts: a set of technical amendments to digital regulations, a proposal to simplify and clarify elements of the AI Act, and a strategy document outlining how the EU wants data to support innovation. Together, these updates aim to remove overlaps, clarify procedures, and make it easier for companies and authorities to apply the rules in practice.
Some of the new rules will apply to a new category of company, the so-called small mid-cap (SMC). A small mid-cap (SMC) is a medium-sized company that is larger than an SME but still significantly smaller than a large enterprise, and the Omnibus proposal formally adds this category to the AI Act so that these companies can benefit from simplified compliance measures that were originally reserved for SMEs.
In short, the Digital Omnibus is a cross-cutting clean-up and coordination effort meant to make the EU’s digital policy framework more consistent and easier to operate.
Key proposed amendments
Below are a few key highlights from the proposed amendments across the AI Act, Data Act, GDPR, and cybersecurity rules.
1. The AI Act
- Legal basis to process sensitive data for bias detection. The Omnibus introduces a new Article 4a allowing all providers and deployers of AI systems and models to process special categories of personal data (e.g., biometrics, race, health, etc.) for the purpose of bias detection and correction under strict conditions. Processing must be subject to “appropriate safeguards for fundamental rights and freedoms,” invoking alignment with GDPR.
- Changes to the Transparency Obligations. The application deadline has been extended to 2 February 2027 for the transparency obligations laid out in Article 50, giving companies more time to prepare next year while allowing sufficient time for the AI Office guidelines on transparency operational obligations to be released.
A significant structural change removes the Commission’s previous power to adopt harmonised, binding transparency rules, replacing it with a more flexible two-step framework led by the AI Office. Under the amended Article 50, the AI Office is now responsible for encouraging and facilitating the development of voluntary transparency Codes of Practice, which providers and deployers may follow to demonstrate compliance. Instead of requiring the Commission to formally approve the guidance drafted by the AI Office, the system makes the Commission intervene only if problems arise, which can speed up the process but still leaves open how this reactive approach will work in practice.
The AI Office is expected to publish its first Transparency Codes of Practice in 2026.
- Changes to the High-Risk AI category. The proposal introduces a new, conditional timeline for the application of the high-risk AI requirements in Chapter III of the AI Act. The new dates depend on when the Commission adopts a decision confirming that adequate compliance support tools. These can be late 2027 or early 2028. The main changes include a new conditional timeline for high-risk rules, reduced registration for exempted systems, extended SME-style simplifications to SMCs, clearer conformity-assessment procedures, and expanded options for real-world testing.
- Removal of mandatory AI-literacy obligations for providers and deployers. The proposal removes the obligation on providers and deployers to ensure staff AI literacy and instead shifts the responsibility to the Commission and Member States, who are asked to promote AI literacy through non-binding measures.
2. The Data Act
- Consolidation of major laws: The Free Flow of Non-Personal Data Regulation, Data Governance Act, and Open Data Directive are repealed and merged into the Data Act to create a single rulebook.
- Trade Secrets: Data holders can refuse disclosure where there is a high risk of unlawful access, particularly regarding third countries with weak protections.
- Cloud Switching: Lighter rules are introduced for SMEs and SMCs. These providers can include early-termination penalties in fixed-term contracts and face lighter regimes for custom-made services signed before September 2025.
- Improved measures of implementation: The release of Model Contractual Terms for data access and use, Standard Contractual Clauses for cloud computing contracts, and establishing a Data Act Legal Helpdesk to help companies (especially SMEs) interpret the rules.
3. GDPR
- Updated scope & duties: Tightens the definition of when data counts as personal, relaxes obligations on informing data subjects of their data processing, and clarifies the use of automated decision-making.
- Targeted flexibility: Allows limited biometric use and safeguarded special-category data processing for AI, with data breach notifications only for high-risk breaches (extending the notifying period to 96 hours, via the single-entry point).
- Modern cookie rules: The cookie consent from the ePrivacy Directive moves into the GDPR text and enables one-click consent plus future browser-level preference signals.
4. Cybersecurity
- A single point of reporting incidents: The introduction of a single-entry point operated by ENISA for reporting cybersecurity incidents. Instead of reporting separately under different legislations such as the NIS2, CRA, GDPR, and DORA, companies will use a unified channel.
Beyond these proposed amendments, the package introduces a European Business Wallet to streamline cross-border administration and a Data Union Strategy designed to unlock high-quality datasets and promote AI development for broader EU competitiveness goals in the global market.
Does it impact your business?
Although the Digital Omnibus is only a proposal, companies operating in the EU should treat it as an early signal of how digital regulation will evolve. The package is designed to streamline existing rules rather than create new ones, but this still means organisations will need to adjust their compliance setup.
1. Map where the Omnibus overlaps with your existing obligations
Since it amends frameworks like the AI Act, Data Act, GDPR-related processes, organisations should identify:
- where reporting processes could be merged,
- where documentation requirements will be simplified,
- and where supervisory responsibilities may transfer.
2. Review compliance trajectories that the Omnibus is expected to simplify
If you were planning major updates to your AI Act technical documentation, cloud-switching processes, or digital incident-reporting workflows, review whether the Omnibus would change those obligations. This prevents wasted investment. 2026 will remain a preparation year for AI Act implementation, with the AI Office expected to publish its transparency guidelines during that period.
3. Prepare for more integrated obligations across laws
The Omnibus aims to reduce contradictions between the AI Act, GDPR, cybersecurity rules, and data-sharing obligations. Companies should begin aligning internal teams (legal, security, data governance, product) so decisions are made across frameworks, instead of silos.
4. Expect national authorities and EU bodies to start using the Omnibus as guidance
Even before adoption, regulators often treat such proposals as an indication of future enforcement direction. Companies should follow developments closely, especially around AI transparency, high-risk procedural timelines, and streamlined reporting.
Timelines for Adoption and Application
With the Digital Omnibus proposal published on 19 November 2025, adoption is expected around the end of 2026, and reforms could follow in effect around mid-2027/2028. The ongoing Digital Fitness Check, running until March 2026, may influence the final text and timing.
| Timeline |
Action |
|
19 November 2025
|
- Official Proposal of the Digital Omnibus package & Business Wallet presented
|
|
2025–2026
|
- Digital Fitness Check: Public consultation open (until 11 March 2026)
|
|
Late 2025
|
- Start of formal legislative negotiations (the EU Parliament and Council)
|
|
2026
|
- Negotiation & Finalization
- The EU Parliament and Council review and (potentially) adopt the final law
|
|
2027/2028
|
|
The Digital Omnibus is only one part of a broader update to the EU’s digital landscape. The Commission plans to release new proposals (in Q4 2025) on areas such as ePrivacy, targeted GDPR adjustments, the launch of Data Act support measures (model contracts, clauses, helpdesk), international data-flow safeguards. In addition to this, several major digital laws are scheduled for formal evaluations in the coming years. These evaluations help the Commission decide whether further changes are needed.
Digital Compliance Support - Let’s get started
The Digital Omnibus may simplify the landscape, but it still requires organisations to adjust. Our Digital Compliance Support service helps you navigate this transition by assessing how the updated rules apply to your specific operations.
We analyse your current compliance posture against the proposed consolidated framework, simulating how the new obligations, and the removals of old ones, affect your responsibilities. We also map and track which requirements remain relevant and which are being phased out, ensuring you focus only on the obligations that genuinely apply rather than maintaining compliance with rules that no longer exist.
Ultimately, our team ensures your organisation turns this regulatory reset into a streamlined competitive advantage. You can access more information on digital compliance in our webinar.
Would you like more information?
For a detailed assessment of how the Digital Omnibus package applies to you, please contact one of our specialists.
Contact us
Read the full Commission proposal: Digital Omnibus Regulation Proposal | Shaping Europe’s digital future
Read about the Commission package: Simpler EU digital rules and new digital wallets to save billions for businesses
