
Top 10 proposed changes in the EU’s Digital Omnibus


On 19 November, the European Commission published its proposals for the EU Digital Omnibus. This is an ambitious legislative initiative undertaken through two separate instruments which aims to simplify and modernise the EU's digital regulatory framework by introducing reforms to a suite of existing regulations, including the General Data Protection Regulation (“GDPR”), NIS2 Directive (“NIS2”), the Data Act and the AI Act.

The Commission’s proposed reforms are now due to be scrutinised by the European Parliament and the Council of the EU, so they are subject to change as part of the EU’s legislative process. We have identified the top 10 changes in terms of their potential impact if they come into force. While the Omnibus also includes proposals to repeal and merge a number of regulations, the practical effects of this legislative reform will be most critical in relation to the following:

GDPR

1. Updated definition of personal data stating that, if an entity holds information which could be used to identify a natural person, but does not have a reasonably likely means of doing so, this is not personal data. The Commission will also have the power to release further regulations clarifying when pseudonymised data is no longer personal data. While this alters the most important definition of the GDPR, it is aligned with recent case law affecting this concept, so it is not a wildly conceived idea.

2. Confirmation that the legitimate interest lawful basis for processing personal data under Article 6 can be relied upon for the development and operation of AI, provided suitable safeguards, such as data minimisation, transparency and the right to object, are in place. Again, this is aligned with the current thinking of European data protection authorities. What is potentially more consequential is that the processing of special category personal data in this context would also qualify as a lawful condition under Article 9.

3. Greater scope for controllers to refuse data subject access requests. Controllers will not need to respond to requests where a data subject is deemed to be abusing their right for purposes other than the protection of their personal data.

4. Controllers will not need to provide privacy notices to customers where (i) the use of personal data is low risk, and (ii) they have reasonable grounds to believe the data subject already knows who the controller is and why they are processing their personal data.

ePrivacy

5. Expanding the scope of cookies which may be used without consent to include not just those which are necessary for the transmission of a communication or the provision of a requested service, but also those aimed at creating aggregated information for audience measurement and maintaining or restoring security. This is essentially a codification of what was already a common practical approach taken by regulators, but it obviously falls short of abolishing cookie consent in the EU, so it would not fully address the European Commission’s concerns regarding cookie banners and consent fatigue.

Cybersecurity

6. Creation of a single-entry point for incident notifications under the GDPR, NIS2, Cyber Resilience Act, Digital Operational Resilience Act, Digital Identity Regulation and Critical Entities Resilience Directive. This will also allow for the removal of duplicate notification requirements for a “severe incident” under the Cyber Resilience Act and a “significant incident” under NIS2. In addition, the deadline for reporting personal data breaches under the GDPR will be extended from 72 to 96 hours.

Data Act

7. Introduction of a new rule allowing data holders to refuse disclosure of trade secrets to users where data holders can demonstrate a high risk of unlawful acquisition, use, or disclosure to third countries with weaker protections.

8. Introduction of exemptions from cloud switching requirements and a lighter regime for the following data processing services (based on contracts concluded before 12 September 2025):

  • data processing services that are custom-made (i.e. not off-the-shelf and unable to function without prior adaptation to the users’ needs and ecosystem); and
  • data processing services provided by SMEs and small mid-caps (SMCs), including a clarification that these providers can include early-termination penalties in fixed-term contracts.

AI Act

9. Delay to the commencement of the obligations applicable to high-risk AI systems, from August 2026 to 6 months after the Commission makes its decision setting out the technical requirements for high-risk AI systems used for law enforcement or education, and 12 months after its decision for all other use-cases. This adds a degree of uncertainty to the compliance timeline, but in any event, the latest the obligations would come into effect is December 2027 (for AI systems used in law enforcement and education) and August 2028 (for other use cases).

10. Broadened powers for the Commission’s AI Office which, subject to carve-outs for sector-regulated products, would be exclusively competent for the supervision and enforcement of (i) general-purpose AI models and any systems based on them developed by the same provider, and (ii) AI systems integrated into a designated very large online platform (VLOP) or very large online search engine (VLOSE), as defined in the Digital Services Act. The AI Office would have the power to request documentation, supervise pre-market conformity assessments and impose penalties. This would mean more focused scrutiny for large AI developers by a single pan-European regulator.

Next Steps

It is important to note that these are still only proposals, which will be subject to modifications and rejections as part of the legislative process involving the EU institutions. However, the Commission has deliberately injected some time pressure into the process, given that unless the reforms to the AI Act take place before 2 August 2026, the requirements applicable to high-risk AI systems will become effective from that date.

Authored by Eduardo Ustaran, Joke Bodewits, Dan Whitehead, Michaela Glass, July Baltus and Bella Sharif.
