The 2025 European Commission EU digital omnibus package: a practical guide and explainer

The European Commission’s EU Digital Omnibus package, published on 19 November 2025, is an initiative directed at streamlining and rationalising EU digital law and improving internal consistency across the existing regulatory framework. This initiative forms part of the Commission’s broader digital policy programme , alongside the emerging Data Union Strategy and the proposed European Business Wallet, and sits within the EU’s wider competitiveness agenda as articulated in the Competitiveness Compass, presented in January 2025. It also aligns with the European Data Protection Board’s Helsinki Statement on enhanced clarity, support and engagement, adopted on 3 July 2025, which calls for practical simplification of the GDPR, clearer and more usable guidance, and improved  cross‑regulatory cooperation to ensure greater consistency across the EU’s digital rulebook.

The Commission does not present the package  as  deregulation  but as a targeted legislative simplification exercise of the EU digital acquis (i.e., the wider body of EU digital and data legislation) intended to reduce duplication, regulatory friction and compliance burden, while formally preserving the existing substantive obligations, rights architecture and enforcement frameworks.

On 22 January 2026, the EDPB and EDPS published their Joint Opinion 1/2026 on the AI Omnibus Proposal (the AI Omnibus Proposal). The Opinion supports simplification only where it does not weaken enforceability or fundamental-rights safeguards, and identifies specific aspects of the Proposal that, in the view of the EDPB and EDPS, risk diluting accountability in high-risk use cases. In particular, the Opinion focuses on: 

1. The creation of an explicit statutory legal basis for the processing of special-category data for bias detection and correction, and the risk that such a basis could be relied upon beyond genuinely high-risk AI contexts, together with the need for a strictly-necessary threshold and clearer drafting; 
2. The proposed removal of the EU database registration obligation where a provider self-assesses that an Annex III system is not high-risk, and the resulting loss of early supervisory visibility prior to placing on the market or putting into service;
3. EU-level sandbox governance, including the need for explicit involvement of competent data protection authorities, identification of the competent authority in cross-border scenarios, clearer articulation of the interaction with GDPR cooperation mechanisms, and observer status for the EDPB on the AI Board;
4. Supervision and enforcement allocation, including clearer limits on the AI Office’s competence in the operative provisions and explicit clarification for Union-institution systems supervised by the EDPS;
5. The downgrading of the AI literacy obligation; and
6. Implementation timelines that become contingent on standards and common specifications, raising concerns as to legal certainty and effective fundamental-rights protection.

The package comprises two distinct legislative proposals:

1. A proposal for a Regulation amending and repealing certain Union acts in the field of digital legislation (the “Digital Omnibus Regulation Proposal”), introducing targeted technical and structural amendments across selected EU digital legislation, and 
2. A separate proposal for a Regulation amending Regulation (EU) 2024/1689 on artificial intelligence (the “AI Omnibus Proposal”), proposing targeted amendments intended to facilitate the implementation of the EU AI Act.

The Digital Omnibus Regulation Proposal is set out in the following core documents:  

• Proposal for Regulation on simplification of the digital legislation (The Digital Omnibus Regulation Proposal)
• Proposal for Regulation on simplification of the digital legislation - ANNEXES (The Digital Omnibus Annexes)
• Staff Working Document accompanying the Proposal (The SWD)
• Commission Press release (The Press Release)

The AI Omnibus Proposal is a separate legislative proposal adopted as part of the same package, published as a Proposal for Regulation on simplification for AI rules (the AI Omnibus Proposal)

The Commission expressly frames a number of the proposed amendments in both the explanatory memorandum and the Staff Working Document as codifications or clarifications of  existing case law of the Court of Justice of the European Union and established supervisory interpretation, rather than as new policy interventions. This approach is particularly evident in relation to the definition of personal data, purpose limitation and further processing, automated decision-making, breach-notification thresholds, and the interaction between the GDPR and the ePrivacy regime for access to or storage of information in terminal equipment where personal data is processed.

Each of the Digital Omnibus Regulation Proposal and the AI Omnibus Proposal will be subject to full legislative negotiation between the European Parliament and the Council. It is therefore inevitable that the final texts will differ materially from the proposals as introduced. Certain elements of the package have already attracted greater political and regulatory scrutiny than others.

This article is intended as a reference guide. Our assessment focuses on:

1. Likely negotiating positions of Member States and the European Parliament,
2. The operational constraints identified by regulators and market actors, and
3. Foreseeable enforcement and litigation risk.

Against that background, the EU Digital Omnibus package advances a set of core proposals which, at a high level, comprise:

1. Compliance: targeted simplification of compliance processes across multiple EU digital instruments, without reopening their substantive legal standards or rights architecture;
2. Reporting: alignment and rationalisation of procedural and reporting obligations in order to reduce duplication across adjacent regulatory regimes;
3. Supervision and enforcement: adjustments to implementation and operational rules to address identified supervisory and enforcement constraints;
4. Fragmentation: consolidation or re-allocation of regulatory functions and obligations where parallel frameworks have produced inconsistent application
5. Legislative restructuring: repeal of selected standalone instruments within the EU data acquis, with operative provisions reallocated or absorbed into remaining instruments rather than maintained as separate regimes; and
6. AI reform: targeted amendments to the EU AI Act directed at facilitating its implementation and practical application, without altering its core risk-based structure.

At this stage, the proposals do not have legal effect. They will require agreement between the European Parliament and the Council. The Commission has opened post-adoption feedback periods on both Omnibus proposals (currently running until 3 March 2026), alongside the broader Digital Fitness Check consultation and call for evidence (open until 11 March 2026).

For each instrument amended or repealed by the Digital Omnibus Regulation Proposal or the AI Omnibus Proposal, we set out our assessment of the Commission’s proposals by separating (Section A) those proposals that are most likely to be adopted in substance, and why, and (Section B) those proposals that are more likely to be challenged, materially narrowed, or rejected during the legislative process, and why:

Conclusion

The EU Digital Omnibus package marks a significant moment in the European Union’s current phase of legislative consolidation of its digital and data protection framework. Rather than reopening the substantive legal standards contained in instruments such as the GDPR, the NIS2 Directive, the Data Act or the EU AI Act, the Omnibus proposals are directed at amending the structure, interaction and procedural operation of existing obligations, including by reallocating certain obligations between instruments, aligning reporting routes, and introducing common standardisation and coordination mechanisms.

The proposals do not constitute deregulation, but they would alter the legal routes through which existing obligations are discharged, particularly in relation to incident notification, supervisory cooperation, terminal-equipment access and storage where personal data is processed, and the location of certain data-sharing and re-use obligations within the legislative framework. As a matter of EU law, these changes are material even where the underlying substantive tests are preserved, because they affect which legal instrument applies, which authority is competent, and how compliance is assessed and enforced.

The proposals remain draft legislative texts. They require adoption through the ordinary legislative procedure and may be materially amended during negotiations between the European Parliament and the Council. The Commission has opened post-adoption feedback periods on both Omnibus proposals (currently running until 9 March 2026), alongside the broader Digital Fitness Check consultation and call for evidence (open until 11 March 2026).

Although framed as technical simplification, several elements of the Digital Omnibus raise non-trivial legal issues, particularly where they affect the scope and application of the GDPR, the operation of transparency and data subject rights, and the relationship between the GDPR and the ePrivacy Directive in relation to terminal-equipment access and storage. These issues are likely to attract close scrutiny during trilogue negotiations, including by reference to Articles 7 and 8 of the Charter of Fundamental Rights, and to established CJEU jurisprudence on proportionality, legal certainty and effective protection.

In particular, the reallocation of certain terminal-equipment processing scenarios from the ePrivacy framework into the GDPR, the recalibration of breach-notification thresholds and routing, and the introduction of the relative identifiability criteria raise questions as to whether the proposed drafting maintains an equivalent level of protection in practice, and whether it preserves clear and predictable allocation of supervisory competence and legal responsibility.

In their Joint Opinion 1/2026 on the AI Omnibus Proposal, the EDPB and EDPS do not oppose targeted simplification as such, but emphasise that procedural streamlining must not weaken enforceability or fundamental-rights safeguards. The Opinion identifies specific areas requiring tighter drafting, including the use of special-category data for bias detection and correction, registration and documentation obligations, sandbox governance, AI literacy requirements, and implementation sequencing tied to standards and common specifications. It also calls for clearer operative-text delineation of supervisory competences, including the respective roles of the AI Office, national authorities and the EDPS.

In parallel, the Commission has commenced technical engagement with Member States. Materials circulated through Council channels, together with Member State comments, indicate that negotiations are likely to focus on legal certainty, enforceability, supervisory coordination and the practical operation of reporting and information-sharing mechanisms, particularly where a single factual event triggers obligations under multiple EU instruments.

Against this background, organisations should treat the Digital Omnibus as a developing legislative process, to map which internal compliance components would be affected if adopted broadly in its current form, and to monitor the emerging Council and Parliament positions as they crystallise. In practice, the areas most likely to warrant early internal scoping are: (i) revised incident reporting mechanics and any “single entry” routing model (cyber and data protection); (ii) contractual and governance implications of relative identifiability and any criteria set by the Commission for pseudonymisation/identifiability; and (iii) the operational impact of bringing certain terminal-equipment access/storage scenarios (where personal data is processed) within the GDPR framework.

In parallel, organisations should continue to monitor and track related initiatives that will shape the EU’s data and digital landscape, including the Data Union Strategy, the European Business Wallet proposal, and the newly published non-binding Model Contractual Terms on Data Access and Use and Standard Contractual Clauses for Cloud Computing Contracts issued by the Commission as part of its Data Act implementation work, given that the Omnibus proposals explicitly operate alongside (and in places depend on) standardisation, templates and other implementation measures which will materially influence compliance outcomes even where the obligations remain nominally unchanged.

Taken together, these developments point to a period in which the EU digital and data protection framework is being restructured rather than expanded. During this period, legal certainty will depend on the clarity of the final operative provisions, the handling of transitional situations following repeals and reallocations, and the consistency of supervisory interpretation and enforcement across Member States. Until those elements stabilise, the practical application of the revised framework will remain subject to interpretative and enforcement risk.