Navigating the EU's Digital Omnibus on Privacy, Cyber, Data and AI and Next Steps

- The recently released EU Digital Omnibus proposes ambitious legislative changes to update and simplify EU data, privacy and cybersecurity laws.
- The legislative package also looks at the recently enacted EU AI Act, proposing to delay or streamline some of its key provisions.
- The EU Member States and the European Parliament will negotiate the final legislative package in the coming months. Rebalancing data privacy and security with accelerating AI use and innovation emerges as the key battleground.
On November 19, 2025, the European Commission formally unveiled a “digital omnibus” legislative proposal aimed at simplifying the EU’s privacy, cyber, data and AI regulatory frameworks. This is also in response to growing criticism from industry, leading EU figures, the U.S. and some national governments, who have expressed their concerns that the rules are overly complex, slowing innovation and hampering the EU’s competitiveness.
The proposal amends key aspects of the General Data Protection Regulation (GDPR) and the e-Privacy Directive (so-called “EU Cookies Law”), clarifying, for example, the processing of personal data for AI training and development and addressing consent fatigue in relation to cookies by allowing certain processing activities without users’ consent. In relation to the EU AI Act, the package proposes delaying stricter rules on the use of AI in “high-risk” areas, relaxing obligations in relation to AI literacy, clarifying the use of special category personal data for bias detection and mitigation and removing the requirement to register AI systems which providers consider not “high-risk.” However, the proposed delay is not a simple postponement to a new date and will be subject to negotiations.
In relation to EU cyber laws, the proposal would streamline incident reporting requirements by introducing a single entry point for such reporting under the Cyber Resilience Act, NIS2 Directive, DORA (Digital Operational Resilience Act) and the CER Directive (Critical Entities Resilience). The omnibus is also complemented by a new Data Union Strategy, which aims to boost access to high-quality datasets, as well as a European Business Wallet, which will provide European companies and public sector bodies with a unified digital tool. The proposals will now go through the EU's legislative process, with the European Parliament and Council negotiating the final versions.
Key Amendments in the EU Digital Omnibus
The newly proposed Digital Omnibus brings a suite of changes intended to streamline compliance, promote innovation and create a more cohesive framework for businesses operating in the digital space. The proposal is expected to overhaul a series of existing laws, including the following:
- Artificial Intelligence Act (EU AI Act): The digital omnibus proposes to delay the original implementation date for high-risk AI systems (August 2026) by tying the new implementation date to a future Commission decision on whether adequate compliance measures, such as harmonized standards, common specifications and Commission guidelines, are in place. If the Commission confirms these compliance measures have been established, the rules for high-risk AI systems in areas such as biometrics, critical infrastructure, education, employment, healthcare, migration and law enforcement (Annex III of the EU AI Act) will take effect six months later, while the rules for high-risk AI systems that serve as a safety component, such as for medical devices and other product-based AI (Annex I of the EU AI Act), will begin to apply twelve months afterward. This means the crucial provisions of the landmark EU AI Act as regards high-risk AI systems will be activated when the EU executive decides that sufficient compliance measures are in place. However, if the Commission does not decide that adequate compliance measures are in place, the rules would still be enforced starting in December 2027 for high-risk AI systems under Annex III and August 2028 for high-risk systems under Annex I. The proposal also increases flexibility for post-market monitoring, permits processing of special personal data for bias correction with strict safeguards, removes the requirement to register AI systems that providers consider not “high-risk,” centralizes oversight for large platforms under the AI Office and further consolidates enforcement procedures.
- General Data Protection Regulation (GDPR): The proposal clarifies the definition of personal data, explains when special category personal data may be used for the development and operation of an AI system and amends the provisions as regards automated processing and decision making. It also simplifies the transparency requirements as regards providing information to individuals about how their personal data is processed and relaxes the time limit and process for personal data breach reporting.
- e-Privacy Directive: It is proposed that the e-Privacy Directive no longer governs personal data issues. Rather, processing of personal data from terminal devices (like cookies) would become aligned with the GDPR, paving the way for automated consent management to reduce consent fatigue and banner overload.
- Data Act: The proposals to amend the Data Act are aimed at consolidating multiple data laws, such as the Data Governance Act and the Data Act, into a single harmonized framework, strengthening trade secret protections, providing exemptions and lighter regimes for SMEs and small mid-cap companies, establishing a single entry point for incident reporting and simplifying the notification regime for data intermediation services.
- Cyber Resilience Act, DORA (Digital Operational Resilience Act) and NIS2 Directive: It is proposed that incident reporting obligations are fulfilled through a single entry point, shared across the three laws, streamlining processes and ensuring consistency.
Together, these amendments represent a significant shift as the EU aims to balance incentives for innovation with existing oversight and consumer protection measures. By consolidating requirements and fostering collaboration among stakeholders, the EU is seeking to ensure both economic growth and digital trust in a rapidly changing digital environment.
Next Steps
The proposal now goes to the co-legislators under an ordinary legislative procedure. This means the EU Member States and the European Parliament will negotiate within and among themselves to arrive at the final version, revising existing pieces of legislation and thus updating the EU's digital rulebook. This goes hand in hand with the Digital Fitness Check, a wide consultation to run until March 11, 2026.
We expect the legislative process to take months. The legislators will seek input from stakeholders in various formats. We expect intense debate as the proposal attempts to rebalance existing data protection with the need for data as an engine for innovation and competitiveness. A wide range of industry participants should consider taking part and providing feedback. The Akin team stands ready to assist.











