Digital Omnibus

Proposal for Simplification of EU Digital Regulation

Proposed Regulation (Nov 2025)Proposed — Adoption expected 2026

Sweeping proposal to simplify EU digital regulation by amending GDPR, AI Act, ePrivacy Directive, Data Act, NIS2, and the Cybersecurity Act simultaneously. Proposes redefining ‘personal data,’ standardised breach notification via a single entry point, legitimate interest basis for AI model training, and SME exemptions from records of processing. EUR 6B projected savings by 2029.

Regulations Amended

€6B

Projected Savings

2029

Full Impact Year

MS Unified

Implementation Timeline

November 2025

European Commission publishes proposal

Q1 2026

European Parliament committee review begins

Spring 2026

Expected trilogue negotiations

Q3 2026

Anticipated adoption and publication

Who's In Scope

Regulations Amended

GDPR (Regulation 2016/679)
AI Act (Regulation 2024/1689)
Data Act (Regulation 2023/2854)
Cybersecurity Act (Regulation 2019/881)

Directives Amended

NIS2 Directive (2022/2555)
ePrivacy Directive (2002/58/EC)

Affected Entities

All GDPR-subject organisations
AI providers and deployers
Cloud and data service providers
NIS2 essential and important entities

Key Requirements

GDPR Reform

Redefinition of Personal Data

Proposes a relative, entity-driven definition of personal data. Data that one entity cannot use to identify a person would not be considered personal data for that entity.

GDPR Reform

Standardised Breach Notification

Single entry point for data breach notifications across Member States, replacing 27 different national notification procedures.

AI & GDPR

Legitimate Interest for AI Training

Explicit legitimate interest legal basis for using personal data in AI model training, subject to appropriate safeguards and data protection impact assessments.

GDPR Reform

SME Exemptions

Small and medium enterprises exempted from maintaining records of processing activities, reducing administrative burden for smaller organisations.

ePrivacy/GDPR

Cookie Regulation Merger

Cookie consent rules moved from the ePrivacy Directive into GDPR, simplifying the dual-regulation overlap that has caused compliance confusion.

Cross-cutting

Harmonised Enforcement

Consistent enforcement mechanisms across all amended regulations, with streamlined supervisory cooperation. Projected EUR 6B cost savings for businesses by 2029.

Penalties & Enforcement

Inherits from amended regulations

Varies by regulation

Penalty framework inherits from each amended regulation (GDPR: 4% turnover, AI Act: 7% turnover, NIS2: EUR 10M or 2% turnover). Specific adjustments may be introduced during trilogue negotiations.

How Orizon Can Help

Compliance Management

We provide structured preparation and compliance support for Digital Omnibus.

Learn more

Official Sources

Assess Your Readiness

Schedule a consultation with our regulatory experts to assess your Digital Omnibus compliance posture and build a practical roadmap.

Get Started

Digital Omnibus

Proposal for Simplification of EU Digital Regulation

Proposed Regulation (Nov 2025)Proposed — Adoption expected 2026

Who's In Scope

Regulations Amended

GDPR (Regulation 2016/679)
AI Act (Regulation 2024/1689)
Data Act (Regulation 2023/2854)
Cybersecurity Act (Regulation 2019/881)

Directives Amended

NIS2 Directive (2022/2555)
ePrivacy Directive (2002/58/EC)

Affected Entities

All GDPR-subject organisations
AI providers and deployers
Cloud and data service providers
NIS2 essential and important entities

Key Requirements

GDPR Reform

Redefinition of Personal Data

Proposes a relative, entity-driven definition of personal data. Data that one entity cannot use to identify a person would not be considered personal data for that entity.

GDPR Reform

Standardised Breach Notification

Single entry point for data breach notifications across Member States, replacing 27 different national notification procedures.

AI & GDPR

Legitimate Interest for AI Training

Explicit legitimate interest legal basis for using personal data in AI model training, subject to appropriate safeguards and data protection impact assessments.

GDPR Reform

SME Exemptions

Small and medium enterprises exempted from maintaining records of processing activities, reducing administrative burden for smaller organisations.

ePrivacy/GDPR

Cookie Regulation Merger

Cookie consent rules moved from the ePrivacy Directive into GDPR, simplifying the dual-regulation overlap that has caused compliance confusion.

Cross-cutting

Harmonised Enforcement

Consistent enforcement mechanisms across all amended regulations, with streamlined supervisory cooperation. Projected EUR 6B cost savings for businesses by 2029.