Client Alert

November 24, 2025

The Digital Omnibus Proposal: Simplifying the EU Digital Rulebook by … adding more rules?


The European Commission’s Digital Omnibus proposal (COM(2025) 837) (“Proposal” or “Omnibus”) represents the first major legislative attempt of the new mandate to “simplify” the Union’s digital regulatory landscape. Framed as a simplification exercise, the initiative is the European Commission’s proposed response to longstanding concerns that Europe’s digital rulebook has grown too fragmented, too prescriptive and increasingly difficult for organizations to navigate. The Proposal is complemented by the proposed Digital omnibus on AI and the proposed European Business Wallet regulation.

The Omnibus explicitly builds on political calls for regulatory streamlining, including the broader plan laid out by Commission President von der Leyen in her political guidelines for the 2024-2029 term (Von der Leyen, U. (2024), Europe’s Choice: Political Guidelines for the Next European Commission 2024-2029) and the recommendations of the Draghi (Draghi, M. (2024), The future of European competitiveness) and Letta (Letta, E. (2024), Much more than a market) reports, which urged the European Union (“EU”) to reduce administrative burdens, make compliance more predictable, and create better conditions for innovation. The Omnibus takes as its motto that “Europe cannot remain competitive without consolidating and updating the patchwork of rules governing data, cybersecurity, digital operations and Artificial Intelligence (“AI”)” and tries to deliver on it.

In this context, the Omnibus aims to update or combine several instruments, including the GDPR, the ePrivacy Directive, the Data Act, the Data Governance Act, NIS2, DORA, eIDAS, and the CER Directive, while repealing others entirely. The Commission presents this as a rationalization effort that will lower compliance costs and improve legal clarity. Will this be delivered? It is hard to predict what the finally adopted Omnibus will look like, if it is ever adopted. But there are some fundamental questions to ask even before the train starts its legislative journey.

In the following sections, we cherry-pick some elements of the package and try to assess whether they deliver on the simplification mandate (or might raise question marks).

1. Legislative Technique and the Omnibus Architecture
Simplification Score: Zero

The legislative mechanism creates substantial structural complexity by amending or repealing numerous instruments simultaneously, as well as incorporating substantial parts of the DGA and the Open Data Directive into the Data Act, and relocating ePrivacy provisions into the GDPR, all in one act.

While macro-level consolidation may reduce the number of standalone acts, practitioners are required to navigate extensive cross-references and interdependent amendments. The technique complicates the interpretative landscape rather than genuinely simplifying it. Eleven pages of changes to multiple regulations, lost in a 150-page document, make for a hard read; thankfully it did not take the community long to prepare consolidated versions of all the affected texts showing the proposed amendments in track changes.

Also, presenting as “changes” or “simplifications” matters that were already settled by case law or guidance adds nothing new (except confusion).

In addition, this complexity is amplified by the fact that the Omnibus effectively pre-empts the planned “Digital Fitness Check”. Until just days before the publication of the Omnibus, the Commission’s alleged intention was to conduct a comprehensive evaluation of the GDPR in 2026. This was supposed to be an evidence-based, consultative process designed to assess jurisprudence, enforcement patterns, and industry experience before contemplating targeted revisions. Instead, the Proposal introduces significant GDPR amendments through an accelerated “fast-track” procedure in which EU services had around five working days to review the draft. This departure from the expected process raises legitimate concerns about the quality and coherence of the resulting text, as well as uncertainty for organizations that had prepared for a structured, transparent review rather than a rapid overhaul.

2. Codification of the Personal Data Definition (post-SRB CJEU) & Special Categories of Data
Simplification Score: Close to Zero (except for biometrics)

The proposed amendment to the GDPR’s definition of “personal data,” intended to reflect the Single Resolution Board v EDPS judgment (Case T-413/23P, European Data Protection Supervisor (EDPS) v Single Resolution Board (SRB), 4 September 2025), introduces additional wording stating that information is not to be considered personal data for a given entity (an undefined new concept) when that entity does not have the “means reasonably likely to be used” to identify the natural person to whom the information relates. Consequently, such processing would, in principle, fall outside the scope of the GDPR. Rather than clarifying identifiability, this drafting risks fragmenting interpretation and prompting renewed litigation over controller-specific versus objective identifiability.

Given the foundational importance of this definition, and the Commission’s stated objective of predictability, this amendment appears insufficiently precise. If the intention was harmonization, the execution ensures future litigation. Shouldn’t this be left to harmonized guidance from data protection authorities (or the EDPB as the mother of all of them) rather than importing court case specific facts into law?

Conversely, the new exclusion in the proposed Article 9(2)(l) might provide great relief to all controllers that use biometric data for ID verification purposes. This favors the deployment of technologies that are necessary and that, on their face, could hardly be considered highly invasive.

3. Data Access Only for Data Protection Purposes
Simplification Score: Not Much, but Welcome

The Proposal addresses the “misuse” of data subject access rights (e.g., for litigation) by clarifying that controllers may refuse or charge for excessive or abusive access requests made for purposes other than the protection of personal data. This was already an established practice.

While this clarification is intended to reduce administrative burdens linked to repetitive or disruptive rights-request practices, it also presents the risk of creating more restrictive interpretations that could inadvertently raise the bar for individuals legitimately seeking access to their data (as it gives controllers a wider range of options to refuse acting on the request).

4. Data Breach Reporting Requirements
Simplification Score: Good (but was this necessary?)

The Omnibus introduces several novelties regarding cybersecurity and data breach reporting obligations. First, as part of a suggested GDPR amendment, it aligns the controller’s obligation to notify data breaches to the competent authority with its obligation to notify data subjects of such breaches, by stipulating that the notification is “only required if a data breach is likely to result in a high risk to the data subject’s rights”. In other words, the authority notification threshold is raised from the current standard of “risk” to the higher standard of “high risk”, merging the current Articles 33 and 34 into a single trigger.

This shift substantially narrows the scope of supervisory oversight. Under the current GDPR framework, the obligation to notify authorities captures a wider spectrum of incidents, including those that may not ultimately require communication to the affected individuals but still require attention. This was designed to ensure that controllers had a framework in place to assess risks, and to provide authorities with useful (even if sometimes overwhelming) information on systemic vulnerabilities or cybersecurity weaknesses across sectors. By limiting notifications to “high risk” breaches only, incidents where harm is possible but not demonstrably “high” may go unnoticed.

In addition, for organizations, while this may seem to reduce administrative burden, the change does not remove the need to document and investigate breaches.

5. Single Entry Point for Cybersecurity and Data Breach Reporting
Simplification Score: Not Great (and risky?)

The proposal introduces a Union-level “single-entry-point” for incident reporting across several legislative instruments (such as GDPR, NIS2, DORA) to be developed by ENISA.

While reducing duplicative submissions is a legitimate objective, the underlying reporting thresholds, timelines, impact criteria, and sector-specific requirements remain unaligned. Without harmonizing substantive obligations, a unified interface risks becoming a procedural convenience layered over persistent conceptual inconsistencies.

Furthermore, it remains unclear how effective communication will be between the “single-entry-point” and the other authorities whose jurisdiction is affected. This “over-centralization”, which is likely to please an ENISA seeking a more important role, also creates additional vulnerabilities (i.e., a single platform concentrating incident reports across sectors becomes an attractive target whose compromise could cause major disruption). The single entry point also leaves several other incident reporting frameworks decentralized, for no obvious reason.

6. Standardized Data Breach Notification Template
Simplification Score: Good, Very Good

The mandate for the EDPB to propose a single EU-wide data breach notification template, and for the Commission to adopt it by implementing act, is a welcome development.

This measure will notably reduce divergent national practices, provide clearer expectations for controllers, and streamline notification workflows.

This is one of the elements of the Omnibus that has the potential to deliver genuine simplification, hoping that we can get out of the “stricter approach consensus” (but was this something that required the Omnibus to be done?).

7. Common Guidelines on Breach Reportability
Simplification Score: Undetermined

The Proposal envisages additional guidelines on breach reportability.

Yet the EDPB has already issued extensive and authoritative guidance on this topic (European Data Protection Board, Guidelines 9/2022 on personal data breach notification under GDPR, Version 2.0, adopted 28 March 2023). Unless the Commission intends to introduce more prescriptive or quantitative thresholds, the added value of new guidelines remains unclear.

8. Extension of the GDPR Breach Reporting Deadline to 96 hours
Simplification Score: Why, Why, Why?

The extension of the breach notification deadline from 72 to 96 hours gives controllers more time to assess the extent of the breach and obtain relevant information. However, considering the other changes (i.e., “high risk” reporting only, the single-entry-point), it does not materially alleviate compliance challenges. What will one extra day bring (except maybe saving some weekends for breaches one becomes aware of on a Friday)?

The fundamental issue is not the number of hours, but the variability and complexity of forensic investigation. Therefore, while substantive, the reform is largely symbolic once all the added “simplification” elements are taken into account. It will also impose an extensive burden to update procedures, agreements and processes, for no obvious benefit.

9. Introduction of a Union-Wide DPIA Template
Simplification Score: Poor

The requirement for the EDPB to establish a standardized EU-level DPIA template and methodology, as well as harmonized lists of processing operations that require or do not require a DPIA, represents a departure from the GDPR’s accountability framework. One can also expect the white and black lists to simply build on the existing Member State lists.

Accountability – by design – relies on contextual, risk-based assessments tailored to specific processing scenarios. A rigid, template-driven approach risks encouraging formalistic compliance and may diminish the quality and depth of substantive risk evaluation.

10. Browser- or Device-Level Consent Preferences
Simplification Score: Great, Finally (hoping the tech follows)

The mandatory recognition of machine-readable consent signals generated at browser or device level, once relevant standards become available, has the potential to significantly reduce consent fatigue and improve user autonomy.

The Proposal meaningfully operationalizes earlier policy ambitions dating back to the 2009 ePrivacy amendments and the draft ePrivacy Regulation. However, the long-standing industry position has been that such mechanisms are technically infeasible or commercially unworkable. Therefore, the proposed renewed optimism warrants scrutiny and close monitoring of the standardization process.

In addition, it must be noted that the consent requirements for storing or accessing personal data on the terminal equipment of natural persons, which bring with them the processing of personal data on and from terminal equipment, are now covered by the GDPR and no longer by the ePrivacy Directive regime. If this is a way to unlock the revision of ePrivacy, all in favor (but one does not really see why consensus can be reached here when ePrivacy changes could not be voted on for the last 8 years).

11. Processing of Personal Data for AI Training as Legitimate Interest
Simplification Score: Setting the EDPB’s Guidance in Law Does Not Bring Much

The proposed amendment seeks to clarify the conditions under which personal data, including residual special category data, may be processed for the training and development of AI models. It introduces a pathway for relying on legitimate interests where the processing is necessary for the development or operation of an AI system within the meaning of the EU AI Act. This is perceived as a significant shift, as until now organizations have struggled to identify a viable lawful basis for large-scale AI training, with consent largely impracticable and other bases ill-suited to broad or heterogeneous datasets. The new provision therefore opens the door to further AI development in Europe by acknowledging, at least in principle, that technological advancement can constitute a legitimate interest. It is not new, however, as it essentially backs up the EDPB’s position on the topic.

Legitimate interest remains one of the most scrutinized lawful bases under the GDPR and will require a full balancing test, a rigorous necessity assessment, and documentation capable of withstanding DPA review. Given the sensitivity surrounding AI training practices, it is reasonable to expect that supervisory authorities will examine such claims closely.

12. Alignment of High-Risk AI Obligations with Future Standards
Simplification Score: Just Normal (really?)

The Proposal (read together with the accompanying Omnibus AI Act amendments) ties the applicability of certain high-risk AI obligations to the availability of harmonized standards. Although responsive to stakeholder concerns, this approach introduces significant timeline uncertainty. Indeed, it is unclear when these standards will (if ever) become available, and there is no guarantee that the standardization process will deliver the necessary technical granularity. This is therefore primarily a way of buying time, but the longstop dates remain and will kick in even in the absence of standards.

What Comes Next?

The Omnibus represents a significant and ambitious restructuring of the EU’s digital regulatory framework. Despite the Commission’s stated aim of simplification, the proposal frequently introduces new layers of complexity, particularly in areas where detailed cross-instrument coordination is required.

But, above all, this is only a proposal. It will now move through the ordinary legislative procedure in the European Parliament and the Council, where both institutions may seek to narrow, condition, or even remove some of the more far-reaching changes. The debate is expected to be fierce, with a very concerned Parliament and very resistant Member States. The legislative format may in fact slow down rather than accelerate reforms: by bundling together sensitive amendments and technical fixes to several regulations, the proposal is likely to become hostage to its most controversial elements and to be heavily amended during the legislative process.

What are we telling the world with the Omnibus? That the continent that was seeking to push its values to protect fundamental rights is moving away from them? GDPR is no longer only an internal market instrument, but the legal benchmark underlying the EU’s adequacy decisions with third countries. If core concepts such as “personal data” are narrowed, or if broad new bases for AI training are introduced, third country regimes previously deemed “essentially equivalent” may in fact end up offering more protection than the EU’s own law. In relation to that, some digital-rights groups are already branding the package as a “rollback” of protections, rather than a neutral technical clean-up.

Domestically, the pace of change is also a risk factor. The Data Act is barely in force and the AI Act not yet fully applicable, yet both are already being reopened and adjusted via the Omnibus and the parallel AI Omnibus proposal. This rapid sequence of reforms creates a moving target for compliance and a burden for organizations aiming for early observance of the law, which now face the prospect of redesigning frameworks before they have even gone live. A rational response for many will be to delay or slow implementation until the direction of travel is clearer. This runs directly counter to the Commission’s stated aim of speeding up legal certainty and uptake.

As the proposal unfolds, stakeholders should closely monitor subsequent amendments. Simplicity is the ultimate sophistication (da Vinci), but the EU Digital Rulebook might still be found complex rather than sophisticated for a little while.