EU simplification agenda: Commission proposes Digital Omnibus

21 Nov 2025 12:19 PM

On 19 November the EU Commission proposed its “Digital Omnibus”. This proposal, which follows other large pieces of legislation like the “Sustainability Omnibus” or the “Defence Omnibus”, seeks to continue the EU Commission’s goals of simplifying administrative burdens across the EU (with a target to reduce administrative burden by 25% overall).  

The Digital Omnibus focuses on two major areas: AI and Data  

In a nutshell – what is in the Omnibus?  

AI Omnibus: The EU Commission proposes to amend the AI Act to seek compliance facilitation and proposes a delay of the implementation of the Act up to 2027. 

Data Omnibus: The package proposes to amend key “data acquis”, including the GDPR (e.g. facilitating the use of data for AI training), and incident reporting.  

The proposal seeks to amend the following pieces of legislation:  

• GDPR (Regulation 2016/679) 
• AI Act (Regulation 2024/1689) 
• Data Act (Regulation 2023/2854) 
• NIS2 Directive (Directive 2022/2555) 
• ePrivacy Directive (Directive 2002/58/EC) 

It seeks to repeal the following pieces of legislation by merging them into a single unified and harmonised structure: 

• Platform-to-Business (P2B) Regulation 
• Data Governance Act (DGA) 
• Free Flow of Non-Personal Data Regulation 
• Open Data Directive 

Should you be interested, please find below an overview of some of the major changes proposed by the Omnibus.  

Key measures of the AI Omnibus 

The proposed text lists the following “targeted changes” to be made:  

• Clarified legal basis for providers and deployers of AI systems and AI models to exceptionally process special categories of personal data for bias detection and correction (under certain conditions) as mentioned previously.  
• Removal of database registration for certain high-risk AI systems that fall out of scope (when matching the "filter" conditions of the AI Act) 
• Stronger enforcement powers for the EU Commission, including AI Office-centralised enforcement for AI systems based on GPAI models (GPAI systems) and AI services under the Digital Services Act.  
• Removal of the mandatory template for a post-market monitoring plan, which was to be drafted by the Commission to adopt (to be replaced instead by guidance). 
• AI literacy is no longer an obligation. Instead, EU Member States will be encouraged to take AI literacy measures.  
• Possibility to launch a regulatory sandbox at EU level for AI systems within the Commission's exclusive supervision. Cross-border cooperation should be reinforced for national sandboxes. 
• A few exemptions and privileges are extended to small mid-caps (companies limited to 750 people and a maximum annual turnover of €150 million) including on technical documentation and quality management system. 
• New legal basis to facilitate real-world testing  
• Deadline specified for the changes to sectoral legislation under Annex I, section B (to integrate high-risk AI requirements into sectoral laws). The Commission will have one year to propose draft amendments, which would apply by the omnibus' "entry into force". 
• Clarification on the interplay with the Cyber Resilience Act (CRA). 

Quite importantly, the legislation proposes to delay the AI Act’s high-risk requirements until the end of 2027. Additionally, it proposes moving the date when the high-risk requirements associated with AI systems linked to sectoral regulated products will take legal effect to August 2028.   

This raises key questions regarding timeline. Indeed, should EU institutions not be able to come to an agreement on a final version of the text before August 2026 (at which time the AI Act’s high-risk regime is meant to apply), a risk exists that a window would open during which enforcement of high-risk infringements would be technically possible.  

Data Omnibus  

In order to address regulatory complexity, the Commission has decided to consolidate various existing frameworks into the Data Act (see above for the list of repealed legislation). However not all repealed legislation will be integrated into the new consolidated legislation equally. Indeed, nearly all of the Free Flow of Non-Personal Data Regulation will be repealed, except for a few articles, such as those defining “data localisation requirements”. Conversely, most of the Data Governance Act and the Open Data Directive will be retained and adapted within the Data Act. Overall, the newly consolidated Data Act would propose to: 

• Target exemptions to cloud-switching rules for SMEs and SMCs and for providers of custom-made data processing services 
• Remove mandatory registration and label for data intermediation service providers, fostering growth by lowering entry barriers to the market of data intermediation services; 
• Reduce complexity of the data altruism framework to make sharing data for the public good easier; 
• Limit and clarify the scope of the business to government sharing provisions to ensure that governments can have sufficient data in emergency situations (e.g. in cases of massive floodings or a pandemic) while not putting extra burdens on companies to share their data for situations that are not related to emergencies.  
• Ensure public sector bodies set out higher charges and fees for the re-use of open government data and protected data by very large enterprises (designated as gatekeepers under the Digital Markets Act).  
• Modernisation of “cookie rules” through a “one click consent” and central settings of preferences for how users want their data to be shared and processed.  
• Create a single reporting point for reporting of Cyber incidents for NIS2 Directive, GDPR, the Digital Operational Resilience Act Regulation, the Critical Entities Resilience Directive and the EU Digital Identity Regulation.   

New interplay between the GDPR and the AI Act  

Amongst the key things the Commission proposes is that anonymised data should no longer be considered “personal” and thus should find itself excluded from the scope of the GDPR. However, this would depend on whether the entity holding the data is unable to identify the person to whom the data relates to and taking into account the means reasonably likely to be used by the entity. Even if a subsequent entity might be able to later identity someone through anonymised data by using different tools, this will not be considered sufficient for the data to be classified as “personal”.  

Another key issue the proposal puts forward is making the ban on “sensitive” data listed under article 9 of the GDPR (such as ethnic origin, sexual orientation, health status etc.) more flexible. Under the proposed changes, the ban would only apply to data where there is a direct risk of revealing sensitive information. Quite importantly, the proposed changes would allow for exemptions to this ban if the data is used for training and operating AI models under certain conditions (see article 88c of the omnibus).  

The omnibus also aims to introduce a new article which would make legal for AI developers to rely on the “legitimate interest” legal basis when training their AI models on personal data. Indeed the text states that “The development and use of AI systems and the underlying models such as large language models and generative video models rely on data, including personal data, in various phases in the AI lifecycle, such as the training, testing and validation phase and may in some instances be retained in the AI system or the AI model” (see recital 30 of the omnibus).  

What does this all mean and what’s next?  

The EU Commission, through this legislative proposal is making an ambitious first step in seeking to simplify major pieces of legislation such as the AI Act and the GDPR. Should this be achieved, the EU Commission would be able to “bring immediate relief to businesses, public administrations, and citizens alike, to stimulate competitiveness”  

However, some members of the European Parliament from the Greens, Renew, and S&D political groups have already expressed some scepticism and discontent at the EU. The Omnibus will now go to the Council (EU Member States) and European Parliament, who will have to agree on their respective negotiating positions before beginning interinstitutional negotiations. Agreeing on a final text as soon as possible will be crucial to guarantee certainty for businesses operating in the EU.  

techUK will continue to analyse the proposal and its evolution throughout the legislative process and provide membership with relevant updates.