With the proposal for a Digital Omnibus Package, the EU Commission is adjusting its current course. The objective is to lighten the regulatory burdens on the economy resulting from increasing EU regulation and to harmonise the corresponding digital rulebooks.
The Digital Omnibus Package consists of two Regulations intended to simplify and amend the existing digital legislative framework:
- Digital Omnibus on AI: The planned adjustments exclusively concern the AI Act.
- Digital Omnibus: This Regulation envisages substantive amendments to the following legal acts:
- Data Act: A central law for the European data economy will be established. The provisions of the Data Governance Act (Regulation (EU) 2022/868) are being consolidated with the provisions of the Open Data Directive (Directive (EU) 2019/1024) as well as the Regulation on a framework for the free flow of non-personal data in the European Union (Regulation (EU) 2018/1807). The aforementioned legal acts will be incorporated into the Data Act.
- DSGVO: The amendments contained in the proposal aim to clarify certain key concepts and facilitate compliance with data protection obligations (e.g. information requirements, notification obligations).
- Cybersecurity laws (e.g. NIS2, DORA): In future, there shall be a single-entry point for reporting cyber incidents.
What substantive (practice-relevant) changes can be expected?
- Data economy law: Important substantive changes include strengthening the protection of trade secrets regarding claims for access to data, as well as extending regulatory privileges granted to SMEs to small mid-cap enterprises ('SMCs').
- Data protection law: The definition of personal data is being resharpened, taking into account the CJEU case law issued to date (specifically regarding relative identifiability, CJEU decision C-413/23P). Furthermore, a new legal basis is being created for the processing of special categories of personal data for the development of AI systems (extension of the list in Art. 9(2) GDPR).
- Cybersecurity: A central reporting office (single-entry point) is to be established at the EU Agency ENISA. Instead of fragmented notifications (e.g. to BSI, BaFin, data protection authorities), entities will in future only have to report a cyber incident once centrally to a portal. This is also welcomed in view of the reporting obligations under the Cyber Resilience Act, which already provides for a reporting obligation for cyber incidents to ENISA.
- AI Act: Among other things, the proposal envisages the creation of a (data protection) legal basis for providers and deployers of AI systems for the processing of special categories of personal data for the purpose of ensuring bias detection and correction. In addition, existing regulatory privileges for SMEs (e.g. regarding technical documentation and quality management) are to be extended to SMCs.
What are the next steps?
The proposal for a Digital Omnibus Package was presented by the EU Commission on November 19, 2025 and is now passing through the ordinary legislative procedure. Substantive changes to the two proposed Regulations are therefore still possible.
