Policy News

European Commission Unveils Digital Omnibus: Major Reforms to GDPR and AI Regulation

On November 19, 2025, the European Commission unveiled its Digital Omnibus, a package of proposed reforms aimed at simplifying and modernising the EU’s digital regulatory framework, including the General Data Protection Regulation (GDPR), the AI Act, ePrivacy rules, and cybersecurity laws. The initiative is designed to reduce overlapping obligations, clarify legal requirements for businesses, and support European innovation in artificial intelligence, while retaining privacy and consumer protections.

Political Context

The announcement comes amid concerns that Europe is falling behind in the global AI race. The Commission argues that greater regulatory flexibility is needed to spur innovation and enable European companies to compete with U.S. tech giants. The Commission estimates the package could save businesses €5 billion in administrative costs by 2029.

The proposal has sparked debate among EU Member States and rights advocacy groups. Some countries, such as Germany, support changes to boost AI competitiveness. Others, including Estonia, France, Austria, and Slovenia, oppose reopening GDPR protections. Rights groups, meanwhile, see the Omnibus as a sweeping rollback of critical digital protections.

Key Elements of the Digital Omnibus: GDPR Reforms

The Omnibus proposes several significant adjustments to the GDPR:

  • Definition of personal data: Narrows the definition so that pseudonymized or indirectly identifiable data may no longer automatically fall under GDPR protections.
  • Special categories of data: Sensitive data such as health, religion, or political beliefs could be processed for AI training and operation under new exceptions, provided safeguards are in place.
  • User rights: Data subject access requests could be limited to “data protection purposes,” potentially restricting their use in employment disputes, research, or other economic activities.
  • Cookie rules: Companies may gain more legal grounds to track users without requiring explicit consent.
  • Legal clarity for AI developers: Clearer guidance on how AI models can use personal and sensitive data while remaining compliant.

AI Regulatory Revisions 

The Digital Omnibus also addresses AI-specific changes, including aligning GDPR rules with the AI Act to clarify how personal data can be used in AI development and deployment. It introduces greater flexibility for AI model training and operation, including stronger exceptions for processing sensitive data. The package would allow companies to self-assess whether their systems qualify as high-risk. 

Data Framework Harmonization

The Digital Omnibus aims to streamline EU data laws by consolidating multiple frameworks, including the Data Governance Act, the Open Data Directive, and the non-personal data regulation, into a reformed Data Act. In addition, the proposal seeks to broaden the definition of “data holders” to facilitate improved data sharing and reuse across the EU.

Cyber-Incident Reporting

The Omnibus also proposes a single-entry reporting portal to simplify reporting for incidents across GDPR, NIS2, DORA, and other frameworks. Reporting thresholds focus on “high-risk” incidents, with extended notification periods (from 72 hours to 96 hours).

Expected Impacts

  • Businesses: SMEs could benefit from reduced regulatory burdens and a more harmonised legal framework.
  • AI Developers: Legal certainty for using personal data could accelerate innovation.
  • Privacy Advocates: Civil society groups warn that the proposals may weaken core GDPR rights protections and expand Big Tech privileges.
  • Consumers: Control over personal data would be reduced, particularly for inferred or pseudonymised data. Cookie-consent requirements may also be relaxed.

What this means for Cybersecurity and AI companies

The Digital Omnibus will now undergo scrutiny and negotiation in the European Parliament and Council, where lawmakers may introduce significant amendments before any final adoption. If approved, the reforms would be phased in, updating rules on incident reporting, AI compliance, and data use. In its current form (still an uncertain prospect) the Omnibus would ease compliance burdens by reducing obligations, extending reporting deadlines, and expanding self-assessment, potentially prompting some organisations to delay or scale back investments in compliance tools. Yet the GDPR, the AI Act, and related frameworks will remain, and companies will still need support to navigate a more flexible but increasingly complex regulatory landscape. And in this shifting landscape, it is security companies that will play the decisive role in keeping organisations compliant, resilient, and ahead of regulatory change.
