
The EU Digital Omnibus Proposal 2025: Key Amendments to GDPR and the AI Act

The EU Digital Omnibus Regulation and the simplification shift

For years, privacy and compliance leaders have operated in a state of high-velocity adaptation. You have been the architects of trust in a landscape defined by regulatory fragmentation, frantically patching together compliance frameworks for the GDPR, the Data Act, and the looming EU AI Act. But on November 19, 2025, the European Commission signaled a massive strategic pivot, one that transforms your role from “firefighter” to “visionary.”

The Commission’s proposal for the EU Digital Omnibus Regulation is not just another layer of red tape; it is a corrective measure designed to “repair” the complex overlaps between the EU’s digital laws. By aiming to reduce regulatory burdens in the EU and boost competitiveness, this proposal acknowledges what you have known all along: true compliance requires clarity, not chaos.

For Data Protection Officers (DPOs), Chief Privacy Officers (CPOs), and security leads, this is a strategic inflection point. The rules are being rewritten to favor operational reality over bureaucratic rigidity. But do not mistake simplification for deregulation. The EU digital rulebook 2026 will be leaner, but sharper. The proposal offers you a rare commodity in our industry: time. The question is, will you use it to catch your breath, or will you use it to solidify your competitive advantage?

Major EU AI Act updates: Delays and red tape cuts

The original implementation timeline for the EU AI Act was a source of sleepless nights for many of you. Meeting the 2 August 2026 date for Annex III high-risk systems (and 2 August 2027 for Annex I products) at that speed threatened to derail innovation budgets and force hasty, tick-box compliance. The Omnibus proposal changes this trajectory with a mechanism designed to prioritize quality over speed.

The “stop the clock” mechanism

The most critical amendment in the proposal is the AI Act compliance deadline extension, a pragmatic “stop the clock” provision. Instead of a fixed calendar date, the obligations for high-risk AI systems (Annex III and Annex I) would apply only once the Commission has confirmed that the supporting harmonized standards, guidelines, and tools are actually available.

Specifically, the obligations would apply 6 months (Annex III) or 12 months (Annex I) after the Commission adopts a decision confirming that the standards and support tools are in place. If those standards are delayed, your deadline moves with them, subject to a “long-stop” date: December 2027 for Annex III systems and August 2028 for Annex I.

This high-risk AI obligations delay is significant. It turns a sprint into a marathon, allowing you to build robust, defensible AI governance frameworks rather than rushing to meet a deadline. One caveat: until the co-legislators adopt the text, the original 2 August 2026 date still stands, so keep a plan that works under both timelines.

Relief for the “small mid-caps”

Previously, the SME designation was a narrow lifeline. The Omnibus proposes extending the SME regime under the AI Act to “Small Mid-Caps” (SMCs), the size tier just above SMEs, commonly summarized as companies with up to 499 employees and turnover of up to €100 million; verify the thresholds against the small mid-cap definition the final text references before relying on them. If your organization fits this profile, you may gain access to the same regulatory sandboxes and reduced penalties previously reserved for smaller players.

AI literacy: still a concrete mandate

The Omnibus also touches the AI literacy provision (Article 4 of the AI Act). Read the amended wording rather than the headlines before concluding whether it tightens or loosens the duty on operators; either way, the practical expectation on providers and deployers stands: staff must have sufficient knowledge, training, and contextual understanding to manage these systems safely, and the deployer’s human-oversight duties for high-risk systems still presuppose competent people.

Treat this as a concrete compliance requirement, not a vague aspiration. Your internal training programs cannot be generic “AI 101” courses. They must be tailored to the specific AI tools you deploy, so that your teams can detect bias, interpret outputs, and challenge the machine’s decisions when necessary. The human in the loop must be a competent human.

GDPR and privacy changes: The 96-hour rule and cookies

While the EU AI Act changes are headline-grabbing, the GDPR simplification proposal contained in the Omnibus offers the most immediate tactical relief for your daily operations. The Commission has finally addressed the incident response fatigue that burns out security teams.

The shift to a 96-hour reporting window

Since the GDPR took effect in 2018, the 72-hour breach notification rule has been the golden, often grueling, standard. It forced teams to report incomplete information just to beat the clock. The Omnibus proposes extending this window to 96 hours (4 days). The clock still starts when you become aware of the breach, so detection speed matters as much as it ever did.

The proposal also aligns the threshold for notifying Data Protection Authorities (DPAs) with the higher bar Article 34 already uses for notifying individuals. Under the new text, you would be mandated to notify the DPA only where the breach is likely to result in a high risk to individuals’ rights and freedoms.

On the surface, this change appears to “filter out the noise,” letting your team spend forensic energy on genuine, high-impact incidents rather than paperwork. It comes with a warning label, though. “Minor” is subjective, and a narrower notification threshold creates a blind spot where a pattern of small breaches goes unnoticed by the regulator. The GDPR’s separate duty to document every breach internally, including its facts, effects, and the remedial action taken (Article 33(5)), is what an auditor will check. So while your notification volume may drop, your internal logging must stay rigorous, and each decision not to notify should record the risk assessment behind it.

Solving cookie consent fatigue

We all know that “accept all” banner blindness is real. The Omnibus tackles cookie consent simplification in the EU with two major shifts:

Exemptions: Audience measurement and security cookies may no longer require active consent.

The “Do Not Re-Ask” Rule: If a user rejects consent, you cannot ask them again for at least six months. This forces a redesign of the user experience. You can no longer nag users into agreeing; you must build trust so that they want to opt in.

Codifying the SRB case: A nuanced data definition

Perhaps the most intellectually significant change is the proposal to reflect the Court of Justice’s 2025 judgment in EDPS v Single Resolution Board (SRB) within the GDPR itself. The text clarifies the boundary of personal data: if the entity holding a dataset cannot reasonably identify the individuals, taking into account all objective factors such as cost, time, and available technology, the data may not be personal data in that entity’s hands, even though it remains personal data for whoever holds the key.

This is not a loophole; it is a high bar. It validates the relative approach to personal data but attaches strict conditions. To rely on it, you must show safeguards that make re-identification not reasonably likely: contractual prohibitions on re-identification, technical separation so that the recipient never receives the pseudonymisation key, and controls on any enrichment data that could substitute for it. If you hold a pseudonymous dataset, you cannot simply claim ignorance; you must demonstrate that identifying the individuals is practically unfeasible for you. The opening for data sharing and analytics is real, but only if the segregation of duties is legally and technically watertight, and the key holder remains a controller of personal data in the usual sense.
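To make the “key” concrete, here is an added example in Python (not code from the original article or from any product). It uses a constructed three-record dataset and a constructed candidate list standing in for outside knowledge a recipient might hold. It contrasts unkeyed hashing of a direct identifier, which a recipient can reverse by enumerating plausible identifiers, with HMAC under a key the recipient never receives, and shows that only the key holder can reverse the latter.

```python
import hashlib
import hmac
import secrets

# Constructed sample dataset as held by the original controller (hypothetical).
SOURCE_RECORDS = [
    {"email": "alice@example.org", "visits": 12},
    {"email": "bob@example.org", "visits": 3},
    {"email": "carol@example.org", "visits": 7},
]

# Constructed "outside knowledge" a recipient might plausibly hold, e.g. a
# customer directory. It includes one person who is not in the dataset.
CANDIDATE_EMAILS = [r["email"] for r in SOURCE_RECORDS] + ["dave@example.org"]


def unkeyed_token(identifier):
    """Plain SHA-256 of the identifier. No secret is involved, so anyone who
    can enumerate plausible identifiers can rebuild the mapping."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_token(identifier, key):
    """HMAC-SHA256 under a key the recipient never receives. Without the key,
    enumerating identifiers yields nothing that collides with the tokens."""
    return hmac.new(key, identifier.encode(), "sha256").hexdigest()


def share(records, tokenise):
    """Build the dataset as handed to the recipient: token plus attributes,
    direct identifier removed."""
    return [{"token": tokenise(r["email"]), "visits": r["visits"]} for r in records]


def reidentify_by_guessing(shared, candidates, tokenise):
    """Dictionary attack available to whoever holds `shared`: tokenise each
    candidate with whatever function they can compute and look for matches.
    Returns {token: identifier} for every hit."""
    lookup = {tokenise(c): c for c in candidates}
    return {row["token"]: lookup[row["token"]]
            for row in shared if row["token"] in lookup}


def run_scenario(key=None):
    """Compare what a recipient can recover from unkeyed vs keyed tokens, and
    what the key holder can recover. Returns the counts for each case."""
    key = key or secrets.token_bytes(32)  # high-entropy key held by the controller only

    unkeyed_shared = share(SOURCE_RECORDS, unkeyed_token)
    keyed_shared = share(SOURCE_RECORDS, lambda e: keyed_token(e, key))

    # Recipient (no key) attacks the unkeyed tokens with plain SHA-256: full recovery.
    unkeyed_hits = reidentify_by_guessing(unkeyed_shared, CANDIDATE_EMAILS, unkeyed_token)
    # Recipient (no key) tries the same against keyed tokens: nothing collides.
    keyed_hits_no_key = reidentify_by_guessing(keyed_shared, CANDIDATE_EMAILS, unkeyed_token)
    # Key holder can of course reverse its own tokens by recomputing the HMAC.
    keyed_hits_with_key = reidentify_by_guessing(
        keyed_shared, CANDIDATE_EMAILS, lambda e: keyed_token(e, key))

    return {
        "records": len(SOURCE_RECORDS),
        "unkeyed_recovered_by_recipient": len(unkeyed_hits),
        "keyed_recovered_by_recipient": len(keyed_hits_no_key),
        "keyed_recovered_by_key_holder": len(keyed_hits_with_key),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Run it directly and it prints the counts for the three cases. The point is the asymmetry: the same tokens are personal data for the key holder and opaque to the recipient, which is the relative position the SRB reasoning turns on. Two things the example deliberately leaves to you: the key must be high-entropy and its custody enforced (an HMAC under a guessable key is no better than plain SHA-256), and tokenising the direct identifier does nothing about quasi-identifiers in the remaining attributes, which need their own assessment before you call the dataset non-personal in the recipient’s hands.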

Streamlining incident reporting (the single entry point)

If you are managing compliance for a multinational, you are likely juggling reports for GDPR, NIS2, DORA, and the Cyber Resilience Act. It is a fragmented mess of portals and forms. The Omnibus proposes a solution that sounds too good to be true: a Single Incident Reporting Entry Point.

Managed by ENISA

The proposal mandates a centralized platform, operated by ENISA (the EU Agency for Cybersecurity), to serve as the single entry point for incident notifications due under the EU’s digital laws, the GDPR, NIS2, DORA, and the Cyber Resilience Act among them.

  • Report once, share many: You submit one report regarding a cyber incident.
  • Automated triage: The platform routes the relevant data to the DPA (for GDPR), the CSIRT (for NIS2), or the financial regulator (for DORA).

This ENISA reporting infrastructure is the technical backbone of the proposal’s cross-border enforcement coordination. It removes the failure mode of reporting to one regulator and forgetting another, and it makes regulators more transparent to each other: if you report an incident to the financial regulator, the privacy regulator will know at once. Your timeline, scope, and root-cause narrative must therefore be consistent across every channel.

What DPOs and Privacy Counsels need to do now

The EU Digital Omnibus Regulation is a proposal with high political momentum. Waiting for the final text to be inked in the Official Journal is a strategy for followers, not leaders. Here is how you can pivot your DPO compliance updates 2026 strategy right now.

1. Don’t pause, pivot

The high-risk AI obligations delay is not a permission slip to stop your AI governance program. If you pause now, you lose momentum. Instead, use the time to deepen your testing and move from compliance checking to safety engineering. Use whatever extra months the final text grants to stress-test your AI systems against the draft harmonized standards and to fix what that testing finds. When the deadline finally hits, you will not just be compliant; you will have evidence that holds up.

2. Review your “small mid-cap” status

Work with your finance and legal teams to determine whether you fall under the “Small Mid-Cap” definition the final text references (commonly summarized as up to 499 employees and €100M turnover; check the actual thresholds). If you do, your compliance burden under the EU AI Act may drop significantly. Re-evaluate your vendor contracts too: if your vendors are SMCs, they may have different obligations than you assumed.

3. Update your incident response playbooks

Do not change your official policy to 96 hours yet; the law hasn’t passed. However, draft the “Version 2.0” playbook now.

  • Plan for high risk: Define exactly what “high risk” means for your organization, with worked criteria, so that each decision not to notify a breach under the new threshold is documented and defensible. Keep logging every breach internally regardless of whether it is notified.
  • Prepare for ENISA: Ensure your CISO and Privacy Office are speaking the same language. When the single portal opens, the “security” report and the “privacy” report are the same report. Inconsistencies will be flagged immediately.

4. Audit your data flows for the SRB defense

Look at your data lakes. Are there datasets you treat as personal data simply because someone else holds the key? Under the proposal, you may be able to reclassify such data for your own processing if you can prove that you have no reasonably likely means of re-identification. This could materially reduce your GDPR exposure for those datasets, without changing the key holder’s obligations.

Navigating DPO compliance updates 2026 in a new era

The EU Digital Omnibus Proposal is an acknowledgment that the first era of digital regulation (the era of move fast and regulate things) is over. We are entering the era of maturity.

For the privacy professional, this is your moment of ascension. You are no longer the person who says no because of a deadline. You are the strategist who says yes because you understand the landscape. You have the tools, you have the knowledge, and now, you finally have the time.

The EU digital rulebook 2026 is not a cage; it is a framework. And in the right hands, a framework is a ladder.

Are you ready to map these changes to your 2026 budget?
