EU Digital Omnibus: How EU Data, Cyber, and AI Rules Will Shift

In Short 

The Situation: On November 19, 2025, the European Commission published two "Digital Omnibus" proposals as part of a wider Digital Package: (i) a Digital Legislation Omnibus that amends and consolidates large parts of the European Union's existing digital rulebook—including the GDPR and ePrivacy Directive and key cybersecurity laws (in particular, the Network and Information Security Directive 2 ("NIS2 Directive"), the Digital Operational Resilience Act ("DORA"), the Critical Entities Resilience Directive ("CER"), and the Digital Identity Regulation); and (ii) a separate Digital Omnibus on AI that streamlines and partially delays elements of the EU AI Act. 

The Result: If adopted, the package would narrow and clarify the scope of "personal data," facilitate the use of EU personal data for AI training, rationalize cookie consent, raise thresholds and extend timelines for breach and incident notifications, and push back compliance deadlines for many high-risk AI systems. It would also consolidate parts of the EU data-access and data-sharing framework in the Data Act and reduce some cloud-switching burdens. 

Looking Ahead: The Digital Omnibus package represents a cautious and selective adjustment rather than a broad overhaul, primarily aiming to address inconsistencies and regulatory provisions that have proven ineffective in practice. While certain amendments may ease compliance for companies in specific areas, the overall scope of the changes remains targeted rather than comprehensive. For entities, this means the compliance landscape is unlikely to shift dramatically.

The Most Relevant Aspects of the Digital Omnibus Regarding the GDPR, the ePrivacy Directive, and EU Cybersecurity Laws  

The Digital Omnibus proposes targeted amendments to simplify and clarify the GDPR, to overhaul the so-called cookie rules in the ePrivacy Directive, and to establish a single entry point for incident-related reporting obligations. The proposed Digital Omnibus: 

  • Refines the definition of personal data by codifying a more "relative" concept of personal data. The proposal clarifies that information qualifies as personal data only if the current holder can identify the data subject with the means reasonably available to it. The ability of a subsequent recipient to identify the data subject (making it personal data) does not render the data personal for the current holder. 
  • Introduces exemptions for processing special-category data under Article 9 GDPR, allowing: (i) residual processing for developing and operating AI systems or models; and (ii) processing biometric data under the user's sole control for identification. 
  • Recognizes processing for AI development and operation as a legitimate interest (Article 6(1)(f) GDPR), while EU Member State law may still require consent.  
  • Limits abusive data subject access requests by clarifying that Article 15 GDPR may not be misused for purposes unrelated to the protection of the data subject's data (e.g., solely to seek compensation or cause harm). 
  • Expands the information obligation exemptions in Article 13 GDPR, where processing is unlikely to create a high risk and there are reasonable grounds to assume the data subject already knows the controller's identity, contact details, and purposes. 
  • Confirms compatibility of processing for archiving, scientific research, or statistical purposes under Article 5(1)(b) GDPR, if Article 89(1) GDPR safeguards are met (including anonymization or pseudonymization where possible), and clarifies the definition of "scientific research."  
  • Streamlines data and cyber incident reporting by introducing a higher threshold for data breach notifications (high-risk cases only), extending the notification deadline from 72 to 96 hours, and introducing reporting via a single EU portal piloted by ENISA, covering incidents not only under the GDPR but also the NIS2 Directive, DORA, eIDAS, and CER. The portal will be ready for reporting within 18 months of the Omnibus's entry into force. 
  • Streamlines regulations on cookies by moving relevant ePrivacy rules into the GDPR and aligning the legal basis for the use of cookies involving personal data with those of the GDPR. While consent remains the default for storing or accessing information on terminal equipment (including cookies), the Digital Omnibus would introduce a closed list of low-risk purposes for which such storing or access, and any subsequent processing, are exempt from consent. This would replace the current, more fragmented ePrivacy-based approach with a framework internal to the GDPR's normative logic. The Digital Omnibus would also create a technical framework under which consent, refusal, and objections are expressed through automated, machine-readable signals that controllers must honor, and require non-SME browser providers to support these signals. 

The Most Relevant Aspects of the Digital Omnibus on AI 

Key amendments proposed to the AI Act include: 

  • New timelines for when high-risk AI systems must comply with EU rules. For high-risk AI systems listed in Annex III, the obligations would apply no later than December 2, 2027. For high-risk AI systems covered by sector‑specific product legislation in Annex I, the deadline is August 2, 2028. However, if the European Commission concludes that the necessary standards, common specifications, or guidance are in place, the rules could take effect sooner: six months after that decision for Annex III high-risk AI systems, and 12 months after for Annex I high-risk AI systems.
  • Removal of registration requirements for Annex III systems not deemed as high-risk. Currently, companies that determine their system as not high‑risk must register this in the EU database. 
  • Permission to process special-category personal data (Article 9 GDPR) to de-bias AI systems. The Digital Omnibus on AI extends the de‑biasing exemption beyond high‑risk AI to other types of AI systems and AI models.
  • A transfer of the AI literacy obligation from companies to the EU Commission and EU Member States, removing the direct obligation on providers and deployers.
  • Reinforcement of the AI Office's competence over AI systems based on general-purpose models when both the model and system are provided by the same provider (excluding AI systems related to Annex I products), and AI systems integrated into designated very large online platforms and very large online search engines.
  • Broader use of AI regulatory sandboxes by empowering the AI Office to establish an EU-level sandbox for systems within its supervisory remit and by strengthening requirements for cross-border cooperation among national sandboxes. The framework for real-world testing is also expanded, allowing such testing for additional categories of high-risk systems. 

The Most Relevant Aspects of the Digital Omnibus with Respect to the Data Act 

The proposed amendments to the Data Act are intended to introduce stronger safeguards for entities and greater clarity in data governance. Companies would gain the right to refuse data sharing where there is a substantial risk of trade secrets being misused, particularly in jurisdictions with weaker protections. Business‑to‑government data requests are narrowed from "exceptional need" to strictly defined "public emergencies," with microenterprises and small businesses entitled to compensation for compliance costs. At the same time, three existing instruments—the Free Flow of Non‑Personal Data Regulation, the Data Governance Act, and the Open Data Directive—are consolidated into the Data Act, creating a single, coherent framework for reuse of public-sector information. 

Furthermore, the mandatory regime for data intermediary services is replaced with a voluntary certification system, supported by an EU register of recognized data intermediation service providers and recognized data altruism organizations. Legal uncertainties around smart contracts are resolved by removing obligations on providers of smart contracts to comply with essential elements.  

Lastly, the Digital Omnibus also reduces cloud‑switching burdens for custom‑made services and for SME providers, provided the contracts were concluded on or before September 12, 2025. 

Immediate Action Required 

The Digital Omnibus Package still requires approval from the European Commission, European Parliament, and Council of the European Union. Entities should anticipate refinements rather than transformative changes. However, entities are advised to assess relevant processes to reduce risk of noncompliance and mitigate regulatory exposure.

Four Key Takeaways 

  1. GDPR and AI training are being rebalanced, not deregulated. The proposals clarify how EU personal data (including some special-category data) can be used to develop and operate AI systems and narrow the notion of "personal data" for some actors. This results in both opportunities (easier AI development) and new compliance expectations.
  2. High-risk AI gets more time, but the bar stays high. Extended deadlines and relaxed obligations buy time but do not mean a reprieve. Providers and deployers targeting the European Union should continue building AI Act compliance programs, using the extra time to prioritize high-risk systems and refine documentation and testing.
  3. Incident, cookie, and data protection impact assessment ("DPIA") regimes should become more manageable—eventually. A single incident-reporting entry point, harmonized DPIA triggers, and more pragmatic cookie rules should reduce friction in the medium term, but transitional complexity is inevitable. Companies should anticipate system and process changes to leverage these simplifications.
  4. This is the European Union signaling a more "competitive" digital rulebook, not abandoning enforcement. The Digital Omnibus package is framed as a competitiveness and simplification initiative, especially around AI, but enforcement of existing digital rules (in particular, GDPR, AI Act, Data Act, NIS2 Directive, DORA) will continue. In particular, companies located abroad and operating in or into the European Union should treat this shift as a strategic opportunity to streamline their EU compliance posture, rather than a reason to stand still.

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.