The Digital Omnibus Proposal and Its Impact on EU Digital Regulations

The European Union’s digital laws have long served as a benchmark worldwide, yet the steady growth of overlapping rules has raised concerns about competitiveness and increasing compliance costs. To address this, the European Commission has introduced the Digital Omnibus Proposal, a set of targeted amendments that simplify the application of major digital laws, including updates to the GDPR, changes to cookie and terminal-equipment rules, consolidation of data legislation, and complementary initiatives such as the European Business Wallet.

This blog explains the context behind the proposal, the issues it seeks to resolve, and why its changes matter, particularly for data protection and cookie compliance.

The proposal arises from a broader goal of creating a simpler and faster Europe by reducing regulatory load without weakening protection standards. 

The Commission acknowledges that years of layered digital rules, covering data, privacy, Artificial Intelligence, and cybersecurity, have created overlaps, inconsistencies and duplicated obligations.

Stakeholders repeatedly highlighted problems such as:

• Inconsistent interpretations of GDPR across Member States,
  
• Overlapping data-sharing and reporting obligations,
  
• Fragmented approach to cookies and consent,
  
• Ambiguity in how newer data laws fit together,
  
• Compliance fatigue and high administrative costs.

The Digital Omnibus is the Commission’s first step in a long-term “stress test” of digital legislation. It focuses on immediate technical amendments and repeals to simplify compliance, remove outdated laws, clarify interplays between laws, and cut costs for businesses while keeping high rights-protection standards intact.

The following are the key amendments proposed under the EU Digital Omnibus package:

Merging and streamlining the data rulebook

Over the last few years, the EU has enacted several major data laws:

• Data Governance Act (2022)
  
• Data Act (2023)
  
• Free Flow of Non-Personal Data Regulation (2018)
  
• Open Data Directive (2019)
  
• General Data Protection Regulation (2018)

These instruments overlap, creating confusion for public bodies, data holders, and data re-users. The Digital Omnibus proposes to consolidate DGA, FFDR, and the Open Data Directive into the Data Act, creating one unified instrument for data sharing and public-sector data re-use. The GDPR remains a separate law, but is amended and interconnected with the revised Data Act.

This consolidation:

• Eliminates duplicate definitions
  
• Aligns rules for the re-use of public sector information
  
• Updates protections for trade secrets in cross-border data sharing
  
• Streamlines obligations for cloud switching
  
• Converts strict regimes (e.g., for data intermediation services) into voluntary ones

The aim is a coherent and consistent “data economy” framework that is easier for businesses to follow.

A single entry point for incident reporting

EU laws such as NIS2, GDPR, DORA, eIDAS, CER, and others require entities to report cybersecurity or personal-data incidents. 

Currently, this means sending similar information to multiple authorities through different systems. To tackle this, the Digital Omnibus creates a single-entry reporting platform, operated by ENISA, that businesses will use to fulfil multiple reporting obligations at once.

This “report once, use many times” model significantly reduces administrative burden, which is one of the biggest practical pain points for companies.

Targeted amendments to the GDPR

The proposal introduces several clarifications and adjustments to reduce compliance friction while keeping protections intact, including:

• A clearer definition of personal data and guidance on pseudonymisation
  
• Reduced compliance burden through clearer rules on when data protection impact assessments are required and when data breaches must be reported to regulators
  
• EU-wide common and public list of circumstances for DPIA and breach notification instead of fragmented national ones
  
• Specific rules enabling AI training with residual special-category data under strict safeguards
  
• Clearer rules for biometric verification

A new framework for cookies and device-level data

The Omnibus moves rules on accessing or storing personal data on terminal equipment (cookies and similar technologies) fully under the GDPR.
Key changes include:

• Unified regime for cookies instead of the current split between the ePrivacy Directive and GDPR
  
• Defined list of purposes that do not require consent
  
• Mandatory respect for users’ refusals for a set period
  
• Future system of automated, machine-readable consent signals (via browsers or similar tools)
  
• Exemptions for media service providers due to their reliance on advertising revenue

Adjustments to data-sharing rules and trade secret protections

The proposal strengthens safeguards for trade secrets when data is shared with entities in third countries. It also:

• Narrows the Data Act’s business-to-government data-sharing regime to public emergencies,
  
• Reduces burdens for SMEs and small mid-caps,
  
• Makes the data-intermediation services regime voluntary instead of mandatory.

Removal of outdated or duplicated legislation

The proposal repeals:

• P2B Regulation, now largely overtaken by the DMA and DSA
  
• Free Flow of Non-Personal Data Regulation
  
• Data Governance Act
  
• Open Data Directive

The aim is to eliminate legal overlap and reduce confusion caused by outdated references.

Key Digital Omnibus amendments to the Artificial Intelligence Act

The Digital Omnibus Package also introduces a set of focused updates to the EU’s Artificial Intelligence Act to make its roll-out more practical and predictable. 

The proposal postpones the applicability of high-risk system requirements, expands access to regulatory sandboxes and real-world testing, and clarifies how the AI Act aligns with existing medical device rules under the MDR and IVDR. 

It also simplifies conformity assessments, introduces relief measures for small mid-caps, and creates a clearer legal basis for processing sensitive data when needed to detect and correct bias.

Together, these adjustments aim to ease implementation, reduce administrative friction, and support safer, more effective development of AI-enabled technologies across the EU.

Complementary initiative: European Business Wallet

Alongside the Digital Omnibus, the Commission also proposes the concept of  European Business Wallets.

These will allow companies to:

• Digitally verify identity,
  
• Sign documents,
  
• Exchange certified information securely across borders.

This initiative makes regulatory compliance easier, especially for SMEs.

Today, cookie use is governed by two separate laws: the ePrivacy Directive controls the act of placing or accessing information on a user’s device, while the GDPR governs what happens to the personal data collected through those cookies. 

This split has led to confusing rules, inconsistent enforcement, and growing consent fatigue for users. The Digital Omnibus resolves this by moving the entire regulation of cookie-related personal data under the GDPR.

It also proposes one-click automated, machine-readable consent signals. Once technical standards are created, browsers and applications will be able to communicate a user’s choices directly to websites, and controllers will be required to honour them after a short transition period. This shifts consent away from repetitive pop-ups toward user-controlled settings. 

However, media service providers are not required to follow automated signals, so they can continue engaging users directly, given their reliance on advertising revenue.

Cookie banners will still exist, but they are expected to become less frequent and less intrusive, as the Omnibus shifts control toward user-managed settings and clearer rules on when consent is actually required.

Here is why Digital Omnibus matters in the EU:

Businesses

• Lower compliance costs for SMEs and SMCs.
  
• Businesses will only have to follow two laws instead of five: GDPR and the Data Act.
  
• Greater legal certainty, especially in AI development and data analytics.
  
• Better protection for trade secrets
  
• Simplified cookie consent requirements
  
• More opportunities for innovations

Individuals

• Control over data, user-friendly cookie consent designs and more meaningful choices.
  
• Stricter enforcement with higher fines by transferring the cookie-related provision from the e-Privacy Directive to the GDPR.
  
• Greater control over data processed from devices and AI-related systems.

Digital market

• Competition boost, by empowering SMEs and limiting overwhelming advantages held by very large gatekeeper platforms.
  
• More efficient public-sector data re-use, with harmonised rules across the EU.
  
• Strong privacy baseline maintained, even as innovation is encouraged.

Safna

Safna is the resident data privacy writer at CookieYes, where she breaks down privacy laws into actionable insights for businesses. The rest of her time is a mix of music, movies, and hot chocolate.