One Package to Reform Them All

The European Commission has attempted something that few believed possible: consolidating reforms to the General Data Protection Regulation (GDPR), the ePrivacy Directive, the Data Act, the Network and Information Security Directive (NIS2), and the EU Artificial Intelligence Act into a single legislative package. The Digital Omnibus, formally proposed on November 19, 2025, represents the most ambitious regulatory recalibration in European digital policy since the GDPR itself took effect in 2018.

The stated rationale is simplification. Commission President Ursula von der Leyen has framed the package as a response to persistent complaints from European businesses — particularly small and medium enterprises — that the EU’s layered digital regulations have become an unnavigable compliance burden. Executive Vice-President for Tech Sovereignty Henna Virkkunen, who presented the package alongside Commissioners Valdis Dombrovskis and Michael McGrath, stated that the Digital Omnibus aims to “get rid of regulatory clutter” so that businesses can “spend less time on administrative work and compliance and more on innovating and scaling up.”

The Commission estimates that the simplification measures could save businesses up to EUR 5 billion in administrative costs by 2029, with a target of reducing administrative burdens by at least 25% for all businesses and 35% for SMEs by the end of that year. If European Business Wallets — a companion proposal in the broader Digital Package — are adopted, the Commission projects additional savings of up to EUR 150 billion annually.

But the Digital Omnibus is not merely a technical cleanup. It contains substantive policy changes that have alarmed data protection advocates, consumer groups, and some member state regulators. The package delays certain high-risk AI obligations by up to 16 months, introduces a specific legal basis for processing personal data for AI model training under “legitimate interest,” and moves cookie consent rules from the ePrivacy framework into the GDPR itself.

The scope of the package is remarkable. It touches virtually every aspect of European digital regulation, from cookie consent banners to critical infrastructure cybersecurity requirements. Understanding what it changes — and what it doesn’t — requires examining each component in detail.

GDPR: Simplification or Erosion?

The GDPR reforms within the Digital Omnibus have generated the most controversy. The regulation, which has served as the global gold standard for data protection since 2018, would be modified in several significant ways.

The most consequential change involves personal data processing for AI. A new Article 88c would confirm that the development and operation of AI models may be pursued as a legitimate interest under Article 6(1)(f) of the GDPR, provided that certain conditions are met — including conducting a balancing test, ensuring data minimization, protecting against disclosure of residual data, and providing individuals with an unconditional right to opt out. The Digital Omnibus also proposes a specific derogation allowing the processing of special category data (such as ethnicity, health, or sexual orientation) for AI training, provided that controllers attempt to identify and remove such data from training sets, or use methods to prevent its disclosure in outputs where removal would be disproportionate.

The EDPB and EDPS noted in their Joint Opinion 2/2026, adopted on February 11, 2026, that the legitimate interest provision for AI is largely unnecessary because they have already confirmed through their own guidance that legitimate interest can serve as a valid legal basis for AI model development. Their concern is that codifying it in this way could be interpreted as creating a broader exemption than what currently exists under case law.

For SMEs and small mid-cap companies (SMCs, defined as up to 750 employees or EUR 150 million turnover), the Omnibus extends several compliance reliefs. The threshold for the record-keeping exemption under Article 30(5) would rise from enterprises with fewer than 250 employees to those with fewer than 750 employees — provided the processing does not pose a high risk to individuals’ rights. SMCs would also benefit from streamlined technical documentation requirements for high-risk AI systems, and fines for SMCs would be calculated using the same reduced formula currently applied to SMEs.

The EDPB and EDPS issued their joint opinion expressing both support for certain simplification measures and “serious concerns” that some proposals could “adversely affect the level of protection enjoyed by individuals, create legal uncertainty and make data protection law more difficult to apply.” They strongly urged co-legislators not to adopt the proposed changes to the definition of personal data, arguing that narrowing the concept goes far beyond a targeted amendment.

The Commission also proposes extending the deadline for GDPR breach notifications from 72 hours to 96 hours, harmonizing the threshold for mandatory reporting to supervisory authorities with the threshold for reporting to data subjects. The EDPB and EDPS actually support this change, noting it could reduce administrative burden without undermining individual protection.

Cookie consent requirements — the most visible and most complained-about aspect of European data protection — would be significantly restructured. The Omnibus moves cookie regulation from the ePrivacy Directive fully into the GDPR framework, and proposes a centralized consent management system. Under this approach, users would set data-sharing preferences once through their browser or operating system, and websites would be required to respect those machine-readable signals for at least six months. Low-risk cookies for security and basic analytics would not require consent banners, while marketing and tracking cookies would be managed through centralized browser preferences. This change has broad support from both industry and privacy advocates, though European publishers have raised concerns about the impact on their advertising revenue models.

AI Act: The 16-Month Delay

Perhaps the most strategically significant element of the Digital Omnibus is its treatment of the EU AI Act. The Act, which entered into force in August 2024, established a tiered regulatory framework for AI systems based on risk levels. The highest-risk categories — including AI used in critical infrastructure, law enforcement, and employment — face the most stringent requirements, including conformity assessments, mandatory risk management systems, and human oversight obligations.

The Omnibus proposes delaying the compliance deadline for these high-risk AI obligations by linking the application date to the availability of harmonized standards and support tools. Under the original AI Act, rules for standalone high-risk use cases (Annex III, covering areas like biometric identification and employment) were scheduled to apply from August 2, 2026. The Omnibus would allow the Commission to confirm when adequate compliance support is available, after which obligations apply within six months for Annex III systems and 12 months for AI embedded in regulated products (Annex I). Backstop dates ensure enforcement regardless: December 2, 2027 for Annex III systems and August 2, 2028 for Annex I systems — providing up to 16 months of additional preparation time.

The delay responds to a concrete problem: CEN and CENELEC, the European standards bodies tasked with developing harmonized standards for high-risk AI, missed their original August 2025 deadline, and standardization work remains ongoing. Without finalized standards, companies lack clear benchmarks against which to demonstrate compliance. Over thirty founders and venture investors signed an open letter arguing that the AI Act risks creating a “fragmented, unpredictable regulatory environment that will undermine innovation, discourage investment, and ultimately leave Europe behind.”

Critics see strategic motives beyond the technical justification. The delay coincides with intensifying competition from American and Chinese AI companies, several of which have cited EU compliance requirements as factors in their market entry decisions. By delaying the most burdensome requirements, the Commission appears to be responding to industry warnings that premature enforcement could widen the EU’s AI capability gap.

The delay does not apply to the AI Act’s prohibitions on unacceptable-risk practices — such as social scoring systems and real-time biometric surveillance in public spaces — which remain in effect. Nor does it affect the transparency requirements for general-purpose AI models, including labeling obligations for AI-generated content (though the compliance deadline for content labeling under Article 50(2) would be extended to February 2, 2027 for providers who placed systems on the market before August 2, 2026).


NIS2 and Cybersecurity: A Single-Entry Point

The cybersecurity components of the Digital Omnibus reflect a growing recognition that Europe’s cybersecurity regulatory framework has become fragmented to the point of counterproductivity.

The Network and Information Security Directive 2 (NIS2), which member states were required to transpose into national law by October 2024, has been implemented inconsistently across the bloc. Some member states have adopted expansive interpretations that capture a broad range of entities, while others have taken minimalist approaches. The result is that a company operating critical infrastructure across multiple EU member states may face substantially different cybersecurity requirements in each jurisdiction.

The Omnibus introduces a major structural reform: a single-entry point for incident reporting across multiple EU regulatory frameworks. A new Article 23a in NIS2 would establish a unified reporting interface, enabling businesses to satisfy notification obligations under NIS2, GDPR personal data breach requirements, DORA major ICT incident reports, eIDAS notifications, and CER Directive incidents through one secure portal. This addresses one of the most frequently cited compliance burdens — the requirement to file overlapping incident reports with multiple authorities under different timelines and formats.

The Omnibus also proposes targeted amendments to NIS2 aimed at simplifying jurisdictional rules, streamlining the collection of data on ransomware attacks, and facilitating the supervision of cross-border entities with ENISA playing a reinforced coordinating role. Under the NIS2-CSA2 alignment, EU cybersecurity certifications — including future entity-level schemes — could be used to demonstrate compliance with NIS2 risk-management duties.

The single-entry point measures would apply 18 months after entry into force, extendable to 24 months if needed. Cybersecurity professionals have generally welcomed the harmonization effort, though some have cautioned that the transition to a unified system must not create gaps during implementation.

The Data Act and ePrivacy Directive

The Digital Omnibus also touches the Data Act and the ePrivacy Directive, though the changes differ in scope and controversy.

For the Data Act, the Omnibus primarily addresses implementation concerns that have emerged since the Act entered into force. It introduces a lighter compliance regime for custom-made data processing services and for SME and SMC data processing service providers, refines cloud interoperability and switching requirements, and provides a more precise definition of “trade secrets” that can be withheld from data sharing obligations. It also introduces a dispute resolution mechanism for cases where data holders and data recipients disagree about access terms.

The ePrivacy changes are more consequential — and more contested. Rather than continuing to advance the stalled ePrivacy Regulation (which has failed to progress through the legislative process for years), the Omnibus effectively folds the most critical ePrivacy updates into the GDPR framework. Cookie regulation and rules governing electronic communications metadata and tracking technologies would move under the GDPR’s jurisdiction, with the centralized browser-based consent mechanism replacing the current site-by-site consent model.

This legislative maneuver has drawn sharp criticism. European Digital Rights (EDRi) and other civil society organizations have argued that the Commission is circumventing the ordinary legislative procedure by bundling ePrivacy reforms into a broader package, avoiding the full parliamentary scrutiny that a standalone regulation would receive. Privacy advocacy group noyb has published a detailed analysis arguing that the Digital Omnibus represents a “major rollback of EU digital protections.” The EDPB and EDPS have also raised concerns about the risk that this approach resolves contested ePrivacy issues “indirectly and without full debate.”

Implications for Global Companies

For multinational corporations operating in or serving the European market, the Digital Omnibus creates both opportunities and uncertainties.

The simplification elements — centralized consent management, a single-entry point for incident reporting, harmonized cybersecurity baselines — represent genuine compliance cost reductions. Companies that have invested heavily in EU regulatory compliance infrastructure may find that some of those investments become less necessary, freeing resources for other purposes.

However, the transitional uncertainty is significant. Until the Omnibus completes the legislative process — which could take 18 to 24 months given the need for European Parliament and Council approval — companies must continue complying with existing regulations while simultaneously preparing for potential changes. Post-adoption feedback periods on both Omnibus proposals run until March 9, 2026, alongside the broader Digital Fitness Check consultation open until March 11, 2026.

The AI Act delay is particularly consequential for American and Asian technology companies that have been developing EU-compliant AI systems. Companies that accelerated their compliance efforts to meet the original August 2026 deadline may find themselves competing against companies that adopted a wait-and-see approach, as the extended timeline provides latecomers with more time to implement at lower cost.

For data protection professionals globally, the GDPR changes signal a potential shift in the direction of global data protection law. The GDPR has served as a template for data protection legislation in dozens of countries — including Algeria’s Law No. 18-07. If the EU modifies its own framework to facilitate AI development, the ripple effects could be felt in every jurisdiction that has modeled its laws on the European approach.

The legislative process is now in its early stages. MEPs will discuss the package and may table amendments, with EU institutions feeling particular pressure to reach consensus on the AI Omnibus proposal before August 2, 2026 — the original date for full application of high-risk rules. The Parliament has historically been more protective of individual rights than the Commission, and significant amendments are expected. The final shape of the Digital Omnibus will likely look quite different from the Commission’s proposal — but the direction of travel toward regulatory simplification appears firmly established.


🧭 Decision Radar (Algeria Lens)

Dimension: Assessment

Relevance for Algeria: High — Algeria’s Law No. 18-07 on personal data protection is modeled on European frameworks. Changes to GDPR legitimate interest provisions and AI training data rules will influence how Algeria’s ANPDP interprets its own regulations, and affect Algerian companies doing business with EU partners.

Infrastructure Ready?: Partial — Algeria’s ANPDP is operational and enforcement of Law 18-07 is underway, but the country lacks the harmonized standards bodies and certification infrastructure that the EU Omnibus relies on for compliance passporting.

Skills Available?: Partial — Algeria has growing legal and IT compliance expertise, but limited specialized capacity in EU AI Act conformity assessment, cross-framework cybersecurity compliance, and multilateral data governance.

Action Timeline: 12-24 months — The Omnibus is still in legislative process and unlikely to be finalized before late 2027. Algerian regulators and businesses should monitor developments but have time to prepare.

Key Stakeholders: ANPDP (data protection authority), Ministry of Digitalization, Algerian tech companies serving EU markets, telecom operators, legal and compliance professionals

Decision Type: Strategic — Algeria must decide whether to align its data protection framework with the evolving EU model or maintain the current approach as the EU potentially loosens its own rules.

Quick Take: The Digital Omnibus signals that Europe is willing to trade some data protection rigor for AI competitiveness. For Algeria, which adopted EU-inspired data protection rules, this creates a strategic question: follow the EU’s simplification path to maintain regulatory compatibility, or maintain stricter protections as the EU retreats. Algerian companies serving European clients should begin monitoring the Omnibus process now, as changes to GDPR legitimate interest and AI training rules will directly affect cross-border data flows.
