Skadden, Arps, Slate, Meagher & Flom LLP and Affiliates

Commission Proposes Significant Changes to EU Digital Rules – First Impressions

Skadden Publication / Cybersecurity and Data Privacy Update

William E. Ridgway David A. Simon Nicola Kerr-Shaw Susanne Werry Aleksander J. Aleksiev Kata Éles Alex Smallwood Alberto F. Vogel

Executive Summary

  • Whats new: On 19 November 2025, the European Commission (EC) released a package of proposed changes to EU digital rules (the Digital Omnibus).
  • Why it matters: The Digital Omnibus introduces wide-ranging measures aimed at reducing the burden of the EU’s digital legislative framework, including through amendments to the GDPR, AI Act and Data Act.
  • What to do next: Though the text will likely change substantially as the updates move through the EU legislative process before the proposal becomes law, given the significant changes currently suggested, companies should consider reviewing the proposals, tracking their implementation and assessing opportunities to simplify company compliance programs.

__________

On 19 November 2025, the EC released a proposal for the Digital Omnibus regulation, which is a set of suggested changes to the EU rules that govern the digital sector. The proposed expansive updates would introduce amendments to the General Data Protection Regulation (GDPR), AI Act and Data Act in order to reduce the regulatory burdens of the EU’s digital regime.

Context

The Digital Omnibus builds on the Draghi Report (released in 2024) and the EC’s Competitiveness Compass (released earlier in 2025), which identified a need to simplify EU digital rules to reduce barriers to innovation. In some respects, the Digital Omnibus reflects simplifications recently made to the UK’s digital legislation (see our 1 July 2025 client alert for details about those changes).

The Digital Omnibus consists of two parts:

  1.  A proposal focused on the AI Act (AI Omnibus).
  2. A proposal focused on EU data rules such as the General Data Protection Regulation and Data Act (Data Omnibus).

Below, we summarize the key points from both proposals.

The AI Omnibus

The AI Omnibus proposes changes to the AI Act aimed at reducing administrative and compliance costs, including:

  • Delaying application of certain high-risk AI obligations. The AI Omnibus “stops the clock” on the application of the AI Act’s obligations for high-risk AI systems.
    • These obligations, originally set to apply starting 2 August 2026 (for Annex III systems) and 2 August 2027 (for Annex I systems), would now apply from 2 December 2027 (for Annex III systems) and 2 August 2028 (for Annex I systems).
    • This postponement addresses concerns related to timing of the publication of AI Act technical standards, and the Digital Omnibus empowers the EC to bring the compliance deadlines forward if officials issue those technical standards earlier than expected.
  • Extending the simplified regime for SMEs to more enterprises. The AI Omnibus proposes extending the simplified regime that applies to small or medium-sized enterprises (SMEs) that provide high-risk AI systems to small mid-cap enterprises (SMCs) — which are entities with fewer than 750 employees and less than €150 million in revenue. SMCs, which are larger than SMEs, would also benefit from a privileged treatment in the calculation of fines under the AI Act.
  • Removing AI literacy requirements. The AI Omnibus proposes to remove the AI Act’s “AI literacy” obligation for providers and deployers of AI systems.

Changes to Data and Privacy Laws

The Data Omnibus also proposes changes to the EU’s data laws to promote a more “innovation-friendly” approach.

  • Cookie rules: The Digital Omnibus proposes amending the regime governing cookies and similar technologies to: (i) introduce new exceptions to cookie consent requirements, including an exception for cookies used for statistics or security purposes; and (ii) require controllers to accept and respect individuals’ preferences expressed in a machine-readable manner through online interfaces (e.g., web browser settings).
  • AI training: The Digital Omnibus adds a recital to the GDPR clarifying that “legitimate interest” can be an appropriate legal basis for AI training and use. The new provision also proposes an exemption in Article 9 of the GDPR to allow the processing of special categories of personal data for the development and use of AI systems and models, subject to certain conditions.
  • Incident response: The Digital Omnibus proposes to extend the GDPR notification window to 96 hours and increase the threshold that triggers reporting. The Digital Omnibus also proposes a new EU-wide incident reporting portal, managed by ENISA, that would streamline cyber notifications under key laws (e.g., GDPR, NIS2, the Digital Operational Resilience Act (DORA) and the Critical Entities Resilience (CER) Directive) — though companies will need to carefully assess whether using this unified reporting platform will make it harder to “pick and choose” which EU regulators to notify and what to tell them.
  • Personal data: The Data Omnibus proposes narrowing the GDPR’s definition of personal data to exclude data held by an entity that does not have “means reasonably likely to be used to identify” the individual to whom the information relates. This proposed amendment seeks to explicitly incorporate the position of the Court of Justice of the European Union (CJEU) in SRB into the GDPR (for more details on the CJEU’s position in SRB, see our 3 November 2025 client alert).
  • Data subject access rights: The Data Omnibus proposes allowing controllers to refuse a GDPR data subject access request (DSAR) if the request is an “abuse of the rights conferred” by the GDPR. Companies will likely argue that the new wording prevents the (mis)use of DSARs during disputes (e.g., the widespread use of DSARs for litigation fishing exercises), but because the proposed updates do not define what is “abusive”, we will need to see whether regulators accept this interpretation.
  • Data Act application: The Digital Omnibus proposes (i) removing the Data Act’s requirements regarding the use of “smart contracts” for data-sharing agreements and (ii) exempting certain custom-made data processing services put in place before 12 September 2025 from the Data Act’s “switching” obligations. Similar to the proposed scope of the AI Omnibus described above, the Digital Omnibus would extend to SMCs the simplified Data Act regime currently applicable to SMEs.
  • Repeals: The Digital Omnibus proposes consolidating a series of minor data laws into the Data Act, namely (i) the Data Governance Act (DGA), (ii) Regulation (EU) 2018/1807 on a Framework for the Free Flow of Non-Personal Data in the EU, (iii) the Open Data Directive and (iv) the EU Regulation on Platform-to-Business Relations.

What Is Not Addressed

While the Digital Omnibus proposals represent welcome simplification, the proposals do not overhaul the current regulatory regime and are less ambitious than many companies may ideally desire given the scale of the issues identified in the Draghi Report. For example, the Digital Omnibus does not substantially address:

  • Fragmentation and inconsistency in the interpretation and enforcement of the GDPR across EU member states — an issue that the Draghi Report warned “undermines the EU’s digital goals”.
  • The broad interpretation by the CJEU of the GDPR’s protections for “special category data”. (Leaked drafts of the Digital Omnibus included wording that proposed to address this, but that wording has not been included in the final version.)
  • Simplification of the most paperwork-intensive GDPR obligations such as international data transfer assessments, legitimate interests assessments, data protection impact assessments and data processing contract terms.
  • Inconsistencies in EU incident reporting triggers, thresholds and time frames.
  • The uncertainty and operational challenge that companies face when attempting to reconcile the EU’s often overlapping and conflicting set of digital regulations. For a recent example, see our 30 October 2025 client alert on the interaction between the DSA and the GDPR.
  • Other related laws, such as EU cybersecurity, competition, content moderation and IP laws.

Next Steps

The legislative process for the Digital Omnibus package is now underway, and the European Parliament and the Council of the European Union will negotiate to produce the final provisions. Although the text is likely to change between now and the finalization of the new rules, companies should track progress of the Digital Omnibus and identify opportunities to update or simplify their current compliance practices in light of the anticipated reforms — for example, by reprioritizing AI Act compliance projects in light of the likely delay, or considering how the new AI training provisions allow additional data to be used to train AI models.

This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.

BACK TO TOP