Background
On 19 November 2025, the European Commission published a proposal for a “Digital Omnibus Regulation”. According to the proposal, the aim is to simplify the EU’s digital legal framework, reduce administrative costs and make the application of existing rules clearer and more efficient, without changing the underlying protection goals. The proposal affects, among other things, the GDPR, the ePrivacy Directive, the Data Act, cybersecurity rules and other digital-law instruments.
The Commission expressly describes the proposal as a first step in a broader “stress test” of the digital rulebook. Companies, public administrations and citizens are intended to benefit from short-term relief, while competitiveness, innovation and legal certainty are to be strengthened.
What the proposal provides for
According to the explanatory memorandum, several older legal instruments are to be consolidated or repealed. The proposal specifically refers to the Regulation on the free flow of non-personal data, the Data Governance Act and the Open Data Directive, whose contents are to be transferred into the Data Act and streamlined there. The annexes include correspondence tables mapping the previous instruments to the new provisions in the Data Act.
The Commission also intends to introduce targeted clarifications in data protection law. These include, among other things, clarifications of key definitions, facilitation of compliance obligations, clarification regarding the processing of pseudonymised data, notifications of personal data breaches, and certain aspects of data processing for the development and training of AI. Scientific research and an expansion of exemptions from information obligations are also addressed.
Another key focus concerns cookie banners and what the Commission describes as “consent fatigue”. The proposal highlights the burden created by banners and the related compliance costs for providers, and announces a regulatory solution in the interaction between ePrivacy and the GDPR. In addition, the reporting of cybersecurity incidents is to be streamlined through a single reporting mechanism.
Why this matters in practice
For companies, the proposal is particularly relevant because it aims to reduce overlap, improve coherence and lower implementation costs. This affects data-driven business models, online services, AI development, cloud and platform offerings, as well as organisations with complex data protection and governance processes.
At the same time, this is currently only a legislative proposal by the Commission, not law already in force. Which simplifications will actually be adopted depends on the further legislative process. However, the source text already clearly shows the direction of travel: less fragmented rules, more clarity in application and a more streamlined digital compliance framework in the EU.
To the point
- The European Commission proposes a “Digital Omnibus Regulation” to simplify the digital legal framework.
- The proposal affects, among other things, the GDPR, ePrivacy, the Data Act and cybersecurity incident reporting.
- Older data-law instruments are to be partly repealed and consolidated into the Data Act.
- The proposal announces clarifications on data protection, AI training, scientific research and cookie banners.
- For companies, the main practical relevance is the intended reduction of compliance burdens and legal fragmentation.
- The proposal is not yet applicable law, but part of the ongoing EU legislative process.