Proposed Changes to the GDPR and EU AI Act

On 19 November, the European Commission published its Digital Omnibus, a package of targeted amendments to key EU digital laws, most notably the GDPR and the EU AI Act.

It’s important to remember that these are proposals, not law. The next stage is formal Trilogue negotiations between the Commission, the Council (including Member State ratification), and the Parliament.

🤔 Why Is the Commission Proposing Changes?

There are several drivers behind the amendments, which broadly fall into three categories:

1️⃣ Increasing Complexity & Regulatory Overlap

EU digital legislation has expanded rapidly in both number and complexity. This has increased the regulatory burden on businesses, created overlapping obligations, and introduced inconsistencies across different laws.

2️⃣ Pressure from US and EU companies and countries

Many major US tech companies have warned that the EU AI Act, particularly its high-risk obligations, is too burdensome. 46 major European companies (Airbus, Lufthansa, Mercedes-Benz etc) signed an open letter asking for a two-year pause before the high-risk obligations kick in. Officials in Copenhagen declared that the AI Act is overly complex and called for “genuine simplification”.

3️⃣ Need for Technical Standards

The EU AI Act sets out the legal framework but lacks technical detail. That detail is meant to come from harmonised standards, which clarify exactly how companies can meet legal requirements. Think of it like this:

  • The law says a car must be safe.
  • The standard defines what safe means (eg braking distance X, tyre thickness Y).

Until standards are finalised, compliance is difficult – hence the proposed delay.

📌 Key Changes

1. 📄 DSARs – Ability to Refuse Requests Made for Non‑Data‑Protection Purposes

Currently, under the GDPR, businesses may refuse DSARs that are “manifestly unfounded or excessive.” The Digital Omnibus proposes expanding this by allowing refusal where a DSAR is made for reasons unrelated to data protection. Caveats still apply:

  • Organisations must notify the individual about the refusal.
  • The decision must be documented internally.
  • The organisation must be prepared to justify the refusal if challenged.

This is a business‑friendly clarification but does not remove accountability.

2. 🧠 AI Literacy – Shift of Responsibility

Under Article 4 of the existing EU AI Act: “Providers and deployers of AI systems shall take measures to ensure … a sufficient level of AI literacy of their staff.” This obligation has been in force since February 2025.

The Omnibus proposes shifting the responsibility to the European Commission and Member States, who will now be required to encourage organisations to maintain AI literacy. However:

  • Companies deploying high-risk AI systems must still ensure that staff interacting with those systems are competent.
  • Training remains essential in practice.
  • This mirrors GDPR: training wasn’t explicitly required, but nearly all organisations implemented it.

3. 🏛️ Legitimate Interest can be a legal basis for AI training and use

The Digital Omnibus proposes adding a further recital to the GDPR clarifying that “legitimate interest” can be an appropriate legal basis for AI training and use.

It also introduces a new, limited exemption under Article 9 GDPR allowing the processing of special category data for developing and using AI systems when strict conditions are met. Note this is not a blanket permission; it provides narrow permission under strict conditions.

4. 🗓️ High-Risk AI Obligations – Changes to the Compliance Timeline

There are two categories of high-risk AI systems under the EU AI Act:

  • Annex III – high‑risk based on use case (eg biometrics, education, employment).
  • Annex I – high‑risk based on product safety legislation (eg AI in medical devices, cars, planes).

🔸 Annex III – Current Law

  • High-risk obligations begin 2 August 2026.
  • Systems already in operation before that date only need to comply if they undergo a significant change.

🔸 Annex III – Proposed Change

The Omnibus proposes removing the 2 August 2026 date, replacing it with:

  • a compliance deadline 6 months after standards are approved, and
  • a long‑stop date of 2 December 2027.

If the Omnibus is not passed into law by 2 August 2026, then the original date still applies.

🔸 Annex I – Current Law

Compliance deadline currently: 2 August 2027.

🔸 Annex I – Proposed Change

  • Compliance deadline becomes 12 months after standards are approved.
  • Long‑stop date: 2 August 2028.

5. 🗂️ Registration of High-Risk AI Systems in Database: Narrower Scope

Currently, even if an AI system qualifies for a derogation (e.g., it only performs a narrow procedural task), organisations must still register it in the EU database if it falls into a high-risk category. The Omnibus proposes:

  • Only actual high-risk systems must be registered.
  • Systems that qualify for a derogation no longer require registration.

This reduces administrative burden significantly, though it also reduces transparency.

6. 🚨 Data Breach Reporting: 96 Hours Instead of 72 Hours

The Commission proposes extending the GDPR breach notification window from 72 hours to 96 hours. Additionally, the EDPB will create a common reporting template and clarify what constitutes a “high risk” to individuals.

7. 🧩 Single Entry Portal (SEP) for Incident Reporting

The Omnibus proposes a unified portal for incident reporting under multiple EU laws such as GDPR, NIS2 and DORA. The portal, operated by ENISA, will allow businesses to: “Report once, share many.” This significantly simplifies cross‑regulatory incident reporting.

8. 🍪 Cookies: Respecting the Refusal

Where a user refuses non‑essential cookies, organisations cannot ask again for 6 months. Websites will need technical updates to ensure that refusals are honoured. For data subjects, this represents a more hassle-free browsing experience, but will be viewed less favourably by business marketing teams.

9. 🔐 Personal Data: Contextual Definition

Data will only be considered personal if the receiving party can reasonably identify the individual. Example:

  • Party A sends pseudonymised data to Party B.
  • Party A keeps the key; Party B cannot identify individuals.

In this case, for Party B, the data is not personal data. This clarification may reduce the regulatory burden for some processors.

10. 📋 DPIAs: EU‑Wide Blacklist and Whitelist

DPIAs are required where processing is likely to result in a high risk to natural persons, e.g. large-scale processing of special category data.

Each Member State DPA issues its own national DPIA lists – setting out activities that require a DPIA (blacklist), and activities that do not require a DPIA (whitelist). However, this creates fragmentation across the EU, especially for multi-nationals. The Omnibus proposes that the EDPB will publish EU‑wide blacklists and whitelists to replace all national lists. This will create much‑needed harmonisation and make cross‑border compliance easier.

Final Thoughts

Many of the proposals put forward by the Digital Omnibus will bring about decreased regulatory burden for companies, once they become law.

However, some of the proposed changes provide only the appearance of an easier regulatory ride. While headlines focus on a “delay to the EU AI Act”, the fact remains that many of the provisions (eg those relating to prohibited AI and GPAI) are already in force, and while the Omnibus does propose delaying the high-risk obligations, the date of 2nd December 2027 is only a long-stop date. The intention of the Commission is that once harmonised standards are approved, they will trigger a 6-month compliance window for Annex III systems and a 12-month compliance window for Annex I systems.

This would represent a near impossible compliance task for companies with such systems, and it’s therefore prudent for many companies to start focussing on compliance now.

Further, should the Trilogue negotiations extend beyond 2nd August 2026, the current law applies, and the high-risk obligations for Annex III systems will enter into force on that date.
