Digital Omnibus: EU Moves to Relax AI & Privacy Rules


TL;DR

What it is: the EU Commission’s Digital Omnibus proposal, presented on November 19, 2025, to “simplify” EU digital regulation across the EU AI Act, GDPR regulation, privacy/tracking rules, the EU Data Act, and cyber reporting.

What it isn’t: not law yet, not in force, not a full rewrite of everything. It still needs Parliament + Council approval.

Why care: good for businesses (less overlap, less paperwork, less compliance costs), but risky for people: it may widen “legitimate interest” paths for AI training on personal data (less consent), delay some EU AI Act checks, and blur what counts as “personal/private data” via pseudonymisation/re-identification logic.

What to do now: even if the Digital Omnibus is still just a proposal, practice basic privacy hygiene – lock down browser tracking, trim app permissions, clean up accounts/inbox “data exhaust,” and make email your control point (secure email + aliases + encryption + safer recovery). More on this at the end of the article.

What The Digital Omnibus Is

The Digital Omnibus is an “omnibus regulation” proposal presented on November 19, 2025. It’s a single legislative instrument designed to amend multiple, distinct EU digital regulations at once. 

The Commission’s stated goal is to reduce compliance burden while keeping the underlying protections and outcomes. It explicitly links this to competitiveness – the feeling that Europe is doing a lot of regulating, but not always enough competing.

Current status and timelines

As of December 2025, the Digital Omnibus package is still at the proposal stage. It needs to move through the EU’s legislative process in the European Parliament and the Council before anything becomes binding law. Until that happens, the existing EU digital regulation stack remains the baseline.

Why It Exists: Forces Behind “Simplify Everything” Moment

Competitiveness push + “regulatory overload” + Draghi Report influence + politics.

For a decade, the EU acted like the world’s digital conscience. GDPR regulation became exportable law, the EU AI Act became headline-making AI regulation, and EU digital regulation turned into a global reference point.

By late 2024, however, the economic cost of this regulatory supremacy had become impossible to ignore. 

The "Digital Single Market" had morphed into a "Digital Compliance Market." While the US and Asia sprinted ahead in AI regulation news, European startups were drowning in a swamp of paperwork. That’s expensive and demoralizing. Engineers ship less; lawyers ship more.

The Draghi report: competitiveness alarm

The catalyst for the Digital Omnibus was a report by Mario Draghi (former Italian Prime Minister). He didn't mince words: Europe is missing the Fourth Industrial Revolution.

According to the report, the combined impact of the GDPR, Digital Services Act (DSA), Digital Markets Act (DMA), EU Data Act and EU AI Act has created a "compliance thicket" that killed any growth. 

The Draghi Report recommended a radical simplification of the rules.

Politics

And yes, politics is in the room, because AI is a capital race.

The EU wants AI investment, compute capacity, and startup growth. At the same time, the EU AI Act is a heavyweight rulebook that asks for documentation, risk management, and oversight that can feel brutal if you’re a small team.

Big Tech also successfully sold a terrifying narrative: "We cannot build world-class AI if we have to ask 450 million Europeans for permission to use their data."

Critics and privacy advocates are calling this anti-democratic. They argue that, under the guise of reforming and 'simplifying' the EU Data Act, the EU is handing over control to Silicon Valley and local tech giants, sacrificing citizens' privacy on the altar of GDP growth.

What it Changes (EU AI Act + GDPR + Privacy & Tracking + EU Data Act + Cyber)

The Digital Omnibus is a mix of edits meant to reduce collisions across EU digital regulation. It tries to make the rulebook simpler to follow, simpler to enforce, and (in theory) less annoying for humans.

But “simpler” can mean two very different things: fewer duplicate forms… or fewer hard limits.

3.1 EU AI Act: implementation gets “smoothed”

The Great Delay: buying time for industry.

The original timeline of the AI Act was aggressive, requiring high-risk systems to be compliant by August 2026. The Digital Omnibus admits this was unrealistic – the technical standards simply don't exist yet. Consequently, the Omnibus pushes compliance deadlines for High-Risk AI systems to August 2028 (general) and December 2027 (public sector).

This prevents a "compliance cliff" but leaves citizens unprotected for an additional two years.

Small Mid-Caps (SMCs): new protected class.

The Digital Omnibus extends simplified compliance support beyond SMEs to SMCs. That’s still not Big Tech, but it’s big enough to drown in paperwork.

A new beneficiary class, "Small Mid-Caps" (up to 499 employees or €100m turnover), will now enjoy the same regulatory relief as SMEs. This includes reduced documentation requirements, capped fines, and priority access to regulatory sandboxes.

Centralized governance: AI Office.

Authority over General Purpose AI (GPAI) models is centralized within the EU AI Office, removing power from national regulators and ensuring a unified European stance against US and Chinese tech giants.

3.2 GDPR Reform: “clarify + lighten”

Perhaps the most controversial section. The GDPR regulation (once the untouchable holy grail) is now open to surgery.

The “Relative” definition of personal data.

The proposal suggests that if a company strips your name but keeps your unique tracking ID (pseudonymization), the data might no longer be considered "personal" relative to them. This creates a massive gray area where your digital behavior could be shared freely.

“Legitimate Interest” for AI training.

Previously, companies needed your Consent. Now, the Digital Omnibus proposes that training AI models is a "Legitimate Interest." This means they don't have to ask permission to use your data; you have to figure out how to object to it.

Scientific research expansion.

The Omnibus expands the definition of "scientific research" to include commercial AI development that has a "research" component. Under the new rules, data collected for a commercial service (e.g., ride-hailing) can be reused for "scientific research" (e.g., training an autonomous driving AI) without asking for new consent.

3.3 Cookies + device access: the “banner reset button”

This is the Digital Omnibus part normal people will notice (if adopted): less banner theatre, more durable choices.

“One-click” mandate

The proposal mandates that a "Reject All" button must be as prominent as "Accept All" on cookie banners. This design aims to end "dark patterns" and is expected to significantly increase opt-out rates.

Machine-readable signals.

Browsers and OSs must now support automated signals (like Global Privacy Control). If a website detects this signal, it must treat it as a binding refusal of consent and cannot ask the user again for 6 months. This effectively moves the web toward a browser-level opt-out model.
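How a site could honour the signal on the server side, as an added example that is not from the proposal text or from any vendor's code: Global Privacy Control reaches the server as the `Sec-GPC: 1` request header, and the sketch below treats it as a refusal and suppresses the banner for the quiet period described above. The record shape, the function names and the 183-day approximation of "6 months" are assumptions.

```javascript
// Added example: consent decision that honours Global Privacy Control.
// Assumption: the proposal's "6 months" is approximated as 183 days.
const DAY_MS = 24 * 60 * 60 * 1000;
const QUIET_PERIOD_MS = 183 * DAY_MS;

// True only for the exact value "1". HTTP field names are case-insensitive,
// so the header name is compared in lower case.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'sec-gpc') return String(value).trim() === '1';
  }
  return false;
}

// record (hypothetical shape): the visitor's stored state, or null:
//   { status: 'granted' | 'refused', at: <epoch ms> }
// 'refused' here means a refusal recorded from the signal.
// Returns whether tracking may run, whether a banner may be shown,
// and the record to persist.
function consentDecision(headers, record, now) {
  if (hasGpcSignal(headers)) {
    // Signal present: binding refusal, even over an earlier grant.
    return { tracking: false, showBanner: false,
             record: { status: 'refused', at: now } };
  }
  if (record && record.status === 'refused') {
    if (now - record.at < QUIET_PERIOD_MS) {
      // Inside the quiet period: no tracking and no re-prompt.
      return { tracking: false, showBanner: false, record };
    }
    // Quiet period over: asking is allowed again, tracking still is not.
    return { tracking: false, showBanner: true, record: null };
  }
  if (record && record.status === 'granted') {
    return { tracking: true, showBanner: false, record };
  }
  // No signal and no stored choice: ask, and do not track until answered.
  return { tracking: false, showBanner: true, record: null };
}

// Constructed sample requests: a visitor who once accepted tracking turns
// GPC on, then comes back 30 and 200 days later without the header.
function demo() {
  const t0 = Date.UTC(2026, 0, 1);
  const first = consentDecision({ 'Sec-GPC': '1' },
                                { status: 'granted', at: t0 - DAY_MS }, t0);
  const later = consentDecision({}, first.record, t0 + 30 * DAY_MS);
  const expired = consentDecision({}, first.record, t0 + 200 * DAY_MS);
  return { first, later, expired };
}
```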

Audience measurement exemption.

To support publishers, first-party analytics (audience measurement) are now exempt from consent requirements, allowing basic metrics even if a user rejects tracking. This means tracking you just to "count visitors" will no longer require your consent.

3.4 EU Data Act Reform: consolidation into fewer “big laws”

The original EU Data Act forced manufacturers of smart devices (IoT) to share data with users and repair shops. The Digital Omnibus introduces a massive loophole to stop this.

Companies can now refuse to share data if they claim a "substantial risk" to their trade secrets.

This is a firewall against China. It explicitly strengthens the right to deny data requests from countries with weak legal protections, preventing European industrial secrets from leaking to foreign competitors.

B2G Limitations

The power of governments to demand data from companies is also narrowed – from "exceptional needs" to strictly defined "public emergencies" – preventing local governments from using the EU Data Act for routine surveillance or urban planning.

3.5 Cyber incident reporting: less paperwork

Finally, some good news? The proposal creates a Single Entry Point (SEP) for reporting hacks.

Currently, a major cyberattack triggers a bureaucratic nightmare. A bank, for instance, might have to report the same incident to the Data Protection Authority (GDPR), the cybersecurity agency (NIS2), and the financial regulator (DORA) – all with different forms and deadlines.

With a Single Entry Point (SEP), a company submits one standardized report to a central EU portal.

Who’s Affected By The Digital Omnibus

Everyday people

  • Win: fewer cookie pop-ups, one-click reject, and (potentially) privacy choices that stick longer across sites. The Digital Omnibus is explicitly trying to reduce consent fatigue.
  • Risk: “benign purposes” exemptions can get stretched, and if AI training leans harder on legitimate interest under GDPR regulation, your browsing, emails, and uploaded work can become easier to use for model training – without a clean, meaningful consent moment.

Businesses (from startups to Big Tech)

  • Win: less overlap across EU digital regulation: smoother EU AI Act rollout (more time + clearer governance), fewer collisions between GDPR regulation and the EU Data Act, and big savings from a cyber Single Entry Point for cyber incident reporting.
  • Risk: the rules may get fuzzier, not just lighter. If “personal data” becomes more context-dependent and AI training relies more on “legitimate interest,” teams can misjudge what’s allowed, ship something “legal-ish,” and still get hit with complaints, audits, fines, or PR damage. Moreover, while the Omnibus aims to help SMEs, critics argue Big Tech wins more. Google and Microsoft already have the "means" to process massive datasets. By legalizing "legitimate interest" scraping, the Omnibus removes the one legal lever (copyright/privacy lawsuits) that smaller creators had against giants scraping their work. Big Tech has the legal teams to document the "balancing tests," while startups may struggle with the bureaucratic "safeguards" required to use the exemptions. And if browser signals / one-click reject actually bite, ad-funded models can see consent rates drop fast.

The Geopolitical Dimension: Europe vs. The World

The Digital Omnibus is Europe trying to do two things at once: keep its “rights-first” reputation, and stop bleeding momentum to the US and China.

  • The US Angle: The "Trump Effect" (potential trade barriers and deregulation in the US) has spooked Brussels. If the US deregulates AI further, Europe cannot afford to be the only "heavy" regulator, or it will become a digital backwater.   
  • The China Angle: The EU Data Act's amendments concerning trade secrets are explicitly intended to safeguard European intellectual property (IP) from Chinese acquisition. While trying to promote the internal use of industrial data, the EU is building a 'defensive wall' around it.

What Could Go Wrong? Privacy Risks

The Digital Omnibus can reduce consent fatigue and incident-reporting chaos. Great. But it can also create a lot of privacy “soft spots”.

  • “Legitimate interest” creep for AI training. By allowing AI training under "legitimate interest," the Digital Omnibus package effectively kills the "Opt-In" culture. The default state of your data becomes "Shared," and the burden shifts to you to opt-out.
  • “Not personal data for us” loopholes. Data can be treated as non-personal for one actor while still being identifiable elsewhere in the chain – so your info moves, but nobody “owns” the privacy responsibility.
  • Pseudonymised gets mistaken for anonymous. Removing names isn’t the same as removing identity; with enough extra clues (location, device, purchases), datasets can be re-identified.
  • Cleaner cookie UX, same tracking. “Benign purposes” and measurement exemptions can be stretched until they quietly recreate profiling, just without the noisy banner circus.
  • Machine-readable signals become a new dark-pattern arena. Best case: your browser says “no” once and it sticks. Worst case: inconsistent support + “your experience may break” nudges push people back into consent.
  • Delays create an enforcement gap. In AI regulation news, rollout delays can mean big players keep scaling while oversight arrives slowly – market power hardens before checks harden.
  • Single cyber reporting portal concentrates sensitive breach data. A Single Entry Point reduces duplicate reporting, but it also centralises incident details, making access control, retention, and auditing much more critical.
  • The "Trade Secret" wall: Under the EU Data Act reforms, if you demand to know why an algorithm denied your loan, the bank might just hide behind the new "Trade Secret" shield.
  • "Research" gets used as a cover story: The Digital Omnibus package expands scientific research flexibility. That’s a real need. But “research” is also a label that can be abused. If broad AI training starts wearing the “research” badge, transparency declines, and your data becomes a raw material stream.
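The "pseudonymised gets mistaken for anonymous" point above can be measured before a dataset is shared. The following added example (not from the article or the proposal) counts how many records become unique as more quasi-identifiers are kept, using the smallest group size k from k-anonymity; the dataset, field names and function name are constructed for illustration.

```javascript
// Constructed sample: names already stripped, pseudonymous ID (pid) kept,
// plus the kinds of extra clues the article lists (location, device, purchase).
const SAMPLE = [
  { pid: 'p-01', city: 'Berlin',  device: 'iPhone 15', purchase: 'running shoes' },
  { pid: 'p-02', city: 'Berlin',  device: 'iPhone 15', purchase: 'coffee beans' },
  { pid: 'p-03', city: 'Berlin',  device: 'Pixel 8',   purchase: 'coffee beans' },
  { pid: 'p-04', city: 'Tallinn', device: 'iPhone 15', purchase: 'coffee beans' },
  { pid: 'p-05', city: 'Tallinn', device: 'iPhone 15', purchase: 'coffee beans' },
  { pid: 'p-06', city: 'Tallinn', device: 'Pixel 8',   purchase: 'running shoes' },
];

// Groups rows that share the same values for the chosen quasi-identifiers.
// k is the size of the smallest group; a group of one is a record that
// anyone holding those attributes from another source can single out.
function reidentificationRisk(rows, quasiIdentifiers) {
  if (rows.length === 0) return { k: 0, uniquePids: [], uniqueShare: 0 };
  const groups = new Map();
  for (const row of rows) {
    const key = JSON.stringify(quasiIdentifiers.map((q) => row[q]));
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(row.pid);
  }
  const members = [...groups.values()];
  const uniquePids = members.filter((g) => g.length === 1).map((g) => g[0]);
  return {
    k: Math.min(...members.map((g) => g.length)),
    uniquePids,
    uniqueShare: uniquePids.length / rows.length,
  };
}

// Each added attribute shrinks the groups: nobody is unique on city alone,
// two records are unique on city + device, four on all three.
const byCity = reidentificationRisk(SAMPLE, ['city']);
const byCityDevice = reidentificationRisk(SAMPLE, ['city', 'device']);
const byAll = reidentificationRisk(SAMPLE, ['city', 'device', 'purchase']);
console.log(byCity.k, byCityDevice.uniquePids, byAll.uniqueShare);
```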

Community Reaction

The reaction to the Digital Omnibus depends entirely on who you ask.

Critics alarm

  • EDRi (European Digital Rights) called the Commission’s proposals a major rollback of digital protections and warned about reopening core safeguards across EU digital policy. 
  • noyb (None of Your Business group) argued the Digital Omnibus could undermine core GDPR principles and pushed back hard on the direction of travel.
  • Director General of BEUC (The European Consumer Organization) commented: “Consumers were promised simplification to support the European economy and yet the Commission’s proposal can only be read as deregulation almost to the exclusive benefit of Big Tech.”

Industry applause

Conversely, for tech lobbies, the EU AI Act was a death sentence for innovation. They see the Omnibus as a long-overdue correction that finally treats data as an asset to be used, not a hazard to be locked away. They argue this will finally unlock the "Digital Single Market."

For example, BusinessEurope praised the Digital Omnibus proposals as an important milestone for EU competitiveness and signalled they want more simplification, not less.

What Should I Do To Protect My Privacy?

Do this even if the Digital Omnibus never passes.

Because your privacy risk isn’t only regulation. It’s sloppy defaults, leaky accounts, and the fact that your email inbox is basically your entire digital identity stuffed into one searchable archive.

Quick table

| Tool / setting | Action | Effect |
| --- | --- | --- |
| Browser cookie controls | Block third-party cookies by default | Reduces the value of “benign” tracking exceptions by starving cross-site profiles |
| Consent auto-reject / privacy extension | Prefer “reject all” when possible | Forces sites to demonstrate real necessity instead of defaulting to surveillance |
| Global Privacy Control (GPC) | Enable GPC where supported | Aligns with the Digital Omnibus push toward machine-readable refusal signals |
| Content blocker | Block trackers + scripts | Makes “audience measurement” harder to quietly expand into profiling |
| DNS filtering (NextDNS / Pi-hole) | Block known tracker domains | Cuts off many analytics/ads calls before the page can even ask |
| Phone OS permissions | Audit location, microphone, contacts | Limits what apps can exfiltrate even if policies become looser |
| Password manager + 2FA | Unique passwords and passkeys where possible, enable 2FA | Prevents account takeover |
| Cookie / site data cleanup | Clear cookies for your “daily sites” | Shrinks identifier continuity; makes tracking less sticky |

Your “data exhaust” checklist

Every day, you leave a digital trail. It’s time to clean it up.

  • Delete old accounts. If you haven't used that app in a year, delete the account entirely. Dormant accounts are prime targets for policy updates you’ll never read.
  • Remove “Sign in with Google/Apple/Facebook” connections you forgot you granted.
  • Review third-party app access in Google/Microsoft/Apple dashboards and revoke anything you don’t recognise.
  • Check your cloud photo metadata sharing settings.
  • In messaging apps, turn off contact syncing if you don’t need it.
  • Turn off email forwarding rules you didn’t create (common takeover trick).
  • Purge old newsletters and marketing lists you never read – every list is a leak surface.
  • Stop using your primary inbox for every signup.
  • Stop giving the truth. If a random newsletter asks for your job title, lie. If a Wi-Fi portal asks for your birthdate, make one up. 

And the ultimate recommendation: 

Choose a secure email service

This is the most important step. Your email is a key to your digital life. It resets your passwords, receives your bank statements, and holds your private conversations.

If you are using a standard, free provider (like Gmail or Outlook), your inbox is essentially a training dataset waiting to happen.

So make email your control point:

  • use aliases per service
  • keep sensitive conversations encrypted
  • use safer recovery (so “lost phone” doesn’t become “lost account” and the risk of SIM swapping is neutralized)

This is exactly where a secure email service like Atomic Mail is your best choice:

  • End-to-end encryption and zero-access encryption
  • Multiple email aliases
  • Seed-phrase style recovery
  • Modern security defaults for individuals and teams
  • Anonymous signup
  • Free unlimited storage

FAQ – EU Digital Omnibus

What is Digital Omnibus?

The Digital Omnibus is a European Commission proposal package meant to simplify parts of EU digital regulation by adjusting and aligning several laws (including the EU AI Act, GDPR regulation, privacy & tracking rules, the EU Data Act, and cybersecurity reporting). Its primary goal is to boost European competitiveness by reducing compliance costs.

Is the Digital Omnibus already law or still a proposal?

Still a proposal. Published in November 2025, the Digital Omnibus package must go through the EU legislative process (Parliament + Council) before anything becomes final.

What changes in AI regulation and the EU AI Act?

The proposal delays the compliance deadlines for high-risk AI systems by up to two years and introduces a "Legitimate Interest" clause that allows companies to train AI on personal data without explicit consent. It also creates a new protected class for "Small Mid-Caps" to exempt them from strict transparency rules.

What changes in the EU Data Act?

The reform introduces a "Trade Secret" shield. This allows companies to refuse data-sharing requests (from users or governments) if they claim it would expose sensitive intellectual property. It is designed partly as a geopolitical tool to prevent data leakage to China but can be used to block user transparency.

What changes in GDPR regulation?

The Digital Omnibus attempts to “clarify and lighten” compliance in specific areas, especially around pseudonymised data sharing and lawful bases for certain processing (including implications connected to AI training), plus expanded and clarified scientific research treatment.

Will this actually help European competitiveness?

It could. Simpler compliance reduces cost and time-to-market, especially for startups and mid-sized teams. But competitiveness gains depend on whether simplification preserves trust. If privacy protections weaken in practice, the long-term reputational cost can cancel the benefit.

What are the pros and cons of the Digital Omnibus law?

Pros: less duplicate paperwork, fewer contradictory obligations, better enforcement consistency, improved cookie consent UX, simpler cyber incident reporting.

Cons: risk of loopholes through exemptions/whitelists, risk of “opt-out” privacy creeping in, higher reidentification exposure through wider data sharing, and blurred lines around AI training and “research.”

Does this affect non-EU companies with EU users?

Likely yes, in practice. If you process EU users’ data (or your services target the EU market), EU digital regulation obligations can apply. The exact impact depends on the final text and how enforcement evolves.

What should I change today as a regular user?

  • switch to encrypted email,
  • tighten browser privacy settings,
  • enable privacy signals where available,
  • practice data minimization,
  • reduce app permissions,
  • use a password manager + strong 2FA.
