European Commission Proposes Revisions to GDPR and Other Digital Rules Under Digital Omnibus Package

By Covington Privacy Team on November 20, 2025

On 19 November 2025, the European Commission (“Commission”) officially presented its Digital Omnibus Package (see here and here). The initiative represents a comprehensive update to the EU’s digital regulatory landscape, which the Commission frames as a competitiveness and simplification initiative aimed at reducing administrative burdens and enhancing legal certainty for businesses. Although the final text is likely to evolve during negotiations with the European Parliament and the Council of the EU (“Council”), the package, if adopted in its present form, would introduce significant changes to data protection obligations, cookie rules, cybersecurity regulations and the EU AI Act.

The Digital Omnibus Package consists of two proposed regulations: a “Digital Omnibus” that would amend, amongst other legislation, the General Data Protection Regulation (GDPR), ePrivacy Directive, NIS2 Directive and Data Act, and a “Digital Omnibus on AI” that would amend the EU AI Act. We outline below key proposals from the Digital Omnibus that have particular significance for organizations operating in the EU.

A summary of amendments affecting the Data Act and the key proposals in the Digital Omnibus on AI will be addressed in subsequent blog posts.

Key Proposals

  • Revised definition of personal data

The GDPR’s definition of “personal data” would be revised to exclude information where the entity holding it does not have “means reasonably likely to be used” to identify the individual. Reflecting the Court of Justice of the European Union’s (CJEU) decision in SRB (Case C-413/23) (see our previous blog post here), information would not be considered personal data for that entity—and thus would fall outside the GDPR’s scope—if identification is legally prohibited or would require a disproportionate effort.

The proposal also empowers the Commission to adopt further implementing acts specifying when pseudonymised data constitutes personal data, based on the state of the art of available techniques.

However, the proposal does not amend the definition of “data concerning health”; such an amendment was included in an earlier draft leaked on November 10, 2025. The leaked draft sought to limit the scope of the definition to data directly revealing information about an individual’s health status.

  • Allowances for AI development and deployment  

Two key amendments to the GDPR are proposed to clarify rules for controllers processing personal data to develop and deploy AI systems and models. Notably, a new provision would explicitly recognize such processing as a legitimate interest under the GDPR. Nonetheless, controllers would still need to demonstrate necessity and proportionality through a balancing test and implement appropriate safeguards, including minimizing data used for AI training and granting data subjects an unconditional right to object to the processing of their personal data. Additionally, the proposal would introduce a new exemption from the prohibition on processing “special categories of personal data” to cover cases in which a dataset contains residual sensitive data. The exemption would allow the processing of such data for the development and operation of an AI system or model, provided controllers implement certain technical measures to minimize collection of sensitive data and to ensure removal of any identified sensitive data.

  • Clearer rules for “scientific research” activities

The concept of “scientific research” would now be explicitly defined as “any research which can also support innovation, such as technological development and demonstration.” Such research may “aim to further a commercial interest” and must “contribute to existing scientific knowledge or apply existing knowledge in novel ways, be carried out with the aim of contributing to the growth of society’s general knowledge and wellbeing and adhere to ethical standards in the relevant research area.”

The proposal also specifies that further processing for scientific purposes is compatible with the initial purpose of processing and that scientific research constitutes a legitimate interest.

  • Expanded exemptions to data subjects’ rights

The proposal extends the existing exceptions to transparency requirements, in particular where processing is conducted for scientific research purposes. It also clarifies the circumstances in which controllers may either refuse to act on an access request under Article 15 GDPR or charge a reasonable fee for responding to such requests. These include, in particular, situations where the data subject “abuses the rights conferred by [the GDPR] for purposes other than the protection of their data”.

  • Updated cookie rules

The Commission seeks to address “consent fatigue” and the proliferation of cookie banners by adopting a more flexible and harmonized approach to online tracking rules – as reflected in the Digital Omnibus’ Recitals. Among other changes, the proposal would permit the storing of personal data, or gaining access to personal data stored in terminal equipment, without consent, in a range of circumstances. These include access needed by the controller to measure audience size for its own use, or to maintain or restore security. Looking ahead, the Commission foresees the introduction of universal settings-based preference mechanisms that allow users to express consent or opt out consistently across websites and applications. Relevant standards organizations would create the technical specifications, while browser, operating system, and app store providers might be required to honor these settings, and website and app operators would need to implement them following a six-month transition period.

  • EU-wide data breach template and notification platform

The Commission plans to introduce a single-entry EU portal for reporting data breaches, following a “submit once, share widely” model to streamline obligations under GDPR, the NIS2 Directive, the Digital Operational Resilience Act, the Critical Entities Resilience Directive and the upcoming Cyber Resilience Act. Overlapping reporting duties under the ePrivacy Directive for communications service providers would be repealed. Controllers would only be required to notify breaches under the GDPR that present a high risk to individuals, and the reporting deadline would be extended to 96 hours. This contrasts with the existing standard, where reporting is required unless the breach is unlikely to result in a risk to data subjects, with a reporting deadline of 72 hours. In addition, the European Data Protection Board (EDPB) would be tasked with preparing a standardized breach notification template for the Commission to adopt through an implementing act.

  • Harmonized Data Protection Impact Assessment (DPIA) guidance and template

Under the Commission’s proposals, the EDPB would be tasked with creating EU-wide lists of processing activities that do and do not require a DPIA, replacing the current national lists. The EDPB would also develop a standardized template and methodology for conducting DPIAs, which the Commission could adopt through an implementing act. The lists, template, and methodology would be reviewed and updated at least every three years to reflect technological developments.

Next Steps

The Digital Omnibus Package will proceed through the EU’s ordinary legislative procedure in the European Parliament and the Council. The final text will depend on the two institutions’ review, and substantive amendments may be made during the legislative process.

The Covington team continues to monitor these developments closely and regularly advises the world’s top companies on their most challenging technology regulatory, compliance, and public policy issues in the EU and other major markets. Please reach out to a member of the team if you need any assistance.

  • Posted in:
    Privacy & Data Security
  • Blog:
    Inside Privacy
  • Organization:
    Covington & Burling LLP