Digital Omnibus: Key takeaways for privacy and compliance teams

Key Takeaways

  • No immediate action required: These are still draft proposals. If adopted, most changes will be phased in gradually, with limited impact for the majority of companies.
  • Impact remains limited for most: Unless your organisation processes pseudonymised or sensitive data for complex use cases like AI or life sciences, day-to-day operations are unlikely to be significantly affected.
  • A more nuanced definition of personal data: The proposal suggests a shift to an entity-relative definition, focusing on whether the data recipient can identify individuals, potentially reducing GDPR burden for intermediaries.
  • DPIA lists get centralised: Responsibility for blacklists and whitelists moves to the EDPB (with final EC oversight), aiming for greater clarity and consistency.
  • Sensitive data and AI: A new provision (Article 88c) would permit some use of sensitive data for AI development under legitimate interest—a controversial but practical proposal.
  • Cookies under the GDPR: Elements of the ePrivacy Directive would be merged into the GDPR. Consent signals from browsers may become legally binding.
  • Simplified incident reporting: A single ENISA-managed reporting channel is proposed, with a 96-hour deadline, bringing consistency with other cyber regulations.
  • AI compliance deadlines could shift: High-risk AI systems may see extended implementation deadlines, though this depends on the timing of adoption.

Every few years, Brussels throws a stone into the digital regulation pond and the ripples keep us all busy for a while. The Digital Omnibus published on 19 November is one of those moments. After weeks of rumours, the Commission finally unveiled its long-awaited proposal to simplify the Digital Rulebook.

For practitioners, it can be a lot to take in at once. For most organisations, the short answer is: no need to panic. These are proposals, not final texts, and even if adopted they will take time to roll out. We foresee that these changes will not impact the majority of companies, and for the minority which are impacted, CRANIUM will be there to assist you.

The Digital Omnibus is open for consultation until the 11th of March 2026. During this period, everybody can provide input (including lobby and civil society groups), while the Parliament and Council simultaneously debate the content. The trilogue will start and, once a compromise proposal is agreed upon, we will know the impact of the final text. Currently, the Digital Omnibus is expected to land in mid-2026.

We will walk you through the main elements, lightly and without drowning you in legislative cross-references.

1. The Digital Omnibus GDPR

The Digital Omnibus (DO) focuses on digital legislation, the most controversial being the GDPR. We’ll walk you through a few core draft changes:

A new take on “personal data”.

The Commission wants to shift to a more entity-relative definition of personal data, inspired by the CJEU’s SRB decision. In simple terms: whether something counts as personal data depends on the ability of the entity holding/receiving the data to identify data subjects, rather than on whether anyone could.

This might ease the burden for some intermediaries who receive pseudonymised datasets they cannot reidentify with the reasonable means they have. At the same time, experts warn it could open the door to broader sharing of large datasets where identifiability for the recipient is low, even if outsiders could easily reidentify individuals.

For most companies, however, we expect that this proposed change will not meaningfully impact their day-to-day business operations.

DPIA black/white lists

The responsibility for creating the lists of cases where a DPIA is (not) required would be moved to the EDPB (with final authority resting with the European Commission). We welcome this move towards consistency as well as the reduced administrative burden.

Sensitive data and AI development.

A new Article 88c would allow certain processing of sensitive data for AI training and development under legitimate interest. Supporters see it as a realistic fix for unstructured datasets. Critics see it as a step back on necessity and minimisation.

Streamlined data subject rights.

Controllers could refuse “abusive” access requests made for non-data-protection purposes. Information duties would be lighter for certain organisations. Automated decision-making rules would also relax slightly.      

A lot of companies struggle with overreaching access requests (such as when a disgruntled employee asks for a copy of all their data). The proposed change would make it easier for companies to deny an access request if it is not made for data protection reasons, but we believe the bar remains very high in that regard and the burden remains on the controller.

Cybersecurity reporting: one door instead of five.

The proposal introduces a single ENISA-managed entry point for incident reporting (via the NIS2 single-entry point), plus an extension of the deadline from 72 to 96 hours, in line with other regulations. We welcome consistency on this part.

Cookies included in the GDPR

Some parts of the ePrivacy Directive would be moved to the GDPR. Browsers should be able to signal the consent of users to websites, and those websites must then respect this signal. Interesting to note: this feature for a user to express their preference on tracking is already present in most browsers today (called “Do Not Track”) but respecting this user choice is currently optional. Standardisation would be good if enforced by law.

It remains to be seen how this is implemented.

2. The AI Digital Omnibus

The Commission also proposes a set of adjustments to the AI Act.

High-risk AI obligations may be delayed.

If adopted in time, the high-risk compliance deadlines will be pushed back significantly, potentially to December 2027 (Annex III systems) and August 2028 (Annex I systems). This gives providers and deployers breathing room while the EU builds more support structures.

However, since the current timeline for Annex III systems is August 2026, the proposal has to pass before that time, otherwise the AI Act will be fully applicable to those systems regardless. On top of that, the GDPR remains applicable to training data of AI systems regardless of the AI Act’s obligations.

Debiasing exception broadened.

The rule that allowed high-risk developers to process sensitive data to remove biases from AI systems now extends to all AI system developers, not just those of high-risk AI systems.

3. New Model Contractual Terms and SCCs (Data Act)

Non-binding templates for data sharing and data-processing service agreements. Helpful for standardisation, optional for everyone.

4. Impact and follow-up

We at Cranium believe the impact of the proposed changes will be relatively low on most businesses. There will be some simplification and easier procedures (like cookie preferences or reporting incidents), but unless your business is focused specifically on using personal data in more complex settings like AI development, life sciences, etc., where technical measures such as pseudonymisation come into play, the impact remains low.

However, for those companies and government institutions, the proposed rules could allow for more flexibility if implemented and documented accordingly.    

Still, as these are mere draft changes, nothing is set in stone yet, and the outcome of what is sure to be some tough negotiations will determine the actual impact. CRANIUM will follow up on this and remain available to share insight and assist with implications.

Written by

Enzo Marquet