The EU’s Digital Omnibus: Simplifying Rules on AI, Cybersecurity, and Data
By Roxana Daskălu, Senior Associate & Diana Ciubotaru, Associate
The European Commission published its most debated draft legislative package today, known as the Digital Omnibus[1] and the Digital Omnibus on AI[2]. The Digital Omnibus proposals aim to reduce administrative and compliance burdens, enhance legal certainty, and make the EU’s digital landscape more navigable for businesses, particularly for SMEs.
A. The proposal for Digital Omnibus
It introduces numerous amendments, of which the key ones are the following:
1. Consolidation of existing EU data laws into the Data Act
Three major instruments are merged into the Data Act: (i) Regulation 2018/1807 (Free Flow of Non-Personal Data); (ii) Regulation 2022/868 (Data Governance Act / DGA); and (iii) Directive 2019/1024 (Open Data Directive).
This consolidation of the legal provisions aims, among other things, to:
▸ modernize and harmonize existing rules;
▸ strengthen the protection applicable to trade secrets and third countries (e.g., allowing data holders to refuse disclosures of trade secrets to a user when there is a high risk of unlawful acquisition, use, or disclosure to third countries that are subject to jurisdictions with weaker protections than those available in the Union);
▸ streamline and simplify the conditions for re-using certain categories of protected data, clarifying how the rules apply when personal data have been anonymized, while also maintaining the safeguards for transfers of non-personal data to third countries, etc.
2. GDPR & ePrivacy Directive amendments
► The Digital Omnibus draft also aims to clarify key GDPR concepts, as follows:
▸ Inserting new definitions
– Tightening the definition of personal data: by introducing a “subjective” approach depending on the specific controller’s capability to identify the person and by potentially excluding “pseudonymous” data from the scope of the GDPR;
– Adding new definitions, including terminal equipment, web browser, media service, media service provider, online interface, and scientific research.
▸ Introducing new exemptions for special categories of data, such as:
– biometric data: Processing of biometric data is permitted when it is necessary for confirming the identity of the data subject.
– residual sensitive data: Allows for the residual processing of special categories of personal data (i.e., data that remains despite efforts to avoid collecting it) for the development and operation of an AI system or model.
▸ Clarifying the “right of access” of data subjects:
– providing that controllers may refuse, or charge a reasonable fee for, access requests made for purposes unrelated to data protection, and further defining the criteria for determining when such requests are excessive.
▸ Restricting the data controller’s obligation to inform data subjects under Art. 13 GDPR:
– by removing the obligation to inform data subjects when they can reasonably be expected to already have the information, except where the data will be shared with new recipients, transferred internationally, used for automated decision-making, or processed in ways that pose a high risk to individuals’ rights;
▸ Recognizing the development and operation of AI systems as a legitimate interest for processing personal data:
– this means companies could rely on legitimate interest for AI training and use, so long as the processing is necessary and does not outweigh individuals’ rights;
▸ Updating the rules on automated decision-making:
– by broadening the exemptions under Art. 22 GDPR and clarifying that, for automated decision-making under Art. 22 GDPR in the context of entering into or performing a contract, the requirement of “necessity” applies even if the decision could technically be made by non-automated means.
▸ Extending the breach-notification deadline to 96 hours, and creating a single EU reporting portal:
– the notification is only required if a data breach is likely to result in a high risk to the data subject’s rights;
– it is also proposed that controllers use the EU single-entry point when they notify data breaches to the supervisory authority.
▸ Introducing new rules on DPIAs:
– by creating a single EU list of processing operations that do or do not require a DPIA. The EDPB would be obliged to prepare proposals for such lists, along with a common DPIA template and methodology, which the Commission can formalize through an implementing act.
► Integration of the ePrivacy rules into the GDPR framework.
▸ To remove the ambiguity created by the dual GDPR–ePrivacy regime, it is clarified that the processing of personal data on or from terminal equipment is governed solely by the GDPR.
3. Cybersecurity framework – Single-Entry Point for Incident Reporting
The Digital Omnibus draft aims to create a Single-Entry Point for all major EU incident-reporting obligations, assigning ENISA key responsibilities and requiring that notifications under NIS2, the eIDAS Regulation, DORA, the Critical Entities Resilience Directive (CER), and the GDPR all flow through this unified channel.
B. The proposal for Digital Omnibus on AI
To ensure a smooth and practical rollout of the AI Act, the European Commission has introduced a set of targeted simplification measures, such as:
► Implementation and Standards: The timeline for implementing high-risk rules will be linked to the availability of standards or other support tools.
► AI Literacy: The Commission and the Member States are required to foster AI literacy. This replaces unspecified obligations on providers and deployers, although training obligations for high-risk deployers remain in place.
► Reduced Registration Burden: The registration burden will be reduced for providers of AI systems that are used in high-risk areas but are concluded not to be high-risk because they are only used for narrow or procedural tasks.
► EU-Level Sandbox: The AI Office will set up an EU-level AI regulatory sandbox starting from 2028.
► Legislative Clarity: Targeted changes will be made to clarify the interplay between the AI Act and other EU legislation.
[1] https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-regulation-proposal
[2] Digital Omnibus on AI Regulation Proposal | Shaping Europe’s digital future