Last Updated on April 14, 2026
The EU’s Digital Omnibus is a proposed legislative package that aims to streamline overlapping digital regulations and simplify compliance. It would amend some of the EU’s cornerstone digital legislation, including GDPR, the EU AI Act, the EU Data Act, the NIS2 directive, and the Digital Services Act (DSA).
The Digital Omnibus changes would make it easier for forward-looking organizations to integrate AI and data governance into their risk, compliance, and cybersecurity programs rather than treating them separately. This should cut compliance costs and effort while improving competitiveness.
What changes does the Digital Omnibus specifically call for? How will it impact organizations and when will it be in force? This article shares a comprehensive overview for business and technical leaders.
Key takeaways
- The Digital Omnibus is not a single law or bill, but an ongoing initiative to rationalize current guidelines and compliance requirements.
- The Digital Omnibus proposes changes to several EU digital regulations, including GDPR, the EU AI Act, and the EU Data Act.
- A key driver for the Digital Omnibus package is to support organizations in building unified, enterprise-wide governance, risk, and compliance (GRC) programs that cover cybersecurity, privacy, and AI.
- The overall benefit of Digital Omnibus changes is to strengthen EU competitiveness by reducing administrative burdens.
- The Digital Omnibus package is expected to enter into force by late 2026.
- Because it is a proposal only, the changes the Digital Omnibus recommends could evolve during the legislative process.
What is the EU Digital Omnibus and what does it hope to achieve?
On November 19, 2025, the European Commission published its much-anticipated Digital Omnibus package to update and rationalize the EU’s digital legal framework, notably the EU AI Act, the Data Act, and the cornerstone General Data Protection Regulation (GDPR). The primary motivation for these strategic changes is to simplify regulatory overlap to reduce compliance effort and complexity, especially for SMBs. The new rules are expected to be finalized and enter into force by late 2026.
The term “Digital Omnibus” is used unofficially to designate the European Commission’s ongoing initiative to rationalize its digital regulations. It is a policy objective, not a separate law or framework. The Digital Omnibus package has three components:
- The Digital Omnibus, which amends data, privacy, and cybersecurity laws.
- The Digital Omnibus on AI Regulation, which amends the EU AI Act.
- A proposal for a regulation to create European Business Wallets.
As the EU has gradually rolled out a series of digital regulations, one result has been overlapping requirements creating undue complexity in key areas like governance, risk management, and documentation. The Digital Omnibus looks to address this by:
- Simplifying regulatory complexity and redundancy.
- Unifying definitions and reporting requirements.
- Enabling companies to build unified governance programs with centralized oversight for AI.
- Reducing compliance administrative impacts for SMBs.
Core provisions of the Digital Omnibus initiative include:
- Simplifying data, privacy, and cybersecurity mandates by creating a single-entry point for cyber incident reporting and clarifying the relationship between GDPR and the EU Data Act.
- Amending the EU AI Act to extend deadlines for registering high-risk AI systems, shift the obligation for AI literacy, prioritize innovation for SMBs and startups, and centralize AI legal governance under the EU AI Office.
- Harmonizing fragmented compliance requirements to provide regulatory relief and reduce high administrative costs, with the goal of saving covered businesses approximately €4 billion by 2029. Time spent on administrative tasks should be reduced by 25% or more for all businesses, and 35% or more for SMBs.
How will the Digital Omnibus impact covered organizations?
The Digital Omnibus package reflects EU lawmakers’ emphasis on integrating governance across privacy/data protection, cybersecurity, data governance/sharing, and AI risk management. The intent is to direct organizations towards using current risk and control frameworks to build unified governance processes—not siloed programs—that streamline compliance efforts across multiple regulations.
In short, the Digital Omnibus supports a strategic shift from managing compliance at the level of separate regulations to building a centralized, company-wide GRC model that covers cybersecurity, privacy, and AI.
Benefits of an integrated GRC approach include:
- Reduced compliance cost and effort.
- Greater ability to scale AI initiatives while effectively managing risk.
- Improved responsiveness to ongoing regulatory demands.
How does the Digital Omnibus propose to change GDPR?
The Digital Omnibus would modernize GDPR to better align with newer legislation like the EU Data Act and EU AI Act. The key proposed changes include:
- Creating a central, EU-wide portal for data breach reporting, thus reducing duplicate reporting to comply with related laws (e.g., NIS2 and DORA).
- Updating the definition of “personal data” in the context of pseudonymized data.
- Clarifying how GDPR relates to AI development, especially around using personal data for model training.
- Incorporating new rules on cookies from the new ePrivacy Directive.
- Adding new exceptions to permit processing certain personal data categories (e.g., genetic data) in special circumstances.
- Strengthening trade secret protections by allowing data holders to refuse data sharing if they can show a high risk of trade secret leakage to non-EU nations.
How does the Digital Omnibus propose to change the EU AI Act?
The Digital Omnibus package does not alter the EU AI Act’s basic requirements in key areas like risk classification, governance for high-risk systems, and conformity assessments. Its intent is to influence how businesses comply with AI laws. Changes the Digital Omnibus reinforces include:
- Streamlining risk assessments so they apply across multiple laws.
- Integrating AI governance with current privacy and cybersecurity frameworks.
- Unifying documentation and control activities across EU digital regulations.
Additionally, the Digital Omnibus provides regulatory relief by pushing back, extending, or removing various AI rules. These include:
- Shifting the requirement to promote AI literacy from AI developers and users to the EU Commission and EU member states.
- Shifting the application of high-risk AI rules to later dates based on standards availability.
- Extending simplified technical documentation rules for SMBs.
How does the Digital Omnibus propose to change the EU Data Act?
The Digital Omnibus would change the EU Data Act primarily by consolidating EU data rules and merging other current regulations into the Data Act framework.
Other changes include:
- Reinforcing trade secret protections.
- Creating specific exemptions from cloud-switching requirements for SMBs.
How does the Digital Omnibus propose to change NIS2?
Among the most welcome Digital Omnibus proposed changes is single-entry cyber incident reporting via a unified reporting portal managed by the EU Agency for Cybersecurity (ENISA). This would allow businesses to comply seamlessly with the reporting requirements of NIS2, DORA, GDPR, and the EU Critical Entities Resilience (CER) directive.
The Digital Omnibus also aligns the high-risk threshold for personal data breaches with the NIS2 reporting threshold, which simplifies incident analysis.
What other legislative changes does the Digital Omnibus propose?
Other important legislative changes within the Digital Omnibus package include:
- Phasing out the Platform to Business Regulation (P2B) by repealing most of its parts, which the Digital Services Act (DSA) now covers.
- Removing some of the ePrivacy Directive’s incident reporting mandates, which would be covered by the new single-entry point portal.
What are EU Business Wallets?
The European Business Wallets are digital tools designed to make it easier for companies of all sizes to interact securely with public authorities and other EU businesses.
EU Business Wallets will reduce administrative effort by enabling businesses to verify their identity, sign and send official documents, or digitally share licenses and certificates, all with full legal standing.
The proposal, which is voluntary for businesses, gives all levels of EU public administration two years to implement business wallets, while providing temporary methods for using the similar systems already available in individual member states.
The EU Business Wallets regulation would require public sector organizations to support the wallets’ core functions. Private sector entities, however, would not be obligated to use business wallets.
How can my business prepare for the Digital Omnibus changes?
Since the Digital Omnibus proposal remains subject to legislative changes, businesses seeking to comply with and benefit from the new guidance should focus on developing a flexible and efficient governance approach that covers a range of regulations, aligns with core best practices, and can adapt to changes readily.
Many firms will want to begin by reviewing their current governance processes and programs across the EU’s digital legal framework. Important considerations include:
- Integrating AI governance. EU and market demands to demonstrate effective AI governance are not going away. The Digital Omnibus will help firms to simplify and integrate digital governance processes rather than adding a new layer of complexity for governing AI.
- Leveling up controls and documentation, especially for AI training data. The new EU rules reduce overall compliance effort but increase AI risk management requirements. This includes adding privacy controls that apply across AI system datasets, and updating AI policies and privacy notices to cover how data is ingested during your AI development and operational use.
- Keeping current with AI regulatory changes so you can apply them to your evolving governance framework in a timely manner.
- Identifying skills gaps. AI governance and risk assessment may demand new specialist skills. Outsourcing to a trusted advisor can empower your business to innovate more effectively while protecting stakeholder interests around cybersecurity, privacy, and brand image.
Next steps
CBIZ Pivot Point Security is a one-stop solution for AI and cybersecurity assessment and consulting services. Our team consists of industry-leading professionals qualified to ensure your business achieves its desired outcomes while leveraging only the specific services you need.
Contact us today to schedule a consultation.