Digital Omnibus Regulation: the Commission’s proposal to streamline the EU digital framework

Digital Omnibus Regulation: the Commission’s proposal to streamline the EU digital framework

In recent years, the EU digital framework has been built through a succession of regulations and directives that, in practice, sometimes overlap or duplicate one another. With the so-called “Digital Omnibus Package”, the European Commission is not proposing a single new overarching instrument; rather, it is seeking a “technical tune-up”: to simplify, align existing pieces and reduce compliance friction (“A simpler and faster Europe”). On 19 November 2025, it tabled two proposals (one general and one focused on AI) which have now entered the negotiation phase and may change during the legislative process.

The Commission’s official narrative is clear: “(…) to provide immediate relief to businesses, public administrations and citizens alike, and to boost competitiveness.”

Which laws are included in the Omnibus Package?

By way of context, this package is structured around two proposals:

• The first is the general Digital Omnibus proposal, which seeks to introduce technical amendments across a broad set of digital legislation and, in addition, to repeal instruments that the Commission considers to have been superseded by more recent frameworks. Under that first proposal, key instruments would be affected, including, among others, the GDPR, the ePrivacy Directive, NIS2 and the Data Act, together with a set of adjustments also aimed at bringing greater order to the “data economy” and the cybersecurity landscape.
• The second proposal is the Digital Omnibus on AI, which amends the Artificial Intelligence Act (AI Act) with the aim of facilitating a “smooth” and proportionate implementation (e.g., by adjusting timelines and simplifying certain obligations for specific undertakings).

In parallel, and as part of the same simplification drive, the Commission has linked these initiatives to other levers, such as the proposal on European Business Wallets and a review exercise (“fitness check”) of the EU digital rulebook to assess its cumulative impact.

In other words, this is not a single regulation intended to replace everything that came before, but rather a cross-cutting intervention designed to adjust several instruments at once.

Developments affecting digital content and digital services

Although this Omnibus is not a “consumer law reform” concerning digital content, it does have a direct impact on how apps, SaaS, eCommerce and data-driven services operate, because it addresses three areas that shape product and operations: privacy/trackers, data (Data Act) and cybersecurity (incidents).

Privacy

In the area of privacy, one of the most relevant strands is the attempt to recalibrate the relationship between the GDPR and ePrivacy, by moving into the GDPR part of the regime applicable to tracking technologies. If this approach prevails, the most visible impact should be felt in how preferences and consent are managed: less repetition and greater standardisation, with more reliance on browser-level signals or settings.

In any event, given that this is a proposal, caution is warranted: the real scope will depend on the final text and on how exceptions, evidentiary requirements and control mechanisms are defined.

Data

As regards data, the proposal seeks to reduce fragmentation by consolidating rules around the Data Act. The Digital Omnibus envisages integrating into the Data Act and repealing instruments such as the Regulation on the free flow of non-personal data (2018/1807), the Data Governance Act (2022/868) and the Open Data Directive (2019/1024), moving towards a single framework for the re-use of public-sector data and certain protected categories.

It also refers to improvements in “switching” (provider switching/portability in data processing services such as cloud) and to relief measures for SMEs and “small mid-caps” with respect to certain requirements. In day-to-day terms, this translates into reviewing cloud contracts, portability clauses and exit policies.

Cybersecurity

In cybersecurity and incident management, the proposal introduces two measures with significant operational impact. The first is the “single entry point”: a single mechanism for channelling notifications where multiple obligations converge (GDPR, NIS2, DORA or others).

The second is a timing adjustment: it proposes extending the GDPR deadline for notifying personal data breaches from 72 to 96 hours. For security and legal teams, this requires revisiting internal procedures (who decides, what is reported, to whom, and under what thresholds), but it may reduce duplication if the “single point” is implemented effectively.

Artificial intelligence

Finally, in AI (under the “AI Omnibus” proposal), the initiative is twofold: on the one hand, adjustments to the timetable and “triggers” for the applicability/enforceability of obligations relating to high-risk systems; on the other, simplifications and refinements such as the promotion of sandboxes, the extension of certain facilitations to “mid-caps”, and specific rules on the processing of special categories of data where necessary to detect or correct bias, subject to safeguards.

Right to information in marketplaces and third-party platforms

From a marketplace perspective, the “angle” of this Omnibus is not so much the consumer’s right to information (which sits in other layers, such as the DSA, consumer law or advertising rules), but rather transparency and the framework applicable to intermediation where a platform connects third parties (sellers, suppliers, partners) with users.

It is useful to distinguish between two planes: information and transparency vis-à-vis consumers (governed mainly by consumer law and, in the digital environment, also by the DSA) and transparency vis-à-vis professional users operating within the platform (sellers, partners, suppliers). The Omnibus primarily affects this second plane.

The most relevant element here is the proposal to repeal the P2B Regulation (transparency for business users of online intermediation services), on the basis that part of its function has been absorbed by more recent platform-related frameworks.

What does this mean for a “real” marketplace? It means the debate is no longer whether there are information obligations, but rather where they sit and how compliance is evidenced. Even if P2B were to disappear in its current form, the regulatory trajectory continues to push platforms to explain their rules more clearly: conditions for access and continued use, contractual changes, material decision-making criteria (for example, ranking/positioning), and complaint and dispute-management mechanisms.

The practical advice is conservative: review third-party T&Cs and the internal documentation describing “how the platform decides” (to defend decisions and respond to complaints), while avoiding the design of compliance as a single-instrument checklist, because the perimeter may shift during the legislative process.