Are you still building your compliance framework around the current GDPR, AI Act, and Data Act requirements? The European Commission just published the most sweeping reform of EU digital laws since 2018 – and everything you thought you knew about data protection compliance might be about to change.
The Regulatory Earthquake You Can’t Ignore
On 19 November 2025, the European Commission released two proposed regulations that will fundamentally reshape how businesses handle data, AI, and cybersecurity in Europe. The Digital Omnibus (2025/0360) and Digital Omnibus on AI (2025/0359) aren’t minor tweaks – they’re a complete rethinking of the EU’s approach to digital regulation.
The Commission’s goal? Cut administrative burden by 25% for all companies and 35% for SMEs. But here’s what matters to you: these changes will force you to rethink processes you’ve spent years building.
The Definition of Personal Data Is Changing
Here’s the change that should make every DPO sit up: the very definition of personal data is being rewritten.
Under the proposed rules, if your organization doesn’t have reasonable means to identify an individual, that data isn’t personal data for you – even if someone else could identify that person. This subjective approach, aligned with the recent CJEU ruling in EDPS v SRB, could mean entire datasets you’re currently treating as personal data might no longer require GDPR treatment.
Are you ready to reassess every dataset in your organization?
AI Training on Personal Data Gets a Green Light
Still struggling to find a legal basis for using personal data to train your AI models? The Commission just handed you one: a new provision explicitly confirms that AI model training constitutes a legitimate interest under Article 6(1)(f) GDPR.
But don’t celebrate too quickly – you still need to pass the balancing test. And here’s the catch that’s already causing concern: Member States can still require consent for AI training under national law. The fragmentation risk is real.
Your Privacy Notices Might Be Overkill
Are you sending elaborate privacy notices to people who already know exactly who you are and why you’re processing their data? Under the new rules, you might not need to. If there are reasonable grounds to assume the individual already knows, no notice is required.
The exception won’t apply for third-party transfers, automated decision-making, or high-risk processing – but for straightforward B2B relationships and simple consumer interactions, this could eliminate significant compliance overhead.
DSARs Used as Weapons? You Can Fight Back
Every compliance officer knows the problem: data subject access requests weaponized in employment disputes or used as leverage. The Omnibus explicitly allows you to refuse requests or charge fees when individuals abuse their rights – including when they deliberately provoke refusal to claim compensation, or offer to withdraw requests in exchange for benefits.
This is the clarity HR departments have been waiting for.
Breach Reporting Gets Simpler – and Slower
The 72-hour scramble after a data breach? It’s becoming 96 hours. And you’ll only need to report breaches posing “high risk” to individuals – aligning with the notification threshold for data subjects.
Better still: a single reporting portal is coming for all your incident notifications across GDPR, NIS2, DORA, and more. Report once, reach all relevant authorities.
The Cookie Banner Revolution You’ve Been Waiting For
One-Click Rejection Becomes Mandatory
Cookie consent fatigue is officially recognized as a problem. The solution? Controllers must provide single-click rejection. No more dark patterns. No more 47 clicks to refuse tracking. And once a user has refused, websites must respect that choice for at least six months before asking again.
Automated Consent Signals Are Coming
This is the big one: within 24 months of adoption, you’ll need to enable users to give or refuse consent through automated, machine-readable mechanisms – think Global Privacy Control, but mandatory. Browser providers have 48 months to build in the tools.
The era of cookie banners may finally be ending. But are you ready for the technical implementation this requires?
New Exceptions That Actually Matter
Two new scenarios where you won’t need consent:
- Aggregated audience measurement for your own analytics
- Security-related storage (like automatic updates)
For the adtech industry, this provides some breathing room – but don’t mistake simplification for permission. The regulatory scrutiny of data-intensive advertising isn’t going away.
AI Act: The Breathing Room You Needed
High-Risk Deadlines Are Sliding
If you’re racing to comply with high-risk AI system requirements by August 2026, you might be able to slow down. The proposal delays obligations by 6-12 months after technical standards are approved – with hard stops at December 2027 and August 2028 depending on the system category.
This isn’t the Commission going soft on AI regulation. It’s an acknowledgment that you can’t comply with requirements when the standards don’t exist yet.
AI Literacy Becomes Optional
Were you struggling to implement AI literacy programs across your organization? The mandatory obligation is becoming an “encouragement.” The Commission and Member States will foster literacy – but you won’t be directly obligated.
SME Privileges Expand
If you’re a small mid-cap company, you’re now eligible for the same regulatory privileges as SMEs: lower fines and simplified documentation requirements. Check if you qualify.
Registration Requirements Narrowed
Concluded that your AI system doesn’t pose significant risk to health, safety, or fundamental rights? Under the new rules, you won’t need to register it in the EU database. Less bureaucracy for lower-risk applications.
Cybersecurity: One Portal to Rule Them All
The Single Entry Point Is Coming
ENISA is building a centralized platform for all your incident reporting obligations. NIS2 incidents, GDPR breaches, DORA incidents – everything goes through one interface and is automatically routed to the relevant authorities.
No more filing the same incident report five different ways to five different regulators.
The timeline: 18 months after adoption for piloting, then a Commission confirmation before full operation. Start planning your internal processes now.
Data Act: Winners and Losers
Cloud Switching Gets Easier (For Some)
Running custom-made data processing services? The switching obligations are being relaxed. SMEs and small mid-caps (SMCs) with contracts concluded before September 2025 get additional flexibility, and you can include proportionate early termination penalties in those contracts.
SaaS providers have been lobbying hard for this – and they got it.
Trade Secret Protection Strengthens
Here’s a win for businesses worried about forced data disclosure: you can now refuse to share trade secrets if disclosure would cause serious economic damage or if there’s high risk of the information reaching third countries with weaker protections.
Document your reasoning carefully – refusals must be justified in writing.
Public Sector Data Demands Restricted
Government authorities demanding your data? The threshold just got higher: from “exceptional need” to “public emergencies” only. And if you’re a micro or small enterprise, you can claim compensation.
The Privacy Activists Are Not Happy
Before you celebrate the reduced compliance burden, understand the opposition. On 11 November, noyb, the Irish Council for Civil Liberties, and European Digital Rights published a joint open letter expressing serious concerns:
- Potential erosion of individual privacy protections
- Easier paths for AI companies to use personal data without adequate safeguards
- Risk of regulatory fragmentation as Member States add their own requirements
These organizations have successfully challenged major tech companies before. Don’t assume the proposals will pass unchanged.
What Happens Next
The Legislative Timeline
- December 2025 – January 2026: Assignment to Parliament committees (IMCO, ITRE, LIBE)
- Q1 2026: Committee discussions, amendments, Council positioning
- Q2/Q3 2026: Trilogue negotiations
- Mid-late 2026: Expected adoption
The Fast-Track Possibility
Parliament could invoke Rule 170 for urgent procedure, potentially enabling adoption as early as Q1 2026. If that happens, your preparation window just got much shorter.
The Strategic Question You Must Answer Now
These proposals will change. Trilogue negotiations always produce compromises. But the direction is clear: simplification, consolidation, and competitiveness.
The question isn’t whether to prepare – it’s how aggressively. Organizations that wait for final adoption will scramble to catch up. Those that start scenario planning now will turn regulatory change into competitive advantage.
So ask yourself: Is your current compliance strategy built for flexibility, or will you be rebuilding from scratch when these rules take effect?
The Commission has made its move. What’s yours?
This article provides general information and does not constitute legal advice. Consult qualified professionals for specific compliance guidance.
Sources: European Commission Digital Omnibus proposals (2025/0360, 2025/0359); analysis from Matheson LLP, Addleshaw Goddard, McDermott Will & Emery, and Bird & Bird.