The European Union is rapidly developing a comprehensive set of laws and regulations around data, technology and digital security. These laws affect virtually every organization that works with data, IT or digital services. A great many laws are involved, some already in effect and others in the pipeline.
The European Union is now choosing to prune these laws. This mainly affects data, privacy and AI.
Data Act: Changes & Consolidation
The Digital Omnibus (COM/2025/837) deletes a number of "small" laws and merges them into larger frameworks. In doing so, the EU explicitly opts for two central data laws: the GDPR and the Data Act. Everything that logically falls under these is moved along with them. As a result, the Data Governance Act, the Open Data Directive and the Free Movement of Non-Personal Data Regulation disappear and their content is placed in the Data Act. The P2B Regulation disappears into the Digital Services Act (DSA) and Digital Markets Act (DMA).
The Data Act is strengthened by the Omnibus while becoming more pragmatic. Some key changes:
- Reduced risk of loss of trade secrets. The duty to share data with third countries is reduced.
- Governments may claim data less quickly, and SMEs get compensation.
- Switching between cloud services at no extra cost remains, but custom suppliers and SMEs are partially spared.
- There will be a one-stop shop for public datasets: one place to see what governments have available.
Impact on privacy and the GDPR
The Digital Omnibus also covers the GDPR. While the core principles of the GDPR remain intact, the Omnibus introduces a number of important changes.
- Personal data
The GDPR clarifies that data is not personal data for an entity that cannot reasonably identify a person. This makes it easier for organizations to use pseudonymous datasets.
- Legitimate interest
The Omnibus explicitly confirms that training of AI models and scientific research can be legitimate interests.
- Special categories of personal data
Residual special personal data in AI training datasets are permitted, provided organizations demonstrably make every effort to avoid them. In addition, biometrics for face unlock are explicitly allowed.
- Duty to report data breaches
Reporting every data breach will become a thing of the past. For a data breach notification to the AP, the same threshold will apply as for reporting a data breach to a data subject: a breach must be reported only where there is a probable high risk to the rights and freedoms of natural persons. In addition, the reporting period goes from 72 to 96 hours.
The method of reporting also changes. Via one central European hotline, a report can be made for GDPR, NIS2, DORA, eIDAS and CER: report once, share many.
- Data subjects' rights
The duty to provide information about data processing becomes lighter for small organizations: in simple, non-data-intensive situations where the data subject probably already has the core information, less information needs to be provided.
The right of inspection is also slightly curtailed: the threshold for treating a request as abuse of the right of inspection, and thus for refusing inspection or levying a fee, will be lower.
- DPIAs
DPIA lists will be standardized EU-wide. Whereas there are now 27 national lists of what does and does not require a DPIA, there will be one European list of processing operations that require a DPIA and one European list of processing operations that do not require a DPIA. A DPIA "just to be sure" will therefore not have to be carried out as often.
- Cookies
The cookie regime will also be cleaned up: consent remains mandatory, but does not need to be requested for security, statistical and strictly necessary cookies. Moreover, websites must start respecting machine-readable consent signals. Accepting or refusing cookies via browser settings will thus become possible.
Adjustments to the AI Act
The Digital Omnibus on AI (COM/2025/836) amends the AI Act. As this Act has only just entered into force, the Omnibus mostly entails refinements.
What stands out?
- AI literacy becomes a government duty. Companies no longer have the duty to provide AI education for their staff themselves; this duty falls to member states.
- Special personal data may be processed to counter bias in AI systems.
- The AI Act already exempted AI that performs purely procedural tasks from the high-risk category. The Omnibus also eliminates the need to register this AI.
- CE marking will be streamlined. One combined application will be possible for both the AI Act and sectoral legislation such as the MDR.
- There will be lower fines for SMEs.
- There will be a postponement of obligations for high-risk AI.
The Digital Omnibus as an evolutionary step
The Digital Omnibus is not a new revolution, but it is an interesting evolutionary step. While many privacy experts are also critical of the package, it is clear that the Omnibus addresses major corporate frustrations: fragmentation, inconsistency and duplication of obligations.
Remarkably, the Omnibus leaves a few tricky issues untouched:
- Processing personal data outside the EEA;
- Unclear definitions in the Data Act;
- Overlap in cybersecurity legislation.
For lawyers, compliance teams and companies, the Omnibus means mainly one thing: catching up on reading again. We can also count on a lot of lobbying to get the text changed before the Omnibus is final.
The new European digital legislation brings big changes. Are you active in the ICT industry and have questions about the upcoming laws? Or are you a seller of technical products and want to know more about your rights and obligations? Then feel free to contact me or one of my IT law colleagues. We are happy to think along with you.