Understanding the Digital Omnibus Regulation proposal: what it means for privacy and compliance

📣 Latest updates
December 5, 2025 – EU privacy regulators question key proposal change
The European Data Protection Board (EDPB), the EU’s top data protection authority, reviewed the Digital Omnibus proposal and raised concerns about how it redefines “personal data.” The proposal would narrow the definition to focus on whether you can identify someone, not whether someone else could. The EDPB thinks this might go too far and conflict with recent court rulings. They’re hosting a stakeholder discussion on December 12, 2025 to explore this further (discussion paper). This matters because when the EDPB flags a concern, it can influence how the final law takes shape. The personal data definition is foundational to privacy rules, so this part of the proposal may get revised.
The European Commission published its Digital Omnibus Regulation proposal on November 19, 2025. For anyone working in digital compliance, this is worth paying attention to.
The proposal aims to simplify and modernize Europe’s regulatory framework by amending several key laws, including the GDPR, ePrivacy Directive, Data Act, NIS2, eIDAS, DORA, and CER.
The text will evolve as it moves through the EU legislative process. But the trajectory is promising, and we’re committed to helping you understand what’s ahead.
💡 Before we dive in, here’s what you need to know: this is a proposal, not law. The text is at an early stage and may change substantially as it moves through the EU legislative process. The principles and obligations outlined aren’t yet in force or enforceable. Until the Regulation is formally adopted, the existing legal framework (including the GDPR and other relevant laws) continues to govern data processing activities.
Cookie consent gets a refresh
The proposal moves the ePrivacy cookie rule into the GDPR as new Article 88a. Consent remains the general rule for storing or reading information on devices, but with important updates.
- No-consent exceptions added: A closed list now covers transmission, strictly-necessary cookies, first-party audience measurement for your own services, and security of the service or device.
- One-click accept and reject required: Cookie banners must make both options equally easy to choose.
- Six-month cooling-off period: Sites can’t re-ask users for at least six months after they refuse consent, unless something relevant changes in your processing activities.
What’s not changing:
- Consent stays central: You’ll still need consent for advertising, profiling, cross-site tracking, and third-party analytics. The proposal doesn’t weaken these requirements.
Machine-readable preference signals
Article 88b introduces something new: machine-readable preference signals. Think browser settings that communicate consent or objection automatically. Controllers will need to honor these signals, and browser vendors will gradually need to support them.
This could fundamentally change how consent flows across the web, moving some choices upstream to the browser level while maintaining user control.
🍪 Fewer cookie banners in your future?
Here’s what would change: if users set their privacy preferences at the browser or OS level (like “reject all tracking” or “essentials only”), sites would read and respect that choice automatically. No banner needed.
The reality? Most people won’t adopt these settings right away, so cookie banners will remain standard for the foreseeable future. But over time, as more visitors set browser-level preferences, they’ll see fewer banners as they browse.
Behind the scenes, you’ll still need consent management systems like iubenda to handle user choices properly. The system would just get smarter about when it needs to show a banner versus when it can read an existing preference signal.
⚠️ Exception for media service providers
Not everyone has to honor these signals. The proposal explicitly exempts media service providers from the obligation to respect machine-readable preference signals.
Why? The Commission argues that media organizations depend on advertising revenue for financial sustainability, and that independent media are essential to pluralism and democratic debate. This qualifies as a public-interest objective.
In practice, media sites may ask for consent even if a user has set a global “reject tracking” preference. This privileged exception doesn’t apply to other websites, apps, or online service providers.
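The banner-or-no-banner decision described above can be sketched as a single function. This is an added example, not iubenda's code and not text from the proposal: the field names, the "accept"/"reject" signal values, and the calendar-month reading of "six months" are all assumptions, since no signal format has been defined yet.

```javascript
// Added example: hypothetical CMP decision logic (all names are assumptions).
// Closed list of purposes that need no consent under proposed Article 88a.
const EXEMPT_PURPOSES = new Set([
  "transmission",
  "strictly_necessary",
  "first_party_audience_measurement",
  "security",
]);
const COOLING_OFF_MONTHS = 6; // assumption: counted in calendar months

// End of the period during which a refused user must not be re-asked.
function coolingOffEnds(refusedAt) {
  const end = new Date(refusedAt.getTime());
  end.setUTCMonth(end.getUTCMonth() + COOLING_OFF_MONTHS);
  return end;
}

// ctx: { purposes, signal, isMediaServiceProvider, lastRefusalAt,
//        processingChanged, now }
function decideConsentUi(ctx) {
  const needConsent = ctx.purposes.filter((p) => !EXEMPT_PURPOSES.has(p));
  if (needConsent.length === 0) {
    return { showBanner: false, granted: [], reason: "exempt_purposes_only" };
  }
  // A browser/OS-level signal is binding unless the media exemption applies.
  if (!ctx.isMediaServiceProvider && ctx.signal === "reject") {
    return { showBanner: false, granted: [], reason: "signal_reject" };
  }
  if (!ctx.isMediaServiceProvider && ctx.signal === "accept") {
    return { showBanner: false, granted: needConsent, reason: "signal_accept" };
  }
  // The cooling-off rule covers every site, media service providers included.
  if (ctx.lastRefusalAt && !ctx.processingChanged &&
      ctx.now < coolingOffEnds(ctx.lastRefusalAt)) {
    return { showBanner: false, granted: [], reason: "cooling_off" };
  }
  return { showBanner: true, granted: [], reason: "ask" };
}
```

Evaluating the exempt-purpose check first keeps security and strictly necessary storage working no matter what the signal or the refusal history says.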
GDPR updates worth noting
The proposal brings several practical changes to the GDPR:
Personal data and pseudonymization
The definition of personal data is narrowed. The key question becomes whether a given controller or recipient has the means to “reasonably” identify someone. Just because someone else can identify a person doesn’t automatically make that data personal for everyone.
What this means: The Commission, working with the European Data Protection Board (EDPB), can adopt criteria for when pseudonymized data no longer counts as personal data for specific entities.
Right of access gets anti-abuse protections
Article 12 is amended so controllers may refuse access requests or charge a reasonable fee where requests are clearly abusive. This covers scenarios like:
- Harassment campaigns
- Speculative compensation claims
- “Pay me and I’ll withdraw the request” schemes
The burden of proof stays with the controller.
Transparency exceptions for low-risk situations
For low-risk, obvious situations (like local craftspeople or small clubs), controllers may rely on a wider exception where there are reasonable grounds to assume people already have the necessary information.
Standardizing DPIAs and breach notifications
The EDPB must propose EU-wide lists of processing that does or doesnât require a Data Protection Impact Assessment (DPIA), plus a common template and methodology. The same goes for high-risk data breach notifications: a standard template and criteria that the Commission will turn into implementing acts.
Why this matters: This standardization could reduce compliance complexity, especially for organizations operating across multiple EU member states.
AI and personal data
The proposal’s recitals clarify that using personal data to train, test, and validate AI systems can rely on legitimate interest under Article 6(1)(f). The catch: you need a strict balancing test and safeguards in place.
Required safeguards include:
- Transparency about AI training use
- Unconditional right to object
- Privacy-preserving techniques
- Additional protections based on risk level
A narrow derogation is added for incidental special-category data in AI training sets where removal would be disproportionate. In those cases, the data must be strongly protected and not used to infer or disclose sensitive information. The usual Article 9(2) grounds still apply where special-category processing is actually needed.
Other changes to note
Single EU entry point for incident reporting
A single EU entry point is created for cybersecurity and personal data incident reporting. GDPR controllers will use it for breach notifications, cutting duplicate reporting under NIS2, GDPR, eIDAS, DORA, and CER.
The benefit: This consolidation addresses a real pain point for organizations juggling multiple reporting obligations.
Data Act adjustments
The Data Act gets several updates:
- Stronger trade-secret safeguards
- Business-to-government (B2G) data sharing is limited to public emergencies
- Lighter regime for some cloud contracts
- Open Data Directive and Data Governance Act folded into it
The Platform-to-Business Regulation (P2B) is repealed as largely superseded by newer platform rules.
What this means for your business
This proposal points to where EU privacy regulation is going, and it’s a future we welcome.
Greater user control. Streamlined requirements. Standardization that actually helps. These aren’t just policy goals; they’re the foundation of what we’ve been building at iubenda since the beginning.
“The Digital Omnibus is not law, yet. And until it is, GDPR and ePrivacy compliance remains exactly as you know it. What will not change, even under the future regime, is the need for a robust operational layer translating legal requirements into technical enforcement. That’s still your CMP. Global signals and automation don’t replace CMPs; they make them indispensable, because someone still needs to bridge abstract rights and concrete code.”
Giulia Stancampiano, Product Legal Manager Privacy, iubenda
We’re committed to playing an active role as this proposal takes shape, helping ensure it works in practice for businesses and their customers alike.
The legislative process takes time, but we’ll be with you every step of the way, turning regulatory change into clear, actionable guidance.
Frequently asked questions
What is the Digital Omnibus Regulation?
The Digital Omnibus is a proposal from the European Commission that amends and harmonizes multiple EU digital laws, most notably the GDPR and the ePrivacy Directive, to reduce complexity, improve coherence, and modernize outdated provisions.
Is the Digital Omnibus Regulation in force?
No. The Digital Omnibus is still a proposal at an early stage of the EU legislative process. It may be substantially amended before adoption. Until it becomes law, existing regulations like the GDPR continue to apply.
When will the Digital Omnibus become law?
There’s no fixed timeline. EU legislative procedures typically take 12–30 months. Once adopted, the Regulation enters into force 20 days after publication. Its new obligations apply in stages (e.g., 6 months for the new cookie rules, 24 months for machine-readable signals).
Does the Digital Omnibus replace the GDPR?
No. The Digital Omnibus amends and updates the GDPR rather than replacing it. It proposes changes to specific articles, such as cookie consent rules and data breach notification procedures.
What changes to cookie consent does the Digital Omnibus propose?
The proposal would require one-click accept and reject options, prevent repeated consent prompts for at least six months after a refusal, and introduce machine-readable preference signals. It also moves the cookie rules into the GDPR (new Article 88a) and clarifies which limited purposes may rely on non-consent exceptions, such as first-party aggregated audience measurement and security.
Will I still need a cookie banner under the Digital Omnibus?
Yes. Consent management systems remain essential for handling user choices, managing proof of consent, and applying preferences correctly. What would change is that some users who set browser-level preferences may not see a banner, as the system would read their existing preference instead. However, media service providers may still request consent even when a global “reject” signal is present.
How does the Digital Omnibus affect AI and personal data?
The proposal clarifies that using personal data to train AI systems can rely on legitimate interest under Article 6(1)(f), provided strict safeguards are in place: transparency, unconditional right to object, and privacy-preserving techniques. It creates a new Article 88c GDPR.
Do I need to do anything right now?
No immediate action is required. Your compliance obligations under GDPR and other existing laws remain unchanged. We recommend staying informed as the proposal evolves, and we’ll keep you updated on any developments that affect your compliance work.