
The European Commission published its Digital Omnibus Regulation proposal on November 19, 2025. For anyone working in digital compliance, this is worth paying attention to.
The proposal aims to simplify and modernize Europe's regulatory framework by amending several key laws, including the GDPR, ePrivacy Directive, Data Act, NIS2, eIDAS, DORA, and CER.
The text will evolve as it moves through the EU legislative process. But the trajectory is promising, and we're committed to helping you understand what's ahead.
💡 Before we dive in, here's what you need to know: this is a proposal, not law. The text is at an early stage and may change substantially as it moves through the EU legislative process. The principles and obligations outlined aren't yet in force or enforceable. Until the Regulation is formally adopted, the existing legal framework (including the GDPR and other relevant laws) continues to govern data processing activities.
The proposal moves the ePrivacy cookie rule into the GDPR as new Article 88a. Consent remains the general rule for storing or reading information on devices, but with important updates.
What's not changing:
Article 88b introduces something new: machine-readable preference signals. Think browser settings that communicate consent or objection automatically. Controllers will need to honor these signals, and browser vendors will gradually need to support them.
This could fundamentally change how consent flows across the web, moving some choices upstream to the browser level while maintaining user control.
🍪 Fewer cookie banners in your future?
Here's what would change: if users set their privacy preferences at the browser or OS level (like "reject all tracking" or "essentials only"), sites would read and respect that choice automatically. No banner needed.
The reality? Most people won't adopt these settings right away, so cookie banners will remain standard for the foreseeable future. But over time, as more visitors set browser-level preferences, they'll see fewer banners as they browse.
Behind the scenes, you'll still need consent management systems like iubenda to handle user choices properly. The system would just get smarter about when it needs to show a banner versus when it can read an existing preference signal.
⚠️ Exception for media service providers
Not everyone has to honor these signals. The proposal explicitly exempts media service providers from the obligation to respect machine-readable preference signals.
Why? The Commission argues that media organizations depend on advertising revenue for financial sustainability, and that independent media are essential to pluralism and democratic debate. This qualifies as a public-interest objective.
In practice, media sites may ask for consent even if a user has set a global "reject tracking" preference. This privileged exception doesn't apply to other websites, apps, or online service providers.
The proposal brings several practical changes to the GDPR:
The definition of personal data is narrowed. The key question becomes whether a given controller or recipient has the means to "reasonably" identify someone. Just because someone else can identify a person doesn't automatically make that data personal for everyone.
What this means: The Commission, working with the European Data Protection Board (EDPB), can adopt criteria for when pseudonymized data no longer counts as personal data for specific entities.
Article 12 is amended so controllers may refuse access requests or charge a reasonable fee where requests are clearly abusive. This covers scenarios like:
The burden of proof stays with the controller.
For low-risk, obvious situations (like local craftspeople or small clubs), controllers may rely on a wider exception where there are reasonable grounds to assume people already have the necessary information.
The EDPB must propose EU-wide lists of processing that does or doesn't require a Data Protection Impact Assessment (DPIA), plus a common template and methodology. The same goes for high-risk data breach notifications: a standard template and criteria that the Commission will turn into implementing acts.
Why this matters: This standardization could reduce compliance complexity, especially for organizations operating across multiple EU member states.
The proposal's recitals clarify that using personal data to train, test, and validate AI systems can rely on legitimate interest under Article 6(1)(f). The catch: you need a strict balancing test and safeguards in place.
Required safeguards include:
A narrow derogation is added for incidental special-category data in AI training sets where removal would be disproportionate. In those cases, the data must be strongly protected and not used to infer or disclose sensitive information. The usual Article 9(2) grounds still apply where special-category processing is actually needed.
A single EU entry point is created for cybersecurity and personal data incident reporting. GDPR controllers will use it for breach notifications, cutting duplicate reporting under NIS2, GDPR, eIDAS, DORA, and CER.
The benefit: This consolidation addresses a real pain point for organizations juggling multiple reporting obligations.
The Data Act gets several updates:
The Platform-to-Business Regulation (P2B) is repealed as largely superseded by newer platform rules.
This proposal points to where EU privacy regulation is going, and it's a future we welcome.
Greater user control. Streamlined requirements. Standardization that actually helps. These aren't just policy goals; they're the foundation of what we've been building at iubenda since the beginning.
"The Digital Omnibus is not law, yet. And until it is, GDPR and ePrivacy compliance remains exactly as you know it. What will not change, even under the future regime, is the need for a robust operational layer translating legal requirements into technical enforcement. That's still your CMP. Global signals and automation don't replace CMPs; they make them indispensable, because someone still needs to bridge abstract rights and concrete code."
Giulia Stancampiano, Product Legal Manager Privacy, iubenda
We're committed to playing an active role as this proposal takes shape, helping ensure it works in practice for businesses and their customers alike.
The legislative process takes time, but we'll be with you every step of the way, turning regulatory change into clear, actionable guidance.
What is the Digital Omnibus Regulation?
The Digital Omnibus is a proposal from the European Commission that amends and harmonizes multiple EU digital laws, most notably the GDPR and the ePrivacy Directive, to reduce complexity, improve coherence, and modernize outdated provisions.
Is the Digital Omnibus Regulation in force?
No. The Digital Omnibus is still a proposal at an early stage of the EU legislative process. It may be substantially amended before adoption. Until it becomes law, existing regulations like the GDPR continue to apply.
When will the Digital Omnibus become law?
There's no fixed timeline. EU legislative procedures typically take 12–30 months. Once adopted, the Regulation enters into force 20 days after publication. Its new obligations apply in stages (e.g., 6 months for the new cookie rules, 24 months for machine-readable signals).
Does the Digital Omnibus replace the GDPR?
No. The Digital Omnibus amends and updates the GDPR rather than replacing it. It proposes changes to specific articles, such as cookie consent rules and data breach notification procedures.
What changes to cookie consent does the Digital Omnibus propose?
The proposal would require one-click accept and reject options, prevent repeated consent prompts for at least six months after a refusal, and introduce machine-readable preference signals. It also moves the cookie rules into the GDPR (new Article 88a) and clarifies which limited purposes may rely on non-consent exceptions, such as first-party aggregated audience measurement and security.
Will I still need a cookie banner under the Digital Omnibus?
Yes. Consent management systems remain essential for handling user choices, managing proof of consent, and applying preferences correctly. What would change is that some users who set browser-level preferences may not see a banner, as the system would read their existing preference instead. However, media service providers may still request consent even when a global "reject" signal is present.
How does the Digital Omnibus affect AI and personal data?
The proposal clarifies that using personal data to train AI systems can rely on legitimate interest under Article 6(1)(f), provided strict safeguards are in place: transparency, unconditional right to object, and privacy-preserving techniques. It creates a new Article 88c GDPR.
Do I need to do anything right now?
No immediate action is required. Your compliance obligations under GDPR and other existing laws remain unchanged. We recommend staying informed as the proposal evolves, and we'll keep you updated on any developments that affect your compliance work.